privacytools / privacytools.io

❌ Software Removal | Firefox #856

Closed dm17 closed 5 years ago

dm17 commented 5 years ago

Description

Pretty unfair that you're recommending Firefox and not Waterfox. Especially since FF has recently banned free speech extensions from its repo. Twitter censors everyone, so we have Gab. Gab made an extension, and Mozilla censors it? This is going too far... Part of "privacy" is what you're allowed to see & use (in the privacy of your own computer)!

beerisgood commented 5 years ago

Forks are always behind mainline in terms of security. Also, Waterfox doesn't have any stuff you can't do in Firefox. Firefox + gHacks user.js is a much better solution than such a fork with just a few maintainers.

Kcchouette commented 5 years ago

April Fools' was the 1st, not the 12th. Anyway, thanks for the laugh

it was in my head.

Anyway, in terms of privacy, Tor Browser is recommended at the top.

quantumpacket commented 5 years ago

From what I've read, Mozilla has removed the addon from their addons website saying it violates their terms due to promoting hate speech. That's fine; if they want to do that they are within their right to do so, since it is their platform. However, from what I've read, Firefox blacklists the addon and will remove it when you restart the browser. I haven't confirmed that is the case, but if true that is stepping over the line. Mozilla has no right to remove/block an extension that an end-user has chosen to install on their system.

Let's not split hairs in regards to left/right wing politics, but look at the implications and precedent that is being set that could be applied to any addon. I don't think @dm17 is wrong to see this as something to be concerned about.

dm17 commented 5 years ago

> From what I've read, Mozilla has removed the addon from their addons website saying it violates their terms due to promoting hate speech. That's fine; if they want to do that they are within their right to do so, since it is their platform. However, from what I've read, Firefox blacklists the addon and will remove it when you restart the browser. I haven't confirmed that is the case, but if true that is stepping over the line. Mozilla has no right to remove/block an extension that an end-user has chosen to install on their system.
>
> Let's not split hairs in regards to left/right wing politics, but look at the implications and precedent that is being set that could be applied to any addon. I don't think @dm17 is wrong to see this as something to be concerned about.

Thank you; I agree... And just look at all of the stuff Waterfox strips out of Firefox! That there is so much tracking and crap in there now that Waterfox even has a major following is evidence that Firefox is not a "privacy tool"!

beerisgood commented 5 years ago

@quantumpacket which "addon" are you talking about?

quantumpacket commented 5 years ago

I believe it's this addon: https://dissenter.com/download. Once again, I have yet to test that the browser blacklists it, but there was a Reddit post asking for help on preventing Firefox from unloading it on restart.

beerisgood commented 5 years ago

So you blame Mozilla for blacklisting an addon from an external site which doesn't provide the source code for that addon and tracks users on its website itself?! https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fdissenter.com%2Fdownload#requests

Sounds like an invalid / trolling post

dm17 commented 5 years ago

@beerisgood I didn't mind your first post, but now this is borderline trolling. As I have said twice, the topic is not just Mozilla's censorship. Primarily, it is based on the fact that privacytools.io is supposed to be about privacy, and Firefox is not by default as private with your data as other browsers.

So the politics of George Soros & the Mozilla foundation aside (and their supporting RiseUp) - we can speak objectively about the privacy of Waterfox vs Firefox. It is simply unfair to be promoting Brave & Firefox as the top privacy browsers. Brave by default whitelists Facebook and Twitter trackers. Most users will never figure out how to disable most of Firefox's privacy issues - and Waterfox goes much further than one can do manually anyway.

quantumpacket commented 5 years ago

It was originally hosted on the Mozilla addons site, which as OP has stated was removed. The source code is here: https://github.com/gab-ai-inc/gab-dissenter-extension/. Also, what does their download page have to do with this post? Tracking is done on even Firefox's download page.

beerisgood commented 5 years ago

@dm17 I never voted for Brave. Instead I vote for removing that Chrome/Chromium shit

five-c-d commented 5 years ago

> part of privacy is what you are allowed to see & use

Hmmm, this seems like a slippery slope. When a browser has advert-blocking on by default, I do not consider it to be restricting my freedoms nor invading my privacy somehow, when it blocks me from seeing those adverts. If I want some other behavior, I can adjust the settings, and if the browser does not let me adjust the settings the way I want, I can install some other browser.

Same goes for browsers that have anti-phishing and IP-based anti-malware blacklists ... often these are implemented questionably from a privacy perspective (the people providing the blacklists use them as a means of spying on what websites I visit while they scan for whether I'm visiting a website I should not ... typically that was the real motive for providing the free-as-in-beer service in the first place I often suspect), and also the very idea of letting some third party blacklist websites is questionable from a freedom standpoint (often the listing process is politicized either overtly or covertly).

Similarly, if an OS comes with a firewall on by default, that prevents me from visiting certain websites, or even blocks entire domains from loading (a la PiHole or the old-school HOSTS file with badsites explicitly prevented from loading), that is not a privacy invasion, that is usually a desired behavior. As long as I can turn it off, if I choose.

Here is background, https://en.wikipedia.org/wiki/Gab_(social_network)#Dissenter

mozilla-sysadmins versus gabDissenter-devs... unclear to me what the current state is?

> FF has recently banned free speech extensions

You sound like you are saying there was more than one such incident. Are there other examples of where firefox sysadmins and programmers have seemingly let their political biases or their systems of ethical beliefs lead them to blacklist addons for non-technical reasons? I will note that mozilla corporation might be subject to the legal constraints against certain kinds of legislatively-defined-hate-speech in Germany and France and such places; is there any indication whether the removal of GabDissenter was due to it being made illegal by a court, rather than just firefox people deciding on their own? I will also note this, https://xkcd.com/1357/ ...and that the addons website is something mozilla pays to host.

There is a reddit-thread about GabDissenter versus MozillaAddonsSysadmins, and like a lot of things nowadays, it seems to be full of self-censorship and maybe forum-mod-censorship and possibly even reddit-sysadmin-censorship (I'm not familiar enough with reddit to say one way or the other). https://old.reddit.com/r/firefox/comments/bbugc5/firefox_bans_free_speech_commenting_plugin/?limit=500 Google has removed the pages from their cache, and Chrome has followed mozilla in blocking the extension in question. The reddit thread DOES assert that the GabDissenter addon can still be installed, just no longer from addons.mozilla.org -- it has to be installed from the extension-owner's site with some kind of different code-signing procedure, or something? Quoting:

> * One thing I'll note (since it hasn't been stressed enough), is that Mozilla is not saying that Firefox users can't use the Dissenter add-on. They are just saying that they are unwilling to post it on https://addons.mozilla.org Of course that is within their rights.
> * To be clear, they are still willing to sign the add-on to let users add the add-on with a guarantee that it was distributed by Dissenter, to let people get updates, and to prevent them to have to load "temporary add-ons" (which are basically just add-ons that are being developed, and not distributed).
> * There are interesting conversations about free speech going on here, and I have participated in some here, but I wanted to make it clear that while Mozilla is removing the add-on from their website, Dissenter is free to host it themselves - and Firefox users can continue to use the add-on without much fuss.
> * Firefox hasn't banned the add-on, since it is still installed, and can continue to be installed. Mozilla has removed the add-on from their site. There is a difference

End quoth. I dunno whether what is said there is true, or maybe, was true at one point and now firefox is detecting and unloading the addon at runtime, or what. But the waters(heh) around the most recent firefox-versus-waterfox controversy seem pretty muddy.

waterfox-vs-firefox is a different issue, and a thorny one

I don't have a firm opinion on the waterfox-versus-firefox question, except to say that every year there is always Yet Another Firefox Fork which promises to provide better privacy and on-by-default settings and whatnot. PrivacyToolsIO even used to list one, the JonDoBrowser project if memory serves. But it is actually shockingly tough to maintain a soft-fork of a complex thing like Firefox, and almost none of these projects tend to make it over the long term. The default behavior of Firefox w.r.t. privacy is "pretty good" (compared to chrome especially), and with a few key addons (also listed further down the page), that becomes "very good". Soft-forks that promise to do better tend to end up doing worse: they fall behind on the upgrade-treadmill, and at some point are not pushing the security-patches needed (browsers are a huge risk when it comes to using them without the latest security-patching done promptly). As for the question of whether Waterfox should be WorthMentioning (which is distinct from the question of whether Firefox should be delisted-or-demoted), unlike *most* of the soft-fork efforts waterfox seems to have been around quite some time. Not sure how well they keep up with security-patches, but well enough not to wither away over the years, at least. They have a wikipedia page https://en.wikipedia.org/wiki/Waterfox and the project was started in 2011. It has mostly nerdy-technical differences from stock firefox, but also some good moves for privacy: no Pocket, telemetry, data-collection, startup-profiling, the EME/DRM disabled by default, and the default search-engine is Ecosia rather than Google-or-similar (they started out as a tree-friendly search engine in 2009 but as of 2018 have apparently begun to rebrand as also being a privacy-oriented search engine).

p.s. Brave is not the best of all available options, but in some situations it is necessary: not just Chrome, and the reference-implementation Chromium, but also every other major browser (in terms of market share I mean) except firefox-and-firefox-clones, is based on the same engine as chromium. That means Safari, Opera, and MicrosoftEdge are all running on the same basic rendering-engine and javascript-engine as Chrome... and in turn, means that webdevs fairly often JUST test their websites on Chrome. Firefox is down to the single-digits of market share nowadays, much like it was back in the days of MSIE6 dominance fifteen years ago. Point being, there are plenty of websites where TorBrowser just does not work right, and firefox is also at risk of such things happening, so a webkit-or-chromium-based browser that tries to respect privacy is needed pragmatically today, even if not ideal from a long-term perspective.

p.p.s. There is no need for accusations of trolling, and counter-accusations of the person making the accusation getting accused of trolling. Please stick to the merits of the case, and whether privacy is at risk with a particular tool, and if so to what degree, compared to other tools that provide similar functionality. Personal bickering is non-helpful.

dm17 commented 5 years ago

I appreciate the long and thoughtful reply. The following addresses a few issues: 1) Here's an incomplete list of privacy features that Waterfox has over Firefox: https://github.com/MrAlex94/Waterfox/#user-content-features As you can see there are a load of privacy enhancements that Waterfox has over Firefox - even after a power user does the typical privacy-enhancing modifications to Firefox.

2) Since this project is called "privacy tools" and not "security tools," then is the fact that Firefox has quicker security patches an argument for it to stay in the recommendation list no matter what? I think not.

3) As previously mentioned, the censorship the Mozilla foundation is participating in is not a primary component of my GitHub ticket. The lack of privacy in two main PrivacyTools recommendations, a) Firefox and b) Brave, is the issue (especially when compared to well supported alternatives like Waterfox). a) Firefox - please see #1 for a list of privacy features Firefox lacks and Waterfox has. b) Brave - how can whitelisting Facebook & Twitter trackers by default be seen as "privacy centric?" We can open another ticket about this; I'm trying to keep this one focused on the Firefox recommendation.

4) You said, "As for the question of whether Waterfox should be WorthMentioning (which is distinct from the question of whether Firefox should be delisted-or-demoted), unlike most of the soft-fork efforts waterfox seems to have been around quite some time. Not sure how well they keep up with security-patches, but well enough not to wither away over the years, at least. They have a wikipedia page https://en.wikipedia.org/wiki/Waterfox and the project was started in 2011. It has mostly nerdy-technical difference with stock firefox, but also some good moves for privacy: no Pocket, telemetry, data-collection, startup-profiling, the EME/DRM disabled by default, and the default search-engine is Ecosia rather than Google-or-similar (they started out as a tree-friendly search engine in 2009 but as of 2018 have apparently begun to rebrand as also being a privacy-oriented search engine)." -- Agreed - great points! And you also said, "almost none of these projects tend to make it over the long term." But that doesn't seem like a reason not to promote and try for privacy. Netscape didn't last either.

ghost commented 5 years ago

security and stability not good for FF

> Forks are always behind mainline in terms of security.

Mozilla develops at an unstable speed as they tend to push frills and extra features. It's actually wise to stay behind a bit because the feature richness they always chase actually causes security bugs. Users on the chronic upgrade path are always exposed to the highest number of unknown bugs, which are more risky than known bugs that can be controlled for if needed.

I sometimes have to pin a past version of Firefox because of a reckless release, and in a couple cases it took a couple years for Mozilla to put out a version that overcame nasty behavior like spontaneous crashes.

OTOH, Firefox + gHacks (Librefox) empowers users to decide whether they want to be on the bleeding edge or not. That control is an advantage for advanced users. Novice users will just take any upgrade, which means they'll take upgrades that just deliver new functionality (read: more bugs).

Mozilla :heart:'s CloudFlare

Recent versions dance for CloudFlare (a privacy abuser). It's said to be disabled out of the box but it's still not a privacy-respecting direction.

Does Mozilla alter users' configs?

> However, from what I've read, Firefox blacklists the addon and will remove it when you restart the browser.

:eyes: yikes; that's really fucked up if it's true. Fair enough if they want to control what's in their repository (since 3rd party repos are an option).. but to take end-user control away from users (who should be in control over their own installations) is an unacceptable appropriation of liberty.

Firefox doesn't teach visitors anything new

Everyone knows about Firefox so users don't get much value out of seeing it on PTIO. Exceptionally, if PTIO actually studied Firefox in depth and had strong reasons to dismiss other forks, then it would make sense but this doesn't seem to be the case. It's likely one of the blind crowd-following endorsements.

Tor Browser is a Firefox fork in the top slot. Showing users Firefox only distracts them from what they should be considering.

(FF-guts) Waterfox vs. Librefox (Firefox + gHacks)

I've not dug into that but perhaps someone should. The problem with letting Tor Browser stand as the only Firefox implementation is that it can't handle profiles. So if a user wants a secure way to do profiles using a Firefox-based client then one of these might be the answer.

(edit) Starting to dig in a little... Waterfox has had lags of ~9-14 days on security updates. Librefox wouldn't have that problem.

PTIO's focus is mass surveillance and FF-raw defaults to sending telemetry data. PTIO should put its own mission above all. It seems Waterfox is more suitable than FF-raw for endorsement, but the listing should warn users about the security update lag and let them decide. These are the relevant features to PTIO:

For me ATM, FF-raw is a loser. Endorsement should go to Waterfox or Librefox. Someone needs to dig into the pros and cons of Waterfox and Librefox strictly in terms of mass surveillance and present their findings.

(Chromium-guts) Brave vs. Ungoogled Chromium

> Brave - how can whitelisting Facebook & Twitter trackers by default be seen as "privacy centric?"

Indeed it's a problem. Ad blocker projects usually profit by kickbacks from advertisers in exchange for favorable treatment. Ads are already unfair, creating an arms race whereby vendors are forced to push ads to offset damage done by their competitors' ads. Then ad blocker projects like Brave manipulate ad exposure to game it to be even less fair.

I looked into Chromium-based browsers a year or so ago and short-listed these for a closer look:

- https://github.com/eloston/ungoogled-chromium (sources from Iridium and Inox)
- https://iridiumbrowser.de/ (ungoogled-chromium sources from it)
- https://epicbrowser.com/ (mac/pc only)
- https://www.comodo.com/home/browsers-toolbars/browser.php (windows only)
- https://en.wikipedia.org/wiki/Brave_%28browser%29 (ad replacement)
- https://github.com/gcarq/inox-patchset
- http://otter-browser.org/

In the end I favored Ungoogled Chromium. I didn't keep good notes so I don't recall why it came out ahead, but it's certainly harder to trust Brave with all its controversy and advertising shenanigans.

"Web Browser" category is in the wrong place

It shouldn't be at the top level. It's software, and should be under the software category.

dm17 commented 5 years ago

Thanks @libBletchley, very concise reply.

Would be nice if the folks that thumbed down my post (Mikaela, lumbo7332, abbluiz, ookangzheng) would state their reasons why. I don't see how to @ them though.

beerisgood commented 5 years ago

> Mozilla develops at an unstable speed as they tend to push frills and extra features. It's actually wise to stay behind a bit because the feature richness they always chase actually causes security bugs. Users on the chronic upgrade path are always exposed to the highest number of unknown bugs, which are more risky than known bugs that can be controlled for if needed.

Then I ask you: why are the builds all stable? Even the beta build (I never test alpha builds). Also, you recommend a Chrome/Chromium fork which does the same, but has a lot worse privacy.

All Chrome/Chromium forks still send data to Google and none of them remove or disable all Google telemetry. Only in Firefox can you do that, in about:config or with a user.js -> see gHacks user.js

> Mozilla :heart:'s CloudFlare

I guess you mean the encrypted DNS stuff? Well, you know that Google does the same, right? Not with CloudFlare but with their own DNS. Mozilla has a deal with CloudFlare to respect user privacy. You don't have that with Google
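The thread keeps coming back to what a stock Firefox profile sends out by default versus what Waterfox strips or a gHacks-style user.js switches off (telemetry and health-report uploads, Normandy/Shield studies, Pocket, EME/DRM, and the Cloudflare DoH resolver). The audit script below is an added example written for this discussion, not PTIO's, Librefox's or the ghacks project's own tooling: it parses a profile's prefs.js or user.js, reports which of those settings are still at the Firefox default, and emits the user_pref() lines that would fix them. The pref names are real Firefox preferences; the "wanted" values and the sample profile are constructed assumptions of this example.

```python
"""Audit a Firefox prefs.js / user.js for the privacy settings argued over above."""
import re
import sys
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# Real Firefox pref names; the target values are the hardened choices a
# gHacks-style user.js makes (assumed for this example, not an official list).
WANTED: Dict[str, PrefValue] = {
    "toolkit.telemetry.enabled": False,
    "toolkit.telemetry.unified": False,
    "datareporting.healthreport.uploadEnabled": False,
    "datareporting.policy.dataSubmissionEnabled": False,
    "app.shield.optoutstudies.enabled": False,   # Shield studies
    "app.normandy.enabled": False,               # remote pref/experiment pushes
    "extensions.pocket.enabled": False,
    "media.eme.enabled": False,                  # EME/DRM
    # 0 (default) also disables DoH; 5 records the "off by choice" decision
    # explicitly so a later update cannot silently enable the Cloudflare TRR.
    "network.trr.mode": 5,
}

# Matches lines such as:  user_pref("toolkit.telemetry.enabled", false);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a partially hardened profile (not a real prefs.js).
SAMPLE_PREFS = """\
// Mozilla User Preferences  (constructed sample)
user_pref("toolkit.telemetry.enabled", false);
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("extensions.pocket.enabled", true);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
"""


def parse_value(raw: str) -> PrefValue:
    """Convert the literal on the right-hand side of user_pref() to a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    try:
        return int(raw)
    except ValueError:
        return raw  # unknown literal: keep it verbatim rather than guess


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Later lines win, exactly as Firefox applies a prefs file top to bottom."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (pref, problem) for every wanted pref that is missing or wrong."""
    prefs = parse_prefs(text)
    findings: List[Tuple[str, str]] = []
    for name, wanted in WANTED.items():
        if name not in prefs:
            findings.append((name, "not set (Firefox default applies)"))
        elif prefs[name] != wanted:
            findings.append((name, f"set to {prefs[name]!r}, expected {wanted!r}"))
    return findings


def format_value(v: PrefValue) -> str:
    """Render a Python value back into user.js literal syntax (bool before int!)."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, str):
        return '"' + v.replace('"', '\\"') + '"'
    return str(v)


def fix_lines(text: str) -> List[str]:
    """user_pref() lines which, appended to user.js, clear every finding."""
    return [f'user_pref("{name}", {format_value(WANTED[name])});'
            for name, _ in audit(text)]


if __name__ == "__main__":
    # Usage: python audit_prefs.py [path/to/prefs.js]; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PREFS
    for name, problem in audit(source):
        print(f"{name}: {problem}")
    print("\n# append to user.js:")
    print("\n".join(fix_lines(source)))
```

Appending the emitted lines to the profile's user.js (not prefs.js, which Firefox rewrites) is the same mechanism the gHacks user.js relies on, so re-running the audit after an upgrade shows whether any of these prefs were reset.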

ghost commented 5 years ago

@dm17 I hope whoever makes these decisions (@BurungHantu1605?) would ignore votes. Votes just indicate what idea is popular but there are plenty of down-voted yet uncountered posts. An uncountered argument is an argument conceded.

I started a ditch Github thread and downvotes came but not a single good reason was given to put GH over the alternatives from a mass surveillance standpoint. Decision makers would be foolish to give much consideration to votes.

I have yet to see a good case for FF-raw in this thread.

ghost commented 5 years ago

> Then I ask you: why are the builds all stable?

This begs the question. I've seen Firefox deploy unstable crash-prone releases, and they've even escaped the quality control of Debian. I had to pin an old version to get something that simply functions for a while. Stability is a clear weakness for Firefox.

> All Chrome/Chromium forks still send data to Google and none of them remove or disable all Google telemetry.

If that's true users should be warned of that on PTIO (in the Brave endorsement). And if you've found a bug in Ungoogled Chromium, have you reported it? Or is there an existing bug report? I would be interested in seeing what you're talking about specifically with U/C.

Chromium has pros and cons but it's not easily dispensable because most webmasters target it (I think @five-c-d mentioned this as well -- Firefox only has like 5% of the market). PTIO should endorse the lesser of Chromium-based evils, as well as a lesser of Firefox-based evils, and take care to make it clear which is the lesser of those evils.

uMatrix does not exist on Firefox IIRC, and the alternatives are dicey.

I use TB, UC, and FF-raw; giving up any of the 3 would be problematic^1 (although I should replace ff-raw with either librefox or waterfox). I've only hesitated because FF-raw is official Debian, and giving that up steps outside of Debian's generally decent QA. That's the one advantage to FF-raw, but it's unique to users of Debian-based OSs.

(1) Using privacy-focused add-ons breaks websites in various ways that are not always trivial to fix and tend to sidetrack workflow. So when FF + \ breaks a site, often Ungoogled Chromium + uMatrix (and others) will produce a functional privacy-centric result.

beerisgood commented 5 years ago

> All Chrome/Chromium forks still send data to Google and none of them remove or disable all Google telemetry.
>
> If that's true users should be warned of that on PTIO (in the Brave endorsement). And if you've found a bug in Ungoogled Chromium, have you reported it? Or is there an existing bug report? I would be interested in seeing what you're talking about specifically with U/C.

Just check it yourself?! Also, did you read the project description of the browser you use? Then you would know that they don't remove all Google telemetry/tracking/services. None of the forks do.

> Chromium has pros and cons but it's not easily dispensable because most webmasters target it (I think @five-c-d mentioned this as well -- Firefox only has like 5% of the market). PTIO should endorse the lesser of Chromium-based evils, as well as a lesser of Firefox-based evils, and take care to make it clear which is the lesser of those evils.

Firefox is still the best browser for privacy and security. No matter if it's 5% on some suspicious statistics.

> uMatrix does not exist on Firefox IIRC, and the alternatives are dicey.

What? Kidding? https://addons.mozilla.org/en-US/firefox/addon/umatrix/ It has existed for many years for Firefox. Same as uBlock Origin

> (1) Using privacy-focused add-ons breaks websites in various ways that are not always trivial to fix and tend to sidetrack workflow. So when FF + breaks a site, often Ungoogled Chromium + uMatrix (and others) will produce a functional privacy-centric result.

Chrome/ Chromium and Privacy are two different worlds. You can't get privacy with such a browser. No matter which addons or configs you use. See above

angela-d commented 5 years ago

> I have yet to see a good case for FF-raw in this thread.

Pushing a privacy newb to a Chromium-based browser is very uncool. A lot of people take PTIO at face value and place 100% trust in their offerings.

Firefox, as much as I detest what Mozilla has become, is the lesser of all evils when it comes to privacy. Firefox + the about:config / profile hacks are perfect for people just getting their feet wet.

The people that run this site seem to have a dislike for the Firefox forks, I doubt you will ever see them posted. Those that take issue with Mozilla's behavior will find them on their own, as I and many others have.

This site would lose a lot of credibility if they started suggesting Google browsers.

ghost commented 5 years ago

> Just check it yourself?! Also, did you read the project description of the browser you use? Then you would know that they don't remove all Google telemetry/tracking/services. None of the forks do.

Nothing in the project description on this page:

https://github.com/eloston/ungoogled-chromium

supports your claim. This is why it's important to cite your sources, when asked. I could dig through bug reports and try to guess what it is that you're talking about, but in the end it's only a guess and your claim is vague.

Exactly what information is Ungoogled Chromium sending to Google?

> Firefox is still the best browser for privacy and security.

If you're talking about FF-raw, you've contradicted your statement about gHacks. Please be clear about which "Firefox" you are referring to.

> No matter if it's 5% on some suspicious statistics.

Most users don't tamper with the user-agent string, so I see no reason to consider the stats suspicious.

ghost commented 5 years ago

> Pushing a privacy newb to a Chromium-based browser is very uncool. A lot of people take PTIO at face value and place 100% trust in their offerings.

In effect, you are saying remove Brave and replace it with nothing Chromium based. Yet, you've not made a case for Ungoogled Chromium leaking data.

> Firefox, as much as I detest what Mozilla has become, is the lesser of all evils when it comes to privacy. Firefox + the about:config / profile hacks are perfect for people just getting their feet wet.

At first you seemed to be talking about FF-raw. But it's implied you're actually talking about Librefox, correct? Please be clear.

> The people that run this site seem to have a dislike for the Firefox forks, I doubt you will ever see them posted. Those that take issue with Mozilla's behavior will find them on their own, as I and many others have.

We are not here to please those running the site or to tell them what they want to hear. We are exposing privacy abuses and countermeasures. Those making the decisions can do what they want with the information. I'm not here to filter or bend the findings to their taste or to fit into their pre-existing world views.

> This site would lose a lot of credibility if they started suggesting Google browsers.

Credibility is already on the low side, and Ungoogled Chromium is not a "Google browser". If the unfiltered information about privacy abuses and countermeasures is disregarded, that's what harms credibility.

dm17 commented 5 years ago

@libBletchley Agreed; I have no idea what you're talking about @angela-d. No one is "pushing" anything; this issue is about removing Firefox, which is not acceptable as a "privacy recommendation" compared with the alternatives. Please state why it is "uncool" to recommend a chromium-based browser (which is sort of off-topic in this thread). How is ungoogled-chromium a "Google browser?" It is even in the name that it is not... Perhaps you have access to evidence that we do not?

dm17 commented 5 years ago

> Firefox is still the best browser for privacy and security. No matter if it's 5% on some suspicious statistics.

You have stated this opinion before, and I am happy to look at any evidence for it... But so far no one in this thread has supported that claim with evidence. Furthermore, I would like to truncate this conversation to one topic at once (not both privacy & security, but just privacy - for now). Furthermore, if Waterfox is Firefox minus some privacy-leaking behaviors, then how is it not self-evidently better?

@beerisgood, @angela-d also mentioned that you cannot get privacy with ungoogled-chromium... Can you please cite some evidence for this? Theoretically, if you have a browser leaking information about you (chromium in this example), then you strip out the code that is responsible for that information leaking - why is that invalid or impossible?

angela-d commented 5 years ago

@libBletchley

I stand corrected, the leaks I had read about were, of course, vanilla Chromium based.

At first you seemed to be talking about FF-raw.

I am

But it's implied you're actually talking about Librefox, correct? Please be clear.

The forks in general, here. They aren't listed and don't seem like they ever will be. There's been a lot of posts suggesting the same forks in different threads, yet they chose Brave over all of them.

We are not here to please those running the site or to tell them what they want to hear.

Only a select few can push changes to the site, no? So yes, you have to "please" them or your commits don't get pushed.

ghost commented 5 years ago

The forks in general, here. They aren't listed and don't seem like they ever will be.

Waterfox is a fork, but Librefox is not. Librefox is standard FF with a series of gHacks. I'm not sure if the PTIO config changes you linked to are wholly the same as what composes Librefox, but I see that ghacks-user.js is there. PTIO makes no mention of Librefox, so it would be useful to know how PTIO's config differs from Librefox.

One of the problems is that "Mozilla Firefox" is endorsed, and then further down the page users are given a series of tasks to harden it. That style of mass surveillance avoidance will fail the lazy masses. If the endorsement were for "Librefox" instead of "Mozilla Firefox", and included a statement on the spot about steps required to make it "Librefox", that would be more compelling than endorsing FF-raw and then listing optional tasks further down.

We are not here to please those running the site or to tell them what they want to hear.

Only a select few can push changes to the site, no? So yes, you have to "please" them or your commits don't get pushed.

Those with the power have to go along in the end for something to change, but it would be backwards to let guesswork about what will be liked influence the findings - like when a UK prime minister orders scientists to discover that marijuana is harmful, it's a disservice to all for the scientists to undermine scientific principles to get the demanded result. If we find that Waterfox is better at avoiding mass surveillance then that's what should be presented regardless of whether it compels action.

dm17 commented 5 years ago

Only a select few can push changes to the site, no? So yes, you have to "please" them or your commits don't get pushed.

Well that is worrisome! Perhaps they're taking money or have interests over privacy? Perhaps you have more information about this? It is well known that well-funded companies fund seemingly unrelated sites (like privacytools.io potentially) to market their products.

Perhaps I'll make another thread recommending to remove Brave. It is obviously more interested in pleasing advertisers than protecting customers.

five-c-d commented 5 years ago

Perhaps they're taking money

Yes, and perhaps they are secretly alien invaders with big tentacles instead of eyeballs! Maybe they just built privacyToolsIO and invested hundreds of hours of time for free trying to thwart mass surveillance, because they have something to hide: their alien mothership on the dark side of the moon, whilst sending pod-people to infiltrate humanity! Oh nohz!

Hint: Please. Do. Not. Start. This. Kind. Of. Stuff.

Perhaps I'll make another thread recommending to remove Brave

Sure, nothing wrong with having that discussion. But please be aware that privacyToolsIO is not about purity of essence, and it is aimed at a broader userbase than people who are willing to hand-compile their own ELinks for OpenBSD so as to avoid the slim possibility of JPEG-file-format zero-day remote arbitrary code execution exploits. Nine out of ten website-visitors are running a flavour of Chromium, and privacyToolsIO has to recommend a flavour-or-two of chromium that

Rather than looking at things from the purist perspective (if it ain't perfect then remove it), try to look at things from the pragmatic perspective (what tools satisfy A+B+C the best and which of them is currently best-in-class for everyday endusers and which of them is WorthMentioning for hardcore endusers willing to go the extra mile).

One of the problems is that "Mozilla Firefox" is endorsed, and then further down the page users are given a series of tasks to harden it. That style of mass surveillance avoidance will fail the lazy masses

No, you are wrong: the word 'fail' implies a failure. That pathway is exactly what the masses need, to incrementally upgrade their privacy-consciousness and their toolkits.

the issue here is monkey

9 out of 10 people run *Chrome* or a knockoff thereof (msEdge/appleSafari/opera/etc) which are purposely built to monitor the habits of the enduser, direct the enduser to specific search engines, and so on -- browsers with built-in-adverts are not the norm, but browsers are very much indirectly facilitating the advert industry and the user-profiling biz. If you want them to get out of that, you have to give them something they can put to use **immediately** which does *not* have a learning-curve like the Matterhorn. Partly that is usability, but partly it is existing rep. Most people have heard of firefox -- and likely used it in the past in some form, if they have been alive long enough. It is a well-known brand with a decent reputation amongst the public. Specifically, *unlike* Tor which is either an unknown or a negative-reputation to a very large slice of humanity. Firefox is not perfect, by any stretch, but *let not the perfect be the enemy of the good-enough-for-now*. And especially not when what the masses will use INSTEAD is typically going to be Chrome-on-Windows and Chrome-on-GooglizedAndroid! "Firefox on all platforms" is the recommendation of privacyToolsIO because it is a large incremental improvement over that base-level-state. The section on installing hardening-tweaks via about:config and/or ghacks, as well as the section immediately above on hardcore addons like NoScript, **is a good thing** because it once again incrementally improves privacy-levels for individual endusers. Using firefox instead of chrome-and-knockoffs is a fairly easy-to-stomach upgrade for most endusers. They can keep using the internet the way they are used to. They can get assistance from a vast number of forums and helpdocs and walkthrus and such. Firefox concentrates hard on being compatible with 99.99% of the websites out there which matter to endusers.

Once they HAVE made the leap to a browser used by the 10% of somewhat-privacy-conscious folks, it is possible they will go further, and join the 1% -- hardcore-privacy-conscious folks which run TorBrowser-the-firefox-ESR-fork, or misnomer-Librefox-the-firefox-alt-config, or somewhat more simply stock-firefox-with-NoScript-and-uMatrix-and-all-the-trimmings. But one step at a time, is the key to this happening someday, not "anybody who does not handcompile ELinks is a lazy sheeple"

Firefox is still the best browser for privacy and security

This is not a true statement, without the qualifiers, but it is essentially correct. Firefox is the best browser for privacy and security, that the masses are likely to actually install, if they are only somewhat-privacy-conscious and not interested in hassle of a niche-browser. If you want to fight mass surveillance, you need to help the masses, incrementally. So that makes firefox the proper browser for privacyToolsIO to recommend, either top1 or top2, depending on what the intended audience/readership is. Right now the list is TorBrowser + Firefox + Brave, followed by tweaks to harden firefox (some straightforward and some complex/arcane/hassle). Which is not perfect but is solid. One could argue for Firefox + TorBrowser + Brave, or maybe even Firefox + Brave + TorBrowser, and still have the 9-out-of-10-use-chrome-based-masses firmly in mind. But several people in this thread seem to mistakenly believe that not only must firefox be completely removed as no better than GoogleChrome, but also that brave should be junked as no better than GoogleChrome. This would give a fundamentally altered top3, possibly Waterfox + ungoogledChromium + TorBrowser if @dm17 got their way, or ELinks + ungoogledChromium + TorBrowser if @libBletchley had their druthers... if I'm slightly wrong on the exact picks or exact ordering, apologies, but I'm not FAR wrong. Nothing really incorrect with those ... **iff** the audience is hardcore privacy cipher-punk humans, the small slice of humanity that ALREADY cares a lot, and is ALREADY willing to go the extra mile. But that is no longer fighting mass surveillance, that is just, insiders swapping insider-tips with each other. Completely different target-audience, completely different idea of who the readership is, and is very much no longer trying to help the masses: indeed, the whole point of insider-tip-lists like that is to feel superior to the masses ('they are just lazy' kind of contrast to insiders). Yes, most people are lazy, if you define that as "unwilling to spend dozens of hours re-installing all their tools every few months for getting the best-of-the-best-of-the-best" in privacy-respecting purity.

If only everybody really deeply cared about privacy, that might even work! But we live in a reality where most people cannot even spell metadata, let alone tell you what it means. They won't install random binaries from the internet they have never heard of, either, because it has been drilled into them that this is ludicrously poor infosec/opsec. (Which is true.) And no, they won't invest dozens of hours researching tools, followed by dozens of hours carefully installing and configuring all of the results of that r&d effort.

They are reading privacyToolsIO for some helpful "double your privacy-level with this one cool tip" type of thing. That is the audience: everyday people, not hardcore wizards.

dm17 commented 5 years ago

Perhaps they're taking money

Yes, and perhaps they are secretly alien invaders with big tentacles instead of eyeballs! Maybe they just built privacyToolsIO and invested hundreds of hours of time for free trying to thwart mass surveillance, because they have something to hide: their alien mothership on the dark side of the moon, whilst sending pod-people to infiltrate humanity! Oh nohz!

Hint: Please. Do. Not. Start. This. Kind. Of. Stuff.

Interesting that you feel comfortable mocking me like this. You must be some kind of authority here. I'm going to stick to the argumentation below:

Perhaps I'll make another thread recommending to remove Brave

Sure, nothing wrong with having that discussion. But please be aware that privacyToolsIO is not about purity of essence, and it is aimed at a broader userbase than people who are willing to hand-compile their own ELinks for OpenBSD so as to avoid the slim possibility of JPEG-file-format zero-day remote arbitrary code execution exploits. Nine out of ten website-visitors are running a flavour of Chromium, and privacyToolsIO has to recommend a flavour-or-two of chromium that

I did not claim privacyToolsIO is about purity of essence. This also seems like mocking my efforts here to get the easiest to use privacy option to the masses. Can you point to any of my suggestions that would decrease ease of use for the masses? For instance, people on all platforms can easily click a download-and-install binary on the Waterfox website. OpenBSD is not a from-source distro, and someone running OpenBSD would merely install Elinks from the ports system. So again, this just sounds like you're mocking me.

  • A) is decently privacy-respecting despite the upstream vendor of that entire codebase,

Decently? Why down play it? If there are easy-to-install and more privacy-respecting alternatives, then why not a "greatly privacy-respecting" recommendation?

  • B) is not going to subvert any privacy-gains due to security-holes which result in endpoint-pwn'age, plus

Can you be more specific here about which browser recommendations would result in "endpoint-pwn'age"?

  • C) is well-maintained enough and user-friendly enough and easy-to-install enough that everyday folks will not backslide and start using Chrome again.

Can we address why Waterfox, for example, does not fulfill this?

Rather than looking at things from the purist perspective (if it ain't perfect then remove it), try to look at things from the pragmatic perspective (what tools satisfy A+B+C the best and which of them is currently best-in-class for everyday endusers and which of them is WorthMentioning for hardcore endusers willing to go the extra mile).

I'm not saying there should be a "top 3" - or "if it ain't perfect then remove it." I'm saying, why not pick the top 3 that are easy to install for the masses in terms of privacy. What is the evidence for lack of pragmatism in this suggestion? Again, why is Waterfox so "hardcore?" I don't think basic privacy respect is hardcore.

One of the problems is that "Mozilla Firefox" is endorsed, and then further down the page users are given a series of tasks to harden it. That style of mass surveillance avoidance will fail the lazy masses

No, you are wrong: the word 'fail' implies a failure. That pathway is exactly what the masses need, to incrementally upgrade their privacy-consciousness and their toolkits.

You want the masses to incrementally upgrade their privacy? Seems reasonable, but if there is an easier path, then why not recommend it?

the issue here is monkey If only everybody really deeply cared about privacy, that might even work! But we live in a reality where most people cannot even spell metadata, let alone tell you what it means. They won't install random binaries from the internet they have never heard of, either, because it has been drilled into them that this is ludicrously poor infosec/opsec. (Which is true.) And no, they won't invest dozens of hours researching tools, followed by dozens of hours carefully installing and configuring all of the results of that r&d effort.

Are you implying here that non-mainstream browsers like Waterfox are "random binaries"? I agree that people should have to spend lots of time researching tools; I take that as one of the primary purposes of sites like privacyTools - and is the reason why I want to contribute back to it after my research into why Firefox is not a browser that is good for privacy.

If you want them to get out of that, you have to give them something they can put to use immediately which does not have a learning-curve like the Matterhorn.

No one here suggested Matterhorn. Why stress "immediately?" The suggestion in this thread was Waterfox as a privacy-respecting Firefox - can't it be used just as immediately?

Most people have heard of firefox -- and likely used it in the past in some form, if they have been alive long enough.

I don't get how this adds to your argumentation that it should be suggested to them.

It is a well-known brand with a decent reputation amongst the public.

If a browser is starting to invade privacy more and more, then why should privacyTools continue to reinforce this reputation?

Specifically, unlike Tor which is either an unknown or a negative-reputation to a very large slice of humanity.

I don't get this. Tor is in the #1 recommendation slot on privacyTools. If public reputation plays a factor, then why is Torbrowser a top recommendation? If public reputation is not a factor, then your previous claim does not make sense.

They are reading privacyToolsIO for some helpful "double your privacy-level with this one cool tip" type of thing. That is the audience: everyday people, not hardcore wizards.

Again, I'm not implying the audience is wizards. This is a straw man argument. If you think this is not a straw man argument, then you need to state who is arguing that the audience of privacyTools should be more adept or is wizards. Again, I'm arguing that the audience should not have to be so adept to figure out - against the recommendation of privacyTools - that Firefox is not a very privacy conscious choice.

five-c-d commented 5 years ago

Interesting that you feel comfortable mocking me

I'm not mocking you, I'm pointing out you are "rhetorically" accusing the six people that run this project of being paid plants of the mass surveillance giants.

Perhaps they're taking money

Do not do that. There is an edit-button on your post where you did that. Edit out your slur, and I will happily remove my analogy pointing out how ludicrous your accusation is ("on nohz maybe the people running the site are invaders from planet zorg"). Both of those hypotheticals are completely groundless conspiracy theories. If you really have evidence, then post it immediately, right now. If you have no evidence, then you are behaving so badly in "merely" positing the hypothetical, that you either recognize what you are doing is wrong, and fix the situation by striking the wrong thing you did... or you fail to do so. Pick one or the other. But no, the person in the wrong here is you, not me.

which browser recommendations would result in "endpoint-pwn'age"?

Ones that have relatively lower security: lagging patch-level, lack of personnel concentrating on security-problems, lack of eyeballs reviewing the codebase, potential MitM opportunities in the distribution-chain, etc. Librefox is better in this respect than Waterfox, which is better than PaleMoon, which is better than MSIE6 on winXP (hundreds of thousands of these still hitting wikipedia), which is better than MSIE6 running on Win98 still (thousands of these!).

TorBrowser is probably slightly ahead of Librefox because it has more people involved that are competent when it comes to security... the old with-enough-eyeballs-all-bugs-are-shallow kind of thing. Firefox has some problems, but the average grandpa can install it from a well-known place and let the auto-updates take care of security, for the most part. This is not the-best-of-the-best-of-the-best security, mind you: it is just, good enough for what grandpa can stomach, so that he is not backsliding to Chrome at some point. Brave browser I'll save for your new thread about the evils of Brave ;-) [edit: see below for Brave-vs-PaleMoonAndBasilisk]

well-maintained enough

why Waterfox, for example, does not fulfill this?

Waterfox has one single dev, correct? It is not in privacyToolsIO 'worth mentioning' section at this point, let alone in the top3. Your proposal is to eliminate firefox entirely, rather than demoting it to the worthMentioning section, and promote waterfox immediately into the top3.

I don't get this. Tor is in the number one recommendation slot on privacyTools. If public reputation plays a factor, then why is Torbrowser a top recommendation?

What plays a factor, to my knowledge, is A) whether the project is widely vetted and widely respected, and B) the balance of the amount of privacy provided with the amount of ease-of-use plus ease-of-installation plus likelihood the project remains viable, aka sustainability.

pretty clear who has a well-vetted reputation

TorBrowser is pretty widely vetted and (amongst privacy-nerds) pretty widely respected, and gives a large amount of privacy without a SEVERE amount of hassle. It is definitely a two-wizards tool however: you cannot expect to just install it and go about browsing as usual, there will be hiccups along the way. See also, using firefox+noscript, which is recommended but with a caveat. Firefox with addons is very widely vetted and (amongst privacy-nerds) reasonably respected ... despite screwups repeatedly over the years, Mozilla is still a reasonable option, compared to the major-browser-alternatives. It is a one-wizard tool: install it and install some addons from the well-known place and go. Incrementally return to tweak further: even better. Waterfox is not widely-vetted, it has an extremely small userbase and an even smaller number of developers. It is, unlike TorBrowser which is ESR-based and unlike Librefox which is current-rolling-release-based, in that twilight zone of old-version-with-manual-backports ... thus, even if it hypothetically had tenfold as many devs as TorBrowser, the waterfox project is structurally harder to vet. 
You can get a sense of how many eyeballs are looking into a given project, by using wikipedia pageviews as a proxy-measure:

* ~60% marketshare, GoogleChrome == ~300k/mo
* ~12% marketshare, Safari == ~60k/mo
* ~6% marketshare, Firefox == ~120k/mo
* <1% marketshare, Tor, including TorBrowser == ~130k/mo [max]
* <1% marketshare, Chromium upstream project == ~50k/mo
* <<1% marketshare, BraveBrowser == ~20k/mo
* <<1% marketshare, Waterfox == ~10k/mo
* <<1% marketshare, PaleMoonAndBasilisk == ~10k/mo
* <<<<1% marketshare, ELinks == ~3k/mo
* <<<<1% marketshare, UngoogledChromium == no wikipedia page at all (pageview stats are not made public when 404 is the result) [but max 50k]
* <<<<1% marketshare, LibreFox == no wikipedia page at all (pageview stats are not made public when 404 is the result)

If you don't like wikipedia pageviews, you can use alexa pageranks, or subreddit subscriber-counts, or google queryzeitgeist, or various other things. They all give the same answers, about which projects are dominant (Chrome), which projects are significant (Firefox and Safari), which projects are niche but well-vetted (TorBrowser), which projects are very niche but somewhat-well-vetted (BraveBrowser and Chromium), and which projects are ultra-niche and less-well-vetted (Waterfox and PaleMoon and clinging-for-dear-life-to-relevance ELinks). The same nums also tell us, as well, which projects are so esoteric they do not even have a wikipedia article yet, and cannot be well-vetted by the normal english definition of the word well and the word vetted: Librefox and UngoogledChromium.

pretty clear who is arguing for the wizards

If the target audience of the site is the masses, recommending things that are to the far end of the esoterica spectrum will backfire: they will trust in the reputation that privacyToolsIO has been cultivating, and install some random binary from some random site on the internet. Which will end poorly. Not just for the people that got burned: for privacyToolsIO, whom they will blame for the improper recommendation. If the target audience of the site is insiders that are willing to invest dozens of hours, then recommending only the best-of-the-best-of-the-best esoteric tools with a large amount of hassles, a higher possibility of vetting-trouble, and so on... well, that is fine. But it changes the character of the website, and makes it useless to grandpa, in the process. No offense to grandfathers -- plenty of them are extremely tech savvy, have endless hours to research tools and tweak configurations (benefit of being retired), and care deeply about old-fashioned ideals about privacy. But the average grandfather is just like the average person: not that wizardly, does not have the stomach for extreme hassles, only cares somewhat.

who is arguing that the audience of privacyTools should be more adept or is wizards

Definitely @libBletchley :-) This is the same argument they have against signalapp, which they want to replace with Jami-fka-RingCx-fka-SFLphone, on the basis of "vetting does not matter and privacyToolsIO must only recommend the best-of-the-best-of-the-best tools without regard to hassles and hiccups". 99% of their arguments are political in nature, not technical. To a lesser extent yourself @dm17 since you are wanting to drop all the somewhat-mainstream options and start listing the ultra-niche ones in the top3. If you were arguing that Waterfox should be in worthMentioning, that is one thing, but you are specifically arguing that two of the current top3 should be deleted en toto, and you are arguing mostly on political grounds (the GabDissenter thing and how it was handled) rather than on privacy-of-the-enduser grounds.

Firefox is not a very privacy conscious choice

If you want Firefox demoted from the top3 and put into worthMentioning, then you have to make the argument, and show what should replace it -- aka is relatively better in all key aspects (where "key aspects" is determined by the target audience's implied needs rather than on some absolute uber-privacy-nerd scale). Firefox, even without addons, is better than Chrome, which is what the majority of people run. Firefox, with a handful of addons -- helpfully right on the same page firefox is recommended -- is a VERY good step up. Some people will keep taking that route, and apply all the tweaks, eventually and incrementally.

Some people will switch gears, and use TorBrowser-aka-Firefox-ESR instead. (Ask yourself: since TorBrowser is based on a delayed-by-a-few-months respin of Firefox, doesn't that make every single politically-based argument you are putting forth against Mozilla Foundation, apply to TorBrowser-a-few-months-from-now? If not, why not?)

Is firefox a maximally-privacy-conscious choice? Nope. Does that mean demotion? Maybe, show me the alternative which Dave-in-Denmark can use as easily and with as few hassles, yet gives about-equal security-levels and significantly better privacy-levels. Does that mean not just demotion to worthMentioning, but outright deletion? Unlikely, unless there are enough other tools to REALLY fill the gap. And there are not. Browsers are tough.

ghost commented 5 years ago

One of the problems is that "Mozilla Firefox" is endorsed, and then further down the page users are given a series of tasks to harden it. That style of mass surveillance avoidance will fail the lazy masses

No, you are wrong: the word 'fail' implies a failure.

It is a failure. It fails in a variety of ways:

Note as well that those who advocate "Firefox" in this thread are exploiting the same ambiguity described in the first bullet. They advocate FF-raw, and then when issues are pointed out they back-pedal and advocate FF with hacks, which isn't the same thing and also not what most users are led to.

(edit) I missed this: "Don't forget to adjust the settings according to our recommendations: WebRTC and about:config and get the privacy add-ons." So apparently FF-raw is not endorsed, and I overlooked that due to sloppy speed reading.. I probably saw "Firefox is fast, reliable, open.." and quit reading the box at that point.

BTW, "reliable" should be removed. Firefox is not reliable; it is buggy. PTIO doesn't need to sell reliability and it only serves to mislead and appear biased. Even if a particularly stable version is on offer at some moment in time, no browser is "reliable" after it's hardened. Hardening inherently breaks a lot of sites and users should expect that.

That pathway is exactly what the masses need, to incrementally upgrade their privacy-consciousness and their toolkits.

It's exactly what fails most users. Incremental labor-intensive approaches are non-starters for the general public. While it's useful for enthusiasts to get that info, the current presentation disservices the masses to help a few.

A design that mitigates this problem while still catering for enthusiasts and tinkerers would be to endorse Waterfox at the top, with a statement "or if you prefer to harden plain Firefox, scroll down for hands-on instructions".

iff the audience is hardcore privacy cipher-punk humans,

It's the status quo that requires extra diligence and attention from the user, not what's being proposed.

Rather than looking at things from the purist perspective (if it ain't perfect then remove it), try to look at things from the pragmatic perspective (what tools satisfy A+B+C the best and which of them is currently best-in-class for everyday endusers and which of them is WorthMentioning for hardcore endusers willing to go the extra mile).

Rather than neglecting some perspectives, try to look at all perspectives and advocate the lesser of evils for the baseline group of normies who are unlikely to manually hack their configs. It would be a straw man to claim anyone is saying "if it ain't perfect then remove it", because no one is advocating for an empty page.

Waterfox is not widely-vetted, it has an extremely small userbase and an even smaller number of developers.

Waterfox is a fork of code you're claiming to be well vetted, which means the code has had the eyes of its own project plus the eyes of the parent. The eyes of the parent don't see the privacy-focused changes, but let's not lose sight of the target PTIO visitor and split hairs and undermine changes made directly to facilitate privacy whilst using market share as an obtusely blunt instrument by which eyes-on-code is measured. The Waterfox changes are also removals to a large extent. Removing Pocket removes bugs (all code has bugs). Waterfox also has less code to review -- less code if you review the whole project, and also if you just review the changes from FF stock that's likely manageable for just one person.

dm17 commented 5 years ago

@five-c-d said, "Waterfox has one single dev, correct?" Another disingenuous argument. I don't know how many developers work on Firefox, but for the sake of this discussion let's say "50." Ok, so Firefox has 50 and Waterfox has 1? No! Waterfox encapsulates Firefox for the most part. So Waterfox has what Firefox has + 1 developer who strips out privacy-invading features from Firefox as his primary task.

@libBletchley You said, "(edit) I missed this: "Don't forget to adjust the settings according to our recommendations: WebRTC and about:config and get the privacy add-ons." So apparently FF-raw is not endorsed, and I overlooked that due to sloppy speed reading.. I probably saw "Firefox is fast, reliable, open.." and quit reading the box at that point."

So you're a wizard (according to @five-c-d) and you still missed this?! Just goes to show the high expectations on average users! I'm not going around in circles with you @five-c-d until you start addressing the root of these arguments. Here's a brief summary of arguments you've not addressed:

1) Staying behind the latest Firefox does not necessarily reduce Waterfox's security
2) The fact that Waterfox is merely Firefox minus many privacy invasive aspects
3) The fact that Waterfox is just as easy to install as Firefox
4) The fact that Waterfox can also auto-upgrade (you said, "...but the average grandpa can install it from a well-known place and let the auto-updates take care of security...")
5) The fact that it is disingenuous to say Waterfox only has 1 developer
6) Why saying "perhaps" there are monetary motivations behind the proliferation of browsers is a "slur," as you claimed.

@five-c-d, you last said, "If you want Firefox demoted from the top3 and put into worthMentioning, then you have to make the argument, and show what should replace it..." This is just dishonest. Myself and others in this thread have made arguments as to why Firefox deserves demotion as a top privacy browser. You have the right to ignore our argumentation, but I find it dishonest to claim that we have not made arguments as to why other browsers are "relatively better in all key aspects" than Firefox for an average user's privacy.

angela-d commented 5 years ago

Well that is worrisome! Perhaps they're taking money or have interests over privacy? Perhaps you have more information about this? It is well known that well-funded companies fund seemingly unrelated sites (like privacytools.io potentially) to market their products.

Browse the closed pull requests and other issues. A lot of really good debates have taken place and they just get closed, with no explanation, by one of the moderators.

Not every PR is worthwhile and nobody owes it to anyone to commit a PR, as with any project; but the lack of explanation for refusing some of the commits after a lively debate is interesting.

Perhaps I'll make another thread recommending to remove Brave. It is obviously more interested in pleasing advertisers than protecting customers.

This is one debate I am referring to. It's taken place multiple times.

@five-c-d Do you have another account?

You have an authoritative tone to your replies and it's curious you have no projects in your profile.

I know there's a lot of other users that aren't active anywhere else on Github, which is also curious, given the nature of PTIO. Makes me wonder about the intentions of the recommendations given by the anonymous users, is all.

five-c-d commented 5 years ago

@angela-d No, I'm just one human, with one github account. I don't list any project in my profile because I don't run any projects on github :-) I didn't participate in your past discussions here trying to get the fork-browsers listed, but I did (as part of researching THIS thread here) read most of them. You were on the verge of getting something committed, but you insisted on a copyright-license that was incompatible with what the site was using at the time, from what I can tell. Which is unfortunate because a comparison-table is needed, not just for browsers but for a lot of sections. I'm working on such a thing for VoIP/etc, but I cannot use your stuff in my efforts because it is incompatibly-licensed and I am hoping to get some changes committed. Maybe reconsider?

@dm17

your six points, summarized

1. wrong, see upthread, or the nutshell in point#2
2. wrong, the primary motivation of waterfox has been, at various times, 64bit build of firefox, and then support-deprecated-extension-APIs-of-firefox, and most recently, improve privacy of firefox. When you look at the homepage you can see that this is true: "tailored for the power user... support for classic addons..." and on the aboutpage, "the most customizable". TorBrowser is all about privacy, waterfox is more complex and has multiple goals which is why it fails to stay on ESR (or like Librefox mirror the rolling release) and thus has patch-lag of a week or two.
3. this is the installation link for waterfox, which I linked to earlier == https://storage-waterfox.netdna-ssl.com/releases/linux64/installer/waterfox-56.2.8.en-US.linux-x86_64.tar.bz2 which you get to from waterfoxproject.org ... and if the official repo system of your OS does not have firefox you can do something "similar" from firefox.com which redirects to mozilla.org and offers a download from mozilla.net. The question is not whether it is 'easier', the question is whether an everyday enduser will see pathway#A as being a random binary from a random site on the internet, versus pathway#B. Compare the wikipedia nums or whatever proxy-metric you prefer, to see why I think waterfox is aimed at the 'wrong' audience for the top3. Or a different audience at least, though mayhap I don't understand the endgoal of privacyToolsIO well enough yet.
4. yes, waterfox auto-updates, but the question is, are the security-patches prompt enough and guaranteed to keep on being prompt enough, for the everyday enduser. If yes, in the eyes of the project-owners here, then okay. But for myself, and other commenters that have mentioned the patch-cadence issue, the answer is "leans nay" ...mostly because browsers are dangerous when not patched, even if only for a relatively brief while, because of automated attack-vectors designed by cracker-groups trying to build botnets and similar kinds of threats. We don't want to give everyday endusers something that will trade a slight increase in privacy for a slight increase in the risk of being pwn'd ...and at least in my view, don't want to give them a slight increase in political purity for a slight increase in risk of being pwn'd because I don't think that helps thwart mass surveillance (I think it backfires)
5. I don't think waterfox has more than one developer. Internet suggests the project has contributors, but only one fulltime developer. As a soft-fork of a huge complex project, which needs timely security-patches because of the nature of the project, this is a risk-factor. By contrast TorBrowser and BraveBrowser have more fulltimers, and Mozilla foundation has vastly more. My point is not to try and say "oh it is one person so it is no good" ...my point is to say "if it is only one person and they get pneumonia then security-patches might stop shipping with a ten-day-delay and start shipping with a twenty-day-delay or longer". Since the project has been ongoing since 2011 it is unlikely to halt, but it has changed directions before (see point#2 above) and could do so again: direction is up to the sole dev. For similar kinds of worries, see #832 which is another long-running-but-sometimes-changing-direction-just-one-dev project with lots of complex goals.
6. If you do not already understand the rudeness of "rhetorically" accusing the people that run the website, of being paid shills of some unspecified mega-corporation or somesuch, out to trick the masses and subject them to mass surveillance, while pretending to help them avoid mass surveillance, then I cannot help you understand it.

   What you said is inherently rude: "Perhaps they're taking money." You were not speaking of the proliferation of browsers, and you were not speaking of people that write browsers, either, you were speaking of the people that run www.privacyTools.io and make decisions about what to recommend and what not to recommend. And saying -- perhaps they are corrupt. In the middle of asking them to take your suggestion, which I can point out is not the best tactical strategy to getting your way... but the rudeness is my concern. And well, I can now add the additional concern, that you seem to not SEE the rudeness even exists.

I find it dishonest to claim that we have not made many arguments as to why other browsers are "relatively better in all key aspects" than Firefox for an average user's privacy

I see you making arguments, sure, just -- not ones that address the aspects that I think need addressing :-)

what I think the key aspects are, and are not

You have argued that "Gab made an extension, and Mozilla censors it? This is going too far... Part of 'privacy' is what you're allowed to see". Which I disagree with, see explanation of the slippery slope you are on upthread. You also argue "Waterfox even has a major following", see proxy-metric pageview numbers upthread, it has 3x the following of ELinks but perhaps half the following of BraveBrowser. You say "Firefox is not defaultly as private as other browsers" which is 100% true... but you imply that those other browsers are 100% equal to firefox, which is false, see every other paragraph in this comment-post for how it differs and why that matters. Yeah, default config matters, absolutely, but it is not the only thing that matters. You have argued that "quicker security patches [is not] an argument for it to stay in the recommendation list no matter what" which is correct, if the final three words are emphasized. Quicker patch-cadence does matter, and who does it also matters. You have gone further, and argued that "well supported alternatives like Waterfox" is a correct description, but I think we just differ on what the words well-supported mean in this context. People that are hardcore nerds will have no trouble getting waterfox installed, and keeping it operational, with the size of the waterfox-support-community... but everyday folks that are not in that classification will sooner or later hit a snag. When there is a snag in your encrypted email, you can fall back on encrypted IM, and if there is a snag in *that* you can fall back on encrypted VoIP, or a face-to-face conversation.

> Again, why is Waterfox so "hardcore?" I don't think basic privacy respect is hardcore.

No, I am talking about the enduser being hardcore, not about waterfox being hardcore: if they are a hardcore privacy-nerd, then sure, waterfox might suit them, because they understand the patch-cadence thing and can monitor the CVEs and then understand the codebase-vetting and can do their own source-audits, they are crystal-clear on how sha256sum from the command line functions when dealing with a potentially-untrusted distribution chain, and so on and so on ad infinitum. The problem is not that *waterfox* is hardcore necessarily, the problem is the enduser ***has*** to be hardcore when they run into a hiccup with waterfox-and-some-website-they-need-to-work at any point. When there is a snag in your browser... the ramifications are more severe than a snag in your encrypted webmail selection, *especially* if you are not-super-tech-savvy (aka not hardcore). Websites don't email, text, call, or f2f. If browser X is not DTRT on some website the non-hardcore enduser *needs* to work, browser X gets closed and browser Y gets opened, or in the worst case browser Z. We are talking, for most everyday endusers here. The sequence implied by the privacyToolsIO listings right now: TorBrowser=X, FirefoxWithTweaks=Y, BraveBrowser=Z, which is a reasonable ordering, because reliability/compatibility probability goes up with each step. Waterfox does not seem to fit anywhere in that listing, unless one believes it is indistinguishable from FirefoxWithTweaks.

if Waterfox is Firefox minus some privacy-leaking behaviors, then how is it not self-evidently better?

Because waterfox and firefox are not equal -- by any definition of what the word 'is' is. One is a soft-fork and the other is the upstream of that soft-fork. Waterfox removes some telemetry, slows down the patch-cadence, inserts some deprecated code for old extensions API support, and has a small teamsize (possibly equal to one fulltime human).

To be clear, I think waterfox is not a bad candidate for adding to the worthMentioning area... but it is not better than TorBrowser at achieving a high degree of privacy out-of-the-box, it is not better at chromium-compatibility than braveBrowser, and it is not as well-suited to everyday-endusers as firefox+ezAddons. To be even more clear, I don't have commit-access so I don't have any authority whatsoever, beyond being a fan of privacyToolsIO. I give it out to people that need digital-privacy-advice, when I don't have time to help personally; it is a good starting-point for them, regardless of whether they need a lot of privacy with a modicum of hassle (TorBrowser) or a modicum of privacy with not much hassle (Firefox plus three addons or thereabouts). I would still be a fan if it recommended ELinks + UngoogledChromium + WaterfoxWith77Tweaks, but it would no longer be a site suitable for everyday folks.

Waterfox is not widely-vetted, it has an extremely small userbase and an even smaller number of developers.

Waterfox is a fork of code you're claiming to be well vetted, which means the code has had the eyes of its own project plus the eyes of the parent.

Project-reputation is not transitive in that way.

"The code" in waterfox is several things: * very old firefox code to support deprecated addon-types, now maintained by waterfox devs * somewhat-new firefox code where the soft-fork occurred, now maintained by the waterfox devs * new code (security-patches mostly) taken from the latest firefox and then backported by waterfox devs to be applied to the stuff mentioned previously * different distribution-chain which needs to be secured and cultivate a reputation/etc Maybe other stuff, I have not analyzed waterfox in depth. By contrast librefox avoids three of those four: they don't support deprecated extension APIs intermixed with modern ones, they don't soft-fork at all, and they let mozilla foundation do the security-patching work (no need to backport because librefox is not a soft-fork). They do complicate the distribution-chain, and they do alter the reliability/usability of stock firefox with their changes... but trying to argue about the SQA-level of well-vetted field-hardened configs is going to have to wait for another day since we are still stuck on *code* repos, let alone codepath tweaks. This is the heart of 'well-vetted' versus 'widely-vetted' however and ideally a project wants both a lot of competent devs eyeballing it as a whole, and a lot of endusers field-testing the specific desired config as a whole. Also a strong contrast, TorBrowser avoids the majority of those four: they don't try to support very old firefox code, but they also don't try to support somewhat-new firefox code either, TorBrowser specifically targets somewhat-old firefox ESR which is maintained mostly by the LTS distros: IBM RHEL/CentOS and Canonical UbuntuDesktopLTS and their mainly-corporate clientele. This means there **is** backporting of security patches to TorBrowser... but for the most part the backporting work is done by huge teams at IBM and ShuttleworthFoundation, not by the TorBrowser team, who benefits from that upstream effort. 
Like with librefox, torbrowser complicates the distribution-chain and the security/reputation/etc thereof. When you have a project like firefox, and IBM and Canonical work (with help and cooperation from Mozilla Foundation folks) to make downstream soft-fork FirefoxESR and backport security-patches to it, the ESR flavour as a *whole* is eyeballed only by the IBM and Canonical folks, and vetted by them. You do not add the firefox-rolling-release eyeballs onto that, because they are not looking at the same thing at the same time. ESR is a soft-fork, and must supply their own vetting/reputation/distribution/etc. They benefit from **starting** with a well-vetted codebase, but they do not inherit the associated properties whole-cloth, and how they use what they started with is more critical than what they started with usually... except in rare situations where the downstream entity dwarfs the nominally-upstream entity (e.g. MongoDB-on-AWS versus MongoDB -- cf the SSPL controversy).

Usually when you have a bunch of people that are hard at work on project baz, and then a small team decides to soft-fork project baz and create project qux, the result is not that qux is less buggy than baz, that qux is more secure than baz, that qux is better maintained than baz, and so on and so forth. Quite the opposite usually! Qux is fubar, despite starting from well-vetted field-tested baz. This is the inherent nature of the soft-fork: it takes a lot of careful painstaking effort just to keep abreast of all the stuff happening upstream, let alone improve on what upstream is doing. Especially if upstream has a larger teamsize. Especially-especially if the soft-fork has a lot of disagreements with upstream and makes a lot of alterations.

Analyzing which projects are more well-vetted, which project-configs are more widely-field-proven, and so on, is not simple, but it is not THAT difficult either. Everyday endusers don't understand any of the stuff we are discussing here, and to me, that is why it is worth discussing: we want to recommend something to them, that won't have them backsliding to GoogleChrome. This means we have to pay attention not just to a hypothetical privacy-features checklist -- which is important -- but also pay attention to some other concerns that have usability ramifications and project-stability/-reputation ramifications.

angela-d commented 5 years ago

You were on the verge of getting something committed, but you insisted on a copyright-license that was incompatible with what the site was using at the time

Did you miss the part where I replied saying I did not commit a license with my PR; PTIO changed their license AFTER my commit was submitted.

My PR was submitted in December of 2017, they changed their license in April of 2018. If the moderators had any intention on merging it at all, they'd have done so much sooner than that.

Shifterovich:

Any updates? We should resolve this PR.

To which I replied:

What kind of updates were needed?

Shifterovich:

I'd like add this section to the website. So I'd like to see this discussion resolved.

He did not cite PTIO's license change as incompatible with my (older) PR.

I am not sure if you're entirely familiar with how licensing works, but you can relicense projects and license your contributions independently of the project (unless the project leaders explicitly forbid it).

There is nothing in the GPL that forbids relicensing contributions. So this is a moot point and was not why the PR wasn't merged. This PR was one example that was closed silently with no reason given for the rejection.

I cannot use your stuff in my efforts because it is incompatibly-licensed

So what you are saying is that all of the PRs prior to this license change need to be relicensed? Not a single person did that with their contributions. This is blowing smoke.

five-c-d commented 5 years ago

I'm just interpreting what I saw, and cannot speak for why the thing was closed. But my reading/interpretation is that it was closed because the license of the contribution was incompatible with the project-licensing.

And yes, I realize there was some timing-related difficulty: when you submitted your work in Dec'17, it WAS under the license of the privacyToolsIO content at the time you submitted. When the offer was made to merge in Nov'18, however, the license had been changed. And I believe it has changed again, seems like it was GPLv3 "codebase license" and then CC-BY-SA-4 "wikipedia license" and is now WTFPL aka "hyper-permissive" ...my understanding is that CC0 would be legally safer compared to WTFPL which has some downsides in certain jurisdictions so maybe the license will change again by the time you and I finish our conversation here :-) :-) :-)

you can relicense [contributions to] projects and license your contributions independently of the project

Absolutely, if you are the contributor, and your work was an original and not a derivative-work of some existing effort.

nothing in the GPL that forbids relicensing contributions

That is only true if you are the original contributor! :-) I cannot relicense your original work on the comparison-table, because I received it as a GPLv3-licensed work. Any effort that I put into improving your original work, would therefore be a derivative-work, and by the terms of the copyright-license you granted me for the original, my derivative would also need to be GPLv3. Which I'm fine with, and I thank you for licensing thataway.

But if I want to get a comparison-table merged into the currently-WTFPL-maybe-someday-CC0-repo of privacyToolsIO, then I either need to start from scratch on my own comparison table (so that it is not a derivative work and I can set the license to be compatible with what privacytoolsIO is using nowadays), or I need permission from the original creator of the GPLv3 work -- @angela-d being the original creator in this case -- to relicense their contribution to WTFPL, or dual-license-GPLv3-and-WTFPL, or tri-license GPLv3-and-WTFPL-and-CC0, or something like that.

all of the PRs prior to this license change need to be relicensed?

No, I wasn't saying that, but then, I'm not positive whether that is actually wrong. Is there not some kind of contributor-license-agreement, where privacyToolsIO contributors say "I hereby give copyright for my GPLv3 work of 2017 over to the people running privacyToolsIO website" or something like that? If not, then yeah, the project-license cannot be changed from GPLv3 to CC-BY-SA-4 to WTFPL just because the project-owners want it... they have to get sign-off from the contributors, either pre-emptively via clickwrap contributor-agreement type thing, or retroactively via explicit sign-off. I will see if I can find what is going on here, and if not, will open a separate issue about it.

If the moderators had any intention on merging

I think they did

I'd like add this section to the website

Here is the key bit == https://github.com/privacytoolsIO/privacytools.io/pull/379#issuecomment-442154952 and to me that was why the PR was closed, a licensing-conflict. I have the same understanding of the trouble, as @gjhklfdsa seems to have.

p.s. And before you ask, no they are not my sockpuppet, no they did not pay me to have the same opinion as them, no I'm reasonably positive we do not know each other in real life or elsewhere on the internet, and no I have no clue who they really are. We just have the exact same understanding of how copyright-licensing works. And we are both 100% correct about it as well ;-) Seriously though, it was closed because of a licensing-conflict, nothing more and nothing less.

@Shifterovich can you confirm you are still in favor of adding a comparison table perhaps, and that Angela relicensing her contrib would not be moot necessarily? I have not looked at her table, since I don't want to inadvertently infringe on the GPL license if I have to make my own from scratch, so I cannot comment on the table-contents, but you apparently liked them back in November 2018 from the "I'd like to add this" comment, so I assume the offer still stands, if the nobody-at-fault-here licensing snafu can be worked out?

angela-d commented 5 years ago

But my reading/interpretation is that it was closed because the license of the contribution was incompatible with the project-licensing.

The user that brought that up was one of the empty Github-profile users. He wasn't a moderator and cannot approve/merge commits.

if I want to get a comparison-table merged into the currently-WTFPL-maybe-someday-CC0-repo of privacyToolsIO, then I either need to start from scratch on my own comparison table (so that it is not a derivative work and I can set the license to be compatible with what privacytoolsIO

Can you point me to where it states this, officially?

Here is the key bit == #379 (comment) and to me that was why the PR was closed, a licensing-conflict. I have the same understanding of the trouble, as @gjhklfdsa seems to have.

gjhklfdsa's profile is nothing but forks of projects. Another anonymous identity. His comments, actually, were the first to raise suspicion of controlled opposition involving themselves in PTIO. Why would a new, zero-history user give a toss about the licensing of an elderly commit that was submitted long before they even had a Github account?

Seriously though, it was closed because of a licensing-conflict, nothing more and nothing less.

Shifterovich made no mention of such being the issue. Again, the only person that even brought it up was an anonymous user that didn't exist when that PR was initially submitted.

I don't want to inadvertently infringe on the GPL license if I have to make my own from scratch

... Have you read the GPL?

Have you looked at my fork? (It's long since been deleted!) - so again, what's the issue with the licensing..? As of now, that commit is in public domain. Its parent fork does not exist.

I assume the offer still stands, if the nobody-at-fault-here licensing snafu can be worked out?

I'm exceptionally curious why you and gjhklfdsa are harping so much on the issue of a fork's license.

Which lends weight to the fact that if the moderator simply doesn't like something, it doesn't get merged, even if it may be useful to PTIO's audience. Likewise, if a moderator likes a project, even if it's a bit of a disservice to PTIO's userbase, the project will get recommended by PTIO.

I don't disagree that this is PTIO's prerogative; it's their project - they are free to decline or accept any commits they want, but it is disingenuous to close issues without an explanation, or without informing users what needs to be changed in order to be accepted. In recent submissions, I've seen Mikaela doing just that (requesting changes) so perhaps the leadership has begun cleaning up.

five-c-d commented 5 years ago

I don't have any forks in my github profile, but yes, I understand how forks work, and how pull-requests work, and what is a derivative work, and what is not, under copyright law. And yes, I've read the GPL, the first time was in the previous millennium ;-)

Any kind of project that is serious about libre-licensing, has to be serious about the exact process by which the licensing happens. Otherwise bad things can happen.

Any time you have multiple people contributing to a project, and all the contributions are getting merged together into a unified whole, and the *point* is to then redistribute that newly-upgraded whole under a specific copyright-license... you HAVE to do it properly, or you open the project up to risks at a later date. Specifically, the following sequence is definitely going to result in a copyright violation:

1. person A has a project that is distributed under the WTFPL
2. person B writes an original work under GPL
3. person C creates a derivative work of B's original work, which is also GPL
4. person C tries to relicense their derivative work under WTFPL
5. person C creates a pull-request to get their derivative work merged into A's project

The failure is at step#4 ... C cannot legally relicense until they get permission from B. That is why gjhklfdsa and myself have asked that you please re-license your GPL'd 2017 effort, because it is not possible to perform the five steps above, unless you have this as step#4:

4. person C successfully relicenses their derivative work under WTFPL by getting permission from person B, in the form of person B licensing their original work under WTFPL

The other viable pathway is to have step#1 stay the same, step#2 stay the same, step#3 completely changed (person C is best not to even *look* at the GPL'd codebase -- they have to create their own original work completely from scratch aka do it all again from nothing), the simpler version of step#4 is now possible because step#3 produced an *original* work. But those are the only two options: either get relicensing-of-the-original permission from the original author of the GPL'd piece **prior** to attempting to create a WTFPL'd derivative work thereof, or completely start from scratch and do not touch the GPL'd work *ever*. Otherwise person C is going to get project A in hot water, with tainted licensing fubar headaches.

> Pretend for a moment, gjhklfdsa didn't comment in that thread.

Why then, was that commit not merged? I think the commit was not merged because of the license-incompatibility that gjhklfdsa correctly pointed out. It is a violation of copyright-law, for Shifterovich to accept a GPL'd pull-request, for Shifterovich to re-license the work as WTFPL, and for Shifterovich to then merge the just-relicensed work into the larger existing WTFPL project. Only the original author of the pull-request can authorize the re-licensing step because *they and only they hold the copyright*. This assumes that the pull-request was entirely original though! If the pull-request was not entirely an original work, then the author of the pull-request is not the copyright owner of their own from-scratch original work, they are the partial-copyright-owner of a derivative work that they based on an earlier work. Eventually if you follow the chain of authorship back far enough, you get to what is legally an original work, the source of all the derivative works that came thereafter. Signoff from each author in the chain is needed, if you want to fully protect the project against legal challenges -- such as DMCA takedowns which are the typical way copyright violations are handled on the interwebz nowadays.

> Have you looked at my fork?

No, as I explain above, it would be foolish for me to look at your proposed PR, because *I am person C* in the example. If you won't relicense your GPL'd original work under WTFPL ***before*** I look at it, then I'm going to have to start from scratch and write everything myself, carefully avoiding my efforts becoming any sort of derivative work, of your efforts those many months ago. Copyright is enforced decades later, and is implicit.

> As of now, that commit is in public domain.

Are you saying, that you believe this happens automatically because the repo under your username was deleted? That is not how copyright-law functions.

Alternatively, maybe you are saying that you ARE explicitly re-licensing your December 2017 pull request contents, from GPL to place them entirely in the Public Domain? If so, that would be great, because WTFPL is a compatible license with PD, so I would be able to create a derivative work without headaches and without starting over. But I cannot tell for sure if that is what you are offering, or if you were just talking about copyright-law in general.

Can you point me to where it states this, officially?

More details here == https://stackoverflow.com/questions/5419923/can-gpl-be-re-licensed And no, I'm not Flimm and I'm not Ted, but they both have a solid grasp of copyright law and copyright assignment difficulties. See especially "Jack speaks with the judge." And the related comments about why Linus Torvalds cannot simply relicense the entire Linux kernel despite being the namesake: he is not the copyright-assignee of large chunks of the codebase. See also https://en.wikipedia.org/wiki/Software_relicensing which gives examples of where large projects successfully relicensed, and from 2002 this draft, http://www.catb.org/~esr/Licensing-HOWTO.html#compatibility

disingenuous to close issues without an explanation, or inform users what needs to be changed in order to be accepted

I agree, sure, but I don't think issues ARE being closed without explanation. In your pull-request, specifically, the explanation of the problem -- licensing-conflict -- was pointed out by gjhklfdsa ("...it cannot be merged...without [the copyright-holder Angela first] changing the license...Would you be so kind [, Angela, as] to re-license your work?") And you replied "modifying anything at this point seems futile" which means "no I will not". After that Shifterovich closed the issue -- without additional comment -- because it was impossible to merge without a relicense, and you didn't indicate interest in relicensing. That's my retroactive interpretation of what happened at least.

Reading it closely, maybe you were just wanting to get some encouragement that relicensing would NOT be a futile move. If so, then I encourage you: please relicense, one of the six people with commit-access already wanted to merge your change, I'll try and help push the merge to completion, because I also want to merge the change. (Even though I haven't seen it... I know I want something like it... because once we get it in there it will make my life easier, small changes are easier to merge than big ones, and a comparison-table is just flat-out a Good Idea.)

"Pale Moon is too small to be added to PTIO"

Arguably it is, yes. Because it is a hard-fork, and because it is a browser, and while a small team can maintain a note-taking app like Turtl, the same cannot be said for browsers, they are insanely more complex, and a small security-flaw in a browser unpatched for six weeks is far more serious than a similarly-severe security-flaw in a note-taking-app unpatched for the same length of time. There are literally hundreds of attack-vectors against browsers, many of them automated-in-the-wild.

regarding Brave (when project size is brought up): "We recommend many projects with less contributors."

detailed teamsize comparison of braveBrowser vs paleMoon

BraveBrowser is roughly 2x the size of PaleMoon in terms of mindshare (see my proxy-metric calculations above), and in terms of contributors has a team of 75 people of which half are programmers led by Brendan Eich. From their github there are three people with triple-digit commit counts, and a dozen people with double-digit commit-counts. https://github.com/brave/brave-browser/graphs/contributors More importantly, though, the architecture of the project is extremely close to upstream now: prior to 2018 braveBrowser was envisioned as an electron-front-end-hardfork and built on an electron-back-end-engine-soft-fork. This led to patch-cadence delays of up to six weeks from the stable-chromium. The APK version of braveBrowser began mirroring the front-end-chromium as well as the backend-chromium-engine (switching the upsteam one and two notches closer to the wellspring respectively) in late 2017 or something, and the desktop-flavour of braveBrowser intended to follow suit as of sometime during 2018 (not sure if they are 100% done yet though it seems they mostly made it prior to 2019). In particular, the endgoal is expected to be a chromium-native browser with some relatively light soft-fork patching to implement the C++ code that does adblock, and removal of google-phone-home-telemetry, with the explicit stated goal of patch-cadence that is "should take less than a day" aka brave gets a security-fix within 24 hours of when chromium gets a security-fix, and explicitly tracks stable-channel rolling-release chromium (i.e. the same thing as what most rolling-release linux distros track... and unless I'm confused also what ALL linux distros that offer chromium do because the auto-update system built into chromium will start rolling as soon as it is installed from the distro repo). Point being, they have a few dozen uber-hotshot engineers and they are now hewing pretty damn tightly to the stock-chromium flavour which means they share hotfix efforts with most linux distros. 
Firefox is still the *default* browser on most linux distros, last I checked, but plenty of people install chromium-or-braveBrowser side by side with (or instead of) their stock firefox. I don't know if they're hitting the sub-24-hour patch-cadence target but I don't have any question they *can* hit that target with the devs and money and soft-fork architectural choices they have made. If they don't I expect they'll keep pouring resources into the gap until they close it, because Brendan Eich is a sharp knife. https://news.ycombinator.com/item?id=18154545 -- the portion where @ohmygodel is grilling him is especially beautiful :-) [Edit: ahhh... ohmygodel is one of the core people listed at TorBrowser though I believe they are listed at the top because of alphabetical order and being named Aaron, rather than because they are the head-of-the-project or anything.]

PaleMoon has half the mindshare per my upthread proxy-metric calculations, five devs with triple-digit-commits, seven more devs with double-digit commits. However, they have to split their efforts across two projects that are significantly distinct at the architectural level, PaleMoon and Basilisk, and they have an architectural strategy which means nobody else can really help them and they have to maintain their mostly-hardfork of two different eras of the firefox codebase themselves, including backporting security-fixes to their two main named branches (not counting beta branches assuming they have those). Basilisk is only available for Windows+Linux with no OSX+Android+iOS officially supported, which reduces the pressure on developers but also makes the privacyToolsIO recommendation harder to capture since -- my unofficial and completely non-authoritative observations only -- tools that support many platforms are strongly preferred in the top3 listings.
(And for browsers in particular that seems important since people need a browser on almost every device they own and should not have to use a non-privacy-oriented browser if possible regardless of their device-on-hand at any given moment.)

p.s. Sounds like brave is explicitly planning to keep pace with UngoogledChromium feature-set, and vice-versa -- https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)#how-does-brave-compare-to-ungoogled-chromium From skimming they don't always agree with each other on whether specific patches are necessary, or exactly how to mitigate: UngoogledChromium eliminates all SafeBrowsing code whereas BraveBrowser proxies all SafeBrowsing via servers owned by Brave (stripping IP address and all other info of enduser prior to massblasting the info to google-servers and then mux'ing out the result-payloads back to the individual braveBrowser endusers).

This is a situation where privacyToolsIO could provide a new online service at safebrowsing.privacyTools.io whereby people that wanted to double-proxy their braveBrowser requests could do so? This would add latency for endusers and I think this is at a critical point in pageload so it might not be worth doing, especially since endusers are trusting brave's code and auto-updates -- including client-side machine-learning algos -- and it might thus be pointless to double-proxy the safebrowsing thing. However, the ungoogledChromium folks *might* be interested in using safebrowsing.privacytools.io as a single-proxy solution to let them put the SafeBrowsing component back into their soft-fork? Probably what first needs to happen is that somebody proposes UngoogledChromium as worthMentioning though, before privacyToolsIO donation-bucks are expended on supporting that hypothetical scheme :-) And of course, no point in building such a thing if the UngoogledChromium devs don't even want to bake it into their browser-soft-fork, obviously.

Mikaela commented 5 years ago

> Would be nice if the folks that thumbed down my post (Mikaela, lumbo7332, abbluiz, ookangzheng) would state their reasons why. I don't see how to @ them though.

I think removing Firefox would be a very bad idea as the forks cannot guarantee a similar level of security (being always behind) and other browsers have too small teams or worse issues than Firefox, making it the least evil.

Somewhat offtopic, I am surprised that I don't find Pale Moon being listed on https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor mentioned here with CTRL + F.

> In recent submissions, I have seen Mikaela doing just that (requesting changes) so perhaps the leadership has begun cleaning up.

I have been uncertain on the codebase (I think I would feel more comfortable with markdown) and still am somewhat, even if it has improved and the preview builds make me more confident. I am a bit lost on my role (see https://github.com/privacytoolsIO/privacytools.io/issues/848), but I am doing my best.

dm17 commented 5 years ago

@Mikaela There were some arguments above addressing the idea that all the Firefox forks are less secure than Firefox - you think they're all invalid? There is also an argument stating why it is unfair to say, for example, that Waterfox = 1 developer, while Firefox = dozens of developers... Since Waterfox encapsulates Firefox to a large degree, and that "1 developer" is dedicated to privacy improvements. Why is that argument invalid?

Mikaela commented 5 years ago

Would you mind linking me to the relevant comments directly? This is the 40th comment according to GitHub (excluding the original post) and I think reading them all from the beginning again would take a very long time. I have tried to read them as they arrive in my inbox, but I don't remember everything.

How long does it take for Waterfox to update when a new Firefox version is released (is it tracking Firefox ESR by the way?) and what happens when that person is hit by a bus?

dm17 commented 5 years ago

This is exhausting. Who exactly needs to agree in PTIO before any changes in recommendations can be made? If he gets hit by a bus, Waterfox eventually becomes as privacy-violating as Firefox... And PTIO can change their recommendation again.

@Mikaela I summarized the arguments in the very last comment.

five-c-d commented 5 years ago

This is per @libBletchley's preliminary research into the question

> ...Waterfox has had lags of ~9-14 days on security updates

My own research into the type-of-forking indicates that Waterfox does not "closely" track ESR (like TorBrowser does), and does not track stable-channel-rolling-release-latest-version either (like LibreFox does), instead Waterfox is in a grey area where they start with ESR but then medium-soft-fork to add some deprecated code back in (older extension-API stuff to allow classic addons which are no longer receiving code-upgrades to still be installed). Waterfox dev backports security-fixes from mainline, but also I believe backports selected feature-upgrades as well. So it is not a medium-hard-fork like PaleMoon-and-Basilisk, but it is definitely not a light-soft-fork like BraveBrowser-of-2019 either.

Waterfox is more similar to Brave4desktop-of-2017, when it was still a partial-soft-fork-of-Muon. See comment here, "Project-reputation is not transitive in that way" portion. I am not positive there is just one waterfox dev, but reddit comments strongly indicate there is only one fulltime person involved. The focus on privacy is a fairly recent (but welcome of course) shift in emphasis... waterfox-in-2017 was still mostly about "supports classic addons API"

> Who exactly needs to agree in PTIO before any changes in recommendations can be made?

Mikaela is one of the project-leads. Who prefers markdown more than the complicated system of server-side-transcludes that some of the other project-leads who are sysadmins like to implement :-) So you are talking to the boss now, who could commit your suggestion in a few seconds, if you can make the case. There is some kind of internal-project-committer teamchat where they consult with each other internally, and things don't necessarily happen instantaneously ... especially when the suggestion would overturn longstanding precedent.

One question here is whether Waterfox ought to be WorthMentioning (which I think is a good one -- around since 2011 and privacy-oriented since 2018 or maybe earlier -- albeit with a caveat about "small teamsize so please also install a backup-browser" and maybe a caution to always sha256sum the binary prior to installing waterfox... or any similar thing for that matter).

Different question is whether Firefox ought to be demoted from top3 to WorthMentioning, and if so, followup-question is what ought to replace it (if anything... in rare cases there is only a top2 listing.)

p.s. Other threads should be opened for these, but some comments above discuss them. Yet another question is whether PaleMoonAndBasilisk are worthMentioning (my take is 'nay' and at one point PaleMoon devs explicitly said they did not want to be in any listings here). Librefox and UngoogledChromium have also been mentioned. And there has been a suggestion that BraveBrowser get demoted or doghouse'd as well, belongs in another thread.
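
The caveat a few lines up about running sha256sum on a downloaded browser binary before installing it is worth making concrete. What follows is an added example, not code from this thread, from privacytools.io or from the Waterfox project: a POSIX shell helper that checks a download against a published SHA-256 digest, given either directly or looked up in a SHA256SUMS-style listing, and refuses on any mismatch. The file names, directory and sample data are constructed for the demo. The digest is only as trustworthy as the channel it came from, so take it from the project's own HTTPS site or a signed release announcement rather than from the same mirror that served the binary.

```shell
#!/bin/sh
# Added example (not from the privacytools.io thread or any browser project):
# verify a downloaded installer against a published SHA-256 digest before running it.
# Assumes GNU coreutils sha256sum or, failing that, shasum (macOS/BSD).
# All file names, digests and the temp directory below are constructed for this demo.

# hash_file FILE  -> prints the lowercase hex SHA-256 of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX, 1 on mismatch, 2 on a usage or I/O error.
verify_sha256() {
    file="$1"
    expected="$2"
    [ -r "$file" ] || { echo "verify_sha256: cannot read $file" >&2; return 2; }
    # Normalise the published digest: lowercase hex, optional leading "sha256:" stripped.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f' | sed 's/^sha256://')
    case "$expected" in
        *[!0-9a-f]*) echo "verify_sha256: digest '$2' is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_sha256: digest must be 64 hex chars" >&2; return 2; }
    actual=$(hash_file "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# verify_from_sums_file FILE SUMS_FILE
# Looks FILE up in a sha256sum-style "<hex>  <name>" listing (the usual SHA256SUMS
# format, "*name" for binary mode) and verifies it. Returns 3 if FILE has no entry.
verify_from_sums_file() {
    file="$1"
    sums="$2"
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "verify_from_sums_file: no entry for $name in $sums" >&2; return 3; }
    verify_sha256 "$file" "$expected"
}

# --- demo on constructed data (a stand-in for a real browser tarball) ---
demo_dir=$(mktemp -d)
demo_pkg="$demo_dir/waterfox-example.tar.bz2"
printf 'pretend this is a browser tarball\n' > "$demo_pkg"
# A SHA256SUMS file as a project would publish it, built here from the pristine download.
printf '%s  %s\n' "$(hash_file "$demo_pkg")" "$(basename "$demo_pkg")" > "$demo_dir/SHA256SUMS"

verify_from_sums_file "$demo_pkg" "$demo_dir/SHA256SUMS" || echo "refusing to install"

# Tamper with the download: a single appended byte must be caught.
printf 'x' >> "$demo_pkg"
verify_from_sums_file "$demo_pkg" "$demo_dir/SHA256SUMS" || echo "refusing to install (tampered)"
```

Wire `verify_from_sums_file` in front of whatever actually unpacks or runs the installer (`verify_from_sums_file waterfox.tar.bz2 SHA256SUMS && tar xjf waterfox.tar.bz2`), so a mismatch stops the pipeline instead of being a warning someone has to notice.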

angela-d commented 5 years ago

@five-c-d

More details here == https://stackoverflow.com/questions/5419923/can-gpl-be-re-licensed And no, I'm not Flimm and I'm not Ted, but they both have a solid grasp of copyright law and copyright assignment difficulties.

These are not related to PTIO. Since PTIO changed their license from GPL to "do whatever the fuck you want" I think it is certain they don't care about copyright of PTIO. All previous commits fell under this new license when it was re-licensed, I didn't see a single contributor re-submit their work or sign something stating they approve the change. I fall into this same group - while I appreciate the GPL, nobody contributes their efforts to something like PTIO and intends to keep close watch over who re-licenses their commits. This stuff about the license is pure nonsense.

> the explanation of the problem -- licensing-conflict -- was pointed out by gjhklfdsa ("...it cannot be merged...without [the copyright-holder Angela first] changing the license...Would you be so kind [, Angela, as] to re-license your work?") And you replied "modifying anything at this point seems futile" which means "no I will not"

I will say it again: gjhklfdsa is an anonymous user. He is not a PTIO team member. His suggestion was weird and off-putting, considering the age of the commit! Changing the license would not have gotten it accepted, else Shifterovich would have stated such when he closed it. It was denied for other reasons; most likely because he didn't like the forks as evidenced in my prior reply in this thread.

At this point, everything you and I say is speculative and it doesn't matter at this point. The site structure has changed since that commit was submitted, even if he had a change of heart, someone needs to re-write it with the new layout. I will not be wasting my time submitting anything unless I'm made aware before hand the commit will be retroactively accepted.

> I'll try and help push the merge to completion, because I also want to merge the change.

You are not a member of PTIO and this is the point I am trying to get across with gjhklfdsa's comments. You do not have the power to merge anything. You can submit a commit (as I have), it is up to a member of PTIO to accept and merge it.

> Arguably it is, yes. Because it is a hard-fork, and because it is a browser, and while a small team can maintain a note-taking app like Turtl, the same cannot be said for browsers

What's considered too small and who has that authority? I am a regular Waterfox user and have been for years; I am fully aware of how large the project is. To me, it isn't too small. I'm aware of my threat model and for me, it is fine. IMO, this is where something like a comparison chart would be useful. Whereas someone like me who wants to simply dodge advertisers and trackers - Waterfox is sufficient. Something like Tor is overkill.

On the subject of Tor: Recommending this as a top suggestion to privacy newbies is a bad idea. You don't know who owns the node you're running on - what if someone logs into their bank account while on Tor and there's a bad guy on the other end? Tor is good for certain types of privacy, but users should be aware of potential risks while using the network, too. For a whistleblower sending things around that could get them killed, perhaps they'd need something more finely tuned for their threat model.

Arguments on Tor:

> Cybersecurity experts have noted for years that while Tor may be technically anonymous in theory – the ‘exit nodes’ where traffic leaves the secure “onion” protocol and is decrypted can be established by anyone – including government agencies. ... In 2007 Egerstad set up just five Tor exit nodes and used them to intercept thousands of private emails, instant messages and email account credentials.

https://www.mintpressnews.com/foia-requests-reveal-tor-projects-close-ties-to-us-government/238393/

If Pale Moon and Waterfox are indeed deemed too small for PTIO, perhaps the PTIO team members should create guidelines for project sizes? Thresholds clearly outlining what a project needs to have met in order to be listed? This is something that rides a fine line between personal preference and objectiveness and PTIO isn't clear on their overall consensus.

Likewise, where are the stats going to be obtained from? Registered members on the projects' Github, or what about contributors; patch submissions?

> Yet another question is whether PaleMoonAndBasilisk are worthMentioning (my take is 'nay' and at one point PaleMoon devs explicitly said they did not want to be in any listings here).

I suspect that was largely due to some of the childishness in that thread, with personal attacks against a developer that joined the conversation.

jonaharagon commented 5 years ago

> This is exhausting. Who exactly needs to agree in PTIO before any changes in recommendations can be made?

It seems like it would be a rash decision to change our recommendation of Firefox (or Signal for that matter) without discussions at least coming to a close on both sides, and these are clearly very polarizing topics because many arguments are still being made both for and against removing/replacing our recommendations. I don't think we should make any decisions while discussions are actively ongoing.

> If he gets hit by a bus, Waterfox eventually becomes as privacy-violating as Firefox... And PTIO can change their recommendation again.

In an ideal world, users should not have to be constantly staying perfectly up to date with the recommendations on privacytools.io, because the services currently being recommended are in theory relatively stable. If Waterfox is possibly a bit more private now, but Firefox is far more likely to be protective of its users' privacy and security overall in the long term, because it isn't just going to... disappear one day, then in my opinion it makes more sense to recommend Firefox at this time.

> at one point PaleMoon devs explicitly said they did not want to be in any listings here

Link? Didn't notice that anywhere.

Atavic commented 5 years ago

https://github.com/privacytoolsIO/privacytools.io/issues/375#issuecomment-458566713

ghost commented 5 years ago

> I don't think we should make any decisions while discussions are actively ongoing.

I think it's a good idea to make decisions before and after conclusion of an investigation. Consider the take-down request scenario. When content is claimed to be in violation of copyright, a hosting service would be taking an unreasonable legal risk if they maintain the publication while investigating. To mitigate legal liability, it's critical that a hosting provider complies immediately (before they even know if copyright is really at issue), and then decide at the end of the investigation whether the content can go back online.

PTIO isn't dealing with take-down requests, but it's still useful to be able to react quickly, knowing that eventually the right long-term decision will be reached. So it's really a question of: is it more damaging to fail to make a good recommendation, or to make a positive recommendation for something that is harmful? And while some people may be on the fence about that, the next question is: which carries more legal liability? I think neglecting to make a good recommendation is less harmful and less legally risky than recommending something that is harmful.

In reality, I can't imagine that anything PTIO recommends or fails to recommend would result in legal action. But just in terms of being diligent, being able to instantly remove something and restore it later after the discussion would demonstrate due diligence. At the same time, you wouldn't want to take that course on every minor flaw being reported. In the case of Waterfox there was no real drive to act quick. But if serious bugs are discovered being able to make a quick change is a good thing.

Regarding Pale Moon

I suspect mattatobin is a kid who is more of a business person and not really a privacy ethics proponent. He has too much respect for advertising. Pale Moon is like Duckduckgo - uses false positioning to get a piece of the privacy market when the product they pimp isn't suitable for it. Unlike DDG, Pale Moon struggles to maintain the pro-privacy narrative. But I would not simply write him off as a kid and disregard. He makes a good point about PTIO lacking credibility and the perception of that. He knows his Pale Moon has the same problem, and so he doesn't want to be further defined by PTIO. It's mutually beneficial if PTIO not endorse Pale Moon. From there, PTIO credibility will improve as some of the junk references get pulled, but Pale Moon will remain trapped in fake privacy.

Mikaela commented 5 years ago

> Mikaela is one of the project-leads.

I am not, I am just the newest member and possibly the most unsure one (https://github.com/privacytoolsIO/privacytools.io/issues/848)

> Who prefers markdown more than the complicated system of server-side-transcludes that some of the other project-leads who are sysadmins like to implement :-)

I would like to think of myself as sysadmin, but as HTML isn't considered as coding, I probably cannot blame coders or devops on it.

> So you are talking to the boss now, who could commit your suggestion in a few seconds, if you can make the case.

I think the boss would be @BurungHantu1605 and my personal todo commits in other projects can also take days and I kept this email thread unread for three days (and I still didn't feel like going through it).

> There is some kind of internal-project-committer teamchat where they consult with each other internally, and things don't necessarily happen instantaneously ... especially when the suggestion would overturn longstanding precedent.

It actually has 4 of 9 people currently and I haven't seen one since I joined.

> Different question is whether Firefox ought to be demoted from top3 to WorthMentioning, and if so, followup-question is what ought to replace it (if anything... in rare cases there is only a top2 listing.)

The top 3 seem to currently be Tor Browser, Mozilla Firefox and Brave in that order and I wouldn't start changing them.

> In an ideal world, users should not have to be constantly staying perfectly up to date with the recommendations on privacytools.io, because the services currently being recommended are in theory relatively stable.

:+1: I have heard many people telling that they have had problems getting their family and friends from WhatsApp or Telegram to Signal or Riot and later, when some services have gone down or gotten hacked, they have had more trouble keeping the people on those platforms or trying to switch them to something else that they may not have ever heard of before.

I worry that some users would take Waterfox as recommendation and then bus factor happened and it would be unmaintained with many users thinking it's fine or secure, because it was recommended by Privacytools.io whenever they happened to read it. I don't know how often people generally check the site, but I know I wouldn't look at it this often if I wasn't actively discussing here.

> PTIO isn't dealing with take-down requests

Not yet, but I fear article 13 17 may cause them towards services and who knows when there will be a takedown request due to terrorist content?

Europeans, remember to vote next month!

Atavic commented 5 years ago

Pretty long thread. I trusted Mozilla for years, but they have lost the original path. Alternatives aren't lacking, but the userbase and devs aren't so many. I personally use forks such as Palemoon, as I still trust their choices. I want to make a point here: the trend of accusing any dev of being behind mozilla releases has a big flaw. Firefox releases are fast and tend to give new feats and experiments instead of closing real bugs and following users' requests; so a fork that's some versions behind upstream development seems to lack a lot, while in reality it is just a few bugs/corrections behind.

So, I don't mean to run outdated versions, but to run the versions that satisfy your needs.

You can look at Firefox release notes and see if the latest bugs/modifications apply to your own personal usage.

Most of the time these new feats don't bother me at all, so I stay on current ESR or even older ESR versions.

Mikaela commented 5 years ago

Would it be acceptable to change Firefox recommendation to Firefox ESR (https://github.com/privacytoolsIO/privacytools.io/pull/881)?

five-c-d commented 5 years ago

PrivacyToolsIO already recommends FirefoxESR as the top#1 pick, because TorBrowser is a lightly-modified FirefoxESR. (Shifterovich suggested at one point that it might make sense to recommend TorBrowser-with-TorNetwork-integration-disabled as the top choice ... because some sites block Tor and whatever.) So I think recommending Firefox ESR would increase stability for an enduser, but does not really increase security. And except in situations where Mozilla Foundation is pushing non-addon-related changes into the core of firefox-latest-stable-rolling-release that impact privacy, I don't believe Firefox ESR offers any privacy-increase over firefox-stable... and it does risk site-breakage, in small ways.

ESR is a very-well-staffed very-light-soft-fork, but *stability*-oriented

It might increase privacy, *if* Mozilla Foundation does something stupid ... as they have done over the years, from time to time. But ESR is really just a slightly-older-version of firefox, a soft-fork which is very light and also very-well-staffed -- it basically just pins a particular firefox version as 'the ESR' for 2018 or whatever, and then a fairly large bunch of people (IBM CentOS/RHEL + Canonical UbuntuLTS folks primarily) cooperate to backport security-fixes in a timely fashion.

You can get a download in English for Linux/OSX/Windows in dozens of languages -- including @JonahAragon's own country where Aragonese is spoken apparently! -- https://www.mozilla.org/en-US/firefox/organizations/all/ is the main place to get binaries direct (though if you run Linux your package-system also usually has a 'better' way to get firefox ESR rather than firefox-rolling-release-latest). As the page says, ESR is intended for "schools, governments, and businesses" aka people that care more about the switching-costs of maintaining their hundreds/thousands of PCs than about people who want every website to Just Work(TM).

That is the price of ESR, which it definitely does pay: most website-developers test in the browsers that are widely used, and Firefox-stable only has single-digit marketshare these days. If the website *does* get tested in Firefox, at all, it will only be firefox-rolling-release which gets a bit of SQA love, unless the website is aimed at exclusively government subcontractor employees, or something. So there is a stability-upside to running the ESR soft-fork, in terms of not getting something sprung on you by Mozilla Foundation ... and because large entities like IBM/Canonical/etc which use ESR in their enterprise-flavoured Linux distro respins handle the backport-effort there is zero BusFactor and security is not lowered ... but there is definitely a "risk that normal website XYZ will not function quite right".
The main goal of *this* thread is to replace Firefox with Waterfox, which I don't think is wise... though I don't think it is *unwise* to list Waterfox as worthMentioning (currently it is not), maybe that should become a different github-issue.

The alternative suggestion that FirefoxESR should replace Firefox in the 2nd-recommendation-slot, does not seem to address the concerns of "mozilla is pushing political agenda when they remove addons" at all because both the rolling-release and the ESR release depend upon the same addons.mozilla.org location I believe. (Whether the addon-developers **test** their stuff on ESR is, much like with whether website devs SQA their websites on ESR, pretty unlikely... and because privacyToolsIO has a lot of addons strongly recommended, this is an important consideration methinks. Most addons will tend to work on ESR, because they used to *work* on Firefox 60, the current ESR base-version, back when it was first released... but presumably it is rare that addon-devs *keep* testing on Firefox 60, they just test Firefox alpha-channel and Firefox rolling-release-latest-stable if they test more than one variant, I would guess.)

And although ESR has more security guarantees (patch-cadence speed and eyeballs and vetting of the backports and the hit-by-a-bus-factor) compared to waterfox, *unlike* waterfox ESR is not really privacy-oriented... it is just stability-oriented / sysadmin-friendly for deployment onto thousands of systems in schools/govt/corporate environs. Usually deployed side-by-side with 'spyware' mandated by the school/govt/corporation to make sure none of the students/bureaucrats/employees are downloading malware (captive portal that strips SSL and desktop-IDS-agent and whatnot).

There are some advantages to listing TorBrowser first: the more people utilize it with the stock settings, the more the TorBrowser userbase will be anonymized, because there is safety in numbers. But because it is using TorNetwork, and because it is based on a soft-fork of firefoxESR (which itself is a very light soft-fork of firefox-latest-stable), there are definitely some websites which TorBrowser "breaks" aka the site does not work properly. Endusers need a way to fallback to a more mainstream browser-offering, in such situations... and I think Firefox is a better pick for that job, than FirefoxESR, because of the testing-thing and because of the addons-testing-thing outlined up above. (When the website breaks even in firefox-rolling-stable then the fallback is BraveBrowser since it is chromium-based.)

p.s. It looks like @Shifterovich has already approved the commit in pull#881, but I am unclear on whether that was to the netlify thing, or to the full repo which will go live?

> It seems like it would be a rash decision to change our recommendation of Firefox (or Signal for that matter) without discussions at least coming to a close...

This seems reasonable, on paper. But there is a catch.

unless the discussion has a moderator it will become a brawl that drives away contributors AND comes to the wrong conclusions

> ...on both sides, and these are clearly very polarizing topics It is pretty safe to say that @libBletchley will never agree that Jami is not the best of the best, until some other esoteric tool arrives they love even more. I also get the strong vibe that @Mikaela will never agree that OMEMO is not the best of the best. Both those have been around for at least a dozen years, never gaining traction, and though I *might* one day decide signalapp is not the best-shot-at-actually-taking-out-skype-and-whatsapp-and-friends and therefore giving a reasonable chance of thwarting **mass** surveillance (by reaching the masses), I think it is completely and totally implausible to hope that Jami or XMPP can ever catch up with *wireapp's* everyday-person userbase, let alone signalapp's, let alone **facebook** and their gigantic whatsapp+instagram+fbookMsgr walled garden. Messengers are a network-effect industry and usability is the key. But these are arguments about the future. They are important arguments, but they are not something that one can prove with a line of code. They are predictive in nature, which makes them inherently subject to doubts... and therefore, neverending discussion. Mikaela also wants to boycott BTC because climate change. LibBletchley also wants to boycott AWS (which includes github + signalapp + wireapp) because Amazon. Those are not arguments about code, those are *purely political* arguments about ethical stances, which *inherently* will cause neverending discussion. > because many arguements are still being made both for and against I think you just perfectly outlined why the people with commit-access CANNOT afford to just let things be discussed. It would be endless, exhausting, marathon word-battle, signifying nothing but emotion and political pre-conceptions. Factional infighting and a corrosive atmosphere would result, eventually poisoning the listings themselves. There must be a process. 
There must be a referee who can step in and keep the debate productive, rather than repetitive endless "uhHuh nuhUh uhHuh nuhUh" to infinity. Github is not the place for such things, bickering about politics is for twitter and other stupid places like that, please please please :-) If the people leading the project -- which absolutely positively includes Mikaela despite being unsure of the role which best suits their talents yet -- fail to keep the discussions from going off the rails, and critically, help discussion reach *the PROPER conclusion* for the intended readership of the website, sooner or later the project will fail due to infighting. Decide on the intended readership: is it section1 for everyday people looking for an alternative to Chrome, and section2 for people that don't mind waterfox and have a threat-model that accounts for the hit-by-a-bus-factor, and section3 for people that will hand-compile ungoogledChromium and use LibreFox+NoScript from the air-gapped OpenBSD when ELinks fails them? Figure it out please, and then *document the decisions*. Nobody wants to read huge discussions that are always going off-topic -- so exercise the github project powahz and when something is off-topic, edit the post as the site-moderator. (Ideally move the info to the 'right' location ... which might be forum.privacytools.io or might be "take your issue off OUR github and blog elsewhere" type of thing ... but keep github which is intended to help improve the contents of the listings, for the intended audience of those listings, get sidetracked.) Nobody wants to contribute into a vacuum -- so try not to close something without at least a terse rationale. (Even the "obvious reason" is not obvious to all the people all of the time!) But DO NOT just let the discussions rage endlessly, please, devolving into name-calling and bickering and all manner of weak argumentation propped up by appeal to factionalism. This is github, not facebook. Please. 
And when something is not going to happen, *close* the issue and set a deadline for when it can next be re-opened, but give people an outlet where they can continue the discussions -- as long as they ARE discussions using logic not name-calling and objectivity not biased selectivity -- such as forum.privacyTools.io or chat.privacyTools.io or whatever the people *leading the project* decide is the place for such things. My recommendations are long and verbose, but my TLDR is simple: the people with commit-access are the leaders of the project. Set the parameters that will **help you** run the project well. And then enforce them, as necessary, acting as the referee and the moderator when needed, and then putting on your "individual contributor" hat whenever you want to participate in the discussion. But keep it a proper discussion, a logical debate about how to best present the website-listings that is centered around "is this html snippet an improvement versus this other one," and if yes why, and if no why not. Try to keep the political aspects out of github -- by which I mean, it is fine to state "wireapp should be demoted because it runs on AWS and here is a link to why Amazon is evil" and it is fine to state "BTC is morally wrong because it uses proof-of-work which is more energy-intensive and here is a link to why climate change threatens us all". But the moment that those briefly stated rationales about "change line X of HTML to Y because Z" start to become *arguing about the validity of Z* aka bickering about **the rationale** rather than just stating a counter-rationale, github at that instant has turned into facebook/twitter/etc. The referee hat *must* be put on, to stop that inherently-never-ending infightin, from happening. If the people with commit-access refuse to exercise moderator-powers and perform the referee function, the political discussion is allowed to happen. 
But this is github, and that is not the place for political bickering: the result will be an endless battle about IPCC'05 predictions versus recent research into ice cores from greenland, and *in the very same github-issue*, comparisons of Linode uptime versus OVH, and **none of that** belongs on github when discussion is supposed to be ABOUT whether to replace signalapp with jami or replace firefox with waterfox ... or at least, not if you want to avoid infinitely-long discussions that result in poor decisions.

> it's a good idea to make decisions before and after conclusion of an investigation

As usual @libBletchley and myself disagree ;-) Treating the listings as if they were subject to Political Transgression Takedown Notices would completely destroy the usefulness of the website listings. But I do agree that, when a listing is being challenged for removal, it makes sense that there should be a little annotation attached to the listing which says something like "being discussed" and a hyperlink to the discussion. I suspect libBletchley would prefer the annotation be in 200pt blink-tag "WARNING: Under Investigation For Suspected Links To Privacy Abusers" given that they wish every github issue would immediately delist the tool in question :-) So I'm against that. But it does make sense that when Ricochet is 'being discussed' or when firefox is 'being discussed' or whatever, that a note can be added to their listings. This needs to be a logical and moderated/referee'd objective conversation, though, and arguably, the 'being discussed' annotation should not be added until a discussion was open at least a week, and be immediately removed when the project-leadership (meaning anybody with commit-access) decides the discussion is no longer worth **highlighting** from the listings themselves. See above notes about "discussions that are endless in nature should be moved from github to a more suitable venue for the off-topic-in-github point of contention".

And on that note, since this is a thread about removing firefox, I'll shut up about meta-discussion for how to run the thread about removing firefox, and the other contentious github issues in similar vein ;-)
