BrowserWorks / Waterfox-Classic

The Waterfox Classic repository, for legacy systems and customisation.
https://classic.waterfox.net
Mozilla Public License 2.0
175 stars 34 forks

Why are there unpatched vulnerabilities in Classic? #141

Open Videogamer555 opened 1 year ago

Videogamer555 commented 1 year ago

I read in your wiki that it would be difficult if not impossible to apply some fixes to both simultaneously, because what would be needed to fix each one might be different. So my question is why don't you have 2 teams working here? One team of developers working on the Waterfox Classic branch, and one team working on the Waterfox Current branch, each team independently responsible for patching the browser in the branch they are working on? In fact, that's what I thought was supposed to be the way development was going to be from now on, based on this article I read about how Waterfox was splitting into two branches. https://www.ghacks.net/2019/10/25/waterfox-development-splits-into-classic-and-current-branches/ It clearly stated in the article that security patches would be constantly supplied to the Classic version, so that it would never become a vulnerable browser. In other words, you guys were not going to just abandon it, according to the article. And just 3 years later you basically did abandon it, as I can see from this huge warning on the official Waterfox Classic website that says "Waterfox Classic has many unpatched security advisories. Use at your own discretion.". Why did you guys abandon your jobs, jobs that you clearly are supposed to do as stated in the above article on ghacks.net that I posted?

Squall-Leonhart commented 1 year ago

"job" kek.

rebop commented 1 year ago

For the same reason they have not responded to you Gamer. It's abandoned. They sold out. Disassembled one of the best help teams I had seen. And reneged on a promise to make the browser what we all wanted. They did for a number of years, but then became just another browser.

I think it's incredibly sad. Nothing comes close to what Classic did when all was working.

jobbautista9 commented 1 year ago

Their reasoning can be found at the same wiki page you linked:

Some of the patches may still be needed, but the changes between versions so numerous between ESRs making merging difficult if not impossible.

Basically they're saying they can't address those security vulnerabilities because... Mozilla's patches don't apply cleanly. Which is just a ridiculous excuse to me. You can't expect changes post-Quantum to merge cleanly into a Firefox 56 codebase.

Anyway, if they can't be asked to do actual work on porting those security patches to Waterfox, they can cherry-pick some changes from UXP, which is the platform of Pale Moon. I don't think Moonchild wouldn't mind as said in this forum post. Keeping the browser secure should be the highest priority, even if it means you have to do some work yourself trying to make the security fixes from Mozilla apply cleanly.

Videogamer555 commented 1 year ago

Why? Did they just find it too difficult to keep working on?

On Fri, Jul 15, 2022 at 12:09 PM Bob @.***> wrote:

For the same reason they have not responded to you Gamer. It's abandoned. They sold out. Disassembled one of the best help teams I had seen. And reneged on a promise to make the browser what we all wanted. They did for a number of years, but then became just another browser.

I think it's incredibly sad. Nothing comes close to what Classic did when all was working.


EchedelleLR commented 1 year ago

Probably better to move to Pale Moon or Basilisk from here.

Waterfox Classic is currently "UXP-based" in the end, and XUL is mostly now developed by the Pale Moon team and other contributors, but the Waterfox team moved on their own without unifying efforts.

The Pale Moon team is working to get Web Components, and there is already a really advanced beta of it; plus they are up to date on security fixes, since they implement those on their own, plus possible fixes that can be backported from Mozilla in each release.