Re: basilisk-browser

[Roberto C . Sánchez]

On Fri, Oct 19, 2018 at 11:30:05PM -0300, fmn...@fmneto.com.br wrote:
> On 2018-10-19 23:19, Ben Finney wrote:
> > Dominik George  writes:
> > 
> > > >> > [1] https://github.com/jasperla/openbsd-wip/issues/86
> > > 
> > > Seriously? They forbid linking against libraries if their code is not
> > > shipped with their sources?
> > 
> > They don't forbid that.
> > 
> > What they forbid is redistributing the modified work with the Pale Moon
> > branding.
> 
>Honestly they can do whatever they want. What's really obnoxious is to
> open a ticket on somebody else's git and *start* it by saying "You WILL do
> this and that", without even trying to establish some kind of dialogue.
> 
It is, however, an excellent lesson for teaching those who choose
software development as a vocation/career based on not having to deal
with people very much.  I frequently point out to my students that
programmers require "people skills" just as much as any other
profession.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Re: basilisk-browser

[fmneto]

On 2018-10-19 23:19, Ben Finney wrote:

Dominik George  writes:


>> > [1] https://github.com/jasperla/openbsd-wip/issues/86

Seriously? They forbid linking against libraries if their code is not
shipped with their sources?


They don't forbid that.

What they forbid is redistributing the modified work with the Pale Moon
branding.


   Honestly they can do whatever they want. What's really obnoxious is 
to open a ticket on somebody else's git and *start* it by saying "You 
WILL do this and that", without even trying to establish some kind of 
dialogue.


--Francisco

Re: basilisk-browser

[Ben Finney]

Dominik George  writes:

> >> > [1] https://github.com/jasperla/openbsd-wip/issues/86
>
> Seriously? They forbid linking against libraries if their code is not
> shipped with their sources?

They don't forbid that.

What they forbid is redistributing the modified work with the Pale Moon
branding.

http://www.palemoon.org/redist.shtml>

> That also seems like a security nightmare in the making.
> Mozilla themselves weren't even *that* ridiculous, were they?

It is true that the Pale Moon trademark policy is more restrictive than
what occurred with the Firefox trademark restrictions.

-- 
 \   “The best is the enemy of the good.” —Voltaire, _Dictionnaire |
  `\Philosophique_ |
_o__)  |
Ben Finney

Re: basilisk-browser

[Roberto C . Sánchez]

On Fri, Oct 19, 2018 at 12:28:16PM +0300, Reco wrote:
> 
> Ridiculous or not, but stable's firefox-esr contains their own private
> version of NSS - [1]. Same for the thunderbird.
> But they try to keep it sane, so at least firefox does not embed
> 'correct' version of GTK3, for example.
> 

That is very frustrating because there was a time when those
Mozilla-related packages used the system libnss.  Modifying the system
libnss to include an additional cetificate authority was the closest I
could get to deploying an internal CA within a network of Debian
machines (similar to how a Windows admin can push a CA to a bunch of
Windows machines via GPO).

However, they switched to bundled libnss at some point and my choices
became either rebuild each Mozilla-related package (FF, TB, etc.) or
have users manually install the CA.  Rebuilding those packages wasn't
worth the trouble.

It is really frustrating as this is one of those nagging inconveniences
(the lack of a standardized system-wide certificate store that is
actually used by all applications) of Linux that seems like it really
should have been resolved by now.

Regards,

-Roberto
-- 
Roberto C. Sánchez

Re: basilisk-browser

[mick crane]

On 2018-10-19 11:23, Reco wrote:

Hi.

On Fri, Oct 19, 2018 at 08:26:20AM +0100, mick crane wrote:

On 2018-10-19 07:58, Dominik George wrote:
> > > > [1] https://github.com/jasperla/openbsd-wip/issues/86
>
> Seriously? They forbid linking against libraries if their code is not
> shipped with their sources?
>
> That also seems like a security nightmare in the making.
>
> Mozilla themselves weren't even *that* ridiculous, were they?
>

I'm not understanding what "Official branding" refers to in that 
exchange.

If anyone has the time to explain.


It's the same as Mozilla's branding - [1].
Either you build the software the way upstream wants, or you lose the
right to call resulting software its official name (Palemoon in this
case).
Debian project was able to negotiate this with Mozilla some years ago.
In the case of Palemoon - well, OpenBSD project won't a Palemoon port 
in

a foreseable future.

Reco

[1] https://lwn.net/Articles/676799/


that's what -ESR is about then

thanks

--
Key ID4BFEBB31

Re: basilisk-browser

[Gene Heskett]

On Friday 19 October 2018 03:26:20 mick crane wrote:

> On 2018-10-19 07:58, Dominik George wrote:
> >>> > [1] https://github.com/jasperla/openbsd-wip/issues/86
> >
> > Seriously? They forbid linking against libraries if their code is
> > not shipped with their sources?
> >
> > That also seems like a security nightmare in the making.
> >
> > Mozilla themselves weren't even *that* ridiculous, were they?
>
> I'm not understanding what "Official branding" refers to in that
> exchange.
> If anyone has the time to explain.
>
> mick

I certainly have time to read it in that event.


-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 

Re: basilisk-browser

[Gene Heskett]

On Friday 19 October 2018 00:24:43 Ben Finney wrote:

> Doug  writes:
> > On 10/18/2018 04:49 AM, Reco wrote:
> > > Palemoon means extremely hostile upstream - [1].
> > >
> > > [1] https://github.com/jasperla/openbsd-wip/issues/86
> >
> > I would like to know what you mean by "extremely hostile upstream"
>
> Reco anticipated your wish to know, and provided a concrete example of
> the hostility. Did you read the discussion at that URL?

So did I, and it no longer exists on my system(s). It had worked well, 
about a year ago, but no updates and it was slowly falling apart.

I did goto their site a couple months ago looking for updates, and 
kindest I could say was that I went away insulted. W/o dl-ing any 
updates. That license (then) wasn't gpl-v2 or later, by a heck of a long 
row of apple trees. And I sure don't recall clicking thru anything like 
that originally. If I did, oldtimers has officially set in. :(

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 

Re: basilisk-browser

[Reco]

Hi.

On Fri, Oct 19, 2018 at 08:26:20AM +0100, mick crane wrote:
> On 2018-10-19 07:58, Dominik George wrote:
> > > > > [1] https://github.com/jasperla/openbsd-wip/issues/86
> > 
> > Seriously? They forbid linking against libraries if their code is not
> > shipped with their sources?
> > 
> > That also seems like a security nightmare in the making.
> > 
> > Mozilla themselves weren't even *that* ridiculous, were they?
> > 
> 
> I'm not understanding what "Official branding" refers to in that exchange.
> If anyone has the time to explain.

It's the same as Mozilla's branding - [1].
Either you build the software the way upstream wants, or you lose the
right to call resulting software its official name (Palemoon in this
case).
Debian project was able to negotiate this with Mozilla some years ago.
In the case of Palemoon - well, OpenBSD project won't a Palemoon port in
a foreseable future.

Reco

[1] https://lwn.net/Articles/676799/

Re: basilisk-browser

[Reco]

Hi.

On Fri, Oct 19, 2018 at 08:58:07AM +0200, Dominik George wrote:
> >> > [1] https://github.com/jasperla/openbsd-wip/issues/86
> 
> Seriously? They forbid linking against libraries if their code is not shipped 
> with their sources?
> 
> That also seems like a security nightmare in the making.
> 
> Mozilla themselves weren't even *that* ridiculous, were they?

Ridiculous or not, but stable's firefox-esr contains their own private
version of NSS - [1]. Same for the thunderbird.
But they try to keep it sane, so at least firefox does not embed
'correct' version of GTK3, for example.

[1] 
https://packages.debian.org/search?searchon=contents=libsoftokn3.so=exactfilename=stable=any

Reco

Re: basilisk-browser

[mick crane]

On 2018-10-19 07:58, Dominik George wrote:

> [1] https://github.com/jasperla/openbsd-wip/issues/86


Seriously? They forbid linking against libraries if their code is not
shipped with their sources?

That also seems like a security nightmare in the making.

Mozilla themselves weren't even *that* ridiculous, were they?



I'm not understanding what "Official branding" refers to in that 
exchange.

If anyone has the time to explain.

mick




--
Key ID4BFEBB31

Re: basilisk-browser

[Dominik George]

>> > [1] https://github.com/jasperla/openbsd-wip/issues/86

Seriously? They forbid linking against libraries if their code is not shipped 
with their sources?

That also seems like a security nightmare in the making.

Mozilla themselves weren't even *that* ridiculous, were they?

-nik

Re: basilisk-browser

[Reco]

On Thu, Oct 18, 2018 at 07:13:20PM -0400, Doug wrote:
> 
> On 10/18/2018 04:49 AM, Reco wrote:
> > Hi.
> > 
> > On Thu, Oct 18, 2018 at 10:02:42AM +0200, to...@tuxteam.de wrote:
> > > > I think its an good alternative to Firefox Quantum.
> > > > 
> > > > More Infos here: https://www.basilisk-browser.org/
> > > Indeed, it does look good.
> > No, it does not. UXP means Palemoon Browser.
> > Palemoon means extremely hostile upstream - [1].
> > 
> > Does Debian project really needs yet another Iceweasel incident?
> > 
> > Reco
> > 
> > [1] https://github.com/jasperla/openbsd-wip/issues/86
> > 
> > 
> I would like to know what you mean by "extremely hostile upstream"--
> I have been using PaleMoon Browser for several years and I like it.

Please note that I haven't qualified the browser itself.
Using Palemoon is OK for the upstream. More users = more recognition.
If it works for you - more power to you.


> Unlike Firefox, it doesn't change its stripes every few weeks. I am
> happy with an app that retains its interface for years and years and
> doesn't mess with my head. YMMV.

But, in this particular thread Palemoon or Basilisk qualities are not
relevant, as this discussion is about the possible inclusion of these
fine browsers into Debian main archive.

And for such inclusion certain criteria must be met, and one of those
is the ability to build the browser from the source the way that
maintainer sees fit. Upstream opposes that, see the link above.

Reco

Re: basilisk-browser

[Ben Finney]

Doug  writes:

> On 10/18/2018 04:49 AM, Reco wrote:
> > Palemoon means extremely hostile upstream - [1].
> >
> > [1] https://github.com/jasperla/openbsd-wip/issues/86
> >
> I would like to know what you mean by "extremely hostile upstream"

Reco anticipated your wish to know, and provided a concrete example of
the hostility. Did you read the discussion at that URL?

-- 
 \“[T]he great menace to progress is not ignorance but the |
  `\   illusion of knowledge.” —Daniel J. Boorstin, historian, |
_o__)1914–2004 |
Ben Finney

Re: basilisk-browser

[John Crawley]

On 18/10/2018 18.16, to...@tuxteam.de wrote:

What the world needs (badly) is more browser alternatives. I'm
seeing everything converging towards the dystopia where one huge
corporation controls the server and the client. We had that, and
it wasn't pretty; nowadays with smartphones, always-on, IoT and
perhaps worse, we are far more vulnerable to that (business?) model.


Have to sadly agree. Corporate unification has already been accomplished 
in the post-PC world of touchpads, but now on Debian we essentially have 
the choice of Firefox or Chromium. Nothing else looks safe. The modern 
web is so complicated that maintaining security patches for a browser is 
no longer something that small teams of enthusiastic amateurs can 
handle, IMO.


--
John

Re: basilisk-browser

[Doug]

On 10/18/2018 04:49 AM, Reco wrote:

Hi.

On Thu, Oct 18, 2018 at 10:02:42AM +0200, to...@tuxteam.de wrote:

I think its an good alternative to Firefox Quantum.

More Infos here: https://www.basilisk-browser.org/

Indeed, it does look good.

No, it does not. UXP means Palemoon Browser.
Palemoon means extremely hostile upstream - [1].

Does Debian project really needs yet another Iceweasel incident?

Reco

[1] https://github.com/jasperla/openbsd-wip/issues/86



I would like to know what you mean by "extremely hostile upstream"--
I have been using PaleMoon Browser for several years and I like it.
Unlike Firefox, it doesn't change its stripes every few weeks. I am
happy with an app that retains its interface for years and years and
doesn't mess with my head. YMMV.
--doug

Re: basilisk-browser

[Reco]

Hi.

On Thu, Oct 18, 2018 at 04:53:19PM +0200, basti wrote:
> On 18.10.2018 16:29, Reco wrote:
> > If only Debian project did something about Firefox privacy settings.
> > Let's face it - Mozilla are hypocrites. They loudly 'care about users'
> > privacy', but then force their 'opt-out telemetry' on you.
> > Debian's Firefox build disables some of the offending settings by
> > default, but not all of them.
> > At least at Google they are honest enough to say - 'we will spy on you
> > and we do not give a f*** about your option'.
> 
> Perhaps Waterfox find the way into re repo.
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885405)
> 
> Waterfox differs from Firefox in a number of ways by:
> 
> Disabling Encrypted Media Extensions (EME)
> Disabling Web Runtime
> Removing Adobe DRM
> Removing Pocket
> Removing Telemetry
> Removing data collection
> Removing startup profiling
> Allowing running of all 64-bit NPAPI plugins
> Allowing running of unsigned extensions
> Removing of Sponsored Tiles on New Tab Page
> Addition of locale selector in about:preferences > General
> Defaulting to Bing as the search engine instead of Ecosia, Google or
> Yahoo![7]
> 
> (https://en.wikipedia.org/wiki/Waterfox)

Too low aim, IMO. And how exactly M$ services are better for privacy
than Google's is anyone's guess.
Tor Browser (friendly upstream included) looking better here, especially
in the light of the fact that Tor Project builds Tor Browser for Debian
stable.

Reco

Re: basilisk-browser

[basti]

On 18.10.2018 16:29, Reco wrote:
> If only Debian project did something about Firefox privacy settings.
> Let's face it - Mozilla are hypocrites. They loudly 'care about users'
> privacy', but then force their 'opt-out telemetry' on you.
> Debian's Firefox build disables some of the offending settings by
> default, but not all of them.
> At least at Google they are honest enough to say - 'we will spy on you
> and we do not give a f*** about your option'.

Perhaps Waterfox find the way into re repo.
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885405)

Waterfox differs from Firefox in a number of ways by:

Disabling Encrypted Media Extensions (EME)
Disabling Web Runtime
Removing Adobe DRM
Removing Pocket
Removing Telemetry
Removing data collection
Removing startup profiling
Allowing running of all 64-bit NPAPI plugins
Allowing running of unsigned extensions
Removing of Sponsored Tiles on New Tab Page
Addition of locale selector in about:preferences > General
Defaulting to Bing as the search engine instead of Ecosia, Google or
Yahoo![7]

(https://en.wikipedia.org/wiki/Waterfox)

Re: basilisk-browser

[Reco]

Hi.

On Thu, Oct 18, 2018 at 08:40:51AM -0400, Roberto C. Sánchez wrote:
> > That would mean (in the context of Debian) that one would have to
> > (a) use the Basilisk-bundled libs (generally a no-no in Debian)
> > or (b) use a different name & brand. Yes, we know this story with
> > Firefox/Iceweasel. That'd mean that the packaging effort would
> > be a bit... more interesting.
> 
> The main distinction, however, was that in the Debian case, Mozilla
> objected to the backporting of security-sepcific fixes and then
> continuing to call the patched version "Firefox."  As I recall, all that
> was before they started offering ESR builds, so every version of Firefox
> was a quickly moving target with at most a few months of support.

It still is, for me at least.
I miss old days where they gave me one Iceweasel version for the
duration of stable release.


> Once the Firefox project started offering builds that made sense within
> Debian's stable release process, the Iceweasel branding could be dropped
> and builds could be included in Debian which both satisfied the needs of
> patching security vulnerabilities and the upstream branding
> requirements.

If only Debian project did something about Firefox privacy settings.
Let's face it - Mozilla are hypocrites. They loudly 'care about users'
privacy', but then force their 'opt-out telemetry' on you.
Debian's Firefox build disables some of the offending settings by
default, but not all of them.
At least at Google they are honest enough to say - 'we will spy on you
and we do not give a f*** about your option'.


> A project that says "you can't even change the build flags" strikes me
> as not especially inclined to display the flexibility that Mozilla
> eventually did.

Moreover, a project is x86-only. How exactly such upstream will react to
patches that, for example, fix segfault/sigill on armhf?


> In fact, since they are so concerned about "disastrous"
> library combinations and insist on their bundled/patched versions being
> used, I find it surprising that they do not specifically dictate which
> compilers are authorized to create branded builds.

Careful, they might be reading this ;)


> > > Does Debian project really needs yet another Iceweasel incident?
> > 
> > What the world needs (badly) is more browser alternatives. I'm
> > seeing everything converging towards the dystopia where one huge
> > corporation controls the server and the client. We had that, and
> > it wasn't pretty; nowadays with smartphones, always-on, IoT and
> > perhaps worse, we are far more vulnerable to that (business?) model.
> > 
> I agree.  I have already begun encountering sites which behave badly in
> Firefox, requiring me to switch to Chromium (and in case Chrome itself,
> uggh).  I definitely do not want to return to the bad old days where
> most websites had something like "Best viewed in Internet Explorer 5.5+"
> on every page :-(

It's happened already. The catch there is that you need Chrome to
display that 'best viewed in' badge.

Reco

Re: basilisk-browser

[Roberto C . Sánchez]

On Thu, Oct 18, 2018 at 11:16:54AM +0200, to...@tuxteam.de wrote:
> On Thu, Oct 18, 2018 at 11:49:44AM +0300, Reco wrote:
> > Hi.
> > 
> > On Thu, Oct 18, 2018 at 10:02:42AM +0200, to...@tuxteam.de wrote:
> > > > I think its an good alternative to Firefox Quantum.
> > > > 
> > > > More Infos here: https://www.basilisk-browser.org/
> > > 
> > > Indeed, it does look good.
> > 
> > No, it does not. UXP means Palemoon Browser.
> > Palemoon means extremely hostile upstream - [1].
> 
> Thanks for the link, very instructive.
> 
Yeah, that was ... something.

> That would mean (in the context of Debian) that one would have to
> (a) use the Basilisk-bundled libs (generally a no-no in Debian)
> or (b) use a different name & brand. Yes, we know this story with
> Firefox/Iceweasel. That'd mean that the packaging effort would
> be a bit... more interesting.
> 

The main distinction, however, was that in the Debian case, Mozilla
objected to the backporting of security-sepcific fixes and then
continuing to call the patched version "Firefox."  As I recall, all that
was before they started offering ESR builds, so every version of Firefox
was a quickly moving target with at most a few months of support.

Once the Firefox project started offering builds that made sense within
Debian's stable release process, the Iceweasel branding could be dropped
and builds could be included in Debian which both satisfied the needs of
patching security vulnerabilities and the upstream branding
requirements.

A project that says "you can't even change the build flags" strikes me
as not especially inclined to display the flexibility that Mozilla
eventually did.  In fact, since they are so concerned about "disastrous"
library combinations and insist on their bundled/patched versions being
used, I find it surprising that they do not specifically dictate which
compilers are authorized to create branded builds.

> I think both sides have their point, and the sad part for me is
> that they didn't manage to tackle the conflict in a more civil
> manner. Perhaps a lesson in humility for us all.
> 
Sadly, this sort of conflict seems to be increasing in frequency, rather
than decreasing.  I can think of two other large projects just in the
last two or so years that have been exceptionally hostile to downstream
packagers/maintainers.  So much so that the packagers/maintainers just
gave up.

What seems to be the impediment to civility and humility is that people
tend to become very emotionally invested in their work.  That
exaggerates very minor things to the point where there is a
disproportionate reaction from one side, which thusly triggers a
disproportionate reaction from the other side.  This then results in raw
emotions, public humiliation, etc.  Once the situation escalates like
that, it is difficult to diffuse and return a reasonable and collegial
discussion where the (usually very minor) root issue can be identified
and dealt with.

> > Does Debian project really needs yet another Iceweasel incident?
> 
> What the world needs (badly) is more browser alternatives. I'm
> seeing everything converging towards the dystopia where one huge
> corporation controls the server and the client. We had that, and
> it wasn't pretty; nowadays with smartphones, always-on, IoT and
> perhaps worse, we are far more vulnerable to that (business?) model.
> 
I agree.  I have already begun encountering sites which behave badly in
Firefox, requiring me to switch to Chromium (and in case Chrome itself,
uggh).  I definitely do not want to return to the bad old days where
most websites had something like "Best viewed in Internet Explorer 5.5+"
on every page :-(

Regards,

-Roberto

-- 
Roberto C. Sánchez

Re: basilisk-browser

[tomas]

On Thu, Oct 18, 2018 at 11:49:44AM +0300, Reco wrote:
>   Hi.
> 
> On Thu, Oct 18, 2018 at 10:02:42AM +0200, to...@tuxteam.de wrote:
> > > I think its an good alternative to Firefox Quantum.
> > > 
> > > More Infos here: https://www.basilisk-browser.org/
> > 
> > Indeed, it does look good.
> 
> No, it does not. UXP means Palemoon Browser.
> Palemoon means extremely hostile upstream - [1].

Thanks for the link, very instructive.

That would mean (in the context of Debian) that one would have to
(a) use the Basilisk-bundled libs (generally a no-no in Debian)
or (b) use a different name & brand. Yes, we know this story with
Firefox/Iceweasel. That'd mean that the packaging effort would
be a bit... more interesting.

I think both sides have their point, and the sad part for me is
that they didn't manage to tackle the conflict in a more civil
manner. Perhaps a lesson in humility for us all.

> Does Debian project really needs yet another Iceweasel incident?

What the world needs (badly) is more browser alternatives. I'm
seeing everything converging towards the dystopia where one huge
corporation controls the server and the client. We had that, and
it wasn't pretty; nowadays with smartphones, always-on, IoT and
perhaps worse, we are far more vulnerable to that (business?) model.

Cheers
-- t


signature.asc
Description: Digital signature

Re: basilisk-browser

[Reco]

Hi.

On Thu, Oct 18, 2018 at 10:02:42AM +0200, to...@tuxteam.de wrote:
> > I think its an good alternative to Firefox Quantum.
> > 
> > More Infos here: https://www.basilisk-browser.org/
> 
> Indeed, it does look good.

No, it does not. UXP means Palemoon Browser.
Palemoon means extremely hostile upstream - [1].

Does Debian project really needs yet another Iceweasel incident?

Reco

[1] https://github.com/jasperla/openbsd-wip/issues/86

Re: basilisk-browser

[tomas]

On Thu, Oct 18, 2018 at 09:01:21AM +0200, basti wrote:
> Hello,
> please add basilisk-browser to debian repo.

Wrong list :-)

The right way to do it is to file a RFP (== "Request for Package")
bug. The Wiki [1] has more details on that.

If you (or someone else) is interested in that, there's a bit of
legwork you could do in advance:

 - Is it already packaged? (it doesn't seem so, as this search [2]
   suggests)
 - Is its license compatible with Debian's guidelines (DFSG) [3]?
 - Can you build/install it on your Debian box?

Feel free to add to this list :)

> I think its an good alternative to Firefox Quantum.
> 
> More Infos here: https://www.basilisk-browser.org/

Indeed, it does look good.

Cheers

[1] https://wiki.debian.org/RFP
[2] 
https://packages.debian.org/search?keywords=Basilisk=names=all=all
[3] https://www.debian.org/social_contract

-- tomas


signature.asc
Description: Digital signature