1

Topic: questions regarding Iceweasel-UXP

- If I understand correctly, Iceweasel-UXP is based on Basilisk. Is it a hard fork or does it receive updates from upstream? Is the appropriate place to submit bug reports and features requests Hyperbola's issue tracker or upstream's?

- Is it appropriate to request backporting of Firefox >=52 (last pre-Quantum ESR) and/or >=57 (post-Quantum) features that do not rely on WebExtensions or otherwise conflict with Hyperbola's goals?

2

Re: questions regarding Iceweasel-UXP

chaosmonk wrote:

- If I understand correctly, Iceweasel-UXP is based on Basilisk. Is it a hard fork or does it receive updates from upstream? Is the appropriate place to submit bug reports and features requests Hyperbola's issue tracker or upstream's?

- Is it appropriate to request backporting of Firefox >=52 (last pre-Quantum ESR) and/or >=57 (post-Quantum) features that do not rely on WebExtensions or otherwise conflict with Hyperbola's goals?

Probably not, webext has security issues so its not likely.  Do you need any addons that are from >=57 firefox?

Pretty sure there are alternatives to most addons from firefox. Unless they non-free software. of course... wink

PS, Iceweasel-uxp does recieve updates from upstream pretty sure, and Basilisk probably recieves applicable upates from some code in firefox.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

3

Re: questions regarding Iceweasel-UXP

zapper wrote:

Probably not, webext has security issues so its not likely.

I didn't mean to suggest that Iceweasel should implement WebExtensions. I'm aware of the security issues. I was referring to other features of Firefox, such as privacy-enhancing patches implemented as part of the Tor Uplift Project.[1] However, if

Basilisk probably recieves applicable upates from some code in firefox.

then this might happen anyway.

I've also noticed a possible branding issue with Iceweasel, which is that although the .desktop file provides the name "Iceweasel-UXP", once Iceweasel is running it's WM_CLASS is "Firefox", which is visible with xprop. In GNOME (I have not checked with other desktop environments) the title bar says "Firefox" and an entry appears in the dock with the Iceweasel logo but the name "Firefox". If Iceweasel-UXP is added to Favorites, the Firefox entry appears in addition to the Iceweasel one. I think that this might be a violation of Mozilla's trademark policy, but if it is I'm not sure if I should report it here or upstream.

Do you need any addons that are from >=57 firefox?

Pretty sure there are alternatives to most addons from firefox

I did not see NoScript in the Iceweasel addons page, but I found the legacy version here.[2] I'm not sure whether NoScript was specifically excluded due to some freedom issue I'm unaware of or if it just wasn't considered.

The only addon I miss is Invidious Redirect[3]. It has only ever been a WebExtension, so I guess it can't be backported.

[1] https://wiki.mozilla.org/Security/Tor_Uplift
[2] https://noscript.net/getit#classic
[3] https://addons.mozilla.org/en-US/firefo … -redirect/

4 (edited by freemedia 2018-12-15 08:59:37)

Re: questions regarding Iceweasel-UXP

mozillas trademark policy has gotten much more lax-- it is no longer required to change the name to iceweasel in order to change the things they insisted upon traditionally as their own quality assurance.

also referrers, user agents and internal os strings probably arent affected by trademark policy anyway. trademark would apply more heavily to to brand of the browser itself-- the title bar, the icon, not the values in xprop.

worst case, devs would probably get a c&d (bad pr these days, so they probably wouldnt) and theyd have to change the code. but honestly, any browser can spoof ff internally. i dont think they can do anything about that. think about it-- this isnt because theyre charitable, microsoft and google cant stop mozilla from spoofing their user agent either. copyright is about contents, you cant copyright a brand name-- trademark is about appearances. no one is going to mistake iceweasel for firefox-- its called iceweasel, eh? probably dont call it "mozilla iceweasel" though. at a guess, they would have cause to make a fuss over that.

5

Re: questions regarding Iceweasel-UXP

freemedia wrote:

trademark would apply more heavily to to brand of the browser itself-- the title bar, the icon, not the values in xprop.

Yes, I agree. I only mentioned xprop's output because I think that the WM_CLASS value might have something to do with why the icon and titlebar say "Firefox".

worst case, devs would probably get a c&d (bad pr these days, so they probably wouldnt) and theyd have to change the code.

I'm not particularly worried about Mozilla either. I consider this a very minor issue and only meant to use it as an example of one that I'm not sure whether to report for Iceweasel or Basilisk. In this particular case the answer is probably Basilisk.

6

Re: questions regarding Iceweasel-UXP

Guys, i suggest see our Iceweasel-UXP, Icedove-UXP and Iceape-UXP articles for further details. Anyway if you have some question, you should contact g4jc who is developing our UXP applications.

7

Re: questions regarding Iceweasel-UXP

chaosmonk wrote:

- If I understand correctly, Iceweasel-UXP is based on Basilisk. Is it a hard fork or does it receive updates from upstream? Is the appropriate place to submit bug reports and features requests Hyperbola's issue tracker or upstream's?

Please submit all bug reports to our bug tracker. If it is an upstream issue we will correlate with upstream. It is a soft-fork of Basilisk as we're working pretty closely with them at the moment. We do have some different application goals, primarily removal of DRM and some different privacy and security defaults, but both of us are working towards the same goal of keeping XUL alive and patched with security updates. All of the toolkit (browser engine) portion of Basilisk changes are also applicable for Iceweasel-UXP. You can have a look at UXP's recent changes here.

chaosmonk wrote:

-  Is it appropriate to request backporting of Firefox >=52 (last pre-Quantum ESR) and/or >=57 (post-Quantum) features that do not rely on WebExtensions or otherwise conflict with Hyperbola's goals?

The WebExt code is radically different, so anything pre-FF52 we can have a look at and in some (rare) cases we can backport post-Quantum stuff by either inventing it from scratch or borrowing the few relevant bits that are not dependent on it. I'd rather not reinvent things from scratch, but others are certainly welcome to do so. If you're going to submit a bug report I prefer you link to the last known XUL (legacy) version and we can go from there.

chaosmonk wrote:

- I did not see NoScript in the Iceweasel addons page

For addons we are currently bundling, they are included in the package repository directly. This may change once upstream implements a shared addons database for UXP applications. You can find our NoScript package here. There are some patches we've applied, primarily removal of Google, some networking pings, and the whitelist. We do not feel the whitelist should auto-populate every time the addon starts, as many of the websites listed are running non-free JavaScript and can open you up to security vulnerabilities, so we disable this and let the user decide what should be whitelisted. See the current patch here.

I'll update the wiki to clarify this.


chaosmonk wrote:

I was referring to other features of Firefox, such as privacy-enhancing patches implemented as part of the Tor Uplift Project.

I'm currently monitoring these. Many of them do not currently apply to us as they are for post-Quantum design and/or are incomplete.
We're not currently trying to compete with Tor browser, as it requires a significant rewrite of the HTTP layer that was optimized for Tor. Mozilla has not fully gotten on board with that either which is why Tor browser continues to exist.

Their modifications include longer proxy timeout defaults and GUI changes to mark all onions as "secure" with a green lock regardless of whether or not they run HTTPS. There is also the Tor Browser button, which works exclusively with their browser and uses their custom networking layer to open a new circuit per page and set a bunch of default about:config options with a slider.

I currently recommend using different Profiles for extra privacy. You can launch iceweasel-uxp with --ProfileManager and you can have one for banking/personal, and one for every day browsing.

We have back-ported some important items such as disabling SSLKEYLOGFILE which is a patch borrowed from Tor that prevents local SSL stripping. See here for more details.

chaosmonk wrote:

I only mentioned xprop's output because I think that the WM_CLASS value might have something to do with why the icon and titlebar say "Firefox".

I'll try to reproduce and fix this for the next release, thanks for the report.

8

Re: questions regarding Iceweasel-UXP

g4jc wrote:

You can find our NoScript package here. There are some patches we've applied, primarily removal of Google, some networking pings, and the whitelist. We do not feel the whitelist should auto-populate every time the addon starts, as many of the websites listed are running non-free JavaScript and can open you up to security vulnerabilities, so we disable this and let the user decide what should be whitelisted. See the current patch here.

The first thing I do after installing NoScript is disabling everything in the whitelist. However, the annoying thing is that Mozilla browsers have JavaScript turned on by default (javascript.enabled is set to true in about:config), so I need to run JavaScript in order to download NoScript if I forget to disable it in the about:config  settings (unless I download it from a search engine which runs without JavaScript such as DuckDuckGo Lite/HTML). As long as NoScript isn't bundled with Mozilla browsers on Hyperbola, disabling JavaScript in the settigns should be activated by default in order to protect users from running non-free JavaScript by mistake.

9

Re: questions regarding Iceweasel-UXP

aloniv wrote:

As long as NoScript isn't bundled with Mozilla browsers on Hyperbola, disabling JavaScript in the settigns should be activated by default in order to protect users from running non-free JavaScript by mistake.

if thats the idea, just bundle librejs.

if youre going to disable js completely, hopefully the page it loads at start tells you how to go to about:config and turn js on. i get the libre aspect, but dont take a shortcut that kills usability. just bundle librejs. it will also have the outcome you want, but in a better way. the startpage-with-instructions for turning js on is also acceptable.

10

Re: questions regarding Iceweasel-UXP

LibreJS isn't compatible with Iceape (as far as I know) and also is resource intensive rendering Iceweasel unusable.

Hyperbola can provide a list of about:config flags that the developers chose to set for freedom or privacy purposes which the users can easily modify.

11

Re: questions regarding Iceweasel-UXP

aloniv wrote:

and also is resource intensive rendering Iceweasel unusable.

well there i agree, fsvo of unusuable on some machines.