Closed lelouxx closed 2 years ago
It's a great browser which is more competitive than fenix. Updates depend on maintainer which I'm ok with. If somebody is willing to invest time for faster update frequency, fine.
https://divestos.org/misc/ffa-dates.txt Iceraven currently has 22 known security vulnerabilities and is two major releases behind.
A major problem with the automated updates is CI building has been failing since 31 January; something broke with that day's earlier commit and nightlies from then are all pending-status see;
I think a lot of the CI stuff is Mozilla's, which hasn't been ripped out because that would create more merge conflicts. It looks like the last release build did in fact successfully build and publish.
I too would love the frequency of updates to be more often, but I'm also extremely lazy. If anyone else wants to do the merge with Mozilla Firefox's changes and raise a PR of that, I can merge that in instead of doing all that work, and then there could be a new release.
Back around Jan I had noticed a few GitLab/GitHub fails and heard around that was preventative changes, some of which were made due to hijacking by crypto miners that were abusing the CI framework.
But I'm not sure if that was true or not 🤷🏽♂️.
FWIW, FFUpdater now shows a warning if you have IceRaven installed, due to its lack of updates, and no longer offers it as available.
> FWIW, FFUpdater now shows a warning if you have IceRaven installed, due to its lack of updates, and no longer offers it as available.
Thanks. I was not aware that this had happened because I install updates directly from GitHub.
It would have been nice if @Tobi823 had given someone a heads up on this so that @interfect could have evaluated whether or not whatever Tobi's requirements for remaining in his updater app were would have been doable, and so that fans of the browser could have had a transition period to stop plugging FFUpdater as a way to update Iceraven.
Also, the warning FFUpdater apparently now pops up for users with Iceraven installed seems petty and in excess of requirements. It's one thing to stop listing it and another to actively discourage something's use, especially if you imply that it's abandonware and not just something that is updated less often than is ideal.
I was the one who talked him into adding it into the app in the first place, and I fairly aggressively promoted his app to people seeking an update mechanism. So, seeing it removed like this without notice to the Iceraven community (and with what sounds like a misleading pop-up to people who have it installed) viscerally annoys me maybe more than it should. Still, people I brought to his app because they wanted to use Iceraven are now being steered away from Iceraven by the same app. It doesn't take an advanced degree in psychology to see why I'd be annoyed.
Obviously, Iceraven should be updated more often, but Interfect is only going to do what he's going to do, and it's annoying to see people like the guy maintaining this updater app and someone who maintains another browser diss a lack of updates when they have the skills to submit pull requests and actually do the updates if they want (Something Interfect has openly invited people to do).
@CharmCityCrab Sorry if it came across that way, but I had no ill intent. I implemented the warning in FFUpdater after the following discussion in my repository (https://github.com/Tobi823/ffupdater/issues/198). Only from the perspective of security it was the right decision. But I also see that there are good reasons why you want to take this higher risk for certain features.
I can remove the warning for Iceraven - but I also want that the users of FFUpdater can make an informed decision if they want to use a specific browser. What do you think would be the best solution @CharmCityCrab ?
My idea:
@CharmCityCrab
> someone who maintains another browser diss a lack of updates
I have absolutely nothing against this project, or Interfect, or you. I only care about users knowing that the software they're using is insecure or not. Iceraven is actively insecure and brings very little to the table to actually warrant its use.
> have the skills to submit pull requests
we intend to try to cut down on telemetry and proprietary code https://github.com/fork-maintainers/iceraven-browser/issues/463 https://github.com/fork-maintainers/iceraven-browser/issues/286
A pull request cannot fix these issues because Iceraven doesn't compile from source.
> and actually do the updates
Why would I maintain this? I already maintain Mull and Mulch. What benefit does Iceraven existing in its current state have that is worth continuing it? Enabling users to rice out their browser with extensions that actively harm them with false promises or open up their browser to attacks or have the potential to siphon off their browsing activity?
As I see it Iceraven filled a temporary gap after the immediate release of Fenix successfully and now that time has passed.
> rice out
I feel like we ditched that one for racism.
Anyway, given the amount of attention I have available to update Iceraven, it might make a lot of sense to warn people that it is chronically out of date. Just today I was wondering if I really should have kept the "janky" adjective from the original "Janky Iceweasel Fork" to remind people that they should not, in fact, expect it to work safely or reliably.
(We should also all spend a minute in contemplative silence thinking about why we choose to install software in March that we can reliably predict will be a danger to ourselves and our loved ones by July.)
I'm maintaining this for me, personally, to use. I see why If you build an easy way for people to trust random other people with control of their browser, that's going to end badly for a lot of folks. But if I actually want to trick out my browser with thirty-five extensions that don't work, six of which are selling my browsing data to the cops, that's my right as a user in a deep, fundamental way that goes back to Alan Kay and some of the basic tenets of hackerism. The true root of trust in the system is and must always be the person the system is acting on behalf of.
I didn't feel like Mozilla's Fenix was hewing strongly enough to this principle, so I got mad enough to work out how to use Mozilla's build system and swap everything around so the browser would listen to me personally. Why anyone else wants a browser that listens to @interfect on Github (or to anyone who downloads a Metasploit exploit for Firefox from two releases ago) instead of some other, legitimate actor is a mystery.
> @CharmCityCrab Sorry if it came across that way, but I had no ill intent. I implemented the warning in FFUpdater after the following discussion in my repository (Tobi823/ffupdater#198). Only from the perspective of security it was the right decision. But I also see that there are good reasons why you want to take this higher risk for certain features.
> I can remove the warning for Iceraven - but I also want that the users of FFUpdater can make an informed decision if they want to use a specific browser. What do you think would be the best solution @CharmCityCrab ?
> My idea:
> * When a user installs Iceraven, he sees the information that "Iceraven has a lower update frequency"
> * The age of the latest version for every app will be displayed in the FFUpdater main menu
> * When the user clicks (in the FFUpdater main menu) on a browser title, we will be redirected to the main website of the project (for latest news etc.)
I think that showing the age of the latest version in main menu of the updater app is fair provided that there is a mechanism to ensure that the menu updates to the new correct date within 24 hours of a browser update. Some lists like that in software or on webpages lag on acknowledging new updates, which can make something seem worse than it is on getting updates out, potentially in absolute terms, relative terms, both, especially if the list maintainer is manually checking other software more often for updates.
Having a pop-up on browser install seems less than ideal. I don't know how to talk you out of it if you're set on it, so I'd just encourage you to keep an open mind and try to approach things from a minimalistic standpoint. People know if their browser is getting frequent updates or not, especially if the app they use to update them is right there in the updater menu. Having a pop-up essentially warning people off could really hurt uptake unnecessarily. People tend to look at a warning as being much more serious than their own evaluations based on the same data sometimes.
> I have absolutely nothing against this project, or Interfect, or you. I only care about users knowing that the software they're using is insecure or not. Iceraven is actively insecure
The three other Firefox forks you're involved with create a conflict of interest for you on that subject IMO. You also frequently point to a list comparing browsers that you maintain and that lists one of your browsers as #1.
Instead of working together to make every browser better, you seem to actively be denigrating the browser you aren't involved with here, on Reddit, and so on and so forth.
I've never once mentioned that Fennec, the browser on which Mull is based, is maintained by a Russian national. A lot of people would say that makes it potentially insecure. It's tough to trust software coming out of an autocracy even if the developer has the best of intentions. It's really only the relatively small scale of it and the open availability of source code that makes me think it's probably on the level.
No browser is free from potential issues.
I would also point out that many of the Android phones running Iceraven probably themselves receive only quarterly updates from their carriers or manufacturers.
I'd love to see Iceraven updated more, but you'd rather complain about it and scare users off than using that same time to help the browser's developer.
> and brings very little to the table to actually warrant its use.
In your opinion. So, don't use it. There's no need to launch a public crusade against it.
Some of us care very much about some of the options Iceraven gives us and no other browser does in quite the same way, including not only the above but also some other things including a long list of add-ons available out of the box through the GUI on a stable version of base Mozilla software.
If you want to compete with Iceraven, adopt its features. However, trying to kill the browser dead without adopting the features that make it the choice of many users just seems mean.
You may not care about the features exclusive to Iceraven, but clearly there is a user base that appreciates them, and open-source software is supposed to allow for that sort of diversity.
You may additionally feel that these features are out of scope for your browsers, but, if so, that makes it even more important that Iceraven or some other radically customizable and extendable options browser be around. The major Android browsers have abandoned that audience, and as far as I know, Fennec is narrowly targeted at eliminating proprietary code and Mull at privacy issues. None (Apart from Iceraven) really attempt to restore the proper dynamic of the user controlling the experience through both options and information. Any browser that won't even provide full URLs, which is almost every Android browser on the market other than Iceraven, is clearly not interested in providing users information.
> A pull request cannot fix these issues because Iceraven doesn't compile from source.
As I understand it, there are three major Fenix components. Iceraven only touches one of them. So, one could find the latest stable versions of the other two, merge them with the Iceraven modified one, resolve conflicts and dependencies, spend an hour or two web surfing and going through program menus to make sure it's stable and is correctly reflecting Iceraven's branding, version numbering, and customizations, and then submit it.
Honestly, it sounds so simple that I tried to teach myself how to do it several times and failed. I've never been able to code. However, it seems like something a veteran coder could handle.
> Why would I maintain this?
It would be a more constructive and laudable use of your time than trying to scare people into abandoning something that suits their needs better than any other Android browser.
Wouldn't you feel better helping to enable people to access the web the way they want to in a safer and more secure way (Via more frequent updates) rather than torpedoing the thing that lets people surf the way they want or having people use it even though it may not be up to your standards due to infrequent updates? I mean, it really seems to bug you that it's here and doesn't get updates promptly. Since you can code, helping with the updates seems like one way to resolve that issue for you and make you a hero rather than an antagonist among fans of the browser. It's not like anyone is against more updates, we'd all like more updates. You are one of the few people who could actually do it if you wanted to.
Because of https://github.com/mozilla-mobile/fenix/issues/12731 any Firefox version is absolutely useless for me (tabs die when switching them/switching between apps). The ONLY fork that fixes this is Iceraven. I will use Iceraven until Firefox fixes this issue; if Iceraven won't be updated anymore I'd still use it, because using an unusable but "secure" browser is not an option for me.
@CharmCityCrab
> Having a pop-up on browser install seems less than ideal.
Having a pop-up is an absolute must given the update cycle. It should have a reminder at least every month that passes without an update too.
> Having a pop-up essentially warning people off could really hurt uptake unnecessarily
This is a good thing. FFUpdater in this case is acting as a distributor. We as users choose our distributors because we believe that we share similar interests. As an example I use F-Droid because it only contains free software, if F-Droid started shipping proprietary software, I'd jump ship along with everyone else. If FFUpdater decided to include Microsoft Edge or Opera, I'd be genuinely concerned about the project.
Additionally, using this logic of not warning would be asking them to remove the Chromium warnings too.
> The three other Firefox forks you're involved with create a conflict of interest
Three? I only have involvement in Mull and Fennec F-Droid. I actively work with Fennec F-Droid ever since Fenix was released and Mull rebased from Fennec onto Fennec F-Droid.
> You also frequently point to a list comparing browsers that you maintain.
That page has been sanity checked by others many times. I'd be happy to point to a better comparison laid out in similar vein that wasn't written by me.
> and that lists one of your browsers as #1
Mull is #1 for Gecko and Bromite is #1 for Chromium given the criteria (freedom, data isolation, content blocker, etc.).
> Instead of working together to make every browser better, you seem to actively be denigrating the browser you aren't involved with here
I actively promote Bromite when it is up to date. I have contributions to Firefox, Fennec F-Droid, Lightning Browser, FOSS Browser, rejected contributions to Privacy Browser, and never finished contributions to Firefox Focus.
> I've never once mentioned that Fennec, the browser on which Mull is based, is maintained by a Russian national. A lot of people would say that makes it potentially insecure.
The Fennec F-Droid codebase is barely 1000 sloc, you can skim it in minutes. Something I've done many times over the nearly two years I've used it and helped maintain it.
> many of the Android phones running Iceraven probably themselves receive only quarterly updates
Which is why I've spent nearly a decade working on a project to provide longer term support to devices, but it can only go so far. A fully patched and up to date browser is of utmost importance to any system, even more so in such cases of known insecure systems.
The only thing keeping users from having their devices compromised surfing the net on outdated systems is the browser component, once escaped it is game over.
> If you want to compete with Iceraven
Iceraven isn't my competition.
> but clearly there is a user base that appreciates them
An anecdote: Many people I've personally talked to use Iceraven solely for extensions and hadn't actually realized the official Firefox has extension support. When they learned that they switched off of Iceraven, even given the limited list of "recommended extensions".
> None (Apart from Iceraven) really attempt to restore the proper dynamic of the user controlling the experience through both options and information.
Uh, Bromite? Heck maybe even Brave. They both add a ton of options.
> Honestly, it sounds so simple
It sounds simple because it misses the steps of patching and compiling the components.
> Any browser that won't even provide full URLs
There is a good reason for this! It reduces chance of phishing in cases where a campaign may put the spoofed domain in the subdomain or path component of a URL.
> Wouldn't you feel better helping to enable people to access the web the way they want to in a safer and more secure way (Via more frequent updates) rather than torpedoing the thing that lets people surf the way they want or having people use it even though it may not be up to your standards due to infrequent updates?
Why can't I do both? Don't I already?
I feel like people are getting in a bit of a fight here, mostly about FFUpdater which isn't even part of this repo, so I'm going to go ahead and lock this thread.
FFUpdater should tell the user whatever they need to know to make a good informed decision about what browser to use. I'd suggest that it continue to be able to install Iceraven when people ask for it, and that it fall on the right side of the line between user notification and user bullying, but we can move further discussion of what it is up to to wherever the FFUpdater issue tracker is.
As for the "Iceraven should update more often" issue: I agree, it would be great if Iceraven updated more often.
I just pushed a new update yesterday. My new rebasing approach seems to be a lot easier than the old merge approach; I didn't have to make any actual code changes or resolve any real conflicts. I can see whether Github Actions can be made to do simple rebases for me, but then I'd be publishing releases that I hadn't actually tested, with no unit tests, that could break any number of things. So that might not be the best approach either.
I'll keep thinking about this; if someone has a concrete suggestion as to how exactly a greater update frequency could be achieved without me doing any more work, please open an issue for that.
What is the user problem or growth opportunity you want to see solved?
Iceraven is a fantastic browser and fork of Firefox but it rarely gets updated to main Fenix upstream version.
How do you know that this problem exists today? Why is this important?
It's important because Firefox is still behind Chromium in terms of security and each version update of Firefox makes it more secure. As a result, it may be beneficial to catch up with the main Firefox version to reduce vulnerabilities of Iceraven. Plus, there were some performance tweaks in recent versions.
Who will benefit from it?
Everyone who loves to use Iceraven as their daily browser.