It's just a custom build of the latest Firefox version with some patches applied.
Everything is very well documented and you can build it by yourself, there is no need to trust "some new devs who may have good intentions"
Sure, I could review the source code. And then review it again next week when a change is released. I don’t want to have to though.
Trust matters.
I don’t trust Mozilla not to push ads, but I do trust them not to build in intentional backdoors and steal my personal data, because there’s a whole public organization there, with a reputation and responsibilities and heads that will roll if they are caught doing nefarious things.
You might ask why I trust thousands of other open source community led projects? Largely because they have built rep and get at least a minimal vetting via distro package management.
I’m not saying this fork is malware. But I don’t know it isn’t, and the browser is the #1 critical component that handles all my most sensitive data.
Doesn’t help if the exfiltration only occurs monthly and you only monitored for a week, or if there’s something locally malicious, or if side channels are involved, or if it’s manipulating data sent to legitimate sites (e.g. instructions to your bank, while logged in as you).
Quite right that these concerns apply to any software, but they are significantly mitigated by sourcing software from organizations you trust.
There’s no way I would be able to spot the operation of malware-masquerading-as-browser without committing totally to a forensic examination of every system call it makes. Imagine how much attention you’d have to pay to stop it capturing your bank credentials and then making transactions in an invisible tab (the browser doesn’t have to render a site in order to interact with it).
To echo a sibling comment, I think you may be discounting the time and effort it would take to monitor every change made and the ripple effects of each change.
One of the key pieces of open source is the larger a project, the more people will be incentivized to monitor the code for malicious changes. This distributes the burden to a much much larger pool therefore minimizing the burden to single nodes across the board.
Is it perfect? No, absolutely not. Do malicious or unintentional bugs slip through? Sure. But when it comes to scaled out projects, nothing is perfect and never will be. I certainly trust a large open project with years of reputation built up and a large user base significantly more than a large closed source project or large and open with no reputation.
There are of course valid criticisms of this model but I’ve yet to see an alternative put forward that isn’t fraught with its own issues.
I do find it strange how over the past few years we’ve seen a number of people who engage in a whiplash type behavior where they see minor problems with a model so they whiplash away into a far worse model with far more serious problems.
Providing you actually review the code and not just trust it because the code is there. Reviewing (a fork of) Firefox sounds like a big job, if can be done at all. Being a Firefox fanatic does not magically make you a rust programmer
Trust matters.
I don’t trust Mozilla not to push ads, but I do trust them not to build in intentional backdoors and steal my personal data, because there’s a whole public organization there, with a reputation and responsibilities and heads that will roll if they are caught doing nefarious things.
You might ask why I trust thousands of other open source community led projects? Largely because they have built rep and get at least a minimal vetting via distro package management.
I’m not saying this fork is malware. But I don’t know it isn’t, and the browser is the #1 critical component that handles all my most sensitive data.