| View previous topic :: View next topic |
| Author |
Message |
saturnalia0
Apprentice
Joined: 13 Oct 2016
Posts: 150
|
 Posted: Mon Jul 15, 2024 3:11 pm Post subject: Firefox patches and privacy? |
 |
|
I've recently read this blog post about a dubious opt-out feature added to Firefox 128 (current version in Gentoo):
https://blog.privacyguides.org/2024/07/14/mozilla-disappoints-us-yet-again-2/
I'm a user of firefox-bin so I don't expect it to be patched in any way, so I simply disabled it.
I was wondering, does Gentoo have any opinionated patches to www-client/firefox, like enabling or disabling certain features for privacy reasons?
Looking at the ebuild I see things like --disable-crashreporter and --disable-gpsd, though I'm not sure what the motivation is as the git history is a bit hard to navigate (can't simply git blame on those lines as a new file is created for each version, plus the history is very large). |
|
| Back to top |
|
 |
CooSee
Veteran
Joined: 20 Nov 2004
Posts: 1461
Location: Earth
|
|
| Back to top |
|
|
Juippisi
Developer
Joined: 30 Sep 2005
Posts: 738
Location: /home
|
| Posted: Tue Jul 16, 2024 6:03 am Post subject: Re: Firefox patches and privacy? |
|
|
| saturnalia0 wrote: |
I was wondering, does Gentoo have any opinionated patches to www-client/firefox, like enabling or disabling certain features for privacy reasons?
|
Not at the moment and I'm personally very much against trying to maintain these on distro-level. I have tons of settings from https://github.com/arkenfox/user.js in my profile, and I still carry some custom-patches in /etc/portage/patches. But the more patches we add on a distro-level the harder maintaining Firefox becomes. Something breaks _every_ release, and it often takes hours just to update the current patches we're carrying. In fact I'd really like to get as close to upstream "vanilla" builds as possible. The browser development is just getting faster and faster, and the codebase more complicated. That's why it's hard to keep up and I'm _very_ reluctant adding any custom-patches that can't be upstreamed.
What I like about Firefox though is they give you the option to configure these settings. Even with this adtech mess, you can opt-out either from graphical settings or about:config. If I/we were to meddle with these settings from the ebuild, we'd have to print some message saying "these options have been set - check whether you want to change them" polluting the postinst log. People who care about that stuff, will find the settings they can change. Oh and the "telemetry" use flag does massive work on its own already - again, glad Mozilla gives this option when building Firefox.
| Quote: |
I see things like --disable-crashreporter and --disable-gpsd,
|
I don't know if you threw these two just as examples or if you're really curious about them, but:
I think crashreporter depends on gconf2 that was somewhat recently removed from Gentoo. Also if I remember correctly it depends on dbug being enabled (which makes sense when you think about it). Mozilla is working on rewriting the crashreported in rust, so when that's finished it can most likely be enabled in the ebuilds. Maybe. There could be some historic reason to disable it since we may introduce some Gentoo-only bugs with our builds.
gpsd depends on libgps which - to my knowledge - has never been available in Gentoo. It uses libgps to track geolocation. But Firefox uses, and has used, built-in geoclue (I think it's built-in?) for ages now. gpsd might be a legacy thing that no one removed from the codebase, even though it's not used anywhere. |
|
| Back to top |
|
|
kimchi_sg
Advocate
Joined: 26 Nov 2004
Posts: 3029
|
| Posted: Tue Jul 16, 2024 6:17 am Post subject: Re: Firefox patches and privacy? |
|
|
| Juippisi wrote: | In fact I'd really like to get as close to upstream "vanilla" builds as possible. The browser development is just getting faster and faster, and the codebase more complicated. That's why it's hard to keep up and I'm _very_ reluctant adding any custom-patches that can't be upstreamed.
|
Thank you for trying to keep up with upstream... the amount of stuff going on inside the firefox ebuilds is quite the eye-opener. |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 22289
|
| Posted: Tue Jul 16, 2024 2:32 pm Post subject: |
|
|
| With regard to patching and the maintenance burden it carries, I will note that Gentoo already applies through the ebuild quite a few default-preferences. However, since these are written to a dedicated file, if one of them goes obsolete, it will just silently stop working instead of breaking the build. I like that someone else has done the work of researching what preferences a privacy-oriented individual would want. I would prefer that there be an easy way to pull all that into Firefox, so that I can get equivalent changes on all the systems I maintain, but I recognize that supporting that - and deciding on exactly which preferences to include - could be a notable burden. |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20281
|
| Posted: Tue Jul 16, 2024 3:04 pm Post subject: Re: Firefox patches and privacy? |
|
|
| Juippisi wrote: | | People who care about that stuff, will find the settings they can change. |
Awareness is the main blocker there, but I can appreciate the patch burden. That they've decided to remotely change user settings is disturbing.
_________________
Quis separabit? Quo animo? |
|
| Back to top |
|
|
Juippisi
Developer
Joined: 30 Sep 2005
Posts: 738
Location: /home
|
| Posted: Wed Jul 17, 2024 5:55 am Post subject: |
|
|
| Hu wrote: | | I would prefer that there be an easy way to pull all that into Firefox, so that I can get equivalent changes on all the systems I maintain, but I recognize that supporting that - and deciding on exactly which preferences to include - could be a notable burden. |
/etc/firefox/syspref.js should be closest to achieving that in a safe location. You then deliver/control the file with same tool you control all these instances. |
|
| Back to top |
|
|
lars_the_bear
Guru
Joined: 05 Jun 2024
Posts: 300
|
| Posted: Wed Jul 17, 2024 7:44 am Post subject: Re: Firefox patches and privacy? |
|
|
| pjp wrote: | | That they've decided to remotely change user settings is disturbing. |
Have the Mozilla folks just set the controls for the heart of the Sun now?
My gut feeling is that the many (most?) people who use Firefox on a regular basis do so because they don't really trust the underhanded behaviour of the alternatives. I don't know how big a problem this PPA thing is, because I don't really understand how it works. The fact that it was sneaked in, accompanied by the patronizing attitude of the Firefox developers ("You wouldn't understand it even if we told you") has to make it a cause for concern.
This is just one in a history of worrying changes in Firefox. Assuming that everybody uses pulseaudio, and assuming that everybody uses NetworkManager are other examples. I've always supported Mozilla but -- good grief.
BR, Lars. |
|
| Back to top |
|
|
sMueggli
Guru
Joined: 03 Sep 2022
Posts: 412
|
| Posted: Wed Jul 17, 2024 9:11 am Post subject: Re: Firefox patches and privacy? |
|
|
| pjp wrote: | | Juippisi wrote: | | People who care about that stuff, will find the settings they can change. |
Awareness is the main blocker there, but I can appreciate the patch burden. That they've decided to remotely change user settings is disturbing. |
Who decided to change remotely which user setting?
Firefox introduced a new option with a default value. The main question here is whether the default value is the "right" or "wrong" value. Is the default value a violation of privacy or not? Based on my understanding of privacy I dare to say that the default value is not a violation of your privacy. Because I try to share as little data as possible I opted-out. But sharing as little data as possible is not the same as "protecting privacy". |
|
| Back to top |
|
|
lars_the_bear
Guru
Joined: 05 Jun 2024
Posts: 300
|
| Posted: Wed Jul 17, 2024 12:31 pm Post subject: Re: Firefox patches and privacy? |
|
|
| sMueggli wrote: | | But sharing as little data as possible is not the same as "protecting privacy". |
No. But perhaps it's a necessary first step? The problem is that 'Internet privacy' encompasses a bunch of complex, interrelated issues. I suspect that few people fully understand the implications of this Firefox change. As a matter of routine, I turn off all forms of telemetry that I can exercise any control over. Whether it does any good, I'm not sure. My gut feeling is that it does no harm.
BR, Lars. |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20281
|
| Posted: Wed Jul 17, 2024 4:55 pm Post subject: Re: Firefox patches and privacy? |
|
|
| lars_the_bear wrote: | | pjp wrote: | | That they've decided to remotely change user settings is disturbing. |
Have the Mozilla folks just set the controls for the heart of the Sun now? |
| sMueggli wrote: | | Who decided to change remotely which user setting? |
| Code: | elog "Upstream operates a service named Normandy which allows Mozilla to"
elog "push changes for default settings or even install new add-ons remotely."
elog "While this can be useful to address problems like 'Armagadd-on 2.0' or"
elog "revert previous decisions to disable TLS 1.0/1.1, privacy and security"
elog "concerns prevail, which is why we have switched off the use of this"
elog "service by default." |
https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/firefox-bin/firefox-bin-115.13.0.ebuild
| lars_the_bear wrote: | | My gut feeling is that the many (most?) people who use Firefox on a regular basis do so because they don't really trust the underhanded behaviour of the alternatives. |
I've never had the experience of others that Chrome is faster / better. so I've stayed with Firefox. The only other option is not using the web as none of the other Chromium based browsers solve the usability problems inherent in Chrome.
_________________
Quis separabit? Quo animo? |
|
| Back to top |
|
|
lars_the_bear
Guru
Joined: 05 Jun 2024
Posts: 300
|
| Posted: Wed Jul 17, 2024 6:02 pm Post subject: Re: Firefox patches and privacy? |
|
|
| pjp wrote: | | I've never had the experience of others that Chrome is faster / better. so I've stayed with Firefox. |
I have the opposite experience: I find Chromium works better than Firefox for almost everything I do. And it supports ALSA audio directly, without needing to be built from source, which Firefox generally does not any more.
I stick with Firefox because I don't feel I can trust anything that's associated in any way with Google. I don't know what risks I run, using Google products and services; maybe there are none, and I'm being paranoid. And there are plenty of nasty security vulnerabilities, even in software that has always been open source, and maintained with the best and noblest of intentions.
I know I'm a zealot. I'm not proud of it; it's just the way I am. But dealing with anything Google makes me feel... icky. Like I need a hot shower. Heaven help me if Firefox goes the same way; I'll have to go back to Gopher.
BR, Lars. |
|
| Back to top |
|
|
|
Other Things Gentoo
