Hacker News new | past | comments | ask | show | jobs | submit login
Pale Moon Browser Continues Support and Development of XUL (palemoon.org)
43 points by ronsor on March 16, 2019 | hide | past | favorite | 70 comments

>*BSD: Due to resistance from the BSD community to adhere to normal free software development practices, we currently have no plans to have official Pale Moon releases of any kind on the range of BSD operating systems.

What a load of crap. Some guy in his free time tried to port palemoon to one of the bsds (i think it was open), and they got all up in arms about use of their name before the guy even published anything. He was hacking in his own github repo, and these clowns created a scene there.

Funniest thing I've ever seen on github.


My favorite statement from apparently one of the Palemoon devs:

> Hopefully, in the future everyone can learn from this incident

Yeah, I know I sure learned something. I learned that Palemoon and its development team are hostile as hell.

What an enlightening conversation. Before it I actually considered Pale Moon a nice Mozilla-free Firefox fork.

The search continues.

I’d love to see that fork rip out all the crazy technical/branding requirements while it was at it.

Then Mozilla could be free as in freedom and stuff. (If you don’t know what I mean, go read the hoops the license created for the packagers in the github issue. Now I see why the whole ice weasel debacle happened!)

Have you considered Waterox?

I've just read the thread and I agree with the Pale Moon devs. The redistribution conditions were clear and the build system easily allows you to disable the official branding.

The Pale Moon devs weren't super polite about it, but they were objective and clear in their statements.

> The Pale Moon devs weren't super polite

The weren't super polite. In fact, they weren't polite at all. They were rude and demanding. I can't blame anyone for not wanting to collaborate with them after reading that thread. I wouldn't.

It was a work-in-progress tree and they weren't redistributing any binaries/sources from there. The Pale Moon devs were both wrong and remarkably hostile.

Additionally, (pardon me if I misunderstood) the Pale Moon developers consider it “normal free software development practices” to bundle libraries with an application and use them instead of the system ones? This seems to be the opposite of how most software libraries and prevents browser libraries from being updated as usual through the package manager.

This is purely a trademark dispute. They want you to rename the browser if you deviate from their franken-patchset of firefox + all the other weird old libraries they use. Such a thing would obviously not fly in a security focussed OS like openbsd (or any OS for that matter). So you can rename the browser if an agreement is not reached, which is fine. The issue, however, is that these guys are so protective of their name (really, who even has heard of it?), that they thwarted a WIP attempt by someone to port this mess before the ported product even saw the light of the day.

The astonishing thing to me is that, as mentioned elsewhere, this mess in the GitHub issue happened after the person doing the port politely asked the Pale Moon people about the right way to do things with regards to patches and branding: https://forum.palemoon.org/viewtopic.php?t=18256

> I've just read the thread and I agree with the Pale Moon devs.

Well there were 2 "issues" in that case. Being right about one certainly doesn't justify the other. One was the "technical" one of the conditions of redistribution. The other one was that one guy decided to start off the discussion as a grade A a-hole, rude, arrogant, dismissive, confrontational, and probably a few more. Discussions can degenerate but how often is it productive to start one with such a hostile attitude, especially in public?

Right as he may have been I wouldn't touch such a toxic person with a 10-foot pole. Such an attitude sabotages any amount of skill until the net contribution is actually lower than that of a less skilled person you want to work with. Case in point, so many devs actively stay away from the project (or more likely the person).

s/weren't super polite/were obnoxious, entitled and demanding about it/

That thread burnt most of my goodwill toward Palemoon which wouldn't have happened if they'd at least approached them civilly in the first place. Even if it had escalated from there.

They were also, apparently, correct! The mozconfig was indeed revised to remove the offending lines after the issue was raised! (by nuking the port work entirely)

Being correct definitely didn't justify the crappy attitude. The end result is most devs stay away from the person and the project.

A bit of a self-fulfilling prediction, but mission accomplished, right?

Pale moon forums is full of conspiracy theories on how Mozilla has been taken over by "SJWS." That, along with the horrible temper of the author, really discourages me from using or trusting it.

The same browser that blocked an extension they didn't like.


on HN(2017): https://news.ycombinator.com/item?id=15112524

Oh no! An about:config option has to be toggled from 2 to 3! Getting Pale Moon set up to be user friendly is much easier than all the crap you have to do with Firefox.

What things about Firefox are not user friendly? I'm genuinely asking, I'm not defending Firefox. The only one I know of is that you have to go to about:config to disable Javascript.

> The only one I know of is that you have to go to about:config to disable Javascript.

And I frankly don't see any problem with that.

The modern Web requires Javascript. Most major web sites will fail to work properly without it, often in confusing ways. (For example, Youtube will just display as a bunch of gray boxes.) Hiding a setting whose effect, for most users, is effectively to "break" the browser, is entirely appropriate.

People who are genuinely serious about blocking JavaScript (like me, and I’m sure many others in the HN crowd) are happy to install NoScript, especially since it gives you much more fine-grained control than simply on/off. I agree that hiding it behind an about:config switch is perfectly fine, considering that there is rarely a legitimate reason to use the setting.

> The modern Web requires Javascript.

I disagree.

There is nothing about the "modern" web which necessitates the use of JavaScript. I can understand the argument that, due to JavaScript's ubiquity, interfacing with some websites may prove impossible. But even then, that shortcoming isn't anything to do with the "modern" web; developers simply chose not to engineer a system capable of gracefully degrading.

> > The modern Web requires Javascript. > I disagree.

The argument was not that the modern web requires devs to over-rely on JavaScript, forsaking all others and creating experiences which fail to function without it. The argument was that for the majority of users to interact with the majority of modern websites, JavaScript is required to be turned on. Which it is.

I understood and addressed the argument in my initial reply.

> ... for the majority of users to interact with the majority of modern websites, JavaScript is required to be turned on.

This is a self-inflicted wound.

Firefox is anti-user. It prevents users from controlling their own software. It uses a ineffective walled garden model where there's an automated system to submit all add-ons to to get them signed by moz. Then you are allowed to install them in "your" browser. The only work around is to use the buggy version embodied in the beta or dev (aurora formerly) versions.

Pocket to start. Phoning home to check certs. Things like that. It's so bad guides have been featured on hackernews before, https://news.ycombinator.com/item?id=16135875

>Phoning home to check certs.

You mean OCSP/CRL? Every browser does that.

I still use Firefox rather than Pale Moon, despite Mozilla's recent slip ups. One of the main reasons for that is that Firefox of today is surely a lot faster and more secure than Firefox of the past, even if it's not perfect. Innovations like WebRenderer and Quantum were part of the reason for the move toward WebExtensions, no doubt. And the move toward WebExtensions definitely did reduce some control for extension authors, but for it we trade more stability and security.

I'm not sure if XUL and XPCOM really makes sense the way that it did when it emerged sometime in the history of Firefox (or Mozilla or Netscape - I'm not sure.) If I were to use a Firefox fork, I think the most I would ask is one that is more defensive and less full of services I don't care about. I don't trust studies or experiments anymore, and I don't care about Pocket.

> I'm not sure if XUL and XPCOM really makes sense the way that it did when it emerged sometime in the history of Firefox (or Mozilla or Netscape - I'm not sure.)

XUL and XPCOM start with Netscape Navigator 6, the bulk of whose code was made open source and would eventually become Firefox (and Thunderbird). So we're talking about stuff that was designed around 1998 and never really updated to track the latter development.

For its time, XUL was really a major departure from HTML. But several of its ideas were eventually implemented in HTML: the Web Components specification originates from an attempt to standardize some of the custom component work in XUL, and the CSS box model explicitly listed the XUL box model as prior work. But, given the influence of the other browser engines in their development, the resulting specifications aren't XUL, and there's important but subtle differences in how they work. And maintaining two very similar but actually different ways to do the same thing is a recipe for bugs and security holes. At the scale of Mozilla, that unused code can be a very fruitful way to hack users' computers--the NSA actually used a vulnerability related to unused features in JS (specifically, E4X) to track Tor users, since Tor was using an out-of-date version of Firefox that wasn't getting security updates.

And pledging to continue supporting NPAPI definitely doesn't make sense.

NPAPI is dead. There are no longer any mainstream browsers which support it; as such, upstream development of NPAPI plugins has largely ceased. NPAPI plugins present a significant attack surface, especially ones which interpret code like Flash and Silverlight, so continuing to support them presents a significant risk to users.

That's true, but it's just a shame for the millions of pieces of content out there in flash that risk becoming lost.

That may be true, but it needs to be dealt with in some way that won't expose an outdated and insecure plugin to potentially malicious content. (Especially since plugins aren't even sandboxed in these browser forks.) If there's really interest in preserving old Flash content, then perhaps people need to work into forward-looking ways of preserving that content, like a JS-based viewer.

We really need to resurrect Shumway: https://github.com/mozilla/shumway At this point I consider Shumway to be a retro console emulation project.

Shumway is in a spot where they need ActionScript 3 support to play more complex content. ActionScript 3 is based on ECMAscript 3. ES3 has support for some depreciated features such as E4X. To do this someone would need to compile the Tamrin AS/ES engine using something like WebAssembly.




BSD: Due to resistance from the BSD community to adhere to normal free software development practices, we currently have no plans to have official Pale Moon releases of any kind on the range of BSD operating systems.

Anyone got the story on this one?

Yeah, but rather than "resistance from BSD community" I would call it "Pale Moon developers being huge d* * *s" https://github.com/jasperla/openbsd-wip/issues/86

Wow, that got out of hand quickly. Like in a matter of minutes.

At first I was thinking, "Oh, neat. A browser I know nothing about. Maybe I'll give it a try."

After reading how multiple Pale Moon people acted in that thread, I'll pass. I've worked with people like that in the past, and I don't want to support them in any way, or validate their work.

As far as I can tell, they don't even have a trademark on Pale Moon

(EDIT): Ah shucks, USPTO TESS links don't work correctly. Anyway just search for "Pale Moon", I couldn't find anything relevant. http://tmsearch.uspto.gov/

Wow, those guys sure know how to not make friends. Last I checked choice of bundled or system libraries is normally reserved for distro packagers, and one would really hope the system libs win out wherever possible!

The palemoon author threatened to sue OpenBSD 3 hours after a trademark violation request was submitted. https://github.com/jasperla/openbsd-wip/issues/86

Worse than that: he threatened to sue OpenBSD 3 hours after the OpenBSD developer working on the port specifically asked for permission to use different compile flags on Palemoon forums!

Wait, this just gets weirder the closer you look at it.

Pale Moon's developers will threaten legal action if you use the wrong compile flags for their software??!

Mozilla Firefox also has a similar clause in their license agreement. Modified versions of the browser are not allowed to use the Firefox trademark, which is why Debian for years would use the Iceweasel name instead.

I don't think MOzilla ever threatened legal action out of the gate like that though.

Adding custom flags to a configure script is just so far outside the norms of free software development, what else can they do?

I'm also curious about their reasoning, since they have an OS X release in development. What is it about BSD that doesn't adhere to normal free software development practices, but OS X does?

It wouldn't be worth dealing with these people even if they were developing a good technology, but XUL???

Do you think they’re doing it because they love XUL, or because of the number of extensions that require XUL and no longer work in Firefox?

Hmm, funnily enough, despite saying they're not going to support DRM... they seem to be doing exactly that: https://github.com/MoonchildProductions/UXP/issues/962.

Best of luck to them but it is an uphill battle. The number of addons that are still updated for the pre-webextension system is really small. The last time I tried to use Pale Moon for an old extension I found that it wasn't worth it because so many other extensions were either out of date or just unavailable. I keep Waterfox around for the rare times I need to use an old extension since it can also use current ones as well.

I used to use Pale Moon because Pentadactyl still worked on it. But then it broke even in Pentadactyl, and I moved back to Firefox with Trydactyl (which is nowhere near as good as Pentadactyl, but it's better than nothing).

I've also tried qutebrowser, which is nice, but it's missing uMatrix/NoScript, RequestPolicy, and uBlock Origin-like extensions. So I'm stuck with Firefox for now.

Waterfox - it's like Pale Moon but started as a 64 bit version of Firefox.

They can pry my NPAPI plugins out of my bare hands.

No they won't pry them away from you; it's a great attack vector. If Homestarrunner ever let's his domain lapse, it'll be a malware goldmine.

Out of curiosity - what NPAPI plugins are you using?

I can't speak for the OP, but personally - DownThemAll, Classic Theme Restorer, Session Manager among others.

These 3 are the main reason I still have a semi-legacy browser (Waterfox)

Aren't those XPCOM / XUL extensions? NPAPI is only for purposes of Silverlight and Flash AFAIK.


Slightly OT, but I think it's time to move on from using "retard" as a derogatory term, in the same way we've all moved on from "gay" and "spastic". It's just offensive.

Please don’t use that word.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact