LibreWolf – A fork of Firefox, focused on privacy, security and freedom (librewolf-community.gitlab.io)
205 points by transportheap 73 days ago | 306 comments

Author of Mozilla telemetry here. You can accomplish this with official Firefox by blacklisting the incoming.telemetry.mozilla.org domain, per https://searchfox.org/mozilla-central/search?q=telemetry.moz...

Let's stop making privacy a techie-only thing, though. This should be a question a user chooses the first time they boot the browser, and Firefox should do its hardest to honor it.

Telemetry isn't inherently bad or privacy violating.

I suspect that for every scenario you can think of someone will be able to reply with solid logic about how it could be used in a way that’s bad and/or privacy-violating.

But it is, though, IF it's not shown up front and center to the user. All telemetry can be backtracked to an IP in most cases. That's a bad thing. It's a form of history. It should be a switch that turns ON so that you OPT IN. Not the reverse, nor should it involve having to change a hosts entry.

> Telemetry isn't inherently bad or privacy violating.

How can you tell?

In Firefox:

point your url bar to about:telemetry

It shows you all the data that has been gathered. (Though IIRC it might still show stuff even when you've disabled telemetry -- in that case the data is being aggregated locally but not sent.)

Go to https://telemetry.mozilla.org

To look at the data on the server side. There are more sophisticated ways of querying it, but obviously not everybody can just be handed access to run arbitrary analysis code.

Probe dictionaries:




Just checked about:telemetry, it seems most data are about CPU and memory stats, nothing related to browsing history.

Mozilla doesn't collect browsing history, period.

You forgot safe browsing.

What about it?

How you probably think it works in Firefox and how it actually works in Firefox are two different things, by the way:


As soon as I start Firefox on Windows it connects to 1e100.net and makes a lot of connections to this domain even when no page is displayed (just the start screen). This is another reason why I'm in the process of switching from Firefox to another browser. A program shall not initiate network connections if not asked to.

It's open-source software.

That means nothing. Go read the Audacity threads pertaining to trying to sneak in Google and some Russian analytics clients.

From the latest Audacity release notes:

>A journaling feature has been added for QA purposes.

What exactly does that mean?


That's not what I meant. Search the PRs for the most commented upon PR. It'll invariably be the one about adding Google analytics and telemetry to Audacity.

What is privacy really? The browser? The ISP gets your data, the site gets metrics, and VPNs will just redirect traffic.

Having control over which information about yourself, your life, your habits, etc. you choose to give out, when, for how long, and to whom.

It's not this convoluted. Give people their privacy.

I’m not anti privacy, it just means something different to everyone. If you don’t control the metadata for servers you use, does that mean you cannot ever expect privacy?

I argued with someone about how we shouldn’t expect privacy with a cell phone, I don’t see how a 24/7 location tracking device that reads data telemetry (even if you use a custom privacy rom you connect to the towers and send telemetry) can ever be seen as private. PCs are usually compromised with Intel ME or AMD ST (unless you have a specially modded one or use old government contracted ones with them disabled).

Not having to use servers at all is kind of a preference. Why do browsers need to phone home at all?

When you use a site, you’re using servers and they have logs. This is unrelated to the browser itself, although ideally it shouldn’t have telemetry. But even so the servers of sites you use will and you can’t control the data collection.

When I boot Firefox, that operation should not automatically connect to a server unless I have a default web page set.

Maybe I am opening a local file? Using a local network resource? On a limited/expensive connection and don't want it auto-updating some BS? Running the browser in kiosk mode as a glorified HTML/CSS/JS GUI for a local app (apparently a thing now)?

It's really apparent when I socks proxy into a remote site (via limited 2G) to view a few kB worth of HTML admin page and Firefox starts autoupdating a bunch of remote resources.

> The ISP gets your data

Browsers know much more. Most channels are encrypted nowadays so the ISP doesn't know what you talk about on internets.

I've been a Firefox advocate for years, but after the recent update to 94.0.1 I removed it from my Mac, Linux, and Windows machines because of how it obscures multi-account containers - they are now a hidden icon that you can't click in the toolbar, and it's been moved into the address bar where its functionality has changed. This disrupted my workflow significantly.

I just switched to LibreWolf, and installed the plugin there. It's working as expected, and I won't be forced (or incessantly nagged) to update the browser as I was with Firefox.

Thank you for your work on a great browser, but if you have any pull at Mozilla please tell them they're losing core users for good with these forced, unannounced, irrevocable changes to how users work in a browser.

Of the 180 lists we track at RethinkDNS, all the top ones contain *.telemetry.mozilla.org https://rethinkdns.com/search?q=telemetry.mozilla.org

That said, on Android, I don't see a single telemetry.mozilla.org entry in my DNS query logs.

Hi, what exactly is your offer with RethinkDNS vs., let's say, NextDNS?

Hi: NextDNS is the gold standard and many capable alternatives have cropped up in its wake in recent times, like Windscribe's controld.com, but RethinkDNS is not it.

Our primary objective is anti-censorship, and so, we make it simple for folks to deploy their own DoH (which means all our code is open source). Today, the serverless DoH stub resolver deploys to cloudflare workers but we plan to support deno.com/deploy and fly.io soon (already have it working in our development branches but the incompatibility between node and deno is causing a bit of pain to merge with mainline). RethinkDNS is the reference serverless DoH deployment, if you will.

We support DNS-based content-blocking too (out of sheer need for it from our users) but believe the right avenue to block content is either in-app where possible (like uBlockOrigin in Firefox) or at the IP-layer (not DNS), and hence we also build a Firewall (due to limited time, the RethinkDNS + Firewall app is Android-only, for the time being [1]).

That said, we do plan to achieve parity with NextDNS, but that's going to happen over a period of time since our team of 3 is stretched thin between building the firewall (too much complexity!) and the dns (too much work!).

[0] https://github.com/serverless-dns/serverless-dns

[1] https://github.com/celzero/rethink-app

How valuable is the telemetry data to Mozilla?

Based on their recent design changes (deprecation of compact mode, for example), they are either not collecting enough telemetry about the affected parts of the UI/UX, or they are ignoring what they have collected for whatever reason. Of course, there is a chance that telemetry confirms their vision, but based on the explicit feedback I've been seeing online, I doubt the rationality of their decision-making at least part of the time.

It is also possible that the telemetry shows that the vocal majority you perceive is, in fact, a vocal minority. I don’t have any more knowledge than you about whether that’s the case or not, but the possibility of being in the minority (and perhaps severely so) is absent from your list, and that deserves correction.

While I agree with you and the way you’ve stated it, it should be widely known that tiny groups of highly technical people can unlock huge understandings about how to improve.

Look at the speedrunning community for example: sometimes it’s not just a tiny group, but a single person that sees something that the devs did not, and that can lead to fixing “wtf” bugs for everyone else.

There is a chasm of difference between "We've identified something you have not given consideration to" as you describe (which I wholeheartedly support), and "We will insist we're right about the same points over and over again in every post about Firefox for all time" as HN behaves (which I do not, no matter what the topic). The former is a valuable and essential component of public issue reporting; the latter is not.

I see Firefox doing user hostile activity all the time, so I’m more inclined to think that they are using telemetry in the slowly boiling frog analogy. The extension download data even without telemetry shows people want multi row tabs but they’re not putting it in by default. I am not sure how much the data is being used to improve user experience.

Which extension do you mean?

Multi row tab.

How do you compare strong voices of a few on a site like HackerNews or Reddit against many many many millions of data points of users around the world?

Should written feedback overrule a bigger data set?

A technically competent user's feedback should be weighted at least one, if not tens or hundreds of orders of magnitude greater than anonymously gathered telemetry. Remove actual, intentional human communication from the loop and you're lost at sea - anyone can make the anonymous data mean anything, and then it's whoever can make the cleverest chart or analysis of the data that ends up directing decisions.

Ignoring the people who actually take the time to communicate problems in favor of interpreted telemetry is exactly why Firefox is losing. Taking direction from technical users, or so-called power users, can give the application improvements in nuanced and technical uses. Taking direction from anonymous "averages" makes development a race to the bottom.

Firefox developments over the last couple years feel like what would happen if you put grandma in charge of trying to make things better. To put it bluntly, fuck grandma, she doesn't know what the hell she's doing anyway. Firefox used to be a Lamborghini, it doesn't need training wheels and balloon bumpers. Lean into technical excellence and drop the obsessive ui/ux nonsense.

I agree with this so much.

Once it was clear that Chrome was destined to cater to the masses, Firefox should have done a hard pivot with an emphasis on privacy and putting the user in control of their browsing experience. The best time to do this was a few years back when all of this was becoming obvious, but now with massive popular distrust of large tech companies like Facebook and Google making daily news, the second best time is now.

There's a reason I run Linux and BSD on every computing device I own, instead of Windows or Mac. It's not because it's easier to use (they are not), it is not because it has more bells and whistles (they do not). It's because at the end of the day, _I_ am the one in control of my computers, not some product manager who needs bullet points on his or her annual review.

There is no universe in which Firefox is going to successfully compete against Google at their own game, especially when Google is _still_ the majority source of their funding. I have no evidence for or against this, but my greatest fear is that the people at Mozilla who were passionate about the same things that I am passionate about have left out of frustration and the only ones left are there for the lifestyle and hipsterness of "working in tech" at a non-profit in a trendy city.

I cannot agree with it or your comment. I have seen these types of comments pop up in every Firefox thread on HN. It is so common for people to try to play armchair CEO. But when I actually dig into it, I have really never seen anyone with a competent vision of what a "competing browser" is supposed to look like. It all seems to boil down to "put the user in control of X feature and add a bunch of settings for it" or "don't remove Y feature that I used" or "bring back XUL" or something like that which I hope you can understand are not reasonable high-level directions. The various forks of Firefox are well intentioned but these are all minor modifications, they don't try to do something different.

To illustrate what I mean here, if you want a fork with an emphasis on privacy you can just use LibreWolf. It is the entire thread we are responding to, the thing you want exists right now. But I don't see people exactly flocking to use that, your comment seems to not even acknowledge that it exists!

> Once it was clear that Chrome was destined to cater to the masses, Firefox should have done a hard pivot with an emphasis on privacy and putting the user in control of their browsing experience.

Why do you believe that catering to the masses implies not focusing on privacy and putting the user in control of their browsing experience?

Is there a guiding philosophy behind any of Firefox's decisions?

If it isn't customizable by the type of users who care about customization, then what is the reason to use Firefox instead of what ships with your OS or Chrome. Why would "typical users" have chosen Firefox in the first place without some vocal user suggesting it?

I still use Firefox for everything, I'm just sad that the lack of inspiration in the project means that it might not be a viable option in a few years. Maybe they're aiming for making 98% of users happy, and matching 98% of the features of other browsers, but it needs to have some reason to exist. Usability testing without innovation is that different from p-hacking without hypotheses in science.

Anyway, compact density was a non-default option, so it's difficult to understand why the option had to be deprecated. Compare that to MacOS. I didn't upgrade to Big Sur until Apple restored the option `NSWindowShouldDragOnGesture`, which allows you to drag a window from any pixel when you hold down control-option-command. Out of a billion users, I'd be surprised if more than 5,000 users care about this feature. (ie >99.9995% probably don't care) I only use the feature in combination with Karabiner Elements to change the command and Steermouse to recognize mouse button chords, but I invoke the command every couple minutes. Nevertheless it was restored, and it never disappeared in Monterey. Is it the budget alone that allows Apple to be simultaneously opinionated in their UI design and user accommodating, or is it completely different attitudes about users?

As someone who is currently implementing a compact theme for a different app, anything of that nature has a non-zero cost. Which is compounded by the number of designers you have working on the product who now all have to review every change multiple times.

While I broadly agree: data lies too. "X% more people use this now" says absolutely nothing about if they like it, or if it's doing what they want, or if you'll drive them off the system in a couple months because of it. It just says that X% more used it during the time you were watching.

You can use nothing but positive data-driven results to drive yourself out of existence, and it's rather easy. Direct, human feedback is absolutely essential.

If the telemetry-based removal of a feature would turn out to be a dealbreaker for a critical mass of users, it should be reconsidered (think of Mozilla's position in the browser market nowadays: it can't afford to piss off the "power users" and evangelists of Firefox).

And it's not like Firefox has no Nightly or Beta branch to test the waters before making a significant change. For example, during the prerelease phase of the so-called Proton UI, there was no shortage of clear feedback about it. A lot of it was legitimate criticism about accessibility (harder to distinguish inactive horizontal tabs because the separators were removed; part of the new palette did not have enough contrast; etc.) and usability (e.g. in cases of low screen estate, some menus were suddenly so huge that they'd not fit within the height of the screen).

Mozilla is slowly fixing some of these issues, which is a good sign IMO, but also sticking to some other "deliberate design decisions" that still remain controversial. I largely do not believe in design-by-committee, by the way. However, I believe that all valid feedback should be evaluated and taken into consideration if it's critical.

At the rate Firefox's market share is currently declining, it seems unlikely Mozilla actually has a finger on the pulse of the wider "millions [of users] around the world."

Is there anyone who you believe does have a finger on that pulse? If so, why? What can we learn from them?

Unfortunately, a certain employee who was rightfully kicked out of Mozilla in 2014 made a few bets that paid off (users dislike ads, users are stupid and will love it if you offer them money, and they'll go crazy for security snake oil even if it actively harms them).

Firefox doesn't block ads because they're funded by Google and they have ads in their own browser. Nobody likes ads. Especially not in the browser. This contributes to the decline. Firefox doesn't advertise with security snake oil, and they beg for money a lot, which is the exact opposite of the model proposed by the only browser that's rapidly shot up in market share in the last decade rather than roughly stagnating.

Some vocal voices are superusers that can affect others to use or not. Think of them as like current social media influencers. FF userbase has been in decline for some time now, during which that vocal feedback has been largely ignored. Perhaps that gives some proof or indication on "should written feedback overrule a bigger data set"?

Typically on the web more virulent, extreme content should always win against the quiet majority.

Is this sarcasm or sincere? I agree to a certain extent; informed people with good taste tend to be strongly opinionated.

Uninformed people with terrible taste generally seem to be even more strongly opinionated, though. I'm not sure we can draw many useful conclusions!

I'm not an expert on Mozilla's telemetry, but my recollection is the vast majority of telemetry data is performance data (e.g., how long does it take the program to start up, how long does it take to query the history database when typing in the URL bar) or feature usage (and this is more on the level of "which SSL cipher suites are being used" versus "who clicks this button in the UI").

Here is Mozilla's list of telemetry probes, including descriptions and whether it is recorded in prerelease (Firefox Nightly and Beta) or release versions.


Those are great examples and we do both.

We use the telemetry data as input to many product and business decisions. It is very important.

If that was entirely true, then better communication with users would probably be the ideal substitute for it.

Those are in no way substitutes for each other -- you have to do both. People are not able to self-report accurate measurement data, and telemetry data can't tell you anything about what a person wants or why they do things.

Product decisions I can kind of see, but what kind of business decisions are you talking about?

I examined this and it appears that you can get the same effect yourself by enabling ETP strict mode, disabling telemetry and suggestions, and installing uBlock Origin in Firefox, which is a pretty common configuration for a lot of people. I suppose it's easier to just install this and have that already set up, but it's not exactly hard to do this in Firefox for the average HN reader and you most likely /already have/, so this gives you nothing except lagging security updates from an unknown developer.

Until Firefox accidentally disables these settings or replaces them with new ones with new defaults, deprecates these plugins or introduces a new privacy invasion.

> Until Firefox accidentally disables these settings or replaces them with new ones with new defaults, deprecates these plugins or introduces a new privacy invasion.

Did anything of the sort ever happen at all or are we only entertaining thought experiments?

It happens all the time with different OS’, software, games, and apps. I don’t know of a single example of Firefox doing it, but I feel like it’s fair if people are thinking about it as a possibility.

> I don’t know of a single example of Firefox doing it, but I feel like it’s fair if people are thinking about it as a possibility.

This line of reasoning doesn't add anything of value because the same fear mongering applies to LibreWolf and any other project just the same.

My intent was not to fearmonger. I agree that anyone could do it (including LibreWolf). My intent was to say that the comment I responded to has a rightful place in these discussions (and further: in any discussion about privacy)

If anything, these types of projects should come as some sort of external wrapper to help you compile or configure the software to give you the wanted behavior.

I don’t know a lot about how Arch’s AUR works but this seems like something that could be made an AUR package for example with special configuration while still using “base” Firefox to put it together, rather than profiling it as a new product.

It depends on how they plan to diverge from upstream firefox. Given enough source code changes a fork might be justifiable.

I don’t think “hard forking” a browser of all things is manageable, even for largish companies, let alone a team of a few developers. Backporting all the security patches is a very expensive process.

Forgive my ignorance, but couldn't this be done as an extension? (Maybe even within uBlock Origin itself, if they were to add an option?)

Or do extensions not have access to these settings?

This is exactly the sort of thing one might expect an extension to be able to do, but since the move to web-extensions many of these things aren't possible.

For example, you can't change user settings from an extension. Or install other extensions.

That is part of why FF is having user drops. There should be a way to easily set a bunch of preferences in bulk for privacy/security or whatever one wants.

However, the same is true for all other browsers as well as most are forked from Chromium and also use the web extensions API. What other browser provides more control via extensions? This seems like it's not a reason for users to drop.

> This seems like it's not a reason for users to drop.

It means people have one less reason for sticking with Firefox and means more people will stick with what comes with the OS / what Google advertises everywhere / what works better with their favorite websites.

They don't. But honestly, it would be easy enough to have a script/program run to fix the settings while Firefox is not running.

I also don't see all the excitement about ETP and similar. I have one profile that has javascript and cookies disabled and I do 90% of my browsing via that. I mostly just read text...

I have another profile that is less locked down, which I use for sites that might need cookies and JavaScript. One can use plugins like NoScript and enable on a per-site basis.

LibreWolf is mostly a bunch of policies. If you go into the preferences pane, you should see a note: 'Your browser is being managed by your organization'. When you click the link, there's a bunch of 'features' disabled like telemetry, auto-updates etc. It also has the about:config section heavily tweaked and modified.

Doing all that on stock Firefox is a lot of work which is why I prefer the developers of LibreWolf to do it for me. Call me lazy if you want.

There is the added benefit of new Firefox features getting stripped in later releases of LibreWolf that otherwise would have gone un-noticed by me. Also: Trimming down the browser traffic and stopping it from being really chatty with Mozilla servers is great (if you don't like Mozilla for whatever reason).

Having gone through most, if not all of the browser lockdown activities on FF, can concur completely - it is a huge time saver. I would vastly prefer to use a common approach for this, rather than my own ad hoc decisions for this.

Am very interested in LibreWolf for this reason.

> there's a bunch of 'features' disabled like […] auto-updates

YIKES. Automatic updates are incredibly important for security. Disabling them by default is highly concerning.

Does the browser support (manual) self-updates at all, or has that functionality been disabled entirely?

Some of us are responsible software owners who prefer to update on our own terms.

I understand the argument that my grandmother should probably enable auto-updates, because otherwise she could easily end up months behind on releases.

But I care deeply about my personal computing environment. I notice every minuscule change because I'm on my computer for hours and hours each day. Sometimes I'm in the middle of some important projects and I don't want anything to automatically update. Sometimes I'm really productive during an afternoon and I don't want to waste time and lose momentum on an update (or some bug, or UI change, as a result of that update). Sometimes I've heard about some problem coming down the pipe in the next update and I'd rather wait until there's mitigations to make that change work better with my specific setup.

Automatic updates basically assume that I have the computing proficiency of my grandmother. But I actually manage my computer in a very conscious, thoughtful way. All software should provide the ability to disable automatic updates (and update nagging) out of respect for power users. It's OK to hide it in a developer or advanced menu. Just give me the option.

That being said: automatic updates are a sensible default for the same reason. But let me opt out, and (Mozilla, are you listening?) for the love of god please don't override my preferences back to automatic updates when you decide to change the UI of preferences.

(Disclaimer: I work on the Firefox Application Update system)

> But let me opt out

It seems to me that you can opt out. You can use the "Check for updates but let you choose to install them" setting in `about:preferences`. Or you can use the exact policy currently under discussion: `DisableAppUpdate`. Or there is another policy called `ManualAppUpdateOnly` [0].

> (Mozilla, are you listening?)

Why yes, we are listening. We have heard many people request the ability to disable automatic updates, which is why we have the options that I mentioned above. If you feel that these options don't meet your needs, we would really appreciate you filing a bug [1]. We will get to it fastest if you put it in the correct component (which for this issue is `Toolkit::Application Update`).

> for the love of god please don't override my preferences back to automatic updates when you decide to change the UI of preferences.

I'm guessing that you are referring to when we removed the "Never install updates" setting [2]? This wasn't fundamentally a UI change. We had several good reasons to remove the underlying pref. Naturally, that meant that the UI for that pref went away as well. I won't spend a lot of time getting into our reasoning here, but we would be happy to discuss it with you if you want to chat with us about it. You can find us in the `#install-update:mozilla.org` channel on https://chat.mozilla.org

[0] https://github.com/mozilla/policy-templates/#manualappupdate...

[1] https://bugzilla.mozilla.org/home

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1420514

I'm not a security engineer but I have attended a lot of talks by security people. And the feeling I get from them is: don't opt-out of security updates. You don't want that option, it is a lose-lose for everyone involved, including your grandmother who is very likely to be a target of all kinds of scams and phishing attempts.

I have been burned often enough by software that auto-updates itself that I am positive I don't want it enabled by default on _my_ systems. Anywhere from between "this feature I really liked is gone" to "now it crashes every five minutes."

Perhaps more importantly, companies that offer software that can auto-update itself, can also make it so that the software uninstalls itself. Or worse, installs something you don't want. It also makes for an especially juicy target for supply chain attackers. So you have quite a bit of a double-edged sword there, from a security standpoint.

I wonder when we're going to stop pretending that there shouldn't be at least a fuzzy divide between software and systems intended for technical users and software for non-technical users. (And we should not be afraid to label them as such.) I fully agree with auto-updates for mass-market software but as a technical user, I don't want the system that I rely upon to make a living to constantly be changing out from underneath me.

I’m sorry but if you think that disabling auto-updates on goddamn browsers, then you may not be as technical a user as you think of yourself.

Browsers run untrusted code 0-24, which gets JIT compiled to machine code through a very complex and bug-prone process. Add to that that desktop OSs are quite lacking when it comes to sandboxes, so even with browser sandboxes, the potential for serious damage is quite hard.

So, staying ahead of bugs is a must.

Junkies snort, sniff, drink, eat, inject untested stuff all the time, which gets metabolized to hot shit, frying their neurons, trying their livers, through a very complex and bug-prone process with the occasional OD. Add to that that rational thought is quite lacking when it comes to judgement.

So, stopping to be a junkie is a must.

edit: Blablala

Didn't you get the analogy? If you're using software equivalent to the mindstate of some longtime crackhead with shrunken brains, there isn't much you can do to get the brain repaired.

You could pretend to do so, but you could also just switch off/disable the dangerous stuff, even if it locks you out from some content. Which could be seen as another addiction. So stop accessing that, too.

Yeah bitches, light up the pipe some more!

Enjoy your fever dreams, where it is considered normal to build skyscrapers on a foundation of a house of cards,

which requires constant maintenance by an army of people equal only to the builders of the pyramids.

Make Work! Make Work!

> I have been burned often enough by software that auto-updates itself that I am positive I don't want it enabled by default on _my_ systems.

Even then, there's a difference between "automatic updates aren't enabled by default" and "the application cannot update itself at all, even if you ask it to, so you'll have to download the new version yourself" -- and it sounds like this developer has chosen the latter.

> Does the browser support (manual) self-updates at all, or has that functionality been disabled entirely?

It has been disabled, as per the policy. It looks something like this in the policies.json file:

    {
      "policies": {
        "DisableAppUpdate": true
      }
    }

This is why when mainline Firefox increments to the next major version, you have to manually download the corresponding LibreWolf version as LibreWolf closely watches the new mainline updates.

In terms of security, it kind of sucks having to manually do this, but it's a small price to pay for a hardened stripped down Firefox with all the Mozilla crap (Pocket, Telemetry etc) stripped out.
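
The update policies named in this comment and in the Firefox updater developer's reply earlier in the thread (`DisableAppUpdate`, `ManualAppUpdateOnly`), as an added example that is not part of the thread or of LibreWolf's code: a Python check that classifies the update posture a `policies.json` imposes. The function name, posture labels and sample inputs are assumptions made for illustration.

```python
import json
import sys

# Update-related enterprise policies named in the thread.
UPDATE_POLICIES = ("DisableAppUpdate", "ManualAppUpdateOnly")

# Constructed sample inputs (not copied from any real installation).
SELF_UPDATE_OFF = '{"policies": {"DisableAppUpdate": true}}'
MANUAL_ONLY = '{"policies": {"ManualAppUpdateOnly": true}}'
TRUNCATED = '"policies": {\n"DisableAppUpdate": true'
STRING_VALUE = '{"policies": {"DisableAppUpdate": "true"}}'


def update_posture(text):
    """Return (posture, findings) for the contents of a policies.json file.

    posture is one of (labels are hypothetical, chosen for this example):
      "invalid"              file is not usable as a policy file
      "needs-review"         an update policy has a non-boolean value
      "self-update-disabled" DisableAppUpdate is true
      "manual-only"          ManualAppUpdateOnly is true
      "browser-default"      neither policy is set to true
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return "invalid", [f"not valid JSON (line {exc.lineno}): {exc.msg}"]

    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return "invalid", ['top-level "policies" object is missing']

    flags, findings = {}, []
    for name in UPDATE_POLICIES:
        if name not in policies:
            continue
        value = policies[name]
        if isinstance(value, bool):
            flags[name] = value
        else:
            # Do not guess how the browser coerces this; surface it instead.
            findings.append(f"{name} is {value!r}, not a JSON boolean")
    if findings:
        return "needs-review", findings

    if flags.get("DisableAppUpdate"):
        return "self-update-disabled", [
            "browser will not update itself; security fixes must arrive "
            "through a package manager or a manual download"
        ]
    if flags.get("ManualAppUpdateOnly"):
        return "manual-only", [
            "no background update checks or prompts; updates run only "
            "when the user opens the update UI"
        ]
    return "browser-default", []


if __name__ == "__main__":
    # Usage: python check_policies.py /path/to/policies.json
    # With no argument, run against the constructed LibreWolf-style sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = SELF_UPDATE_OFF
    posture, notes = update_posture(content)
    print(posture)
    for note in notes:
        print(" -", note)
```

A `self-update-disabled` result is the case the thread argues about: the machine then depends entirely on whatever external channel delivers new builds, so that channel is the thing to monitor.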

Once I would have used this, but I just can't bring myself to trust forks by small or unknown teams. We trust browsers with passwords to everything in our lives, like our bank details. The FAQ doesn't even cover who created LibreWolf. Why should I trust them?

Even if I do trust the developers, are they really capable of keeping a modern complex browser secure in the hostile environment of todays internet? It has millions of lines of code in multiple languages with a history going back 2 decades. I can't find:

- who is responsible for the project security

- their CVE policies

- policies for back porting Firefox patches etc

- update schedules

They also removed the auto-updater which is critical to ensuring browsers get the latest patches.

I'm really skeptical about the (undocumented) "hundreds of privacy/security/performance settings and patches" they claim to have implemented. What exactly cannot be achieved through settings and addons?

What I'd like to see is a Firefox (and Chromium) fork with

- automatic builds and uploads via GitHub/GitLab CI (or similar) from a well-commented build script

- all the knobs for reproducible builds set up, so anyone can fork the repo, run the CI themselves, and see that it's bit-for-bit the same thing

- an automatic merge or rebase of the latest stable release tag, and the result of that merge being plugged into automatic updates

- an automatic merge or rebase of the latest beta tag (or even nightly), and some form of alerting if the build fails

- perhaps some Selenium + Wireshark automation to see what requests happen and make sure there are no unexpected ones

And, actually, it seems like LibreWolf is on the way there. https://gitlab.com/librewolf-community/browser/common has a decently-well-commented build script that grabs the latest tarball from Mozilla and builds on top of it and even supports building on nightly, and their documentation (https://librewolf-community.gitlab.io/docs/) mentions that as well. But I don't see where it is run / who runs it, and what they do if the build fails.

(Honestly it seems like setting up the release automation and alerting is a substantial project in itself.)

I see Brave are interested [1] in reproducible builds but it's not implemented yet. [2] I'm not sure if their CI artifacts are public or not.

[1] https://brave.com/building-brave/ [2] https://github.com/brave/brave-browser/issues/5830

This is relevant to my interests (less the reproducible builds part, but very much the "well commented CI script" part), and for a frame of reference I have successfully built the last couple of brave tags because I'm persistent that way. But I haven't put it in my CI yet because they appear to clone *the whole chromium* repo courtesy of depot_tools & gclient, making the caching story very bad as that git repo is twenty two gigs (not the checkout, mind you, I mean the git repo)

Plus, the build takes several hours on my Ubuntu machine, so unknown what the CI job timeout is or how beefy the runners need to be in order to not OOM a monster C++ linker

I want to be careful with this commentary, because it's just my opinion as an outsider, and ultimately it's their project. But I struggle mightily with the decision tree that led one to have a home grown build system written in npm that shells out to depot_tools, gclient, a bunch of manual git clones (although there are some git submodules, too), then a ... fascinating ... manual patching system layered on top of it all. I'm glad it works for them, but it makes wading in by the casual user incredibly hard.

Compare that to mozbuild (and its new "mach" friend) that as very best I can tell is python all the way down and since their CI system is also open source, one can very easily crib enough config files to build it locally

A lot of those forks don't even bother with CI: Some of them, one of their first commits is to remove all the tests.

I feel the same as you. It is great that there is another variant; at the same time, we already have more than 6 FF variants and they are behind with security patches and updates. I recall that WaterFox and Pale Moon are quite a few versions behind Firefox.

Would be nice to have a FF variant that is capable of being equal to Firefox, like Chrome, Brave & Vivaldi. For a Firefox variant, I couldn't think of a variant that could have an equal footing.

Something like Vivaldi but using FF as a base would be _wonderful_.

Why are there not more successful forks of Firefox? While it's still my browser of choice, I think it's safe to say there are a significant number of developers who are not happy with the leadership of Mozilla. What's preventing other forks from taking off?

This will be an unpopular opinion here, but for developers, telemetry is a really useful way to make decisions about the direction of a project.

Otherwise if it's just on a whim of the lead dev, that often does not scale. And we've seen with lots of projects, that actual regular-user feedback, not power-users, is crucial in taking those decisions. Switching off telemetry is easy, but I suppose you also have concerns about technical issues, and those can be really difficult to compromise on (a lot of people suggested forks when XUL was removed.. but today probably very few people would want XUL back).

To have a successful fork, you need devs with either a business model behind it, or enough motivation to maintain it as a hobby. For a while, it worked for Iceweasel, but it was just branding. Firefox is complex, requires a lot of resources to build, distribute binaries, etc.

I'm not affiliated to Mozilla, but I do help maintain another open source project, where, in my opinion, power-users and consultants drove the project in a direction that made the product more difficult to use, and therefore gave it a bad reputation and limited growth. I can say that because I have access to some of the telemetry, and also because I talk to a lot of random users as part of my work.

> regular-user feedback, not power-users, is crucial in taking those decisions

In general, that's true. But Firefox is an exception to this.

The most important thing to a regular user, is that their websites work. But for websites to work, the developer had to test in Firefox. So, Firefox's alienation of power users has hurt its regular userbase.

There's also the distinction between users vs customers. Most users pay nothing for Firefox. A relatively small number of free-software lovers provide donations. If they want more of those people to give more money, Mozilla would have to cater to power users. This leaves Mozilla's main customer as being Google, who doesn't really want Firefox to be good.

The other exception to this, is if the software you're making is so specialized, that you can get by on a handful of large institutional customers. Obviously this is not where Mozilla is, it's just another case where telemetry is not necessary.

Whether devs test in firefox or not is orthogonal to whether they like the product, it is entirely based on its market share. No sane person wanted to test on IE, but it was mandated by the company.

That's partly true. N of one, but I have Firefox set up the way I want it to, so I do all my development in Firefox and then occasionally test in Chrome. Essentially all my users use Chrome, so if I didn't prefer Firefox's ux it would get much less attention

I like the mention of large institutional customers. Is there a way where mozilla can have companies sponsor firefox to be open so that these companies do have to deal with google and MS control and any of the crap that do to try to control it. I guess it is more so that google does not have control because MS is now using chrome engine.

I don’t mind telemetry that much. I mind Pocket, ads and whatever bullshit they’ll push next week.

I have some color packs for you, but they are only available briefly.

Additional "colorway" themes will be introduced seasonally, but the current colorway themes will not disappear. They will "graduate" to https://addons.mozilla.org/.

To be honest that was not clear at all from this work-interfering modal after the upgrade to 94.0

It more read like some marketing FOMO inducing lingo like "use the new feature better now or you will miss out once they're gone".

Do you have a user panel at Mozilla to vet stuff like that? I would love to participate. Being a Moz suite user since 1998.

Yeah, what the fuck was that?

I honestly have no clue.


But reading this and answering for Mozilla staff should get them some feedback:

> What’s next for Firefox colorways?

We’ll see. We’ll go where our customers take us.

Well, I saw and I clicked to skip this BS.

If telemetry were that useful and acted upon, we wouldn't have FF regularly breaking its interface. (Such as the stupid disconnected tabs and other vanity projects.) Almost everyone hates these kind of unique-snowflake interface changes for the sake of change.

I don't mind telemetry, if it is opt-in. It should never be opt-out, but usually is.

"No one opts in" aside, any opt-in metrics you do collect tend to be skewed towards how the people who opt in, use the product. Anyone serious about making product decisions using opt-in metrics should be aware of this bias.

This could be solved by a lot of transparency about what collected telemetry is saying. A user can then check if the users that opted-in to telemetry are representative of his own use cases and thus make an informed decision if he should opt-in as well (if he's not well represented). Telemetry is a lot like voting.

The vast majority of people will not read about the collected telemetry, even fewer will read it and then make a decision to opt-in. The telemetry is optimizing for the vast majority, not the loud minority, hence opt-out works better in order to cater to a larger group of users. Your voting analogy is really bad.

With that said, I don't really like telemetry and will turn it off.

I think voting is a good analogy for telemetry. You submit your use case to help decide development direction.

So, `about:telemetry`, https://telemetry.mozilla.org

The difference between opt-in and out organ donors between otherwise similar countries is a staggering 80% — people are seriously lazy and will choose the default almost always. I think one should not be afraid to “exploit” this innate human quirk, if it is done for good reason. Unethical people will abuse it either way.

Almost nobody goes out of their way to enable telemetry because they want to help some project. Very few power users do (and they don't represent the majority in most cases) and I'd say zero regular users would care.

I don't mind it if it's opt-in with a user-facing setting to turn it on or off.

and it would be fine if it was opt-in. syncthing's telemetry is very transparent, so I started enabling it on my nodes. but I hate when programmers who should absolutely know the difference conflate opt-in and opt-out.

I have a question: what is the rate of opt in into telemetry? I like the concept of donating your data to improve a product. I wonder if there would not be enough data if ppl could simply choose when installing.

It is not an unpopular opinion. I bet most people here actually work on products that have a fair share of telemetry. How else would you know how your products are doing or what to focus on.

Yet Firefox went in a weird direction. Telemetry decisions, huh.

>Why are there not more successful forks of Firefox? [...] What's preventing other forks from taking off

Some of the replies to your question state "money" but there are also more fundamental reasons of choosing Chromium over Gecko: technical functionality and performance (especially on mobile).

You'd think an ex-Firefox programmer and Mozilla co-founder such as Brendan Eich would have chosen Gecko for Brave but he didn't. He explains in a previous comment why he switched from Gecko to Chromium: https://news.ycombinator.com/item?id=22062636

So the "hidden" reason people are not comfortable saying (except maybe Brendan Eich) is that Gecko isn't as good as Chromium as a foundation for forking. That's why you get a bunch of companies independently choosing Chromium instead of Gecko such as:

- Github Electron based on Chromium

- Qt QtWebEngine uses Chromium

- Opera Vivaldi switches from Presto to Chromium

- Microsoft Edge switches from Trident to Chromium

- Brave switches from Gecko to Chromium

Some speculate Gecko's MPL license instead of Chromium's BSD might also be a factor.

If you read that tweet, it mainly says that they made the choice based on DRM licensing. Well, plus a vague "it lost on many dimensions in a head to head comparison enumerating gaps vs. Chrome". Which I can't argue, because there are no specifics to disagree with.

That said, I work on Gecko and it is indeed an old crufty codebase with numerous issues. From what I've seen of Blink, it seems surprisingly similar (overall; the specific problem areas are different). And Gecko has a surprising willingness to rewrite or revamp core aspects of the codebase -- by some metrics, it appears to be more nimble than Blink (eg, site isolation to separate processes was a massive project for both codebases, and it looks like although Gecko started and finished later, the elapsed time is a couple years less.)

On the other hand, Eich was pretty well in touch with the Gecko codebase, so his opinion should carry some weight. (Somewhat counterbalanced by his seeming enthusiasm for burning some bridges behind him, but that gets into very speculative territory.)

I tend to agree that Gecko isn't as good as Chromium as a foundation for forking, though. I think working with the Mozilla development community is actually quite a bit better than working with Chromium's, but Gecko is pretty unapologetically focused on Mozilla's product needs and Mozilla doesn't have the resources to properly support external embedders or forks.

DRM was not the main issue we faced, just one of many. I wasn't vague, Twitter limits size to 280 chars. We developed a decision spreadsheet with the data in almost all the rows weighing against Gecko.

Your "seeming enthusiasm for burning some bridges behind him" is bunk. On what did you base it?

Again, we started Brave based on Gecko (multiprocess sandboxed embedding via Graphene, which was developed for FirefoxOS). We did not just jump to Chromium upon founding. A startup is a no-BS/little-room-for-error setting with scarce capital. To suggest I did anything uneconomic out of spite is silly.

> I wasn't vague, Twitter limits size to 280 chars. We developed a decision spreadsheet with the data in almost all the rows weighing against Gecko.

Perhaps "vague" is too loaded a word? I did not mean it as an insult or complaint, I was just pointing out the fact that the reasons were unclear because they were mentioned but not described. Twitter's character limit is a perfectly valid reason for that. And the literal meaning of the word "vague" applies perfectly.

> Your "seeming enthusiasm for burning some bridges behind him" is bunk. On what did you base it?

> ...To suggest I did anything uneconomic out of spite is silly.

I was not suggesting that.

Sorry, it seems I did not describe myself well. "Burning bridges" was not a reference to making anti-Gecko technical decisions. It's about unrelated public postings that I object to, but I don't think that here is a place to get into it.

I am confident that the bases for your technical choices were well-founded and I have no reason to suspect that they were made out of spite.

Hi Steve, I read through


and wondered which ones you meant. If I burned a bridge I should try to rebuild, let me know.

If you mean the ones about Mozilla holding back tracking protection while Monica Chew was there, or the ones about Mitchell's ridiculous salary, then we must disagree on "burning bridges". I'm not going back to Mozilla, and even if I hoped to, I see no reason to lie or self-censor about bad things they did after I left.

The continuous struggle to get Gecko used by any non-Mozilla project should also carry weight: there are many reasons why Apple went with the arguably-inferior KHTML engine when they started their own browser, and why the resulting library was quickly adapted all over the world - when arguably Gecko had had by then a headstart of a decade or so. Reportedly, embedding WebKit in one's codebase was basically trivial, whereas with Gecko was almost impossible.

I have heard the same from many moons ago that the blink/khtml/webkit engine was designed from the start to be embeddable.

I'm part of the team maintaining the "boot 2 gecko" aka b2g fork (we push it to https://github.com/kaiostech/gecko-b2g) so I have some experience building a non-firefox product on top of gecko, and maintaining a non-upstream platform (the "android without java" stack called Gonk).

At some point we compared gecko with a blink port on Gonk, maintaining both while we were doing performance comparison on low end mobile devices. We were looking both at memory usage and page loading speed. I was expecting to see blink way ahead of gecko, but that was not the case at all. For some content blink was a bit better, for some it was gecko, but never with a large gap either.

Maintenance of the blink product was not easy, with barely documented internals changing a lot (it's very different to build a new product on top of blink compared to just fork an existing one like chromium). I'm not blaming the blink team, that makes sense in the context of what they do, and we were not as familiar with blink code base as with gecko. Finally we stayed on gecko because this was the best choice for us (eg. including team velocity and the amount of non standard apis to rewrite).

In my opinion if you want to start on a new browser product, the main Chromium benefits for a commercial project are:

- web compat, which unfortunately is self sustaining.

- licensing. The MPL vs. BSD doesn't matter for open source projects, but many companies (especially VC funded) are averse to copyleft licenses. Gecko's xpcom architecture was actually not a bad fit with the MPL, since you can ship new xpcom components without publishing their code if you don't want, but that didn't make much of a difference (some chipset vendors used the capability for FirefoxOS to replace the implementation of telephony apis with closed source ones).

But you need to be comfortable being subject to the whims of google (and a little bit MS now). For instance, consider the changes to web extension resource blocking capabilities with the "manifest v3": some forks plan to keep the resource blocking api working, but it's very unclear if they will be able to do so in the long term without a growing complexity of their fork that may become too high.

If you are an open source project, please don't cement Google's dominance of the web by using chromium.

Gecko deserves to have a future - it may just not be Mozilla's corp current leadership that is the best for that to happen.

I neither want nor need DRM to work.

I'd rather have the ability of ad-blocking and similar extensions to work on a deeper level, instead of crippling them, like on chromium-based browsers.

What about mono-culture and the risk there of?

edit: Availability of working DRM is what it all boils down to.

I haven't kept up to date. Is Chromium hostile towards ad blocking?

It started with this, but applies to other extensions also:

[1] https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...

I'm a longtime Firefox user and advocate, but this feels mostly right.

Maintaining a successful project takes A LOT of work. For something this size it’s not a side project’s amount of work.

How do the people working on it get money to cover their bills? If they don’t have this they will work on something that does that.

A financial model is usually the blocker.

Consider this, a lot of the people who work on Linux or many other projects are corporate backed. The companies pay the developers.

Is it becoming a truism that (in this space) the profit motive will inevitably lead to user abuse?

Maybe we need more 501c3 and benefit corps providing basic stuff like an internet browser?

Nationalize new browsers and OSes' development, or subsidize them. Governments do it with things like energy, space tech aviation and even telecom, but surprisingly not their software foundation.

I guess the French would be in a position to do so.

They've already adopted some infrastructure software projects into their governmental operations, not only using them, but also participating and maintaining them.

They also have many initiatives mandating the use of open source where applicable, and also suggestions of liability for closed source software by law. Harr! Unheard of! Those naughty Gauls!

cough Mozilla is dead in the water cough

The mozilla Foundation doesn't provide their browser, the mozilla for-profit subsidiary corporation does.

And the clients pay the companies. When we'll start buying browsers they'll stop tracking us

I'd be willing to bet whichever paid browser popped up would both still keep the telemetry _and_ fuck us with subscription based, you-won't-ever-own-your-browser payment scheme.

Unlikely. I can't name even 1 major paid for product that doesn't have telemetry and other forms of tracking.

Perhaps, but they will still optimize to maximize sales then, i.e. do what sells to as many people as possible, not what is good for you (an advanced user in particular). In fact I'm Okay with Firefox but would rather pay for a good alternative to Facebook where I would be a customer rather than a commodity.

One reason is that there's a ton of social pressure not to fork, for example:


Another is that doing so, and sustaining the effort, is a non-trivial amount of work. Throwing up a web page and a single release is one thing. Keeping up with the release cadence of an org like Mozilla, and the demands and expectations of a browser user base is something entirely different.

Also, "Libre" is a terrible moniker.

I've not come across someone in tech who doesn't pronounce Libre in French (leebr). Libre is necessary, because English is deficient when talking about freedom, since it doesn't distinguish something being free of charge (free as in doesn't cost money) and something being free in the broad sense (as in freedom).

Out of curiosity, why do you think "libre" is a terrible moniker?

Because nobody knows how to pronounce it, for one. Is it /libre/ (Standard Spanish) or /libʁə/ (Standard French) or /libχ/ (Northern French, esp. Parisian) or /la͡ɪbɚ/ (RP import) or /la͡ɪbɛɹ/ (GA import) or /libɹe/ (GA Spanish import)?

But that's a symptom of a different pair of issues, namely: (1) it's ambiguous what language the word is in, and (2) neither of those languages are really tech field lingua francas (English, Russian, maybe Hindi, probably in that order).

Libre comes from Latin, via Norman and New Orleans French, to American English. It seems to me quite well chosen, as tech lingua franca.

American English does not have this word. It uses it only as parts of other phrases imported from French or Spanish, with Spanish being the more predominant (more people have seen Nacho Libre than partake in vers libre).


> Out of curiosity, why do you think "libre" is a terrible moniker?

For me, as a fan of open source, Libre-something means something focused on being open source rather than being a good product. And in my humble opinion, open source governance is generally not good at making big sweeping, or even just focused changes when needed, so the "Libre" moniker to me has an aftertaste of "good enough, but could be much better" compared to commercial offerings or products that have paid volunteers and stronger governance.

Something called Libre usually means it will never get nor accept any paid sponsorship, and sometimes it's what is needed to turn a decent open source product into a killer product.

None of these things are rooted in hard facts, that's the "feeling" the libre word gives me. To be honest, the only popular libre products I know of are LibreOffice (just good enough IMO) and LibreSSL, which was born after the OpenSSL fiasco, yet is still living in the shadow of OpenSSL. The "Open" word has similar shortcomings, but is less strict than the definition of libre and thus carries fewer negative connotations in my view.

Totally agree. Love the Wolf part of the name. Do not like Libre. Would have rather seen any of just Wolf, WebWolf (alliterates), WolfWolfGo (couldn’t help myself), FireWolf (ties to original), etc.

even GNU has a really hard time keeping up their IceCat releases

Some years ago Mozilla decided that rather than creating a browser toolkit that browser developers could build browsers around, they would go the whole hog and combine the engine with the user interface aspects.

Even their own developers objected to the policy, but they went ahead anyway.


> Money

That's incredibly vague. Can you explain? How are the many forks/variants of Chromium and WebKit not affected by this "money" factor in the same way?

Money in the terms of resources. Browsers are huge and complex codebases so maintaining one (even if "just" a fork) is quite expensive.

> How are the many forks/variants of Chromium and WebKit not affected by this "money" factor in the same way

They are, but the main Webkit/Chromium forks are either large companies (microsoft) or companies trying to make money off of their forks (Brave, Vivaldi).

This here is trying to do the exact opposite. Vivaldi has ~50 employees, Brave has 150 and tens of millions in investments. Even if not all of them work on the fork management, that's a lot more resources than a dozen peeps doing that in their spare time.

Google, Microsoft, Apple and Brave, are some of the corporations who fund Chromium/WebKit-based browsers. The ones who fund Firefox (Gecko)-based browsers do not have nearly enough money to dedicate to their own fork.

Can you elaborate? Is Mozilla paying off people who try to start FF forks? Because I could use a bailout.

More seriously, is the suggestion that FF is too complex to properly fork without full time devs?

It's 20 million lines of security sensitive code. Of course it's difficult to properly fork.

The same is true of Chromium, btw.

Chromium is the one with all the forks, right? I don't think "it's a browser, stupid" is the only reason. ...although reading some of the other comments elsewhere, it is a pretty good one. Chromium-based browsers do tend to have some form of corporate support.

OP said this:

>> is the suggestion that FF is too complex to properly fork without full time devs?

How many Chrome forks don't have "full time devs"? A lot of them (Vivaldi, Opera) aren't even open source!

The only one I can think of is ungoogled Chromium which is basically equivalent to this Firefox one in that the actual changes being made are minuscule.

I'm not OP, but you, in GGP, said:

>>>It's 20 million lines of security sensitive code. Of course it's difficult to properly fork.

Did you forget to switch accounts? Which is it? Easy or hard?

>Did you forget to switch accounts?

No, but nice accusation.

> Which is it? Easy or hard?

Could you spell out what the contradiction is, here? I said it's hard to fork both browsers, and then pointed out that the only real "community" ones are minuscule patchsets which pretty much exclusively delete code - that even then, the list is only one or two forks long for each browser - and the rest all have multiple full-time professional devs behind them.

The "contradiction", coincidentally the very same reason I wondered if you switched accounts, is your implication that the reasoning for the way things are is blindingly obvious, except for the exceptions obviously, but those are blindingly obvious too. Apologies, I didn't realize the rationale behind your posting; that straightforward explanatory paragraph clearly couldn't have been deployed without all the posturing, first.

And yet we see quite a lot of Chromium forks - Brave, Vivaldi and Edge come to mind. For Firefox, the number seems to be a lot lower.

> Brave

Company trying to make money off of its fork.

> Vivaldi

Company trying to ???

> Edge

Microsoft, who found that maintaining a chrome fork would be less expensive than playing catch-up with their own in-house browser.

And yet they all could have chosen Firefox and you could say exactly the same.

Chromium has proper separation of its components (Blink, V8, Desktop, iOS, Android UIs, etc). It's "easier" for a small full-time paid team to detach the default browser UI, implement their own thing and keep the other components up to date.

Examples of this are the Electron Framework [0], Vivaldi, Brave, Opera, Yandex, Edge, etc.

Firefox instead is a nightmare to fork. They used to have something called XulRunner[1] that allowed to create your own XUL application (things like Seamonkey, Thunderbird used it) thus making it fairly easy to fork Firefox. After the 41 release Mozilla removed it completely. XulRunner's components were intertwined with Firefox code. Mozilla deliberately killed the easiest way to work their product.

Only light forks like Waterfox, LibreWolf are viable. Hard forks fail or struggle every single time Mozilla releases a new version (SeaMonkey, Waterfox Classic, Pale Moon, etc), lagging behind in features and performance.

Even WebKit is easier to integrate with your own UI (Safari, Gnome Web [2], etc).

[0] https://en.wikipedia.org/wiki/Electron_(software_framework)

[1] https://en.wikipedia.org/wiki/XULRunner

[2] https://wiki.gnome.org/Apps/Web/

Yes? I've no idea what you're implying. All the viable Chromium forks have large amounts of manpower and resources available.

The choice between forking Chromium and Firefox is mainly one of business[0]: Chrome has a >70% global marketshare, adding Edge & co even ignoring Safari it's probably around 80. Since Google also keeps pushing their own stuff, that means forking Chromium gives you much better compatibility guarantees.

[0] though the history of Chromium — and Webkit before that — forks also means there's probably a lot more knowledge floating around about maintaining such a fork, especially since Chromium itself was originally a fork (running concurrently with its source and regularly synch-ing from it, forking a dead codebase or hard-forking with no sync is a different concern)

Yeah, because of the usual open source problem: funding. Brave is funded by venture capital and crypto-crap, Vivaldi by advertising deals and Edge by the infinite coffers of Micro$oft.

Firefox forks tend to dislike associating with any of the above.

Edge, for example, is a fork maintained by Microsoft. It is a strategic project for a multi-billion company. That is not comparable to a fork of your average open-source project.

But it's absolutely comparable to a fork of Firefox. This does not solve the GP's question, why do so many people fork Chrome instead of Firefox.

>But it's absolutely comparable to a fork of Firefox.

It's still not comparable for a fairly simple reason: the list of companies in the world that are as big as Microsoft consists of Google, and Apple, both of whom already have their own browsers.

As for why Microsoft chose Chromium, it's probably a combination of marketshare, the fact that it is a bit more cleanly architected as a result of having a decade less history than Gecko does, and the fact that they have ambitions of making a stripped down version of Electron part of the standard Windows userspace.

It was definitely a strategic business move. Chrome is eating everyone's lunch with marketshare.


1. Fork Firefox, people install Chrome anyway

2. Fork Chromium, some people realize that it's essentially the same as Chrome and don't install Chrome and just use Edge

Due to its market share, Chromium has better website compatibility these days than Firefox. See the statement by the Brave creator on this: https://twitter.com/BrendanEich/status/1165348116398104576

Also, especially on mobile, Firefox is an extremely niche browser engine. The biggest browser forks in terms of global user count are actually not the likes of Edge, Brave, etc, but android Chromium forks popular in Asia.

The biggest chromium fork on mobile is actually FB "in app browser".

Look at the code

Ok thanks I'll read Chrome's and Firefox source code over the weekend.

This brings up the questions: How can I disable as much telemetry as possible when using the standard Firefox?

What am I missing if I go to <about:config>, search for "telemetry" and set everything to false?

Are there drawbacks to blocking the hostname incoming.telemetry.mozilla.org in Pi-hole?

Supposedly this will opt you out: https://support.mozilla.org/en-US/kb/telemetry-clientid

One way is to use your firewall to block anything going to mozilla.org or firefox.com, or the subdomains. That probably gets most of it, but possibly not all. For example, Google has a number of non-Google.com subdomains, some of which seem to be used only for telemetry.

Another more involved way is to start WireShark or tcpdump and capture the traffic, then start Firefox and browse some, and then close Firefox and stop the capture. Now you have a list of all the traffic it tries to send, normal and telemetry. Sift out anything that looks suspicious and block the ip/domain via your firewall.
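The capture-and-sift step described in the comment above, as an added example that is not part of the original thread: it pulls the queried hostnames out of tcpdump's default one-line DNS output and separates names under the vendor's domains using a label-boundary match rather than a substring match. The capture lines are constructed (documentation address ranges and reserved example domains, plus mozilla.org hostnames named in this thread), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n port 53` output (not a real capture).
# The mozilla.org hostnames are ones named in this thread; everything else
# uses reserved example domains and documentation IP ranges.
SAMPLE_CAPTURE = """\
12:00:01.100001 IP 192.0.2.10.51000 > 192.0.2.1.53: 4660+ A? incoming.telemetry.mozilla.org. (48)
12:00:01.100950 IP 192.0.2.1.53 > 192.0.2.10.51000: 4660 1/0/0 A 198.51.100.7 (64)
12:00:02.200002 IP 192.0.2.10.51001 > 192.0.2.1.53: 4661+ AAAA? incoming.telemetry.mozilla.org. (48)
12:00:03.300003 IP 192.0.2.10.51002 > 192.0.2.1.53: 4662+ A? support.mozilla.org. (37)
12:00:04.400004 IP 192.0.2.10.51003 > 192.0.2.1.53: 4663+ A? www.example.com. (33)
12:00:05.500005 IP 192.0.2.10.51004 > 192.0.2.1.53: 4664+ A? mozilla.org.example.net. (41)
12:00:06.600006 IP 192.0.2.10.51005 > 192.0.2.1.53: 4665+ A? WWW.Example.com. (33)
"""

# A DNS query line carries "<TYPE>? <name>." (for example "A? host.").
# Response lines in the default output have no "?" token and are skipped.
QUERY_RE = re.compile(r"\s([A-Za-z0-9]+)\?\s+(\S+)")


def queried_hosts(capture_text):
    """Return a Counter of lower-cased hostnames seen in DNS query lines."""
    hosts = Counter()
    for line in capture_text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            hosts[match.group(2).rstrip(".").lower()] += 1
    return hosts


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it.

    Matching on a label boundary avoids two mistakes a substring search
    makes: treating "mozilla.org.example.net" as a Mozilla host, and
    treating a name that merely ends in the same letters as a subdomain.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage(capture_text, vendor_domains):
    """Split queried hosts into (under vendor domains, everything else)."""
    vendor, other = {}, {}
    for host, count in sorted(queried_hosts(capture_text).items()):
        is_vendor = any(under_domain(host, d) for d in vendor_domains)
        (vendor if is_vendor else other)[host] = count
    return vendor, other


def hosts_file_lines(hosts):
    """Render hosts-file entries that sink the chosen names to 0.0.0.0.

    A hosts file matches exact names only, so every name to be blocked
    has to be listed; a DNS sinkhole or firewall can cover whole domains.
    """
    return ["0.0.0.0 " + h for h in sorted(hosts)]


if __name__ == "__main__":
    vendor, other = triage(SAMPLE_CAPTURE, ["mozilla.org", "firefox.com"])
    print("Under vendor domains (review before blocking):")
    for host, count in vendor.items():
        print(f"  {count:3d}  {host}")
    print("Other hosts (may include third-party endpoints):")
    for host, count in other.items():
        print(f"  {count:3d}  {host}")
    # Block only the endpoint the thread identifies as the telemetry sink.
    print("\n".join(hosts_file_lines(["incoming.telemetry.mozilla.org"])))
```

A port 53 capture only sees plain DNS; lookups made over DNS-over-HTTPS do not appear in it, so an empty result does not by itself mean nothing was contacted.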

There is https://gist.github.com/MrYar/751e0e5f3f1430db7ec5a8c8aa237b... as well (check out the comments, too).

Or https://gist.github.com/davinian/1991bb3486cbf6005b5320e93b3... but it is quite old I think.

In any case, make sure you know what you are disabling, because in the latter it suggests disabling WebSockets which you may not want to do.

Surely there's a way of scripting this...

Something like this: https://github.com/shawnanastasio/firefox-privacy-restorer

Or you just turn it off in the normal preference UI and trust that California's AG will sue Mozilla into oblivion if they weren't honoring the CCPA.


How is this any different from a standard Firefox install with telemetry turned off

It also comes preconfigured with a lot of good settings for privacy, like resist fingerprinting, 3rd party cookie stuff, etc...

I know you can turn this stuff on manually but it's convenient to have a fork that does it for you and turns off Mozilla's telemetry completely

Hopefully it's a lot different. If you proxy Firefox you'll see that even with everything turned off that you possibly can through the UI, Firefox phones home many times, especially during launch and exit.

It would be nice to back that up a bit more. I'm genuinely curious.

For what it's worth, some of the startup checks are to see whether the user is on a public wifi with a captive portal, and talk to a Mozilla service rather than Google. Other checks are for upgrades, or Firefox Sync, if enabled.

There’s a great macOS app called Charles Proxy that you can use to inspect this sort of thing which is a little quicker to get going and use than the CLI equivalent (mitmproxy I think it’s called).

I would be really surprised if the Firefox developers refused a patch adding a new about:config setting for whatever you're talking about.

When they get around to it in ten years.

So my choice is to trust one of either:

1. The Mozilla developers who are capturing telemetry, but probably just using it to push ads (at worst, and possibly not even that).

2. Some new devs who may have good intentions, but who are unknown to me, who are not capturing telemetry, but nevertheless have control over my browser.

> probably just using it to push ads

Telemetry isn't about "pushing ads".


It's just a custom build of the latest Firefox version with some patches applied. Everything is very well documented and you can build it by yourself, there is no need to trust "some new devs who may have good intentions"

Sure, I could review the source code. And then review it again next week when a change is released. I don’t want to have to though.

Trust matters.

I don’t trust Mozilla not to push ads, but I do trust them not to build in intentional backdoors and steal my personal data, because there’s a whole public organization there, with a reputation and responsibilities and heads that will roll if they are caught doing nefarious things.

You might ask why I trust thousands of other open source community led projects? Largely because they have built rep and get at least a minimal vetting via distro package management.

I’m not saying this fork is malware. But I don’t know it isn’t, and the browser is the #1 critical component that handles all my most sensitive data.

Or just trace its network activity without a code audit.

Doesn’t help if the exfiltration only occurs monthly and you only monitored for a week, or if there’s something locally malicious, or if side channels are involved, or if it’s manipulating data sent to legitimate sites (e.g. instructions to your bank, while logged in as you).

Keep it on, you can keep a firewall on, locally malicious files can be seen on your machine and if they aren't transmitted what is the worry?

If it's manipulating data sent to legitimate sites you'd notice while you used it. These concerns aren't absent in other official browsers either.

Quite right that these concerns apply to any software, but they are significantly mitigated by sourcing software from organizations you trust.

There’s no way I would be able to spot the operation of malware-masquerading-as-browser without committing totally to a forensic examination of every system call it makes. Imagine how much attention you’d have to pay to stop it capturing your bank credentials and then making transactions in an invisible tab (the browser doesn’t have to render a site in order to interact with it).

But trust is just assumed and not a real security measure, trust just means you are not going to audit it.

To echo a sibling comment, I think you may be discounting the time and effort it would take to monitor every change made and the ripple effects of each change.

One of the key pieces of open source is the larger a project, the more people will be incentivized to monitor the code for malicious changes. This distributes the burden to a much much larger pool therefore minimizing the burden to single nodes across the board.

Is it perfect? No, absolutely not. Do malicious or unintentional bugs slip through? Sure. But when it comes to scaled out projects, nothing is perfect and never will be. I certainly trust a large open project with years of reputation built up and a large user base significantly more than a large closed source project or large and open with no reputation.

There are of course valid criticisms of this model but I’ve yet to see an alternative put forward that isn’t fraught with its own issues.

I do find it strange how over the past few years we’ve seen a number of people who engage in a whiplash type behavior where they see minor problems with a model so they whiplash away into a far worse model with far more serious problems.

> there is no need to trust

Providing you actually review the code and not just trust it because the code is there. Reviewing (a fork of) Firefox sounds like a big job, if it can be done at all. Being a Firefox fanatic does not magically make you a Rust programmer.

It’s easy without a code review, just trace its network activity and see what connections it makes.

It might make more sense to have no ads and for telemetry to be opt in. I actually want FF having my telemetric data as far as it is used for improving the product only. Ready to pay if they were into it.

For improving they said.

> [ Debian-based ]

> This is for Debian Unstable only - do not try to install this package on any other branch of Debian or Ubuntu/Mint..

When I see a "Debian based" installer, I would expect it to work on at least some type of OS apart from Debian. That header should really say - Debian Unstable installer, not a "Debian based" installer.

When I heard about all these shenanigans over at Firefox, I switched to Vivaldi, and I am enjoying the experience so far

It's not free or open software, so using it is a step back.

Well, I have serious issues with most of the major open-source browsers. I liked Opera when it was around, I heard good things about Vivaldi and I'm willing to trust them more than Firefox and Chrome at this point. I wish it wasn't this way and I would have preferred open source or even paying hard cash for a good browser experience, but I will take a good browser experience from a source that is at least transparent about their funding and is not Google or funded by Google.

This indeed is true and I truly wish they made Vivaldi open source. However, free and open software is an ideal. Like any ideal, it can be used as a front and abused in a way that defeats its purpose.

In its original form, free and open is noble. But since then, corporations have figured out how to monetise it. So, IMHO, we need to be very careful about anything free and open coming from corporations because their core objectives are very much orthogonal to the core objectives of the original free and open software movement. Those execs aren't the hackers who built the gnu/Linux tools in the early days.

We need to be careful about free and open software and your solution is to use non free and closed source software because they can make money off open source software? This makes no logical sense.

I'm not proposing any solutions. Just stating that a software with source open may not necessarily mean it's free and open in the sense it was originally intended. What one wants to do with it I think depends on one's own values.

I use qutebrowser, vivaldi and brave (on mobile) and sometimes console based browsers when I can get away with it. Qutebrowser and Lynx are open source. Vivaldi and I think Brave aren't open source? I'm using them because I read about their team, their business model, their past and hung out in their forums and decided that I'd support them. Doesn't mean anyone else has to. And there's nothing wrong with making money off opensource software and that's how it was intended in the first place. Original open source software authors didn't mean that the software has to be free of charge. For me, I don't want to support an organisation that sacks the researchers of their core product but the execs pay themselves millions of dollars. Most of those dollars come from Google. I'm sorry that that makes no logical sense to you.

Depends which way you're facing, really.

A step back is always a step back no matter your facing. Try it out yourself. You see, your front and back stay towards your front and back respectively regardless how much you spin and turn. Weird ikr

Maybe I’m missing something but it looks like there aren’t actually code changes, rather a repackage with a strict policy file:


I was wondering how they could instantly patch nightly builds and this seems to be the approach. Good idea and nice to have a build pipeline that allows tweaking Firefox to this degree.

Thanks for linking that. Seems like the patches are 95% UI-related. There doesn’t seem to be any significant change related to improving privacy.

While I’m grateful to this project for calling attention to the privacy issues with Firefox, most of the effort spent on this seems like replacing the brand.

People could get nearly all of the benefit by copying the policy.json file.

Genuine questions. Aren't such forks harming the actual Firefox developers by decreasing the Firefox user base? Doesn't it help the Google monopoly on the web?

I think that Mozilla is harming Firefox much more with their decisions. Adding ads to address bar and sending metadata to unknown third parties alienated lots of users, I can’t blame them for looking for alternatives - or making one.

I'm not thrilled with every decision Mozilla has ever made but I think people have gotten so used to the unlimited resources that Apple, Microsoft, and Google are able to pour into their unprofitable ecosystem moats that they've lost sight of what running a self sustaining business in this space would even look like.

> they've lost sight of what running a self sustaining business in this space would even look like

Get your facts right.

Mozilla Corporate receives 400mil a year from Google, for google search to be the default search engine. The engineering costs of Mozilla in 2020 were about 300mil. [0]

So in actual fact you could maintain the not-for-profit status, fire all the corporate staff and still sit on a trove of cash every year.

The google money will not dry out because it is the only CYA situation that Google has against an anti-trust case on Chrome.

There is absolutely no reason Mozilla could not maintain the not-for-profit status and tick along, like other foundations such as Linux, Gnome, Apache, etc.

[0] https://www.computerworld.com/article/3600206/mozilla-report...

> they've lost sight of what running a sustainable business in this space would look like

Is the claim that it is economically impossible to create a browser without turning it in to surveillance malware?

To the extent that's true, it is the best argument yet for shutting down the web.

Are you implying that Firefox is "surveillance malware"? Precisely what surveillance are you referring to? Telemetry isn't surveillance. Recommended content (e.g. on the default New Tab page) doesn't involve surveillance.

> Telemetry isn't surveillance.

As a categorical statement, this is false. "Not all telemetry is surveillance" is true.

Telemetry is exfiltrated data the user did not ask to send. The line between telemetry and surveillance depends on the use and intent of the data recipient, not (necessarily) the data itself, and that use is opaque to the person whose actions generated the data.

It is interesting to note that telemetry can become surveillance after it is collected. Perhaps a new manager has a different plan, perhaps the cops show up with a subpoena.

Your prejudice is showing. "Exfiltrate" implies a surreptitious operation. E.g. Merriam-Webster: "to remove (someone) furtively from a hostile area"; Dictionary.com: "to escape furtively from an area under enemy control"; Collins: "to remove (data) from a computer, network, etc surreptitiously and without permission or unlawfully".

When Firefox is first launched, it opens the Privacy Notice page https://www.mozilla.org/en-US/privacy/firefox/, which is totally up-front about data being collected. Nothing surreptitious about it. Data is not "exfiltrated", it's simply "sent". But that doesn't sound nearly as evil, does it?

I'm talking about telemetry, not FF. But whatever, I'm not going to have a pointless discussion with someone more interested in criticizing word choice than replying to what I wrote.

>Are you implying that Firefox is "surveillance malware"?

>Telemetry isn't surveillance.

(honest question) Why is this necessary then: https://github.com/arkenfox/user.js

Why do you assume it's necessary? FWIW, I'd rate quite a bit of what it does as "not necessary".

On another thread, I was told: "Firefox is feeding your data to Google. You need to disable it in the user.js file"

To google? Other than it being the default search engine, highly doubt.

And those “home calls” are nothing more than calls like whether you are on the public internet, whether a new update is available and other mundane things.

AFAIK Mozilla uses Google services for some telemetry. But that's exactly the kind of thing that warrants detailed consideration and not just "there's traffic touching a Google IP, THEY ARE FEEDING DATA TO GOOGLE!" and random scripts from the internet that disable IPv6 "against tracking"

Oh, some random stranger on the Internet said so? That must be right, then.

I was not proclaiming that it was a fact. I am openly frustrated and confused. An oft repeated claim is that "people just don't care about their privacy." I am moderately technical and I am totally unsure of how to keep my data from these parasite companies. Achieving privacy is incredibly arcane and confusing. Instead of quipping at me with a low value post, why don't you tell me exactly what Mozilla's telemetry does? Do you know?

If you want to know about Mozilla's telemetry, you could start with https://support.mozilla.org/en-US/kb/telemetry-clientid and its links to additional details.

Perhaps these indicate data leakage?

>Searches: Firefox sends Mozilla what you type into the search bar and Mozilla may share that data with its partners.

>Sites you visit: For the Suggestions you click, Firefox sends Mozilla the website URL, and Mozilla may share that data with its partners.

Interesting that turning off "suggestions" is not located in the "privacy" section.

I can’t tell if this is supposed to be serious, but just in case [1].

In case it is, really, shut down the web? What would that look like? Why would we do it? How? How can “browsers are expensive” possibly be worth doing something that extreme?

[1] https://xkcd.com/1454/

The majority of the web should be standardized uniformed wizards. Then people can apply whatever skin they want onto all of the web. We don't want to deal with all kinds of design that are hard to make, require crazy powerful browsers, and were asked for by no one anyway.

Fancy UIs are made to slow people down in their tasks and draw attention to things that don't matter to what they want to do.

Web developers and creative people like to think the web is their playground but really the most important role of the web should be delivering information and services efficiently, and get the hell out the way.

Something I vehemently agree with

Can't drain the swamps if the goal is to have moats.

Except if you go full-on Neo-Amish/Luddite and use [->] https://en.wikipedia.org/wiki/Gemini_(protocol) or the remaining stuff which stays accessible via simple browsers like [2] https://en.wikipedia.org/wiki/NetSurf , [3] https://en.wikipedia.org/wiki/Dillo , or textmode stuff like Lynx, (E)Links(2), W3M, and similar.

> the unlimited resources that Apple, Microsoft, and Google are able to pour into their unprofitable ecosystem moats

No sane company pours money into unprofitable anything. They pour money into those moats precisely because it pays dividends.

My point (which I'm confident you do understand despite the pedantry) is that the browsers themselves are not profitable without taking into account their effects on the entire ecosystem.

Mozilla doesn't have an ecosystem like Google, Microsoft and Apple do. If they want to stay afloat they have to be profitable with the browser alone. So trying to directly compare that to the "free candy" approach which the others can get away with is unrealistic.

It's like asking why Target and Best Buy can't match the prices of Amazon retail, which has a money fountain named AWS in their backyard that can subsidize their other activities for "ecosystem growth". If Amazon retail had been a separate standalone business which had to succeed on its own for the past decade, it probably would have been run differently.

Can't see the value of Amazon Retail here without going full-in with Prime, and not even then.

Though that may be regional, as I speak from Germany.

Excellent explanation

If a fork like this would decrease ff's user base, Mozilla can change ff or have their lunch eaten by said fork. Hard to see a down side.

Is this fork going to actively develop Firefox if Mozilla's lunch is eaten? Are they going to continue implementing the ever moving standards? That's the down side.

I'd say if there's any harm, it would rather be related to money, as in Mozilla has less to bargain for their deals with their sponsors.

However, seeing how these forks are just "cosmetic", they still use the same rendering engine, which doesn't increase Google's relative user base. As far as this monopoly is concerned, all these forks are still Firefox.

> As far as this monopoly is concerned, all these forks are still Firefox.

Not in the website statistics I guess, unless the forks present themselves as Firefox, which I doubt.

To defend against browser fingerprinting you absolutely want them to present themselves as Firefox.

Which forks are actually doing this?

The one we're discussing here, LibreWolf. Here's my UA:

`User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0`

Note that I am on Linux, so your line of thinking has some validity.

Librewolf does this. It presents itself as Firefox on Windows.

This one.

so far, nobody has been more successful at decreasing the firefox user base than the actual firefox developers.

mozilla is not the kind of entity I'd want to have control over the web either, considering the shit they feel comfortable doing even as an underdog with 3% market share.

> Doesn't it help the Google monopoly on the web?

Can't answer your other question, but this fork has a chance of helping those who don't want to use Mozilla Firefox avoid switching to Chromium browsers by offering a choice.

They’re sponsored by Google, and use google services and google as the default search engine. How are they not part of the Google ecosystem, or monopoly as you call it?

Firefox does not receive orders from Google (except the default search). All decisions and code are independent.

They use Google safesearch to send all your browsing data to Google, and use Google as the default search engine. Tell me why it's not part of the monopoly you mentioned? How is this fighting Google at all?

It is fighting the Google monopoly in browsers, not in search.

No, since a fork is still fundamentally Firefox.

No. Mozilla is actually helping Google build and maintain a monopoly on search (for money) and is accepting the scraps that Google leaves on the table from the browser market.

Mozilla has continuously and repeatedly fucked up when it comes to defaulting to grab telemetry and shady deals with Google, to asking for money while spending way too much on salaries for its execs for a supposed non-profit corporation (that is exempt from Federal income taxation).

Although I'm a Firefox user, it pains me to say that I can't wait for the day where Mozilla and Firefox die. At least it'll hasten the rise of a new effort. And I'd take anything other than Chrome or the Edges of the world.

I'm still hoping Brave will wake up and properly fork Firefox and give Mozilla the big FUCK YOU.

Edit: a special ps to down voters: Fuck Mozilla and its CEO.

Seriously, why are people down voting this? They have been paying the CEO a lot while laying off a ton of people at MDN!

I don't think Mozilla is intentionally helping Google, but they are bleeding a ton of money with community events etc, laying off people while giving these horrible execs increased salaries. Like seriously WTH?

Mozilla need to kill the current leadership, get lean on spending and most importantly cater to their audience. They don't have many general users. A huge portion are hardcore fans, OpenSource folks, people who value privacy or anti-chrome. Pushing ads to this audience is only going to accelerate the downfall.

Focus on pleasing power users and devs. Market on shit that matters to power users, sys admins, devs and privacy folks, journalists! Like containers, and dev tools (some of which are already cool). Then these folks will whole heartedly embrace it in their workplaces, recommend to friends and family. Devs will write things more for FF. And don't break extensions again! This is how you got us before. Do it again. Then the general audiences will come.

Currently all these power users and others are themselves not sure about Firefox. They are stuck with it cos neither can they donate directly to Firefox development, nor are they happy with the leadership decisions. They are just waiting till the last day of FF's existence so that they can be a lil more private until they have to move to Chrome based browsers.

When their heart was at the right place their tech sucked. Their tech is better now, but their heart is not in the right place.

(Mozilla dev here, not speaking for Moz)

"grab telemetry" - that data is really, really useful in making development decisions, and we are hyperparanoid about what we collect. From an armchair, it may seem like you can make the right guess about how to eg adjust garbage collection scheduling priorities, but actual data always surprises you in one way or another. It can make the difference between spending a month on a tough project that ends up making no difference for the vast majority of users, and having a month to spend on something more impactful.

I really don't like to speculate on executive pay, but I'm pretty baffled why this is seen as such a big deal. Your argument sounds valid to me. So does the argument that we're talking about the CEO of a tech company that is competing directly with multiple Big Tech competitors, and perhaps paying comparatively bargain basement prices is not the smartest idea. Which is not to say that I'm happy about the layoffs.

Mozilla has messed up on a number of things, multiple times, including at least one time when it ended up (as in, made a deal to and carried it out) sending a bunch of data to a third party. (It was more nuanced than is generally appreciated, but I won't go there.)

I sincerely apologize that Mozilla isn't up to the pristine standards of the big technology companies. /s

I'm not going to explain the MoCo/MoFo structure here. I'll just say that MoCo most definitely pays taxes, MoFo asks for donations because it's a nonprofit with its own initiatives and direction, and you can get tons of information about the finances involving both because of MoFo's nonprofit status and the resulting annual report. (MoCo = Mozilla Corporation, MoFo = Mozilla Foundation, MoFo owns MoCo.)

The Google deal is, like, how MoCo makes money and is able to exist. What's shady about it? I'd certainly like the funding to be more independent. Maybe Mozilla can try drilling for oil on the land it doesn't own or start selling off the user data it doesn't collect?

> I really don't like to speculate on executive pay, but I'm pretty baffled why this is seen as such a big deal.

The problem is not the exec getting paid this much. It is about getting paid this much when me and many long time users like me see a sinking ship with ever decreasing user base... while on the brink of no more pay from Google... Trying to push ads to us. < THIS IS WHERE EXEC PAY COMES INTO PLAY >

The context is important. It's like when your house is on fire and you are casually using the fire to light up a cigar.

> I sincerely apologize that Mozilla isn't up to the pristine standards of the big technology companies. /s

In all seriousness, we just need the heart of the old MoCo (Pre quantum) and the tech of the current MoCo. ;)

Firefox users are ideologically invested in the browser. I do feel like Mozilla is trying to push things like you are this big corp (In a way MoCo is.). While I am absolutely happy with the technical progress and direction Firefox is taking, MoFo/MoCo should understand the ideological element here. This is why you see more outcry against "how things should be run" against Mozilla and not Google.

> I really don't like to speculate on executive pay, but I'm pretty baffled why this is seen as such a big deal.

They lay off 250+ people - many of whom are the very people needed to make the technical improvements many users desire - while the executives get pay raises. You wonder why it's a 'big deal'?

Did the execs get raises after the layoffs? About half the ones that were at Mozilla at that time are gone now.

> "grab telemetry" - that data is really, really useful in making development decisions, and we are hyperparanoid about what we collect.

We understand that, and we're saying no. You can do whatever you want. I will use LibreWolf.

Yeah that’s a weird attitude to have, the only reason there are users who feel personally hurt by the attitude Mozilla has been taking for the past few years is because they know things could be going way better.

No one is arguing that telemetry can be helpful but forcing users into it while acting holier than thou is not just shady, but very much scammy.

The whole structuring difference between the foundation and the corporation sounds a lot like a tactic to push for some things under the non profit front and others under the company front, aka scammy.

All this turns on alarms in people’s heads… in a way I don’t find it weird that you guys still don’t see it, this is a sinking ship, and you’re going to think everything is going well until the last breath.

I'm absolutely with you on this. In fact, when I heard about the servo team and the CEO's salary, I stopped using Firefox. Now I mostly use qutebrowser (and Vivaldi for stuff I need more security).

I will start using Firefox when it leaves Mozilla and I'd pay a subscription for it. For me, the ideal situation is a lean team (hopefully only the devs, because I'm not paying any useless middle or high level managers a penny) start developing it for a fee. Just the browser will do, no password managers, no vpns, no nonsense. I already pay for subscriptions for those.

I've seen many here on hacker news expressing willingness to pay and the only reason that they don't is because they don't want to pay for other Mozilla nonsense but Mozilla doesn't want to open a direct channel for the community to support the Firefox team. I find this outrageous. Clearly, they are using Firefox, its very talented devs and the image of their noble fight for a private internet to fill the pockets of executives who don't know shit about engineering or the ethos of opensource software.

> and Vivaldi for stuff I need more security).

I agree with you on almost everything except Vivaldi. They are closed source and Firefox is 100% much more capable of supporting privacy than Vivaldi.

I have my own problems with Firefox but don't intend to stop using Firefox. They are still great. I will have to see this through I feel. lol.

Also, when you use a browser based on Blink engine (Vivaldi, Opera, Brave, Edge, Chromium) you are giving more leverage to Google at W3C. This makes FLoC kind of stuff more probable from Google.

"You need to change the browser engine as well, NOT JUST THE BROWSER." ;)

Always choose Gecko or Gecko based (like Librewolf) :)
