by 4oh9do 1457 days ago
My concerns with ostensibly privacy-focused Firefox forks:

* Needing to constantly monitor whether the fork is being actively maintained, or if it's a vanity project which abruptly stops/slows down updates when its owner/principal contributors lose interest.

* Needing to constantly monitor if the fork is using the latest official Firefox builds to make sure that it's also getting the latest security updates.

* Not being readily able to see a complete humanly understandable (meaning not just comparing git versions) list of changes that the fork makes to the official build.

* Not knowing the reputation of the developers behind the fork.

In sum, I basically trust Mozilla more than I do $random_fork_developer, so I use the official build and carry out my own tweaks, but I am always on the lookout for more tweaks, which is why I'd appreciate it if the lists of privacy tweaks that custom builds make were shared more transparently.


At Netflix, I went down the rabbit hole of package management. We were working on a distributed build system that allowed you to compose immutable builds of ecosystem independent artifacts. After working in that space, and reading the last few decades of LISA papers, I’m fairly confident our industry has gotten package management horribly wrong - and I think your comment cuts right to why.

The two closest build systems I’ve seen to getting it right: Nix (closest) and FreeBSD ports.

I’ll use the i3 window manager as an example. There are plenty of forks of i3 out there (example: adding space between windows, rounded corners, i3bar mods, etc). They’re each packaged and published as separate packages! You can’t compose them even though many of their changes are compatible. This leads to packages like i3-gaps-rounded.

What I really want out of a package manager is “patch support” - where I can publish, discover, share, and consume patches on top of the OSS I use.

Nix gets really close to this. I haven’t invested enough time in learning Nix yet, but it’s on my bucket list. Currently I use FreeBSD and use their ports collection for i3, and put all of my patches in the patch directory there. FreeBSD will apply the patches in order and then build the package for me.

I’m not sure exactly where I’m going with this rant beyond: I wish OSS package management adopted less of a producer-consumer relationship and more of a peer relationship when it comes to source code management and builds.

Gentoo's portage (which is based on FreeBSD ports to some extent!) also allows patches like this! You just put the patches in /etc/portage/patches/$cat/$pkg(-$ver|:$slot) and it applies them automatically for you! It's also really easy to take an ebuild from the Gentoo repo and modify it however you want!

I would definitely recommend giving Gentoo a spin!

The nightmare scenario which we may be hitting? Firefox (which I've always loved and used) may be institutionally so used to surviving how it can by compromising that it loses its way?

I wasn't that much concerned with it until recently. I got into the idea of the whole "website as app" thing (specifically, client-side you turn a website into a self-contained app, with or without the "sites" permission) -- and to find that Firefox had dropped this is disappointing because it feels well within Firefox's mission.

FWIW, presently I'm solving this through GNOME's Epiphany.

Yes, this is a really unfortunate missing piece of functionality for Firefox. I’m currently solving this through Microsoft Edge, but it’s pretty janky (external links open in Edge, so I need to copy and paste them into Firefox).

>Not being readily able to see a complete humanly understandable (meaning not just comparing git versions) list of changes that the fork makes to the official build.

I feel like this is a common thing with forks and alternatives; they usually have a basic list of big differences (like Librewolf saying it's more private).

But I'd like to know how they do that. Are they blocking more cookies? Are they making the browser harder to fingerprint? What am I giving up vs Firefox (i.e. sites breaking, or missing features like sync)?
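One way to get the humanly readable list of changes the comment above asks for is to diff the pref files (user.js or the autoconfig .cfg a fork ships) rather than the git trees. The script below is an added example, not code from this thread or from any fork; the two pref files it compares are constructed samples, not real Firefox or LibreWolf configuration.

```python
import re
# Matches pref lines in user.js / autoconfig files, e.g.
#   user_pref("privacy.resistFingerprinting", true);
# pref/defaultPref/lockPref are the forms autoconfig .cfg files use.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|defaultPref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$'
)

def parse_prefs(text):
    """Return {pref_name: raw_value}; a later assignment overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)  # comment and blank lines simply do not match
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def diff_prefs(base, fork):
    """Differences from the fork's point of view: prefs it adds, drops and overrides."""
    added = sorted(k for k in fork if k not in base)
    removed = sorted(k for k in base if k not in fork)
    changed = sorted((k, base[k], fork[k])
                     for k in fork if k in base and fork[k] != base[k])
    return {"added": added, "removed": removed, "changed": changed}

def report(base, fork):
    """Human-readable summary, one line per differing pref."""
    d = diff_prefs(base, fork)
    lines = [f"CHANGED {k}: {old} -> {new}" for k, old, new in d["changed"]]
    lines += [f"ADDED   {k} = {fork[k]}" for k in d["added"]]
    lines += [f"REMOVED {k} (upstream sets {base[k]})" for k in d["removed"]]
    return "\n".join(lines)

# Constructed sample inputs; not real Firefox or LibreWolf pref files.
UPSTREAM_PREFS = """\
user_pref("privacy.resistFingerprinting", false);
user_pref("network.cookie.cookieBehavior", 5);
user_pref("services.sync.enabled", true);
user_pref("browser.safebrowsing.malware.enabled", true);
"""
FORK_PREFS = """\
// constructed sample: what a privacy-focused fork might ship
user_pref("privacy.resistFingerprinting", true);
user_pref("network.cookie.cookieBehavior", 5);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("privacy.clearOnShutdown.cookies", true);
"""

if __name__ == "__main__":
    print(report(parse_prefs(UPSTREAM_PREFS), parse_prefs(FORK_PREFS)))
```

Run against a real upstream prefs dump and a fork's shipped pref file, the REMOVED and CHANGED lines are exactly the "what am I giving up" list: a dropped sync pref or a disabled Safe Browsing check shows up by name rather than being buried in a commit log.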

Your concerns are valid but from the article:

> Firefox security patches are applied to prevent vulnerabilities

You are right about the reputation of the maintainers of LW though. The second this becomes abandonware I will ditch it.

> Firefox security patches are applied to prevent vulnerabilities

Sure, but at what rate? If Mozilla releases a critical patch today, and the core maintainer responsible for build maintenance is away on vacation for two weeks, what happens?

That's the main problem behind FOSS; they are not incentivized to be 100% dedicated to the project. Their FOSS projects are a labour of love, not a labour of money.

You say it is a problem with FOSS projects. Isn't it more a problem with hobby projects? Some FOSS projects are hobby projects, others are not. As showcased by the fact that Firefox itself is a FOSS project.

Timely maintenance is also problematic with hobby closed-source projects or hobby apps on closed platforms, like iOS and Android.

>You say it is a problem with FOSS projects. Isn't it more a problem with hobby projects? Some FOSS projects are hobby projects, others are not. As showcased by the fact that Firefox itself is a FOSS project.

Mozilla gets paid $500m a year by Google so that Google can be the default search engine on Firefox. They have the money that keeps them "incentivized" although they are FOSS and nonprofit. Or in other words, GitLab and GitHub FOSS devs do not have salaries like Mozilla people do; the only thing they get is an occasional donation.

Valid point.

One aspect of these forks that never gets mentioned:

It's great when a fork ensures that it is always taking security patches from upstream. But what about the code unique to the fork? Is that new code following the same security practices as the upstream project? Are enough eyeballs poking at it to get it the same security scrutiny as upstream?

Open source is not safe by default. Read this: https://lwn.net/Articles/846272/

Mind sharing your tweaks? :) I have a list but not so extensive.