[conspire] (forw) Re: [Lug-nuts] On the two post-2016 Firefox apocalypses (was: Firefox and Frys)
Rick Moen
rick at linuxmafia.com
Sun Sep 15 15:26:48 PDT 2019
Man, I just love entitled people who think the naturmeasure of my
public-benefiting postings to community mailing lists is the immediate
utility of those postings to their personal problems.
----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
Date: Sun, 15 Sep 2019 07:42:46 -0700
From: Rick Moen <rick at linuxmafia.com>
To: lug-nuts at saclug.org
Subject: [Lug-nuts] On the two post-2016 Firefox apocalypses (was: Firefox
and Frys)
Organization: If you lived here, you'd be $HOME already.
I wrote:
> Quoting Gary McGlinn (saclug at garymcglinn.com):
>
> > I get the impression both the Firefox browser and Frys are on the way out.
>
> I'm going to disregard the matter of Firefox.
OK, I'm over the disregarding, but needed to take my time on this, Gary.
You wrote (the context being Raspbian and other RPi builds):
> I used the package manager to install firefox-esr, which is what's
> provided by the distro, to pick up any possibly missing libraries. I
> was then going to go to the Mozilla site. Well, I used chrome to go
> to the site while firefox was downloading. I got stuck in an endless
> loop trying to get to the download link. That can't be good. After I
> installed Firefox with the package manager, I was at the site when the
> browser opened, as normal.
So far, using the package manager, which is the right way to maintain
software on Linux. On Raspbian, I'm pretty sure that's the apt stack.
> I clicked on the "Upgrade Firefox" button and it told me to go through
> the help item on the browser. Fair enough.
Er, eh? So, you decided to ignore the system package manager and try to
get the program to upgrade itself, ignoring package management? This is
a minor point compared to the big one I'm building up to, but I'm
calling it out to say this was unwise to try (and why).
> But version 52, esr that rPi uses, doesn't have the upgrade option
^^^^^^^^^^^^^^^
> under help. Bottom line: I can't get a new version to upgrade to.
Ah, I'm betting you hadn't heard the big Firefox news of the last few
years, and are unaware of what is very distinctive about Firefox ESR 52.
And this is very likely intimately involved in why you are perceiving
a lack of a current Firefox ESR upgrade path. (Disclaimer: I lack
RPi/Raspbian-specific knowledge.) The last clue was this, when you
mentioned Greasemonkey, one of the great XUL extensions:
> Are there any other browsers out there that you can build from source
> that have as many add ons and features as Firefox? Things like Grease
> Monkey.
And so I arrive at my point. I've just now finished updating my 'Are
there any good Linux Web browsers?' FAQ
(http://linuxmafia.com/~rick/faq/kicking.html#linuxbrowser), and here's
the relevant excerpt:
This paragraph used to simply state that I used Firefox with a small
list of recommended XUL-type extensions (User Agent Switcher[1], BugMeNot[2]
that is now vanished and I was looking at alternatives[3], Firebug[4],
Adblock Plus[5] with EasyList and EasyPrivacy[6] subscriptions albeit
I was considering uMatrix or uBlock Origin, NoScript[7], OptimizeGoogle[8]
but that unfortunately was orphaned in 2012 so works less well[9],
RequestPolicy[10], HTTPS Everywhere[11], and Beef Taco[12]) — and was
happy with it.
_Unfortunately, mid-2016 brought the first of two apocalyptic changes to
Firefox._ First, starting with Firefox 48 on 2016-08-02, Firefox (Release
Edition and Beta) refuses to run any extension not cryptographically
signed by Mozilla, Inc. at AMO.[13] For the time being, this restriction
can be skirted by running Firefox ESR, Developer Edition, nightly, and
unbranded builds, and setting preference "xpinstall.signatures.required"
to "False" in about:config.
Most observers appear to have been unbothered by this change (and
Mozilla, Inc. produced a list of justifications), but I was and am
very concerned: An open-source application where I cannot decide for
myself what ancillary code I'm permitted to run, but need sign-off by
a corporation operating the codebase as a walled garden, isn't really
open source. Code-signing is fine and laudable — _provided_ I am
allowed to have my own signing key in the approval keyring, and Mozilla
doesn't allow that. (Of course, a small persistent third-party fork
could fix this and other problems, but we'll get to forks below.)
The greater apocalypse, that got many people's backs up, was Firefox
totally dropping, starting with the newly redesigned Firefox 57 (aka
Firefox Quantum) on 2017-11-14 and later versions, support for all
XUL extensions and the related XPCOM object framework, replacing
XUL/XPCOM with the greatly less capable WebExtensions API. Again, Mozilla,
Inc. articulated its reasons (and there are advantages).
XUL/XPCOM support continued in Firefox ESR through version 52 on
2017-03-07. Support for ESR 52.x was EOLed on 2018-09-05, and all
(thousands of) XUL extensions were removed from AMO.[14] All but a
pittance of those efforts will never reappear as WebExtensions (and most
inherently cannot). Since Sept. 2018, it's been possible to use XUL
extensions in Firefox-branded browsers only by using an unsupported, old
version — not recommended.
Some are OK with Firefox 57+ (with its mandatory corporate signing of
reduced-functionality WebExtensions) or Firefox ESR 53+, some
emphatically are not.[15] I'm watching this situation, and for now
have moved sideways to forks of the XUL-supporting Firefox pre-57
codebase, of which there are several: Pale Moon[16], Basilisk[17],
Waterfox[18], Iceweasel-UXP[19], Iceape-UXP[20], and Borealis
Navigator[21] (unfinished at this writing).
[1] http://chrispederick.com/work/useragentswitcher/
[2] http://bugmenot.mozdev.org/
[3] http://linuxmafia.com/pipermail/conspire/2016-August/008537.html
[4] https://getfirebug.com/
[5] http://adblockplus.org/en/
[6] http://easylist.adblockplus.org/
[7] http://www.noscript.net/
[8] https://sourceforge.net/projects/optimizegoogle/
[9] http://forums.mozillazine.org/viewtopic.php?f=19&t=2263049
[10] https://www.requestpolicy.com/
[11] https://www.eff.org/https-everywhere
[12] http://jmhobbs.github.com/beef-taco/
[13] https://addons.mozilla.org/
[14] https://addons.mozilla.org/
[15] https://www.downthemall.org/re-downthemall-and-webextensions-or-why-why-i-am-done-with-mozilla/
[16] https://www.palemoon.org/
[17] https://www.waterfox.net/
[18] https://www.basilisk-browser.org/
[19] https://wiki.hyperbola.info/doku.php?id=en:project:iceweasel-uxp
[20] https://wiki.hyperbola.info/doku.php?id=en:project:iceape-uxp
[21] http://binaryoutcast.com/projects/borealis/
So, if my guess is correct, you were unaware of the reason for the odd
blockage at Firefox ESR 52. I believe it's all part of the Firefox
apocalypse that I gather you perhaps hadn't heard about before now.
Anyway, I hope the above is useful in at least explaining this
unfortunate situation, and suggest some possible ways forward.
If I had to pick one specific place to start; Pale Moon.
https://www.palemoon.org/contributed-builds.shtml
https://forum.palemoon.org/viewtopic.php?f=40&t=10050&sid=36ba924675e03979c023d4fd048b8f4b&start=20
But...
You didn't say _what_ RPi, and the cross-compilation target differs
significantly depending on the chip. And, of course, most RPi SoCs
have pretty thin RAM, so that might be highly relevant about what
browser is worth even trying to run/build. My FAQ page includes (in the
text _not_ quoted above) a list of all known Linux Web browsers
including a number of minimalistic ones.
Have fun!
--
Cheers, "I am a member of a civilization (IAAMOAC). Step back
Rick Moen from anger. Study how awful our ancestors had it, yet
rick at linuxmafia.com they struggled to get you here. Repay them by appreciating
McQ! (4x80) the civilization you inherited." -- David Brin
_______________________________________________
Lug-nuts mailing list
Lug-nuts at saclug.org
http://lists.saclug.org/cgi-bin/mailman/listinfo/lug-nuts
----- End forwarded message -----
----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
Date: Sun, 15 Sep 2019 13:04:36 -0700
From: Rick Moen <rick at linuxmafia.com>
To: lug-nuts at saclug.org
Subject: Re: [Lug-nuts] On the two post-2016 Firefox apocalypses (was:
Firefox and Frys)
Organization: If you lived here, you'd be $HOME already.
Quoting Gary (saclug at garymcglinn.com):
> Thanks Rick, this is good info.
Well, that's certainly deucedly lucky for me, given that I've FAQed it. ;->
> I had heard some rumblings about "add ons", but didn't really know the story.
Yeah, I guessed you really had no idea. But, after all, any given thing
is new to at least 10,000 people a day. (https://www.xkcd.com/1053/)
> I would sort of like to use the same browser everywhere: phone,
> desktop, rPi.
Personally, I would sort of like a Caterham.
(https://en.m.wikipedia.org/wiki/Caterham_Cars) That's what comes on
imprinting on Patrick McGoohan's Lotus Seven series II in 'The Prisoner'
when I was a lad
(http://www.theprisoneronline.com/the-prisoner-1967/news-archive/the-car-kar-120c)
Prisoner: What's the number of that car?
She steps back onto the doorstep and regards him with mild amusement.
Lady: Terribly interesting.
Prisoner: K-A-R, a hundred and twenty C. What's the engine number?
Lady: Do tell me.
Prisoner: 461034TZ.
Lady: Marvellous.
Prisoner: I know every nut and bolt and cog. I built it with my own
hands.
Lady: Then you're just the man I want to see. I've been having a good
deal of overheating in traffic. Perhaps you'd care to advise me.
(https://pospapendix.blogspot.com/2009/01/prisoner-episode-seven.html)
> I went to Discover's website from my desktop and they hard walled me
> out because I was running Firefox 58.something.
I'm mystified about what, if anything, your phrase 'hard walled me out'
means. Does this mean your browser's User-Agent string wasn't on an
approved list? If that's a possibility, have you tried using something
like the User Agent Switcher XUL extension I just got through posting
about upthread to make your browser use a User-Agent identity of your
choosing?
As an aside, one of the worst obstacles to giving people including LUG
members technical help is their attraction for providing ad-hoc
hypotheses where what is needed is raw diagnostic data. The phrase
'hard walled me out' seems to be a case in point.
Maybe, just maybe, what you've been needing all along is the ability to
set User-Agent to suit.
> I had to upgrade to current, which I think is 69.something.
See, there you go with an ad-hoc hypothesis, again. You _surmised_ that
you had to upgrade to current. You _chose_ to upgrade to current. It's
far less clear that you had to upgrade to current.
> Since my last note, from my rPi [...]
I'll mention for the second time that you haven't bothered to say what
RPi model (with how much RAM). Rational choice of Web browser differs a
lot depending on model, not to mention the cross-compilation details,
and SacLUG members might be able to give you a lot better help if you
provide relevant data.
> Turns out the rPi runs a 32 bit OS.
It's actually (as you acknowledge) a good bit more complicated than
that. Prior to the RPI 3 series, the (earlier) models used 32-bit ARM
CPUs.
The Raspbian distribution has so far been available (only) compiled
32-bit. There are some other RPi-specific distros available in pure
64-bit that thus (obviously) can run only on 3 series and 4 series.
Mind-numbing amounts of detail about this situation can be gleaned from
https://raspberrypi.stackexchange.com/ .
> But I Googled and AFAICT, version 52, ESR is the best you can do on an
> rPi on Raspian.
If you mean 'Nothing beyond 52 is available as a prepackaged binary deb
of Firefox ESR for Raspbian', you are probably correct. If you mean
it's the best browser possible on Raspbian, you are probably incorrect
(bearing in mind that 'best' can easily be a matter of opinion).
> This all started with this whole 2 factor authentication kick that
> is going around, I'm trying to figure out how to handle that.
Well, for the record, 2FA via SMS is a security joke, and a truly
terrible idea.
https://www.jwz.org/blog/2018/07/two-factor-auth-and-sms-hijacking/
https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
https://www.howtogeek.com/310418/why-you-shouldnt-use-sms-for-two-factor-authentication/
https://www.makeuseof.com/tag/two-factor-authentication-sms-apps/
https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/
> This whole internet thing is sort of going in a direction I'm not too
> fond of.
Same old, same old.
Remember 'This site optimized for use with $FOO'? Remember Front Page?
Macromedia Flash?
> Then there is the IoT disaster.
ITYM 'Then there is the Internet of Pwned Things disaster.'
_______________________________________________
Lug-nuts mailing list
Lug-nuts at saclug.org
http://lists.saclug.org/cgi-bin/mailman/listinfo/lug-nuts
----- End forwarded message -----
More information about the conspire
mailing list