by bernds74 479 days ago
How do we actually know these browser forks don't contain malware of their own? If you can hide something in a tiny package like xz-utils... and a browser would seem to be a very juicy target.
2 comments

That's the neat part: you don't.

I mean sure, there can be audits, 3rd party assurances, long histories without incidents, you can even check the code yourself.

But do you trust any of those completely to know what they're doing, not be compromised, to have actually done a thorough and total deep dive, and not missed anything (for example, something hidden in a tiny package like xz-utils) in the vast expanse of a codebase that is a modern browser? You shouldn't. In a small (<1000 LoC) codebase maybe, but a large one? It's not feasible. Therefore...

> How do we actually know these browser forks don't contain malware of their own

You don't know, because you can't know, especially if you expand that beyond just malware, but also include dark patterns, back doors, and privacy-disrespecting gems. So it becomes a matter of faith. Who do you trust more? The ones advocating for your privacy, or the ones removing such commitments from their website in light of a new ToS that has many people rightfully in an uproar?

These days, for projects of sufficient size/use, on a long enough timeframe, a project either dies or becomes enshittified. The key is to find that stage of a project's/product's life where you maximize usefulness and minimize enshittification. That's not to slander Waterfox, or any other project, but simply to assert that ultimately, there is rarely if ever a perfect solution that can be fully trusted.

Source: Trust me bro, I'm on the internet. No one ever lies on the internet.

Possible, but Waterfox has been out there long enough that I'd think someone would have picked up on it by now. Especially with it being marketed as a more secure Firefox.

EDIT: I'm not the one that downvoted the op. Not sure why it's getting heat, it's a valid question.

> but Waterfox has been out there long enough that I'd think someone would have picked up on it by now.

lol that doesn't mean anything. It's good that it's open source, but time unfortunately is not an indicator since it doesn't necessarily imply anything about the amount of those checking or the quality of said checks.

Do you audit every piece of software you run? Which Linux distro are you running? What do you do before installing a package you want to use?

I wouldn't just install everything I find on the internet, but at some point you have to be realistic.
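The comment above asks what one actually does before installing a downloaded package. As an added illustration that is not part of any comment in this thread and not code from Waterfox or any other project, here is the minimal pre-install check a defender can apply to a downloaded build: compare its SHA-256 against a hash pinned from a channel independent of the download, and, where the maintainer publishes one, verify a detached signature. The file name, the hash and the helper names are constructed for the example; the signing key is assumed to have been imported beforehand from an independent source.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies a downloaded artifact before it is
# installed: pinned SHA-256 first, optional detached OpenPGP signature second.

# sha256_of FILE: print the hex SHA-256 of FILE using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS / BSD fallback
    fi
}

# verify_artifact FILE EXPECTED_SHA256 [SIGNATURE_FILE]
# Returns 0 only if the hash matches and, when a signature is given, gpg accepts it.
# The expected hash must come from somewhere other than the download server itself,
# otherwise a compromised server can serve a matching hash alongside a tampered file.
verify_artifact() {
    file="$1"; expected="$2"; sig="$3"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }

    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi

    if [ -n "$sig" ]; then
        # gpg exits non-zero for a bad signature or an unknown key; the maintainer's
        # key is assumed to have been imported and checked out of band.
        gpg --batch --verify "$sig" "$file" >/dev/null 2>&1 || {
            echo "signature check failed for $file" >&2
            return 1
        }
    fi
    echo "ok: $file"
    return 0
}

# Demo on a constructed file (no real browser build is involved).
demo_file=$(mktemp)
printf 'constructed sample build contents\n' > "$demo_file"
pinned=$(sha256_of "$demo_file")            # stands in for a hash pinned out of band
verify_artifact "$demo_file" "$pinned"      # prints "ok: <path>"
rm -f "$demo_file"
```

The order matters: the hash check is cheap and catches a truncated or swapped download, while the signature ties the artifact to a key you decided to trust earlier. Neither step says anything about what the code does once it runs, which is the point the thread is making; they only establish that what you received is what the publisher signed.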

I'm not sure what your point is. I was just pointing out that duration of existence is not some sort of guarantee that there's no malware.
The point was that there is never some sort of guarantee, unless you personally audit every single piece of code and build it yourself with a compiler you built yourself on a computer you designed yourself.

But having an established project with a long history and many users and external developers can give you some amount of trust in the safety of it.