Firefox patches and privacy?

[saturnalia0]

I've recently read this blog post about a dubious opt-out feature added to Firefox 128 (current version in Gentoo):

https://blog.privacyguides.org/2024/07/ ... t-again-2/

I'm a user of firefox-bin so I don't expect it to be patched in any way, so I simply disabled it.

I was wondering, does Gentoo have any opinionated patches to www-client/firefox, like enabling or disabling certain features for privacy reasons?

Looking at the ebuild I see things like --disable-crashreporter and --disable-gpsd, though I'm not sure what the motivation is as the git history is a bit hard to navigate (can't simply git blame on those lines as a new file is created for each version, plus the history is very large).

[CooSee]

try this - it has many security patches https://gitlab.com/Perfect_Gentleman/PG ... type=heads

add it with https://wiki.gentoo.org/wiki/Eselect/Repository

e.g.

Code: Select all

eselect repository list

Code: Select all

eselect repository enable pg_overlay

etc...

and how to handle multiple repositories https://wiki.gentoo.org/wiki/Ebuild_rep ... positories

[Juippisi]

I was wondering, does Gentoo have any opinionated patches to www-client/firefox, like enabling or disabling certain features for privacy reasons?

Not at the moment and I'm personally very much against trying to maintain these on distro-level. I have tons of settings from https://github.com/arkenfox/user.js in my profile, and I still carry some custom-patches in /etc/portage/patches. But the more patches we add on a distro-level the harder maintaining Firefox becomes. Something breaks _every_ release, and it often takes hours just to update the current patches we're carrying. In fact I'd really like to get as close to upstream "vanilla" builds as possible. The browser development is just getting faster and faster, and the codebase more complicated. That's why it's hard to keep up and I'm _very_ reluctant adding any custom-patches that can't be upstreamed.

What I like about Firefox though is they give you the option to configure these settings. Even with this adtech mess, you can opt-out either from graphical settings or about:config. If I/we were to meddle with these settings from the ebuild, we'd have to print some message saying "these options have been set - check whether you want to change them" polluting the postinst log. People who care about that stuff, will find the settings they can change. Oh and the "telemetry" use flag does massive work on its own already - again, glad Mozilla gives this option when building Firefox.

I see things like --disable-crashreporter and --disable-gpsd,

I don't know if you threw these two just as examples or if you're really curious about them, but:

I think crashreporter depends on gconf2 that was somewhat recently removed from Gentoo. Also if I remember correctly it depends on dbug being enabled (which makes sense when you think about it). Mozilla is working on rewriting the crashreported in rust, so when that's finished it can most likely be enabled in the ebuilds. Maybe. There could be some historic reason to disable it since we may introduce some Gentoo-only bugs with our builds.

gpsd depends on libgps which - to my knowledge - has never been available in Gentoo. It uses libgps to track geolocation. But Firefox uses, and has used, built-in geoclue (I think it's built-in?) for ages now. gpsd might be a legacy thing that no one removed from the codebase, even though it's not used anywhere.

[kimchi_sg]

In fact I'd really like to get as close to upstream "vanilla" builds as possible. The browser development is just getting faster and faster, and the codebase more complicated. That's why it's hard to keep up and I'm _very_ reluctant adding any custom-patches that can't be upstreamed.

Thank you for trying to keep up with upstream... the amount of stuff going on inside the firefox ebuilds is quite the eye-opener.

[Hu]

With regard to patching and the maintenance burden it carries, I will note that Gentoo already applies through the ebuild quite a few default-preferences. However, since these are written to a dedicated file, if one of them goes obsolete, it will just silently stop working instead of breaking the build. I like that someone else has done the work of researching what preferences a privacy-oriented individual would want. I would prefer that there be an easy way to pull all that into Firefox, so that I can get equivalent changes on all the systems I maintain, but I recognize that supporting that - and deciding on exactly which preferences to include - could be a notable burden.

[pjp]

People who care about that stuff, will find the settings they can change.

Awareness is the main blocker there, but I can appreciate the patch burden. That they've decided to remotely change user settings is disturbing.

[Juippisi]

I would prefer that there be an easy way to pull all that into Firefox, so that I can get equivalent changes on all the systems I maintain, but I recognize that supporting that - and deciding on exactly which preferences to include - could be a notable burden.

/etc/firefox/syspref.js should be closest to achieving that in a safe location. You then deliver/control the file with same tool you control all these instances.

[lars_the_bear]

That they've decided to remotely change user settings is disturbing.

Have the Mozilla folks just set the controls for the heart of the Sun now?

My gut feeling is that the many (most?) people who use Firefox on a regular basis do so because they don't really trust the underhanded behaviour of the alternatives. I don't know how big a problem this PPA thing is, because I don't really understand how it works. The fact that it was sneaked in, accompanied by the patronizing attitude of the Firefox developers ("You wouldn't understand it even if we told you") has to make it a cause for concern.

This is just one in a history of worrying changes in Firefox. Assuming that everybody uses pulseaudio, and assuming that everybody uses NetworkManager are other examples. I've always supported Mozilla but -- good grief.

BR, Lars.

[sMueggli]

People who care about that stuff, will find the settings they can change.

Awareness is the main blocker there, but I can appreciate the patch burden. That they've decided to remotely change user settings is disturbing.

Who decided to change remotely which user setting?

Firefox introduced a new option with a default value. The main question here is whether the default value is the "right" or "wrong" value. Is the default value a violation of privacy or not? Based on my understanding of privacy I dare to say that the default value is not a violation of your privacy. Because I try to share as little data as possible I opted-out. But sharing as little data as possible is not the same as "protecting privacy".

[lars_the_bear]

But sharing as little data as possible is not the same as "protecting privacy".

No. But perhaps it's a necessary first step? The problem is that 'Internet privacy' encompasses a bunch of complex, interrelated issues. I suspect that few people fully understand the implications of this Firefox change. As a matter of routine, I turn off all forms of telemetry that I can exercise any control over. Whether it does any good, I'm not sure. My gut feeling is that it does no harm.

BR, Lars.

[pjp]

That they've decided to remotely change user settings is disturbing.

Have the Mozilla folks just set the controls for the heart of the Sun now?

Who decided to change remotely which user setting?

Code: Select all

elog "Upstream operates a service named Normandy which allows Mozilla to" 
elog "push changes for default settings or even install new add-ons remotely."
elog "While this can be useful to address problems like 'Armagadd-on 2.0' or" 
elog "revert previous decisions to disable TLS 1.0/1.1, privacy and security"
elog "concerns prevail, which is why we have switched off the use of this"
elog "service by default."

https://gitweb.gentoo.org/repo/gentoo.g ... 3.0.ebuild

My gut feeling is that the many (most?) people who use Firefox on a regular basis do so because they don't really trust the underhanded behaviour of the alternatives.

I've never had the experience of others that Chrome is faster / better. so I've stayed with Firefox. The only other option is not using the web as none of the other Chromium based browsers solve the usability problems inherent in Chrome.

[lars_the_bear]

I've never had the experience of others that Chrome is faster / better. so I've stayed with Firefox.

I have the opposite experience: I find Chromium works better than Firefox for almost everything I do. And it supports ALSA audio directly, without needing to be built from source, which Firefox generally does not any more.

I stick with Firefox because I don't feel I can trust anything that's associated in any way with Google. I don't know what risks I run, using Google products and services; maybe there are none, and I'm being paranoid. And there are plenty of nasty security vulnerabilities, even in software that has always been open source, and maintained with the best and noblest of intentions.

I know I'm a zealot. I'm not proud of it; it's just the way I am. But dealing with anything Google makes me feel... icky. Like I need a hot shower. Heaven help me if Firefox goes the same way; I'll have to go back to Gopher.

BR, Lars.

[pjp]

As a reminder, firefox esr 128 arrived today with this USE flag:

Code: Select all

telemetry%*

euse -i telemetry references 3 packages (but not firefox):
dev-python/stripe
dev-util/selenium-manager
kde-plasma/plasma-workspace

[Bob P]

Code: Select all

elog "Upstream operates a service named Normandy which allows Mozilla to" 
elog "push changes for default settings or even install new add-ons remotely."
elog "While this can be useful to address problems like 'Armagadd-on 2.0' or" 
elog "revert previous decisions to disable TLS 1.0/1.1, privacy and security"
elog "concerns prevail, which is why we have switched off the use of this"
elog "service by default."

Normandy? Why would someone name a service like that after the greatest invasion in the history of mankind? What were they thinking? Hmmm.

Switching off a hostile service like that is not good enough. That kind of service is overtly hostile and it's mere existence on someone's PC places the user at risk. It's existence implies a hostile motive being reserved for future deployment. It is a ticking time bomb and it's only a matter of time until the service gets switched on "accidentally."

[Bob P]

On a related note, I have encountered perf problems with firefox that forced me to use chrome against my wishes. So I tried using the Brave Browser, which is ostensibly a safer version of chrome that has (some of) chrome's spyware features deactivated. Don't believe it.

After painstakingly configuring my version of Brave to honor my seucrity needs to the greatest extent possible, I found after a system update that all of my preferences were reset to promiscuous values and I had to go through everything all over again. (Fedora 39 and Brave v1.71.114 (Oct 17, 2024))

Concerns like those mentioned in this thread are why I don't trust any browser anymore. I think it's a good idea to sandbox them in a VM.

[Hu]

Switching off a hostile service like that is not good enough. That kind of service is overtly hostile and it's mere existence on someone's PC places the user at risk. It's existence implies a hostile motive being reserved for future deployment. It is a ticking time bomb and it's only a matter of time until the service gets switched on "accidentally."

Upstream ships the code for the service. Gentoo disables the service, and shows a message telling you this. If upstream one day makes a change that bypasses Gentoo's change and reenables the service, then that would be an accident on the part of the Gentoo maintainer for not catching that the attempted disable ceased functioning. Given that Gentoo specifically disabled this, I cannot see a Gentoo maintainer reactivating it maliciously. If the Gentoo maintainer wanted it on, he could simply have done nothing and let upstream's default prevail this whole time. Therefore, while your concern about the existence of the service seems reasonable, your implications about motives seem unfounded.

What do you propose be done differently, particularly in light of your own observations that Chrome and its derivatives are actively pursuing an even more anti-privacy policy?

[Bob P]

My concern isn't about what Gentoo is doing, it's about what's being done upstream. I appreciate what all of the Gentoo package maintainers are doing, but this is the sort of thing that oculd have catastrophic consequences if it slips through the cracks. Remember heartbleed?

The problem is that when malware like this is incorporated upstream by design, all users are placed at risk, and become dependent upon a single point of protection downstream. No matter how good a job the second tier people may do in preventing the problem, there's still risk associated with that model.

Regarding your question about what needs to be done differently, I already mentioned that I'm sandboxing my browsers. Maybe you missed that. This news (to me) about Normandy makes me think that I'm doing the right thing ... I'm just not sure that I'm doing enough. And knowing what I know, I know that I don't know enough to know that I'm doing enough. Really, I'm not sure that any of us are truly capable of protecting ourselves when the hostile threat is incorporated by design into devices that people are dependent upon.

We're at a stage where phones and browsers are designed to work against us. I don't have all the answers. I'd like help from those who know more than I do.

[Hu]

I saw your comment about sandboxing, but that is something you are doing, locally. I was asking what it is you think the Gentoo maintainers should be doing differently. Are you advocating that Gentoo should ship a pre-sandboxed browser, so that merely running gentoo-firefox-wrapper provides out-of-the-box all the protection that the Gentoo community knows how to provide, be that through seccomp, containers, virtual machines, etc.?

I only see that Normandy warning in the firefox-bin ebuild, where Gentoo cannot patch out the code because the ebuild is just a download of a blob. I see in the firefox ebuild that the default prefs disable Normandy, but no mention of Normandy in the ebuild text itself. Perhaps this means that the Normandy code is present, but disabled. I can see that deleting the Normandy code outright would be safer, but it would also make the ebuild more fragile.

[Bob P]

Are you advocating that Gentoo should ship a pre-sandboxed browser, so that merely running gentoo-firefox-wrapper provides out-of-the-box all the protection that the Gentoo community knows how to provide, be that through seccomp, containers, virtual machines, etc.?

Please stop imagining words into my mouth.

[Hu]

Are you advocating that Gentoo should ship a pre-sandboxed browser, so that merely running gentoo-firefox-wrapper provides out-of-the-box all the protection that the Gentoo community knows how to provide, be that through seccomp, containers, virtual machines, etc.?

Please stop imagining words into my mouth.

That was a question, not imagination. However, it was a question derived from your own words up thread:

Switching off a hostile service like that is not good enough. That kind of service is overtly hostile and it's mere existence on someone's PC places the user at risk. It's existence implies a hostile motive being reserved for future deployment. It is a ticking time bomb and it's only a matter of time until the service gets switched on "accidentally."

If you think "Switching off a hostile service like that is not good enough", then what is good enough, and who should be doing the work that is good enough? I then offered a specific example of work that might be good enough: the Gentoo maintainers providing a pre-sandboxed browser. I also speculated that a related bit of potentially "good enough" work (deleting all the Normandy code from the build) would be useful, but too fragile to justify the burden on the volunteer maintainers who currently handle this ebuild.

[szatox]

Bob, that was a very reasonable question.
Mainstream is doing its thing, which admittedly sucks, but if disabling it is not enough of a solution, what else would you like implemented?

Meanwhile, I'm waiting for Ladybird project. Making a browser from scratch is a crazy endeavor, but they have a bunch of crazy people on the team, so might actually pull it off.
It should be to Chrome what Firefox used to be to IE.

[Bob P]

Bob, that was a very reasonable question.

The last two posts are errantly premised upon the belief that I have the intent to make some sort of recommendations for Gentoo to take some sort of action. Because I have not defined any recommendations, people have started specualting about what recommendations they think I might make.

When I have a recommendation I'll let you know. Until then, I'd like to request that people please don't attribute their ideas to me, no matter how logically they think their ideas should follow what has been said. Please bear in mind that if I don't say something then whatever anyone might come up with in speculation can not be regarded as my opinion.

[szatox]

You have made it clear that you have an opinion and then refused to express it when asked what it was. Fine, so be it.
You're the only one putting words in other peoples mouths here though. Nobody said anything about assuming what your actual opinion is.

[pjp]

Concerns like those mentioned in this thread are why I don't trust any browser anymore. I think it's a good idea to sandbox them in a VM.

I know it's extreme, but how else can you really protect yourself when the browser/internet system is designed to work against you?

Yeah, I do as little as possible with a browser, and less with javascript. But it's exhausting, and I wonder how much it helps if at all. I still haven't gotten around to something like apparmor.

When I start thinking Apple's prison looks like the best option, it's gotten bad (I've never owned anything from Apple and have no plans to change that. And having used a thing here or there, I don't get the appeal -- new CPUs excluded, but I'm still not buying one.)

[lars_the_bear]

I know it's extreme, but how else can you really protect yourself when the browser/internet system is designed to work against you?

Yeah, I do as little as possible with a browser, and less with javascript. But it's exhausting, and I wonder how much it helps if at all.

I wonder if it helps at all, when all your family and friends are saying 'to hell with it...' and just ignoring the problem? If people who actually understand the issue have decided that it isn't worth fighting any more, what chance is there of changing the behaviour of people who don't even understand?

I turn up all the privacy/anti-tracking/anti-fingerprinting features to maximum; I've de-googled my phone and I don't use apps; I don't use any social media; I have a VPN. Can I do more, without cutting myself off from the modern world entirely?

To keep a sense of perspective, I remind myself constantly that my house is not under water, and nobody is shooting rockets at me. But it is, indeed, exhausting. It's particular exhausting when I have no idea whether the measures I take are doing any good.

BR, Lars.