To me, having worked with OSS for multiple decades, but only ever having dipped my toe into the dev waters, the amount of forks happening seems ridiculous.
(1) the 'subdivision of the estates' problem that primogeniture solved for inheritance is very well and alive in OSS. If you fork a project often enough most forks will have such a thin developer base, they wither.
(2) this then channels quite a bit of development into projects that will soon die, thus effectively depriving the surviving versions of dev hours.
(3) it's ridiculously complicated for non-technical people to keep up with what project formed from what and which fork is the most current/secure/convenient/otherquality of the bunch.
I am genuinely asking, with all this being known, why hasn't there been a bigger push towards modularity. This was the idea of Unix pipes, and i don't see why it is a bad idea 40+ years later.
Have a 'Gecko' module, have an 'UI' module, have a 'telemetry' module, ..... this would allow people to build Firefox 'flavors' instead of forking everything. Everyone would contribute to the same project/ecosystem, users can discover the big project, and immediately download 'vanilla', but also get info on whatever flavors there are and in what way they differ? What is the real problem here?
What is the incentive for the main project to build their software this way? It would likely be a lot of work to split up the software in modules like that. They would either regularly break backwards compatibility, negating the advantages of these modules, or they would have to bind their hands forever, unable to evolve the design and module boundaries. All to support forks that probably never get merged back into the main project, so from the main project perspectives the dev time is no less wasted than before. Except that they now wasted a lot of dev time to do this thing that doesn't bring them much, if anything.
This RPC stuff would likely also be slightly slower, so people would just say Firefox is slow and use Chrome.
Being able to join forces with more co-developers can be an incentive
... and a burden, to be honest. But for some it situations it could be an incentive.
The comment to which you are replying points out the obvious value of such a proposal. Your not seeing immediate value, else suggesting it is not valuable, seems to be your error. All projects benefit more from those who see value in an effort, who are willing to put in that effort, than those discouraging or subverting such effort, given their ignorance of such value.
This makes me think of the problem text messengers have. Do they have one central server, or do they have a federation of independently run servers with differing software versions? If they have the latter, how do they encourage everyone to maintain a minimal standard level of compatibility? What if someone wants to introduce a great new feature? Does it take years because of the non-centralized nature and people refusing to update?
What you envision about modularity in a small way has already happened with the Skia graphics api. "The library is used as of 2021 in Google Chrome, Chrome OS, Chromium OS, Mozilla Firefox, Mozilla Thunderbird, Android, Firefox OS, LibreOffice (from version 7.0), Flutter and Avalonia (from Alpha 4)."
there's no incentive to develop a better product, only to maintain an appearance of competition.
I don't know if it's a secret agreement or an implicit mutual understanding, but that's what it is. the only alternative explanation I have for Mozilla's actions in the past 8 or so years is incompetence to the degree of profound mental retardation of all decision makers there.
That’s just false. The $500M is just as much worth it for Google (to prevent a huge huge lawsuit) then for Mozilla. I really don’t see why would it incentivize bad things (I would worry much much more about a browser vendor having the biggest adnetwork, but to each their own).
No one is arguing Google (Chrome) is better than Mozilla (Firefox), at least until now. Of course, living in the house of big G is much worse for privacy.
But we were talking about why Mozilla is such a mess (not compared to G, but to its potential). And knowing big Daddy G is the main funding source might just make one a tiny bit suspicious. Just saying.
I don’t know whether it is fair to call it a mess. It is a very decent browser, but so are the others. Why would someone choose Firefox over Chrome on their androids, when the latter has system level integration/sync even for completely tech illiterate people? Similar story applies to ios, where you don’t even get a true non-safari browser.
> Have a 'Gecko' module, have an 'UI' module, have a 'telemetry' module, ..... this would allow people to build Firefox 'flavors' instead of forking everything. Everyone would contribute to the same project/ecosystem, users can discover the big project, and immediately download 'vanilla', but also get info on whatever flavors there are and in what way they differ? What is the real problem here?
People are doing this. Brave and Edge are "Chrome flavors". See also https://servo.org/ or the npm and cargo ecosystems.
That said interfaces are incredibly hard to get right. They take an unreasonable amount of work to make and will often end up being unsuitable or obsolete leading to a world of breakage, inefficiency and pain.
> If you fork a project often enough most forks will have such a thin developer base, they wither.
Spurious forks are a vector for attack. If your commercial product has FOSS competition, just encourage (finance) two or three forks of it, along the lines of any contentious issues. It's like splitting the opposition vote with fake candidates. It's not necessary for Firefox because it is a completely captured opposition, but it could be happening to other projects.
It's not wholly logical, but I think they might be working under the assumption that IPv6 addresses are usually "more public" (when accidentally not using random privacy addresses?) than NATed IPv4, and that it's more easily possible to configure a VPN that leaks IPv6 traffic via non-VPN routes.
I don't agree that disabling IPv6 improves privacy, but there is some foundation for the idea.
>but I think they might be working under the assumption that IPv6 addresses are usually "more public" (when accidentally not using random privacy addresses?) than NATed IPv4
Are privacy address per machine or per connection? My impression is that they're the former, which still makes them worse than IPV4 + NAT.
Privacy Addresses are for a time slice of connections. You can cycle a new address every 10 minutes but the OS will keep old addresses until all connections over these addresses have been closed.
Stable-Privacy is just like having an IPv4, but if your prefix changes the suffix changes, so you can't be easily traced across prefix changes. For desktops, normal privacy should be configured.
> Privacy Addresses are for a time slice of connections. You can cycle a new address every 10 minutes but the OS will keep old addresses until all connections over these addresses have been closed.
Sounds like it's still worse than IPV4 + NAT, because your address + port tuple changes with each connection, whereas with ipv6 it's the same across connections for 10 minutes.
With IPv4 + NAT your address does not change for 24h in most connections, while with IPv6 it changes every 10 minutes. IPv6 is better for privacy there. The outgoing port for IPv6 is also still randomized, so if you look at it over 2 days, on IPv4 you get two IPs doing a series of connections while with IPv6 you have potentially thousands for each device doing connections, with no way to correlate them.
Ipv6 addresses can be static, halfrandom and random.
in an older version the mac is used to create ipv6 addresses, but a few years ago privacy extensions were created that create random addresses for each ipv6 networkdevice in an computer that is regulary changed.
I don't agree either, and in fact, NAT is awful it breaks core functionality of the internet. I am old enough to remember the days when everyone had a unique IP address and things like FTP and all the rest would "just work".
Now you have to have all sorts of elaborate mechanisms like STUN, etc. to find a third server to coordinate handshaking so video chat can work, sometimes necessary to be relayed through the third server instead of directly between the two clients.
If I’m using Firefox with privacy badger, UBlock Origin, privacy possum, cookie and cache deleters, a URL tracker plug in, noscript, https enabled by default, a handful of others that are probably redundant on top of Firefox’s internal tracker protection, do I really stand to benefit from this fork?
When it comes to new sites, I have to usually reset noscript to allow the top level domain. Honestly I don’t know why I don’t just do that by default. At least half the websites don’t load at all without JS enabled.
On the sites with more heavy tracking —- chegg comes to mind or some different clothing stores with lots of media, payment service scripts, and heavy ad tracking like tentree — the plug-ins definitely interfere to the point where I will sometimes use a second browser so that the website operates as intended. NoScript seems to be the culprit in most cases, and I suspect the interface doesn’t adequately display all the scripts attempting to load after the initial render.
I’ve had some trouble with sites which communicate between themselves too. (Airlines do this a lot).
All in all, I’d say my browsing experience is normal to the extent that I don’t do a lot of browsing to new sites. I’ve got a good running list for noscript, but any new sites with lots of dependencies and media to load usually requires a couple refreshed after an updated rule list.
...mostly yes, at least initially. I use uMatrix and NoScript and its a matter of configuring/'training' them over such that most browsing over a few days/weeks becomes quite fantastic.
That said, one has to get used to making those configs every time a new site is browsed (or a previous site changes significantly what it does), but really, for some of us, the experience after the fact is well worth the investment, as browsing and reading become sane again.
Probably not. The irony is that when you disable default browser features, sites can use this fact as a fingerprinting input, and it only makes your browser more unique.
I'd expect standard Firefox's protection + popular plugins to be good enough to reduce creepiness of everyday adtech. If you really don't like to be tracked, then the Tor browser may be a better bet. At least you'll look like every other Tor user, rather than stand out with your custom config and a niche-of-niches browser.
I am a big fan of LibreWolf. Along with Ungoogled Chromium, these browsers feel a lot closer to what browsers should feel like.
One of my favorite features of LibreWolf is truly disabled autoplay. If a site wants to autoplay, you have to allow it first, no exceptions. This might sound petty, but in a world where it feels like you have no control over anything, this small return to feeling like I am allowed to decide what happens in my own damn browser is liberating.
Note that Librewolf doesn’t autoupdate, but you can get notifications when an update is available using an unofficial extension.
User control is remarkably empowering and makes the web more of a joy like it felt in the early days. The day that I can't run uMatrix anymore will be a sad day for me indeed.
I use the fully leaded version of firefox, which has the disable autoplay feature. That is one of the best quality of life features there IMO. So often I will click on an article or something like that, and it steps on my music and drives me crazy.
Sort of. They require you to dig around in about:config (where settings go to be hidden, then removed) to toggle some obliquely named and unnecessary exception to their autoplay policy, which is if your "gestures" trigger autoplay. This can mean simply mean that you scrolled the page to video was on. The setting to disable autoplay is therefore only reliable on unselected tabs.
I have no problem with the gigantic about:config section. I get that browser vendors want to have easy to navigate settings pages so its easy for the average person to stay on the "golden path" as it were. As someone who wants to fiddle with the knobs I am totally fine with the current approach. Its been my experience firefox does not aggressively prune these flags. My experience with chrome has been different though.
I don't know if this is done by default, but this is dangerous to do. A disabled canvas is itself a fingerprint, and can be more unique than your original fingerprint [1]. Canvas randomizers can have the same issues if they are not done properly. From what I've heard, the best mitigation is Firefox's `resistFingerprinting` flag, since it uses the same methods as Tor browser
I can't imagine disabled WebGL is that specific of a fingerprint. Surely there have to be millions of consumer devices out there without OpenGLES2 support, right?
However I agree that privacy.resistFingerprinting is probably the way to go.
> Surely there have to be millions of consumer devices out there without OpenGLES2 support, right?
Perhaps, but not many people in your area run the latest version of Firefox while not supporting WebGL and having a display with a high DPI (for example).
Apparently many computers have the same canvas fingerprint [1], much more than you'd think. So disabling it does seem like it would make you more unique.
Yeah....I'm not gonna trust a Firefox fork maintained by 1 dude, and if Firefox would ever disappear I don't expect any of these forks to pick up the slack. I'm not a fan of everything Mozilla does with the project but it's still better than the alternatives.
You are the only person to have brought this exact point up. And I think it's a huge one. I think it's pointless to go on about the features or the add-ons you'd need to add to Firefox to achieve this level of privacy in your browser, while ignoring the glaring problem that this has a really small maintainer pool and I assume folks have done no due-diligence on who those folks are.
I'll admit, I haven't done due-diligence on any of the folks at Mozilla, but I think it'd be a lot easier to socially engineer a project like LibreWolf than Firefox.
Edit: I'll add I mean no disrespect to the folks at LibreWolf, in fact it's awesome what they're doing. I just find it hard to take most things at face value these days, especially a browser.
Mentioned the one you replied to, but it syncs as normal to Mozilla's profile sync - what are you losing out on if the maintainer stops maintaining it?
That is far from the only concern. For me, the biggest consideration is trust. With such a small maintainer base, you are placing a large amount of trust in their team. There would be huge motivation in creating a privacy-focused browser that secretly slurps data and/or monitors users somehow[1]. Using a project like this would require me trusting a small-handful of people I don't know at all, and aren't represented by an entity I somewhat inherently trust (Mozilla).
I can't say my logic is without holes, for example I don't do much to verify my trust in Mozilla, but you have to make generalizations in this field or you would never get anything done.
This saves a lot of time. I tried hardening Firefox and it took more than a day to get everything sorted. I added a few policies and about:config tweaks yet with each new release of Firefox some new stuff has to be disabled or tweaked for hardening purposes. I always wondered why Firefox doesn’t just do all this anyways and be more privacy-aware. Their data grab in recent years has gotten worse. Forks like LibreWolf are a godsend and I am glad it exists. My only issue with it is that it causes sites to have a CAPTCHA interstitial due to all the fingerprinting mitigations it does, and it doesn’t play nice with e-commerce since those sites do a lot of KYC and fraud prevention and flag browsers which are trying to blend in.
How can librewolf people "fork" Firefox which brave creators called "pita" ??
Guess they don't care about supporting privacy other than skimming off of work of google all the while lambasting their efforts of destroying the same privacy policies they believe they are protecting.
My concerns with ostensibly privacy-focused Firefox forks:
* Needing to constantly monitor whether the fork is being actively maintained, or if it's a vanity project which abruptly stops/slows down updates when its owner/principal contributors lose interest.
* Needing to constantly monitor if the fork is using the latest official Firefox builds to make sure that it's also getting the latest security updates.
* Not being readily able to see a complete humanly understandable (meaning not just comparing git versions) list of changes that the fork makes to the official build.
* Not knowing the reputation of the developers behind the fork.
In sum, I basically trust Mozilla more than I do $random_fork_developer, so I use the official build and carry out my own tweaks, but I am always on the look out for more tweaks, which is why I'd appreciate if lists of privacy tweaks custom builds do were more transparently shared.
> Firefox security patches are applied to prevent vulnerabilities
Sure, but at what rate? If Mozilla releases a critical patch today, and the core maintainer responsible for build maintenance is away on vacation for two weeks, what happens?
That's the main problem behind FOSS; they are not incentivized to be 100% dedicated to the project. Their FOSS projects are labour of love not labour of money.
You say it is a problem with FOSS projects. Isn't it more a problem with hobby projects? Some FOSS projects are hobby projects others not. As show cased by the fact that Firefox itself is a FOSS project.
Timely maintenance is also problematic with hobby closed-source projects or hobby apps on closed platforms, like iOS and Android.
>You say it is a problem with FOSS projects. Isn't it more a problem with hobby projects? Some FOSS projects are hobby projects others not. As show cased by the fact that Firefox itself is a FOSS project.
Mozilla gets paid $500m a year by Google so that Google can be default search engine on Firefox. They have the money that keeps them "incentivized" although they are FOSS and nonprofit. Or in another words Gitlab and Github FOSS devs do not have salaries like Mozilla people do, the only thing they get is an occasional donation.
One aspect of these forks that never gets mentioned:
It's great when a fork ensures that it is always taking security patches from upstream. But what about the code unique to the fork? Is that new code following the same security practices as the upstream project? Are enough eyeballs poking at it to get it the same security scrutiny as upstream?
The nightmare scenario which we may be hitting? Firefox (which I've always loved and used) may be institutionally so used to surviving how it can by compromising that it loses its way?
I wasn't that much concerned with it until recently. I got into the idea of the whole "website as app," thing (specifically, client-side you turn a website into a self-contained app, with or without the "sites" permission) -- and to find that Firefox had dropped this is disappointing because it feels well within Firefox's mission.
FWIW, presently I'm solving this through GNOME's Epiphany.
Yes, this is a really unfortunate missing piece of functionality for Firefox. I’m currently solving this through Microsoft Edge, but it’s pretty janky (external links open in Edge, so I need to copy and paste them into Firefox).
At Netflix, I went down the rabbit hole of package management. We were working on a distributed build system that allowed you to compose immutable builds of ecosystem independent artifacts. After working in that space, and reading the last few decades of LISA papers, I’m fairly confident our industry has gotten package management horribly wrong - and I think your comment cuts right to why.
The two closest build systems I’ve seen to getting it right: Nix (closest) and FreeBSD ports.
I’ll use the i3 window manager as an example. There are plenty of forks of i3 out there (example: adding space between windows, rounded corners, i3bar mods, etc). They’re each packaged and published as separate packages! You can’t compose them even though many of their changes are compatible. This leads to packages like i3-gaps-rounded.
What I really want out of a package manager is “patch support” - where I can publish, discover, share, and consume patches on top of the OSS I use.
Nix gets really close to this. I haven’t invested enough time in learning Nix yet, but it’s on my bucket list. Currently I use FreeBSD and use their ports collection for i3, and put all of my patches in the patch directory there. FreeBSD will apply the patches in order and then build the package for me.
I’m not sure exactly where I’m going with this rant beyond: I wish OSS package management adopted less of a producer-consumer relationship and more of a peer relationship when it comes to source code management and builds.
Gentoo's portage (which is based on freebsd ports to some extent!) also allows patches like this! You just put the patches in /etc/portage/patches/$cat/$pkg(-$ver|:$slot) and it applies them automatically for you! It's also really easy to take an ebuild from the gentoo repo and modify it however you want!
I would definitely recommend giving Gentoo a spin!
>Not being readily able to see a complete humanly understandable (meaning not just comparing git versions) list of changes that the fork makes to the official build.
I feel like this is a common thing with forks and alternatives, they usually have a basic list of big differences (like Librewolf with saying it's more private).
But I'd like to know how they do that, are they blocking more cookies? Are they making the browser harder to fingerprint? What am I giving up vs Firefox (ie; sites breaking, or missing features like sync)?
I switched a couple of months ago from Dev Edition as well.
The biggest improvement for me? On macOS, I can control upgrades myself via homebrew. No more popups every day begging me to update. It became really annoying that Dev Edition uses the same release cadence as Nightly, so you basically have a new update available all the time. And now vanilla Firefox doesn't even let you disable update checks.
79 comments
[ 3.9 ms ] story [ 104 ms ] threadIt sure looks interesting but that article definitely burst some of my privacy bubbles...
(1) the 'subdivision of the estates' problem that primogeniture solved for inheritance is very well and alive in OSS. If you fork a project often enough most forks will have such a thin developer base, they wither.
(2) this then channels quite a bit of development into projects that will soon die, thus effectively depriving the surviving versions of dev hours.
(3) it's ridiculously complicated for non-technical people to keep up with what project formed from what and which fork is the most current/secure/convenient/otherquality of the bunch.
I am genuinely asking, with all this being known, why hasn't there been a bigger push towards modularity. This was the idea of Unix pipes, and i don't see why it is a bad idea 40+ years later.
Have a 'Gecko' module, have an 'UI' module, have a 'telemetry' module, ..... this would allow people to build Firefox 'flavors' instead of forking everything. Everyone would contribute to the same project/ecosystem, users can discover the big project, and immediately download 'vanilla', but also get info on whatever flavors there are and in what way they differ? What is the real problem here?
Edit: autocorrect-correction
This RPC stuff would likely also be slightly slower, so people would just say Firefox is slow and use Chrome.
What you envision about modularity in a small way has already happened with the Skia graphics api. "The library is used as of 2021 in Google Chrome, Chrome OS, Chromium OS, Mozilla Firefox, Mozilla Thunderbird, Android, Firefox OS, LibreOffice (from version 7.0), Flutter and Avalonia (from Alpha 4)."
$500M that Mozilla gets from Google every year.
there's no incentive to develop a better product, only to maintain an appearance of competition.
I don't know if it's a secret agreement or an implicit mutual understanding, but that's what it is. the only alternative explanation I have for Mozilla's actions in the past 8 or so years is incompetence to the degree of profound mental retardation of all decision makers there.
But we were talking about why Mozilla is such a mess (not compared to G, but to its potential). And knowing big Daddy G is the main funding source might just make one a tiny bit suspicious. Just saying.
People are doing this. Brave and Edge are "Chrome flavors". See also https://servo.org/ or the npm and cargo ecosystems.
That said interfaces are incredibly hard to get right. They take an unreasonable amount of work to make and will often end up being unsuitable or obsolete leading to a world of breakage, inefficiency and pain.
Spurious forks are a vector for attack. If your commercial product has FOSS competition, just encourage (finance) two or three forks of it, along the lines of any contentious issues. It's like splitting the opposition vote with fake candidates. It's not necessary for Firefox because it is a completely captured opposition, but it could be happening to other projects.
um... what'd i miss? Why would i want this?
I don't agree that disabling IPv6 improves privacy, but there is some foundation for the idea.
Are privacy address per machine or per connection? My impression is that they're the former, which still makes them worse than IPV4 + NAT.
Stable-Privacy is just like having an IPv4, but if your prefix changes the suffix changes, so you can't be easily traced across prefix changes. For desktops, normal privacy should be configured.
Sounds like it's still worse than IPV4 + NAT, because your address + port tuple changes with each connection, whereas with ipv6 it's the same across connections for 10 minutes.
More than a few. RFC 3041 was published in January 2001.
https://datatracker.ietf.org/doc/html/rfc3041
Now you have to have all sorts of elaborate mechanisms like STUN, etc. to find a third server to coordinate handshaking so video chat can work, sometimes necessary to be relayed through the third server instead of directly between the two clients.
I remember reading about one or more web browsers dropping FTP support entirely not very long ago. Sic transit gloria mundi.
EDIT: Just in case it is not clear, I wholeheartedly agree with you!
In other words, is this truly necessary?
One question. How does website availability fare with all these plugins and options active? Does it mangle or render sites unusable? And at what rate?
On the sites with more heavy tracking —- chegg comes to mind or some different clothing stores with lots of media, payment service scripts, and heavy ad tracking like tentree — the plug-ins definitely interfere to the point where I will sometimes use a second browser so that the website operates as intended. NoScript seems to be the culprit in most cases, and I suspect the interface doesn’t adequately display all the scripts attempting to load after the initial render.
I’ve had some trouble with sites which communicate between themselves too. (Airlines do this a lot).
All in all, I’d say my browsing experience is normal to the extent that I don’t do a lot of browsing to new sites. I’ve got a good running list for noscript, but any new sites with lots of dependencies and media to load usually requires a couple refreshed after an updated rule list.
That said, one has to get used to making those configs every time a new site is browsed (or a previous site changes significantly what it does), but really, for some of us, the experience after the fact is well worth the investment, as browsing and reading become sane again.
I'd expect standard Firefox's protection + popular plugins to be good enough to reduce creepiness of everyday adtech. If you really don't like to be tracked, then the Tor browser may be a better bet. At least you'll look like every other Tor user, rather than stand out with your custom config and a niche-of-niches browser.
https://xkcd.com/1105/
I also sometimes use Mull on Android. Its nice that there's some variety these days, even if they're just config differences.
Choice is nice.
One of my favorite features of LibreWolf is truly disabled autoplay. If a site wants to autoplay, you have to allow it first, no exceptions. This might sound petty, but in a world where it feels like you have no control over anything, this small return to feeling like I am allowed to decide what happens in my own damn browser is liberating.
Note that Librewolf doesn’t autoupdate, but you can get notifications when an update is available using an unofficial extension.
https://addons.mozilla.org/en-US/firefox/addon/librewolf-upd...
You can use a package manager to install and update it, too. Even on Windows; it’s available in Winget.
Usability is clearly the least important concern for the devs. Mozilla can't make that decision it has to work out of the box.
Of course the most private thing to do is not use computers at all.
Gonna have to try out librewolf.
Sort of. They require you to dig around in about:config (where settings go to be hidden, then removed) to toggle some obliquely named and unnecessary exception to their autoplay policy, which is if your "gestures" trigger autoplay. This can mean simply mean that you scrolled the page to video was on. The setting to disable autoplay is therefore only reliable on unselected tabs.
I don't know if this is done by default, but this is dangerous to do. A disabled canvas is itself a fingerprint, and can be more unique than your original fingerprint [1]. Canvas randomizers can have the same issues if they are not done properly. From what I've heard, the best mitigation is Firefox's `resistFingerprinting` flag, since it uses the same methods as Tor browser
[1]: https://multilogin.com/how-canvas-fingerprint-blockers-make-...
However I agree that privacy.resistFingerprinting is probably the way to go.
Perhaps, but not many people in your area run the latest version of Firefox while not supporting WebGL and having a display with a high DPI (for example).
Not really. Even my decade+ old laptop supports webgl on both firefox and chrome.
[1]: https://multilogin.com/the-great-myth-of-canvas-fingerprinti...
I'll admit, I haven't done due-diligence on any of the folks at Mozilla, but I think it'd be a lot easier to socially engineer a project like LibreWolf than Firefox.
Edit: I'll add I mean no disrespect to the folks at LibreWolf, in fact it's awesome what they're doing. I just find it hard to take most things at face value these days, especially a browser.
"It can die some day" - everything does.
I can't say my logic is without holes, for example I don't do much to verify my trust in Mozilla, but you have to make generalizations in this field or you would never get anything done.
[1] If you need a real-world example, see Anom.
Guess they don't care about supporting privacy other than skimming off of work of google all the while lambasting their efforts of destroying the same privacy policies they believe they are protecting.
Eh, fuck'em
* Needing to constantly monitor whether the fork is being actively maintained, or if it's a vanity project which abruptly stops/slows down updates when its owner/principal contributors lose interest.
* Needing to constantly monitor if the fork is using the latest official Firefox builds to make sure that it's also getting the latest security updates.
* Not being readily able to see a complete humanly understandable (meaning not just comparing git versions) list of changes that the fork makes to the official build.
* Not knowing the reputation of the developers behind the fork.
In sum, I basically trust Mozilla more than I do $random_fork_developer, so I use the official build and carry out my own tweaks, but I am always on the look out for more tweaks, which is why I'd appreciate if lists of privacy tweaks custom builds do were more transparently shared.
> Firefox security patches are applied to prevent vulnerabilities
You are right about the reputation of the maintainers of LW though. The second this becomes abandonware I will ditch it.
Sure, but at what rate? If Mozilla releases a critical patch today, and the core maintainer responsible for build maintenance is away on vacation for two weeks, what happens?
Timely maintenance is also problematic with hobby closed-source projects or hobby apps on closed platforms, like iOS and Android.
Mozilla gets paid $500m a year by Google so that Google can be default search engine on Firefox. They have the money that keeps them "incentivized" although they are FOSS and nonprofit. Or in another words Gitlab and Github FOSS devs do not have salaries like Mozilla people do, the only thing they get is an occasional donation.
It's great when a fork ensures that it is always taking security patches from upstream. But what about the code unique to the fork? Is that new code following the same security practices as the upstream project? Are enough eyeballs poking at it to get it the same security scrutiny as upstream?
I wasn't that much concerned with it until recently. I got into the idea of the whole "website as app," thing (specifically, client-side you turn a website into a self-contained app, with or without the "sites" permission) -- and to find that Firefox had dropped this is disappointing because it feels well within Firefox's mission.
FWIW, presently I'm solving this through GNOME's Epiphany.
The two closest build systems I’ve seen to getting it right: Nix (closest) and FreeBSD ports.
I’ll use the i3 window manager as an example. There are plenty of forks of i3 out there (example: adding space between windows, rounded corners, i3bar mods, etc). They’re each packaged and published as separate packages! You can’t compose them even though many of their changes are compatible. This leads to packages like i3-gaps-rounded.
What I really want out of a package manager is “patch support” - where I can publish, discover, share, and consume patches on top of the OSS I use.
Nix gets really close to this. I haven’t invested enough time in learning Nix yet, but it’s on my bucket list. Currently I use FreeBSD and use their ports collection for i3, and put all of my patches in the patch directory there. FreeBSD will apply the patches in order and then build the package for me.
I’m not sure exactly where I’m going with this rant beyond: I wish OSS package management adopted less of a producer-consumer relationship and more of a peer relationship when it comes to source code management and builds.
I would definitely recommend giving Gentoo a spin!
I feel like this is a common thing with forks and alternatives, they usually have a basic list of big differences (like Librewolf with saying it's more private).
But I'd like to know how they do that, are they blocking more cookies? Are they making the browser harder to fingerprint? What am I giving up vs Firefox (ie; sites breaking, or missing features like sync)?
The biggest improvement for me? On macOS, I can control upgrades myself via homebrew. No more popups every day begging me to update. It became really annoying that Dev Edition uses the same release cadence as Nightly, so you basically have a new update available all the time. And now vanilla Firefox doesn't even let you disable update checks.
LibreWolf – A fork of Firefox, focused on privacy, security and freedom - https://news.ycombinator.com/item?id=30720301 - March 2022 (217 comments)
LibreWolf – A fork of Firefox, focused on privacy, security and freedom - https://news.ycombinator.com/item?id=29106155 - Nov 2021 (306 comments)
LibreWolf: A fork of Firefox, focused on privacy, security and freedom - https://news.ycombinator.com/item?id=26034774 - Feb 2021 (1 comment)
LibreWolf – A fork of Firefox, focused on privacy, security and freedom - https://news.ycombinator.com/item?id=23901130 - July 2020 (5 comments)