[conspire] So, CABAL, eh? Saturday the 12th, eh? 4pm, eh?
Rick Moen
rick at linuxmafia.com
Fri Dec 11 15:41:41 PST 2020
Quoting Paul Zander (paulz at ieee.org):
> When we are not laughing at the crazy legal antics, I have a couple
> questions about web browsers. By this email, Rick and others have
> time to think about the subjects. I can wait until Saturday for a
> discussion.
Cool!
> Normally I don't pay much attention to the browser as long as the
> Mozilla offering works. However: 1) What became of IceWeasel and
> siblings?
Aw, man, Debian killed that project as no longer needed, only something
a year before it became again (IMO) needed. (For present discussion,
I'm concentrating on specifically Iceweasel, and ignoring your qualifier
of 'and siblings' for the time being.)
The launch of Iceweasel in 2006 as a persistent fork that closely
tracked Firefox was Debian developers' logical response to Mozilla
Corporation being asshats. Mozilla had become more and more tight-ass
about wanting all third-party changes to the codebase to be cleared with
them before release. This was a problem for Debian Project because they
had a legitimate need to quickly apply security fixes to the .deb
packages, without long delays for corporate blessing. At some point in
2006, Mozilla Corporation became insistent, and said third parties
henceforth may not issue modified code without company clearance, _or_
they would be deemed to violate Mozilla Corporation's trademark rights.
Important point to be noted: Trademark is a limited monopoly based on
brand identity (or 'impression'), the perception that a product is
_your_ product with a particular name and styling, as distinct from
someone else's product. The obvious way to do an end-run around a
trademark stakeholder that is being an asshat about its open source
codebase is to use a different name, and different styling / logo. Thus,
Debian Project did the standard hackish thing and did wordplay on the
name 'Firefox' to produce something distant enough in meaning to be
distinct from 'Firefox' but invoking it in a
this-name-is-totally-not-Firefox way -- and designed artwork and styling
(logo, etc.) to accompany the name.
The Iceweasel browser was maintained for ten years as a _very_ close
fork of Firefox. I doubt there were ever significant differences other
than branding (though I might have missed something).
This same idiocy likewise drove Debian Project to rebrand Mozilla
Thunderbird as 'Icedove'. Mozilla Sunbird (the now-discontinued
scheduling/calendar software that could deal with iCal files) became
Iceowl. Mozilla SeaMonkey (later spun off from Mozilla) became Iceape.
For better or worse, Mozilla Corporation realised in 2016 that they had
succeeded in looking stupid and gotten nothing for it, and relented on
the dumbtastic trademark policy.
https://www.pcworld.com/article/3036509/iceweasel-will-be-renamed-firefox-as-relations-between-debian-and-mozilla-thaw.html
Mozilla, Thunderbird, SeaMonkey, and Sunbird (until it was EOLed) then
came back into Debian Project under their more-familiar names, and
Debian ceased to maintain Iceweasel, Icedove, Iceowl, and Iceape as
(theoretically) distinct codebases, as of Feb. 2017.
Debian Project dropped all of the Ice* branding. So, Iceweasel and kin
ceased to exist. More recently, however, a distro named Hyperbola GNU
Linux-libre has revived the names -- as Iceweasel-UXP, Iceape-UXP,
Icedove-UXP. (There is no Iceowl-UXP because the Sunbird-based code
is too moldy.)
Iceweasel-UXP, the Web browser, is one of the several efforts to keep
the traditional Firefox support (through Firefox v. 52) for XUL
extensions, the related XPCOM object framework, and NPAPI plug-ins
alive.
{sigh} OK, more back-story.
Firefox used to rely on a rendering engine named Gecko, and the main
point of Gecko, even though it was only passable as a rendering and
Javascript engine, was its support for XUL/XPCOM, ergo the very large
variety of extensions. _Also_ lots of other things are actually XUL
extensions. The aforementioned Sunbird app was in XUL. Thunderbird,
the mail application, was and still is in XUL (and runs atop an
embedded instance of Gecko). A lot of the attraction of Firefox at all
was things in XUL.
Mozilla Corporation decided by 2016 that, in their opinion, the entire
Gecko superstructure was a dead end and had to go. Unfortunately, that
would also mean all XUL extensions for Firefox would also be killed off.
Mozilla proposed, and eventually switched over to, a new rendering
engine named Quantum, which dropped XUL & XPCOM entirely. And Quantum
was actually a transitional project, to move over to a _third_ rendering
engine, called Servo, written from scratch in Mozilla's new Rust
programming language.
Disclaimer: Above is not entirely right (or at least murky), as Mozilla
Corp. claims that Gecko still exists, and that it and Quantum are all
pieces and conglomerations, and both they and other places including the
Wikipedia page cited below claim Firefox is still Gecko-based, but _you_
can sort it out if you care.
Main point is: XUL extensions got dropped from Firefox ESR after
version 52 on 2017-03-07. It was dropped even earlier on the non-ESR
browser codebase. And _that_ was what got people up in arms. Mozilla Corp.
offered a far-less-capable substitute for XUL/XPCOM called
WebExtensions: Extension-writers could, if they wished, start over from
scratch and re-code _some_ of their extensions in WebExtensions --
though many things XUL/XPCOM used to be able to do were now off-limits.
Why were they off-limits? Mozilla Corp. claimed -- and they're probably
right -- that XUL/XPCOM was too featureful. Any extension could clobber
the browser instance, and the interface prevented isolation of
tabs/instances into separate processes for greater stability. Thus (in
part) the changes.
I personally felt the critics underreacted to the _earlier_ change.
Starting with Firefox 48 on 2016-08-02, Firefox refuses to run any
extension not cryptographically signed by Mozilla, Inc. (There has been
a temporary workaround by running the ESR or developer or nightly or
unbranded builds and doing fiddly things in about:config to un-break
ability to run your own choice of extensions, but the writing was on the
wall.)
IMO, if you cannot run code without someone else's permission, then it's
not open source. Thus, IMO, not only was Debian's EOLing of Iceweasel
untimely, but Debian Project _should_ have reacted to the Firefox
changes of mid-2016 by making iceweasel a hard fork.
That's easy for _me_ to say, of course. Maintaining a full-featured Web
browser is a ton of work, and the pre-2017 Ice* packages were just
Mozilla packages with serial numbers filed off to work around the
trademark idiocy.
Anyway, a number of projects that still want XUL are trying to separately
maintain any of a variety of hard forks of the Mozilla Firefox ESR version
52 codebase from early 2017. I'm not convinced this is a really good
idea over the long term -- but it's a real dilemma.
Several years ago, I rewrote
http://linuxmafia.com/~rick/faq/kicking.html#linuxbrowser to try to
document the state of the resulting chaos. You'll notice that the
narrative recommends a bunch of particular XUL extensions -- and then
there are paragraphs that basically say '...but you may be running a
pre-57 release of Firefox ESR that cannot run any of those.'
The coverage on that page lists all Linux Web browsers I know of.
It doesn't include updated recommendations, because, gosh, I'm not
sure where I'd recommend people jump in 2020.
So, in short, if you'll be looking for 'Dude, run browser $FOO',
I'll not be dispensing that -- but I do have a handy Web page that
cites all known candidates, so in theory you could use that as a
jumping-off point for looking through them.
This page's taxonomy of browsers based on rendering engine is IMO
also useful just to get the lay of the land:
https://en.wikipedia.org/wiki/List_of_web_browsers
The page is not, however, exhaustive, in that some small Web browsers
for Linux that my page links to are not chronicled on the Wikipedia
page.
> 2) Regarding certificates of websites, my first awareness was when I
> was being warned that my personal info might not be secure. It was
> common to get this warning even from places that were not selling
> anything or asking for any of my info. I found it a mixture of
> puzzling and amusing. From an earlier item, I understand that even
> now that certs are not especially robust or secure and continue to
> cause problems for people with websites that are not an ecommerce
> business.
Obligatory lexicon quotation:
http://linuxmafia.com/~rick/lexicon.html#moenslaw-security4
Moen's Fourth Law of Security
The way most people use the word, "secure" has exactly the same
semantic value as "minty fresh" (i.e., none at all).
The concept of something being "secure" or not is nonsensical:
Realistically, security is a heuristic estimate of probable exposure to
particular risks within a particular threat model. (Secure against what?
With what configuration? Under what operating conditions and with what
usage modes?) Therefore, you cannot speak meaningfully about security
without a proper understanding of the software/hardware and situations,
and the underlying threat model.
Even then, the concept is probabilistic, and relative. People who talk
about something being "secure" or not as an absolute property are
selling something, are seeking implied permission to turn their brains
off, or both.
(The word is sometimes used as a synonym for "encrypted", e.g., in
"secure HTTP": That is a bad habit, as the usage hides assumptions about
integrity of the endpoints, crypto implementation, and authentication
that may be unjustified.)