Open LiCybora opened 4 years ago
I will push one urgent update to disable issue reporter first, their new privacy policy is too shady for me.
i hope them can support you more
i hope them can support you more
Who are them refers to? If you mean "new developers", they are unlikely to support me because they refuse to being interacted with.
i hope them can support you more
Who are them refers to? If you mean "new developers", they are unlikely to support me because they refuse to being interacted with.
it's like that they are working on offical version for firefox??? maybe not?
The App Nano Adblocker and Nano Defender is an extension for Google Chrome internet browser.
Their privacy policy only claims for Google Chrome. They leave no words about Firefox so their stance are still unknown.
Similarly, the Edge version still showing the former developer name. Most likely they don't care at all.
Did you ask new devs for make a port version, or you did and they dont care about that?
New devs never show up or provide any ways to contact them. No one knows who they are and how to contact them except former developers. I can only ask via former developer and he reply he do forward the information to them, but I receive no words from them for more than a week.
Anyway, I decide not to port for them now. Many users are asking who they are for a week here, they still no-show, no reply.
A quick FYI: I still control legacy.hugoxu.com
, but I will shut down my Quick Issue Reporter backend service later this week or early next week.
@LiCybora
Also for this: https://github.com/LiCybora/NanoCoreFirefox#what-should-i-do I highly recommend users to manually copy settings instead. Below is part of the original project changes announcement that I drafted before the new developer(s) contacted me, I hope that it helps.
Due to the many differences, I strongly recommend you to copy the settings over manually instead of using the backup and restore feature. Below are the details about the differences between Nano Adblocker and uBlock Origin which should hopefully assist you with a smooth transition:
example.com
with the domain you want to
force scroll
example.com##*:style(overflow: auto !important;)
iframe
option, if you have custom filters using iframe
, be sure to
change them to frame
debugScriptletInjector
advanced setting a tryCtrl
and
Shift
keys, instead of either Ctrl
or Shift
Thanks for the guide. I will add it and link it such that your past effort on this guide not waste but benefit users to migrate.
@LiCybora Do you want to maintain the Quick Issue Reporter? I can give you some of my backend code. Let me know if you're interested.
@jspenguin2017 Yes I am interested. If I have enough resources I can try to implement it.
So first, you need a server, a domain, a GitHub bot account, and some knowledge of Node.js.
For server, I use AWS. You can use Digital Ocean, GCP, etc. I think GCP is the cheapest, but I'm not sure. I recommend DO or AWS Lightsail if you have no experience with cloud. This should cost you at most $5 a month, it currently costs me USD $3.5 a month.
For domain, I'm with Namecheap. I recommend a .com
domain to avoid headaches down the line. Try to avoid those "free domains". This should cost you about $12 a year.
You can also give Heroku a try if you don't want to spend money, but I think you still need to give them a credit card.
I recommend you to register a new GitHub account for your bot to use. You can use your current account, but if something goes wrong, it can be a pain to clean up. If you accidentally leaked your API key, revoke it immediately and generate a new one, don't hope that "no one saw it".
My server is written in Node.js, so you need to know how that works. I didn't use any packages, but using a good server package (for example, Express.js) should make things easier. Be sure to set up a vulnerability watcher if you use a package. Also remember to update your server regularly to make sure you're not running vulnerable software. I update my server once a week.
I can't tell you exactly how my server accepts and stores reports as I don't want to reveal how the anti-spam system work, but take a look at the frontend code (the one in the extension) to see what the backend server should be expecting. I can tell you how I process reports and call GitHub APIs if that's needed.
Let me know how it goes.
You can also give Heroku a try if you don't want to spend money, but I think you still need to give them a credit card.
There is also https://glitch.com/, which doesn't require giving credit card.
Umm... Seems lots of services I have to purchase before goes on. I need several days to look up and compare available services.
This weekend I will finalize and terminate Nano Adblocker and launch new project to continue Nano Defender since users are too fear about the product name "Nano" and looking for alternative.
@jspenguin2017 I may ping you again once I have resources ready. Thanks for your details on per-requisite.
How many resources does hosting it require? I host quite a few things for FOSS-focused Discord communities and the like, and I wouldn't mind adding something else on top as long as it doesn't use like 20GB of RAM or similar :sweat_smile:.
(For the record, I would also understand if anyone is reluctant to take the help of a random GitHub user, given what just happened with Nano...but do note that I work with many open source projects and have been active on GitHub for a very long time, so it's not exactly the most completely random thing.)
Since the installation of Nano Defender for Firefox required changing the userResourcesLocation
in uBlock to a url from @jspenguin2017 repo (that is now archived), should we now change it? What else should I change if I want to still use Nano Defender fo Firefox alongside uBlock?
should we now change it
It wasn't forked yet, so for now no.
What else should I change if I want to still use Nano Defender fo Firefox alongside uBlock?
Same case, for now nothing to change.
I can't tell you exactly how my server accepts and stores reports as I don't want to reveal how the anti-spam system work
Says the guy who sold his main extension to secretive people who immediately turned it into malware. Anyone who trusts this guy's server to accept and store reports, even though the owner doesn't want to reveal how it's done, at this point is just asking for trouble.
I would urge caution in dealing with anything even distantly relating to this guy and his current or former projects at this point. The one thing that might be okay, is the Firefork fork of NanoDefender that is being renamed and was always maintained and will continue to be maintained by someone not in the line of authority of the old Nano developer or the new Nano developers- and even there I would wait until it's renamed and people who know what they are talking about weigh in on the new code and how it operates. And I would urge him to not take anything the old owner says at face value- if he needs a mentor in figuring out how to work the system, trying to talk to someone like gorhill (Who maintains UBO) or another trusted developer who may be able to reverse engineer how the old system was working before it became malware would be a much better option.
Since the installation of Nano Defender for Firefox required changing the
userResourcesLocation
in uBlock to a url from @jspenguin2017 repo (that is now archived), should we now change it? What else should I change if I want to still use Nano Defender fo Firefox alongside uBlock?
You will receive guiding information once I release the update. Before that release, you can still keep it for now. His repo is archived and cannot do anything harm if secure is your concern.
I would urge caution in dealing with anything even distantly relating to this guy and his current or former projects at this point.
I understand your concern, but just knowing how he made the backend server without actual implementation harms nothing. Don't worry, I am not going to blindly apply whatever he say and give.
@LiCybora
You can get started with Heroku (or Glitch), but be careful that those services tend to not offer a persistent file system. So you need to store data in a proper database. I think Heroku also offers a free database, you'll have to look into that.
If you use Heroku (or Glitch), your app (backend service) will be shut down (I think it's SIGINT
or SIGTERM
) after some time of inactivity (no incoming requests). It can take up to a few minutes for your app to wake back up. This may not may not be a problem for you, but it's something to keep in mind.
Also, I would discourage you to use a server provided by someone else unless you can trust them with your API key.
@jspenguin2017 I want to say thank you for developing and maintaining Nano Adblocker and Nano Defender and whatever you did for the community as a whole. Nano Defender's Quick issue reporter was what got me into using Nano Adblocker. It helped me immensely as most of the website I used implemented anti-adblocks, pop-ups, popunders, had broken websites, etc. and uBO didn't exactly made it easy to report website issues. I had to go through several steps to report websites using their GitHub repo, Reddit, etc. but Nano Adblocker made reporting websites really really easy in just a few taps and anonymous too (with a few extra steps like using VPN). I'm very thankful for what you have done.
Everybody does mistakes and everyone should get chances to fix and/or at least acknowledge them that what they have done is wrong and accept that they will try to not do these kind of things again. We are human beings and we are made to make mistakes and we need to do them in order to not do them again. After all we are just human beings. What matters are the intentions with which they are doing what they are doing.
Even the uBlock Origin's developer is criticizing like they have not done any mistakes whatsoever...
I know you have always had good intentions to help the community; your actions, I think, spoke them all. Thank you very much for everything you have done.
P.S. I keep deleting my online accounts and GitHub is not an exception.
@CharmCityCrab
Anyone who trusts this guy's server to accept and store reports, even though the owner doesn't want to reveal how it's done, at this point is just asking for trouble.
My server code is always proprietary, It's been like this for years. Funny how it's only now that you criticize me for it. Did you find anything wrong with my comments above? Or you're just trying to find all possible ways to criticize me?
trying to talk to someone like gorhill
Honestly I'm not even sure why I'm here, I have other things to do. If someone wants to step up, I'm happy to leave this to them. @gorhill do you want to take over from here?
@LiCybora
Don't worry, I am not going to blindly apply whatever he say and give.
Don't worry, I'm not going to give you anything that can be applied blindly.
If I want to start fresh with Ublock Origin + NanoDefender, does these steps still applied to me?
@CharmCityCrab
Anyone who trusts this guy's server to accept and store reports, even though the owner doesn't want to reveal how it's done, at this point is just asking for trouble.
My server code is always proprietary, It's been like this for years. Funny how it's only now that you criticize me for it. Did you find anything wrong with my comments above? Or you're just trying to find all possible ways to criticize me?
@jspenguin2017 I have no pre-existing beef with you. To be honest, I don't even use your (former) extensions. However, these issues have been news a lot of places I read and sometimes participate in conversations on, and of course have implications in the broader concepts of extensions and how much power they are given over APIs, something both Google and Mozilla have been chipping away at for years in various ways, which is something that is a concern for me as a user of extensions in general.
On mobile, I had years ago begun to use Firefox on that platform because it was a mobile browser with extensions, and then I switched from it to the Iceraven fork of Firefox in part because Firefox cut the number of mobile extensions they offered from thousands to nine (Yes, nine), though that was not the only reason I switched, or the primary one (Although it was related, the general lack of customization and information flow to the user and such were big deals to me, something their lack of complete extension support related to, but was not synonymous with.).
What has and is happening with Nano is going to be used as an example of security issues with extensions and an excuse for the big browsers to cut back on what they allow extensions to do for a long time to come. I am sure that you are aware of the issues with Chrome's Manifest v3, and the ways they would have limited your primary extension as soon as Manifest v2 is deprecated (Edge actually looks like it'll be doing that before Chrome, oddly enough). Fortunately, Firefox and it's forks aren't going to be immediately affected, and some Chromium forks may be able to keep some API support there for this stuff in the short-term, but things tend to follow the market leader, which sets expectations, eventually.
What has happened here with Nano has implications that actually go way beyond you, the people you sold to, and even the users of the extensions. You have really hurt a cause a lot of us care about, which is having powerful user extensions. You've given browser companies another talking point and another excuse. And that could impact everyone who uses extensions, eventually.
It'd be nice if you would provider a fuller explanation of exactly how this sale transpired, exactly how much you made from it, why you initially said there were two developers and now talk about "developer(s)" as if there may only be one, who, or what company, wrote you a check, why you didn't look into them more closely or pass your extension on to a trusted contributor or developer, and so on and so forth.
Taking a little personal responsibility would be nice, too. You blew it, and you owe people an apology. Instead, you are being defensive and snarky and saying things like "Honestly I'm not even sure why I'm here, I have other things to do".
If you want your public image as a developer to rebound from this mess, you would be well advised to take a different tact. A lot of your users have potentially been compromised by this. They could incur very real financial losses and have to go through a lot of bureaucracy and spend a lot of time trying to fix certain things. Have you even looked at what's been done to the code to tell them just what could be being sent? You know, like, should they be calling their banks?
I'm going to assume you live in a free country and don't have to do any of that. You can use your new money and, if you're not in an area with a Covid outbreak, hit the beach or whatever it is you want to do with the money and ignore what's happening with your old extensions. However, while that may be legal and whatever, you probably at some level know that you have an ethical obligation to your former former user base to try to explain this, to apologize, and, if you can, make it right.
@CharmCityCrab
It looks like you didn't read the original announcement post [1], I recommend you to read it (the whole thread). If you don't want snarky replies, don't randomly attack people without knowing the full story.
If I want to start fresh with Ublock Origin + NanoDefender, does these steps still applied to me?
For now, yes. I will make announcement later to notify what you need to change when new project released.
@jspenguin2017
I will get started with glitch first to see what's next. New GitHub account is ready, although domain is not yet ready. Will ping you again once everything is ready.
Don't worry, I am not going to blindly apply whatever he say and give.
Btw, this is not an offensive statement to you, just means I will not simply direct re-apply everything you provide to me. If you feel offensive then I am sorry about that.
@CharmCityCrab
@jspenguin2017 I have no pre-existing beef with you. To be honest, I don't even use your (former) extensions.
I understand your concern and feeling about addons being sold to stranger that annihilate almost all trust from past. However, I want to keep this thread focus on discussion for Firefox port. Maybe move personal discussion to his issue thread instead please? Thanks.
@LiCybora
I think Glitch will give you a subdomain.
Also remember to use timing safe compare to check admin password (or use an authentication related package).
Hi @LiCybora If you find you can't maintain the webserver functionality on glitch etc. without paying for the boost or whatever they call it, set up a patreon and I and I'm sure many others would be willing to help keep the project alive
@jspenguin2017 I'm curious about this force scroll mode you mentioned earlier. Does this have anything to do with these websites that have anti-adblock overlays which make the content beneath unscrollable, so that even if you block the DOM elements contained in the overlay you still can't scroll through the content? I have always been trying to figure out a way to get past that without breaking other sites
Also @jspenguin2017 thanks for spending so much of your time on this and trying to implement a stable transition. I have switched back to ublock origin but it's not fair to blame you for this when all of us would never have stopped using ubo in the first place were it not for your contributions
@aminomancer
I'm curious about this force scroll mode you mentioned earlier
The force scroll mode is designed to be used with the element zapper. Force scroll mode will break the layout of the webpage though, it's more of a temporary solution. You should report those issues to filter lists maintainers so that you won't need the force scroll mode.
Note that if the webpage has scroll locking implemented in JavaScript, the force scroll mode won't work. It only works for CSS-based scroll locking.
So Firefox folk are alright for now but... Should I undo the things in the extra installation steps here? Or am I good with those? I'm using uBlock Origin with Nano Defender.
@537 It was already answered => https://github.com/LiCybora/NanoDefenderFirefox/issues/187#issuecomment-710688167
uBO's zapper already has code to unlock scrolling, this has been there since I first implemented it years ago.
@gorhill
uBO's zapper already has code to unlock scrolling
Sometimes the scrollable section is in a div
instead of being the body
itself. The force scroll mode injects an UserCSS rule to forcefully enable scrolling on all elements, and is intended to be used as a fallback.
Sometimes
Any issue can be reported, they will be investigated and fixed. If nothing is reported, I can't investigate. Did you ever report an issue regarding this?
@gorhill I investigated the case that I found and concluded that a specific filter rule was needed. Unfortunately I do not have the link anymore. I will let you know when I find other cases so you can check if a generic heuristic can be implemented.
I can use this https://jspenguin2017.github.io/uBlockProtector/#extra-installation-steps-for-ublock-origin on UBlock for import all filter from nano to UBlock? is secure this? i want Nano filter to UBlock, but i not have find link for add this filter to UBlock. thanks for all the work done so far.
I switched from ubo to NA just so I could use ND. Is it possible to get the same benefits from ND with ubo?
@jshir yes, follow the instructions on the nano defender page, you just need to tick the 'advanced user' box and paste in the resource URL
@LiCybora I'm using NA and ND on firefox... should I stay with those forks or should I switch to uBO??
Switch to uBO and uninstall NA. You may also refer to https://github.com/LiCybora/NanoDefenderFirefox/issues/187#issuecomment-708101527 for migration note.
You may still keep ND.
Hello @LiCybora How about removing these instructions since nano is archived ,dead(malicious)
Thanks @LiCybora for all of this! And thank you for adding the notification in Firefox about what had occurred. I would have never have known otherwise. Much appreciated!
Came to basically just say the same as thelittlemike. Thank you so much for your work and integrity @LiCybora.
How about removing these instructions since nano is archived ,dead(malicious)
Resources and filter are required and should be safe for now. I may make a quick clone if people fear to archived repository.
Second image still link to upstream website which is something I need to migrate as well. Thanks for reminder.
correct me if i wrong somethings: @LiCybora you are the maintainer of both extension for firefox.... that's "Nano Adblocker" and "Nano Defender for Firefox" right ?
The 2 counterparts for chrome it's not anymore avaiable (and we all know the right reasons or not).
The project "Nano Defender for Firefox" it is not abandoned but it will most likely change its name right ?
At today therefore it would be recommended to switch to "Ublock Origin" and remove (or better disable) "Nano Defender for Firefox" and wait some next news in future right ?
Honestly I have read a lot and not understanding English very well I have a lot of confusion in my head :)
EDIT Meantime i stay to open my Chrome Portable to uninstall "Nano AdBlocker" also even though I still have the version 1.0.0.154 installed and i not obtain the "BAD" version only because Chrome it's not my main browser.....
@DjDiabolik
Nano Defender for Firefox is still safe to be enabled for now, but it is up to user decide keep, disable or remove.
Perhaps you may mention which language you understand so other volunteers may assist you?
@LiCybora Hello and sorry for PMing you but I really need an answer from you, because you may be the person that knows the best - first of all, I used the nano defender for firefox for the moment, i deleted it until new instructions are set However, my biggest concern - So, for the last time, just to be extra-sure - the nano filters/ nano integration filter ( the ones tat can be downloaded from here https://jspenguin2017.github.io/uBlockProtector/#extra-installation-steps-for-ublock-origin) were under original dev, and new devs don't have acess to them? (PLEASE confirm if so). So, they practically released a new extension (probably with new filters) that have nothing to do with those
@jspenguin2017 if u can, waiting for an answer as well. Just tell me that those filters werent compromised, please...
As someone misunderstand my future plan, let me put words at begin.
Nano Adblocker is abandoned at the time new upstream devs push their privacy policy. There is no plan to continue Nano Adblocker and urge user migrate to uBO. v1.0.0.154 is released, meaning the end of Nano Adblocker.
Nano Defender is planned to rename as a new project which is independent form any entities or people. I have never claimed abandon Nano Defender, unless I make a typo I do not notice and please let me know in this case.
If you don't trust, check my edit history of this thread.
As upstream project has been acquired by new developers, and until the time this issue post, no words are received from new upstream developers. It is time to reconsider the future of the port. Again, I am neutral to upstream decision. Everyone may have their hard time and it is their rights to decide what to do in their life. Do not blame anyone for that.
Initially, I am not hostile to the new developers, but the recent updates seems untrustworthy to me. Although their removal of privacy policy on Chrome Store is suspicious enough, the bigger issue is that every links found on Chrome store still link to the old developers repository, while the former developer claims he already lost control of his extension. Given that I cannot find their repository anywhere, nor neither they exist on the issue tracker to introduce themselves as new developers, I really doubt whether the "two developers" exist, as I don't see any reasons to hide themselves to their users. It is unlikely I will maintain this port for them under current situation
, unless they at least show up on somewhere that can be interacted with. I hope these are just because they still not yet post or update anything in this early stage...So, the remaining options will be abandon or maintain as a new project in worst case. But the later case is a tough job. Not only just two extensions, but also Nano Filters, NanoMeow and Nano resources. Without them, Nano Adblocker is just a uBO clone and Nano Defender is just some user scripts. Given that I am not as active and experienced as the upstream developers, I really afraid I will do more harm than benefit to user if I make mistake on that.
For now, I will release one more version of NA that update included the last former developer changes, but I am not sure what's next if still no words from upstream. ND may still be updated when needed as it is designed working on uBO as well even decided to detach from upstream. Related links of announcement will be included in release notes and README as well when released, which is supposed to be within two days.
I am still open to any decisions, including the new developers given that they are good but just I misunderstood them[1]. Decision is now firmed, see below.TL;DR
unless upstream maintain themselves or at least, they contact me for that.whether maintain independently from upstream depends on their stance.might be renamed and released as a new product deal to bad reputation of the name "Nano Defender" since Chrome 15.0.0.206 can be consider as malware.NA and ND with LiCybora as author on AMO or on my GitHub repository are still under my control and independent from any entities or people.
[1] They update their privacy policy but still keep themselves stealth from GitHub, which means they are active and purposefully hide themselves. There is no point to maintain for an unidentifiable developer.