this post was submitted on 27 Oct 2024
184 points (98.4% liked)

Technology

58922 readers
4053 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
184
The Fennec Android browser is currently behind on Firefox security updates, deemed unsafe by F-droid (leminal.space)
submitted 7 hours ago by [email protected] to c/[email protected]
24 comments fedilink hide all child comments
 

If, like me, you've relied on Fennec as a more tolerable version of Firefox for Android, you may have gotten some bad news in the latest F-droid update cycle.

Fennec has fallen so far behind on updates that serious security patches implemented by Mozilla in Firefox haven't been applied to the fork, and Fennec is therefore still breachable.

The developer responded two weeks ago that they were "short on time", and there still isn't a new, secure version available. This appears to be due to that recurring weak link in open source development: small teams, confronted by real life demands like time and money?

top 24 comments
sorted by: hot top controversial new old
[–] [email protected] 40 points 5 hours ago (2 children)

It's just very unfortunate timing. Google removed some library Firefox depended on in NDK and it meant developers need to make significant changes to their packaging system. At the same time critical vulnerably was discovered in Firefox. On top of that, everything happened when main developer of Fennec was away from home and short on time. But from what I've seen on Fennec gitlab most of the work is done so you should expect update soon.

[–] [email protected] 8 points 4 hours ago

Yep, it's this. Unfortunate but from what I was reading, solvable with a little time. Unfortunately the dev has been unavailable but will be back soon. I'm not too concerned

[–] [email protected] -2 points 3 hours ago

Firefox 130 was released on the 3th of September, almost 2 months ago. This didn't just happen in a short time frame.

[–] [email protected] 19 points 5 hours ago (1 children)

A bit of backstory on how we got here - in June 2024 Mozilla chose to (a) integrate the source tree of Firefox Mobile into their huge monorepo ("gecko-dev"), and (b) move the source off of Github onto their own git servers ("Mozilla Central"). You can read about it in the now-archived old repo:

This was then compounded by a core Android build kit ("NDK") choosing to remove parts of the toolchain which is/was used to build Firefox releases (ergo, forcing another change to build process):

Together these have caused a bit of a kerfuffle in getting new releases compiled and released via the official F-Droid methodology. See the other comment about the Mull version in their private repo, they're having to use a Mozilla pre-built clang (a compiler toolchain) now to make it work for the time being.

[–] [email protected] 3 points 3 hours ago

Thanks for the context! Much appreciated.

[–] [email protected] 33 points 7 hours ago (2 children)

What do you find not tolerable in standard Firefox and what did this browser do that made it better?

I know firefox is rather memory heavy, but despite that it's still my go-to browser, both for desktop and mobile.

[–] [email protected] 24 points 7 hours ago (2 children)

Upstream Firefox doesn't comply with FDroid's rules (thanks to the 'proprietary bits and telemetry' Handles mentioned), so is only available from the Play Store or as a loose APK that won't auto-update.

[–] [email protected] 2 points 2 hours ago

This reads like “they only sell hamburgers at the grocery store, and they don’t sell veggie burgers at the hippie food store because they aren't vegan”

[–] [email protected] 18 points 7 hours ago (1 children)

it's also available from Mozilla's repos and can be updated using Obtainium https://download.cdn.mozilla.net/pub/fenix/releases/

[–] [email protected] 3 points 4 hours ago (1 children)

Cool.

But I'm not adding another method of updating apps just for the browser. F-Droid is where my non-play store apps live and update from, and I'd like to keep it that way.

[–] [email protected] 3 points 3 hours ago

I use Obtainium (available in F-Droid) alongside F-Droid since both have auto-updates
this is still tolerable to the old days of updating manually

biggest upside is I can update Tubular/Newpipe faster via Obtainium while F-Droids build system takes days

[–] [email protected] 14 points 7 hours ago

I think this is beside the point here, but as it says in the F-droid description, their build "has proprietary bits and telemetry removed".

[–] [email protected] 15 points 6 hours ago (3 children)

I'll just throw out Mull from DivestOS's third-party f-droid repo as an up to date alternative. The newest versions are incompatible with the main repo but here is their explanation:

Updated Mull to 131.0.0, has 14+1+25 security fixes from the previous 129.0.2 release. In order to resolve the compilation issue introduced in 130, Mull is now compiled using Mozilla's prebuilt clang toolchain. This however is incompatible with the F-Droid.org inclusion criteria, so these updates (for now at least) will only be available via the DivestOS.org F-Droid repository. Please note, while this adds a prebuilt dependency, the result does still remain FOSS.

[–] [email protected] 3 points 3 hours ago* (last edited 3 hours ago)

The only reason the Fennec devs haven't announced this is that they've been moving but they're basically working on the same things to get it back on F Droid.

[–] [email protected] 7 points 6 hours ago (3 children)

Ah yes, the toolchain changes appear to be a stumbling stone for the Fennec devs as well. That kind of thing doesn't exactly speed up new releases, I'm sure.

What are your experiences with Mull? Is it generally compatible with Firefox plugins, and are there performance improvements as well as in security?

[–] [email protected] 3 points 1 hour ago (1 children)

IMHO as i have it as my daily browser, it can become troublesome with booking websites (flights, tickets, hotels, restaurant orders, shopping). They don't like whatever Mull blocks, and at some point during any booking process you'll be unable to complete it. Sometimes during the payment step, so it can be... Frustrating.

[–] [email protected] 1 points 1 hour ago

I experience similar, if rarely, with my about:config modifications and muBlock add-on. Those things I blame more on the modern web than on any browser :/

[–] [email protected] 2 points 3 hours ago* (last edited 3 hours ago)

Mull has defaults that improve privacy at the cost of performance and website compatibility. They maintain a list of changes that you can reverse through about:config. If Mull seems slow for you, consider re-enabling the JavaScript JIT.

[–] [email protected] 3 points 4 hours ago

I've been using it as my primary browser on Android for years so I don't really have much to compare it to, but I haven't had any issues with extension compatibility. It includes changes from Tor browser and Arkenfox so it's more privacy-focused than on performance.

[–] [email protected] 2 points 6 hours ago (1 children)

The link(s) to add their F-Droid repo if not running DivestOS: https://divestos.org/pages/our_apps.html#repos

[–] [email protected] 1 points 1 hour ago

Been using Mull, didn't realize there was newer versions, thanks for the link!

[–] [email protected] 2 points 5 hours ago* (last edited 5 hours ago)

I got the same warning for Mull. Is the patching so extensive? I always thought they have a patchset for some of the shortcomings and just apply that onto the newest Firefox version... Or do they do a full code review on all of the changes?

[–] [email protected] -1 points 5 hours ago (1 children)

"It's fine" (or will be), just donate & carry on.

[–] [email protected] 2 points 2 hours ago

Dangerous attitude when it comes to itsec.