# palemoon, again



## ko56 (Sep 6, 2019)

(I posted this on the "palemoon!" thread a while ago, but maybe nobody is reading that any more, so I am re-posting)

I'm hoping someone is/are still interested in Pale Moon, I think it's a great browser.

I've tried to run the PM 28.6.x and 28.7.x Linux binaries using the linux-c7 compatibility layer on
FreeBSD 12.0.  Some additional Linux libraries are needed, but after they're installed, PM
dumps core on start-up, specifically a file "Compositor.core".

I also tried to run the Windows version under wine-devel-4.12. This one seems to work fine, 
except it does something that keeps the cpu pretty busy. This is in fact worse with 28.7.

Has anybody tried any of these things?  Finally, does anyone know how to (attempt to)
build from source? Or have any other ideas?


----------



## abishai (Sep 13, 2019)

ko56 said:


> Or have any other ideas?


Install firefox. Palemoon has outdated (and, probably insecure) engine and BSD unfriendly.


----------



## ko56 (Sep 13, 2019)

Firefox is exactly what I'm trying to avoid.  As far as security goes, please look at the Palemoon site, if you are interested.
But I agree about the "BSD unfriendliness", it is unfortunate.


----------



## Deleted member 30996 (Sep 14, 2019)

ko56 said:


> As far as security goes, please look at the Palemoon site, if you are interested.



What about this?






						Archive Server of Pale Moon Open Source Browser Hacked | SecurityWeek.Com
					

Hackers breached the archive server for the Pale Moon open source web browser and infected all .exe files with malware.




					www.securityweek.com
				




The hack went undetected for 18 months.









						Pale Moon says hackers added malware to older browser versions
					

Server breach at Pale Moon browser project goes undetected for 18 months.




					www.zdnet.com
				




I wouldn't count on it showing back up in the ports tree. It's been gone from the OpenBSD repository for a long time,

We already had New Moon, I still have it installed on my multimedia machine but it always stays offline.

I didn't realize the business with OpenBSD and Palemoon devs had happened till it was over. That rift not likely to ever be bridged. They had some unkind things to say about BSD people on a couple boards but the treads were closed by the time I saw them. I had a bomb of my own I never got to deploy but have it saved in reserve. Nice Halloween costume, wear it all year do you?

I use www/firefox-esr now. It's seemed more stable than www/firefox. I still have the extensions I need, and aside rendering that's what's most important in a browser for me.


----------



## abishai (Sep 14, 2019)

ko56 said:


> Firefox is exactly what I'm trying to avoid.  As far as security goes, please look at the Palemoon site, if you are interested.
> But I agree about the "BSD unfriendliness", it is unfortunate.


I've used Palemoon before. As for security, modern browsers are as complex as OS itself, so I have serious doubts that such projects can be managed with small teams without strict ties to upstream. Can you share why you try to avoid Firefox ?

- If you managing old devices, you don't need browser at all. Trick your device to give you jnlp file, install java/icedtea-web and you are done.
- If you don't like strange stuff Mozilla adds to the browser from time to time, you have ESR version and this stuff usually has about:config switch.
- If you care about telemetry and security hardering of browser itself here is ghacks user.js https://github.com/ghacksuserjs/ghacks-user.js
- If you want to reduce your internet footprints, you have uMatrix, uBlock, Decentraleyes, CSS Exfil Protection, ETag Stoppa extensions.
- Don't like interface? You have a solution as well https://github.com/Aris-t2/CustomCSSforFx
- Vim bingings? Tridactyl.

Seriously, I don't understand why FF derivatives still exist. I switched to forks as I was not ready to abandon all of my extensions, but now, 95% of problems are solved by community and Quantum is *a lot* faster.

Firefox is not perfect, but today the degree of imperfectness is not enough to think about something else.


----------



## Deleted member 30996 (Sep 14, 2019)

I was moved into using www/firefox-esr due to circumstances, Seamonkey and Palemoon purged from ports. I had been using Palemoon as my main browser because I could use the old extensions, some of which are not available on Quantum. 

I did so grudgingly but life goes on and I don't notice much difference now. I've had it on this machine and www/firefox on the one next to it the last year or so. ESR has seemed more stable on my Thinkpads.

I believe rufwoof said they have tried to do things like mitigate Specter and Meltdown if memory serves me. They also do flakey things like make personalized extension recommendations they got from Telemetry, but you can opt out of that.


----------



## ko56 (Sep 16, 2019)

Trihexagonal said:


> What about this?
> 
> I think this reflects more on the security of that code repository, not on the security of the browser itself.
> 
> ...



As a matter of fact, I didn't know about this security breach, and what I really meant by "look at the Palemoon site" is that it is apparent that PM is being actively and carefully developed, at least as well as FF is.


----------



## ko56 (Sep 16, 2019)

abishai said:


> I've used Palemoon before. As for security, modern browsers are as complex as OS itself, so I have serious doubts that such projects can be managed with small teams without strict ties to upstream.



I think some information relevant to this is in these two links to the PM forum: allegations, rumor control



> Can you share why you try to avoid Firefox ?


I don't like Firefox mainly because it has turned out to be essentially a clone of Chrome (ium). Most of all, I dislike Chrome's UI.  (In fact, I had used FF for years before they became a copy of Chrome.) Now I see from what you write below that you can get around some (?) of these UI issues, but with significant effort, as far as I can tell.



> - If you managing old devices, you don't need browser at all. Trick your device to give you jnlp file, install java/icedtea-web and you are done.
> - If you don't like strange stuff Mozilla adds to the browser from time to time, you have ESR version and this stuff usually has about:config switch.
> - If you care about telemetry and security hardering of browser itself here is ghacks user.js https://github.com/ghacksuserjs/ghacks-user.js
> - If you want to reduce your internet footprints, you have uMatrix, uBlock, Decentraleyes, CSS Exfil Protection, ETag Stoppa extensions.
> ...


I find PM (now New Moon) to be at least as carefully developed and maintained as FF.  The PM forum has a lot of interesting discussions about FF, Mozilla, etc ...


> Firefox is not perfect, but today the degree of imperfectness is not enough to think about something else.


Yes, I understand.  But I'll see if I can get PM working in a Linux jail.  There's an interesting post about Setting up a (Debian) Linux jail on FreeBSD.


----------



## SirDice (Sep 16, 2019)

ko56 please learn to quote correctly.


----------



## SlySven (Nov 6, 2019)

I am saddened by the removal of Pale Moon (or even New Moon the _unbranded_ version that we had to use because the FreeBSD port/pkg did not use the precise custom cooked _curated_ libraries that Upstream demanded to be used so that it could be deemed an official version ) packages from FreeBSD.

Some of the reasons that I use it on my set of Windows, GNU/Linux AND until recently FreeBSD boxen is that:

I could keep all of them synced so I did not have to use a particular OS/Machine to revisit a particular site I wished to go back to.
Much of the telemetry that phoned home to Mozilla had been burnt out or otherwise neutered.
Pale Moon retained the XUL addon / extension system - that Mozilla had not just deprecated but actively killed in favour of a much more restrictive and less capable system that rendered much of the long standing add-on environment extinct. Of course the elimination of the central repository for those add-ons at Mozilla was just one of the steps in the execution of what was once a rich pool of extras. Some of the add-ons have been mutated and regenerated - so for instance there is nmatrix to replace noscript...
Pale Moon is not trying to become a clone of Chrome.
Whilst I was annoyed to hear of the security breach that infected the archive site for the Windows version it isn't obvious to me that that is something that the project team could have prevented. It is a small team I believe and the nature of the breach does not seem to make it something that was down to them. I also believe it to have the largest user-base of the truly independent forks of the FireFox browser. Compared to say the Cliqz one ( https://en.wikipedia.org/wiki/Cliqz#History ) which seems to have ties to Mozilla - which is the broswer that I am currently, _reluctantly_, typing this in on.


----------



## ko56 (Nov 8, 2019)

I like PM for the same reasons.  Have you tried running the latest, PM28.7.2, under linux-c7? 
(Here linux build it says that the binary they distribute is built on CentOS 7, so it has some hope on working in FreeBSD.)

In my case the behavior is that it consumes all the memory on my machine, and then crashes before starting, creating a dump 'Compositor.core'.  (The memory is then reclaimed.)

I don't know how to make any progress in debugging this.   If anyone has any ideas about how to diagnose the problem, I would be happy to hear.


----------



## SlySven (Nov 16, 2019)

TBH I am not really familiar with the linux sub-system - though I see I do have some linux-c7 packages installed.

Does that mean that I will need to compile PaleMoon direct from source rather than using the Ports system? I guess that is not _too_ dissimilar to what I currently do for my own project of interest - in that I can build a usable Mudlet directly but I haven't gotten around to making a port that others can use (how _do_ you specify a Lua 5.1 flavoured luarocks as part of the build process - see Porting Mudlet to FreeBSD for the details of that)?


----------



## rootbert (Nov 16, 2019)

just to add some points to use firefox ... the german cyber security agency BSI did an audit: https://www.secureworldexpo.com/industry-news/new-testing-reveals-firefox-most-secure-browser


----------



## ko56 (Nov 17, 2019)

SlySven said:


> TBH I am not really familiar with the linux sub-system - though I see I do have some linux-c7 packages installed.
> 
> Does that mean that I will need to compile PaleMoon direct from source rather than using the Ports system? I guess that is not _too_ dissimilar to what I currently do for my own project of interest - in that I can build a usable Mudlet directly but I haven't gotten around to making a port that others can use (how _do_ you specify a Lua 5.1 flavoured luarocks as part of the build process - see Porting Mudlet to FreeBSD for the details of that)?



To understand the Linux compatibility layer, a set of packages named linux-c7*, see Ch. 10 of the FreeBSD manual.  As it says there, these packages are in some sense a minimalistic Linux (in this case CentOS 7) system, and they allow you to run *unmodified* Linux *binaries* on a FreeBSD system.

So in the case of PM, the port has been removed from FreeBSD 12. And there is no pre-built package. However, you can download the x64 binary for Linux from the PM website http://linux.palemoon.org/, and follow the instructions there for installing it in your $HOME. Then you can try running it, as I mentioned in my previous post. (This may need some linux-c7 packages in addition to those already on your system. You should be able to tell what is needed from the error messages, and you can see what the available packages are by doing "pkg search linux-c7".) And see if you can figure out what is going wrong.


----------



## ko56 (Nov 17, 2019)

I forgot to add that what you are attempting with Mudlet is much more ambitious than the "Linux way" I'm talking about above.  Of course, attempting a real port of PM would be very nice, but it is beyond my capabilities, at least.


----------



## rudelgurke (Nov 18, 2019)

rootbert said:


> just to add some points to use firefox ... the german cyber security agency BSI did an audit: https://www.secureworldexpo.com/industry-news/new-testing-reveals-firefox-most-secure-browser



No they did not. All what they did was defining a minimum standard for use of browsers inside official / government agencies (e.g. "Must support TLS" "Must support internal password manager" etc.).
Then they did read through the manuals and compared what browser supports their pre-defined standards. There was no auditing at all like taking a look at sources so it's all a recommendation they published. A recommendation that matches their defined needs. If you define other needs like "Browser must not support storing passwords at all" another browser will win the match.

A lot of so called "news sites" took the boring story, added some personal opinion and had their "big story".


----------



## linux->bsd (Oct 27, 2020)

ko56 said:


> I like PM for the same reasons.  Have you tried running the latest, PM28.7.2, under linux-c7?
> (Here linux build it says that the binary they distribute is built on CentOS 7, so it has some hope on working in FreeBSD.)
> 
> In my case the behavior is that it consumes all the memory on my machine, and then crashes before starting, creating a dump 'Compositor.core'.  (The memory is then reclaimed.)
> ...


PM28 works well under 12.2-RC3 (standard /compat/linux). And a third party verified it works on 13.0-CURRENT using an Ubuntu jail|chroot.


----------



## ko56 (Nov 3, 2020)

linux->bsd said:


> PM28 works well under 12.2-RC3 (standard /compat/linux). And a third party verified it works on 13.0-CURRENT using an Ubuntu jail|chroot.


I just saw this, thanks.  I tried PM 28.15.0 with FreeBSD 12.2-RELEASE, and indeed it works fine with linux-c7, as far as I've been able to tell. (I think it may have something to do with the recent fix to linux threads, see
https://www.freebsd.org/security/advisories/FreeBSD-EN-20:17.linuxthread.asc)
The only thing I found that does not work is the FEBE addon, it has a thread(!) problem.
Anyhow, this is very good news.


----------



## ko56 (Nov 5, 2020)

linux->bsd said:


> PM28 works well under 12.2-RC3 (standard /compat/linux). And a third party verified it works on 13.0-CURRENT using an Ubuntu jail|chroot.


Is there any reason to believe that PM 28 won't work in FreeBSD 13 under Linux compatibility?
(A jail is a rather heavyweight solution, last resort)


----------

