Sarah Jamie LewisSep 13, 2024

Firefox forks might be a reasonable short-term solution to the current era of Mozilla paper cuts, but the crisis is ultimately driven by economics.

Browser dev and maintenance is expensive and that pressure is pushing Mozilla towards the same underhanded, advertiser-driven strategies embraced by google et al.

At best firefox-forks are a less well funded version of what Mozilla used (at least publicly) aim for.

Show threadmccSep 13, 2024
@sarahjamielewis It is also unfortunate because a point a number of mozilla/ex-mozilla people have raised with me is that the forks don't have security fast-response teams and will naturally lag a little on deploying time-sensitive security patches. and i just don't have a compelling response to that :(
Show threadHishamSep 13, 2024

@mcc @sarahjamielewis An honest, vulnerable and naive question: how fast do we really need security response to be?

I mean, I've often ran browsers several versions out-of-date (either by disabling auto-updates on my phone, or by installing an alternative .deb over Ubuntu's) and I have only updated when I found that a particular site stopped working. All seemed ok.

Again, not a rhetorical question and not me saying "maybe we don't need fast updates". I'm asking why should I not be doing this.

Show threadSarah Jamie LewisSep 13, 2024

@hisham_hm @mcc

Most of the time you will be fine, ad-blockers and the fact that most people stick the the same small set of sites most of the time minimize the attack surface greatly.

But then once every 2 years or so, something like the web-p vuln happens and any image loading becomes a potential full-system takeover. At that point you really do want fast update rollout.

Show threadHishamSep 13, 2024

@sarahjamielewis @mcc Thanks! That matches my general feeling of "how bad can it be to access Wikipedia on a year-old version of a browser".

My feeling is that this makes a firefox-fork that's upgrading on a best-effort volunteer basis somewhat of a viable option for someone like me, but not something we could go around recommending for family and the public at large the same way we've been campaining for Firefox over all these years...

Show threadmccSep 13, 2024
@hisham_hm @sarahjamielewis I want to remind that there is "Firefox ESR" which is an official version of Firefox that updates no more than once a year EXCEPT security updates. This will not protect you from misfeatures but it may be easier to maintain, for example, an autoconfig that blocks misfeatures if you know misfeatures come no more than once a year. We shouldn't have to do even that, but if that's the world we live in maybe that's the solution.
Show threadHishamSep 13, 2024

@mcc @sarahjamielewis I'm typing this from my personal laptop running the last version of GoboLinux I helped build. Half of its packages are from 2017. Its kernel is Linux 4.x. Every package was compiled by either by me or a friend, save for LibreOffice and Firefox.

The only thing in it I have on semi-auto-update is Firefox, which is running from the upstream binaries with "auto-update on restart" (and I don't restart it for weeks or sometimes months). That's how much I trusted Mozilla. :(

Show threadMatěj Cepl 🇪🇺 🇨🇿 🇺🇦Sep 15, 2024

@hisham_hm @mcc @sarahjamielewis

I wonder whether the applications like Firefox are not exactly the best candidates for giving up and using #Flatpak only. Although, perhaps #GoboLinux is exactly the distro, which doesn’t want to use Flatpaks?

Show threadHisham
@mcepl @mcc @sarahjamielewis I have used AppImages successfully. When I tried using Flatpaks, they were not isolated enough, and failed due to making assumptions about the underlying system libraries.
Sep 16, 2024 at 12:03amTusky
Show threadMatěj Cepl 🇪🇺 🇨🇿 🇺🇦Sep 17, 2024

@hisham_hm @mcc @sarahjamielewis

I think it is different on different distros.

Without trying to have much of an opinion of my own, let me post here (a bit old, yes) link to https://youtu.be/4WuYGcs0t6I by @sysrich

#OpenSUSE #Tumblweed #Rolling_release #MicroOS #Moldavite #Flatpak

- YouTube

Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.

Show threadHishamSep 17, 2024

@mcepl @mcc @sarahjamielewis @sysrich

Before even watching the video:

> I think it is different on different distros.

Yes, that's what I meant. I'm sure Flatpak works well on some distros. But the point of those all-in-one packages was to abstract us from the underlying distro. (I do understand how hard/unfeasible it is to get full universality — just saying that in my experience with a VERY nonstandard distro, _the AppImages I tried_ did better.)