by alexmcc81 1695 days ago
Once I would have used this, but I just can't bring myself to trust forks by small or unknown teams. We trust browsers with passwords to everything in our lives, like our bank details. The FAQ doesn't even cover who created LibreWolf. Why should I trust them?

Even if I do trust the developers, are they really capable of keeping a modern complex browser secure in the hostile environment of today's internet? It has millions of lines of code in multiple languages with a history going back 2 decades. I can't find:

- who is responsible for the project security

- their CVE policies

- policies for backporting Firefox patches etc.

- update schedules

They also removed the auto-updater which is critical to ensuring browsers get the latest patches.

I'm really skeptical about the (undocumented) "hundreds of privacy/security/performance settings and patches" they claim to have implemented. What exactly cannot be achieved through settings and addons?


What I'd like to see is a Firefox (and Chromium) fork with

- automatic builds and uploads via GitHub/GitLab CI (or similar) from a well-commented build script

- all the knobs for reproducible builds set up, so anyone can fork the repo, run the CI themselves, and see that it's bit-for-bit the same thing

- an automatic merge or rebase of the latest stable release tag, and the result of that merge being plugged into automatic updates

- an automatic merge or rebase of the latest beta tag (or even nightly), and some form of alerting if the build fails

- perhaps some Selenium + Wireshark automation to see what requests happen and make sure there are no unexpected ones

And, actually, it seems like LibreWolf is on the way there. https://gitlab.com/librewolf-community/browser/common has a decently-well-commented build script that grabs the latest tarball from Mozilla and builds on top of it and even supports building on nightly, and their documentation (https://librewolf-community.gitlab.io/docs/) mentions that as well. But I don't see where it is run / who runs it, and what they do if the build fails.

(Honestly it seems like setting up the release automation and alerting is a substantial project in itself.)

I see Brave are interested [1] in reproducible builds but it's not implemented yet. [2] I'm not sure if their CI artifacts are public or not.

[1] https://brave.com/building-brave/ [2] https://github.com/brave/brave-browser/issues/5830
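The "Selenium + Wireshark automation to see what requests happen and make sure there are no unexpected ones" item above is the kind of check a fork's CI could run. The following is an added example, not code from the thread or from LibreWolf, showing the comparison half of that idea: hostnames reported by a capture tool for a fresh profile session are matched against an expected-hosts list, and anything outside it is flagged. The capture lines and allowlist are constructed sample data; a real list would come from the fork's documented endpoints.

```python
"""Flag observed outbound hosts that are not on an expected-hosts list."""
from typing import Iterable

# Constructed sample: "src\thost" lines, as a tshark `-T fields` export of
# DNS queries or TLS SNI values from a fresh-profile browser session might look.
SAMPLE_CAPTURE = """\
10.0.0.5\tdetectportal.firefox.com
10.0.0.5\tfirefox.settings.services.mozilla.com
10.0.0.5\tcontent-signature-2.cdn.mozilla.net
10.0.0.5\ttelemetry.example-tracker.invalid
10.0.0.5\tupdates.fork.example
"""

# Constructed allowlist: exact hosts, plus ".suffix" entries that cover any
# subdomain under that suffix (and the bare suffix itself).
EXPECTED_HOSTS = {
    "detectportal.firefox.com",
    ".services.mozilla.com",
    ".cdn.mozilla.net",
}


def parse_hosts(capture: str) -> list[str]:
    """Extract the hostname column (second tab-separated field), lower-cased."""
    hosts = []
    for line in capture.splitlines():
        parts = line.split("\t")
        if len(parts) >= 2 and parts[1].strip():
            hosts.append(parts[1].strip().lower())
    return hosts


def is_expected(host: str, allowlist: Iterable[str]) -> bool:
    """True if host equals an exact entry or sits under a '.suffix' entry.

    The suffix test keeps the leading dot, so "evilservices.mozilla.com"
    does not match ".services.mozilla.com".
    """
    for entry in allowlist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def unexpected_hosts(capture: str, allowlist: Iterable[str]) -> list[str]:
    """Hosts not covered by the allowlist, deduplicated, in first-seen order."""
    seen, flagged = set(), []
    for host in parse_hosts(capture):
        if host not in seen and not is_expected(host, allowlist):
            seen.add(host)
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for h in unexpected_hosts(SAMPLE_CAPTURE, EXPECTED_HOSTS):
        print("unexpected:", h)
```

In CI the same function would take the real export instead of the sample and fail the job when the returned list is non-empty.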

This is relevant to my interests (less the reproducible builds part, but very much the "well-commented CI script" part), and for a frame of reference I have successfully built the last couple of Brave tags because I'm persistent that way. But I haven't put it in my CI yet because they appear to clone *the whole Chromium* repo courtesy of depot_tools & gclient, making the caching story very bad as that git repo is twenty-two gigs (not the checkout, mind you, I mean the git repo).

Plus, the build takes several hours on my Ubuntu machine, so it's unknown what the CI job timeout is or how beefy the runners need to be in order to not OOM a monster C++ linker.

I want to be careful with this commentary, because it's just my opinion as an outsider, and ultimately it's their project. But I struggle mightily with the decision tree that led one to have a home-grown build system written in npm that shells out to depot_tools, gclient, a bunch of manual git clones (although there are some git submodules, too), then a ... fascinating ... manual patching system layered on top of it all. I'm glad it works for them, but it makes wading in by the casual user incredibly hard.

Compare that to mozbuild (and its new "mach" friend), which as best I can tell is Python all the way down, and since their CI system is also open source, one can very easily crib enough config files to build it locally.

A lot of those forks don't even bother with CI: in some of them, one of the first commits is to remove all the tests.

I feel the same as you. It is great that there are other variants, but at the same time we already have more than 6 FF variants and they are behind with security patches and updates. I recall that Waterfox and Pale Moon are quite a few versions behind Firefox.

It would be nice to have an FF variant that is capable of being on an equal footing with Firefox, like Chrome, Brave & Vivaldi. For a Firefox variant, I can't think of one that has an equal footing.

Something like Vivaldi but using FF as a base would be _wonderful_.