[BALUG-Talk] MOZILLA's GnuPG/PGP key-signing session, October 3rd

Rick Moen rick@linuxmafia.com
Wed Aug 16 13:58:16 PDT 2017


Quoting acohen36@sdf.org (acohen36@sdf.org):

> From what I'm seeing now, and FWIW, both the 64-bit open source Brave*
> browser and the 32-bit open source Palemoon browser will _still_ be
> supporting many of our most important browser extensions into the near
> future.

As will Firefox-ESR, SeaMonkey, and Waterfox.

> *An interesting fact to note about Brave is that their Mission District HQ
> is ~3/4 hr MUNI busride from Mozilla's SF offence [9] ear Rincon
> Point.
> 
> Comments from announcement-forwarder Michael P, from Rick M, and from
> others are expected and of course welcome :-)

I'm backlogged on correspondence, and also jetlagged, having just gotten
back from a couple of weeks in Helsinki and Stockholm, so don't hold
your breath waiting for me to address this.

Moreover, it's already been extensively discussed elsewhere:
http://linuxmafia.com/pipermail/conspire/2017-February/008707.html
http://lists.svlug.org/archives/svlug/2017-February/062344.html
https://lists.dyne.org/lurker/message/20170223.160150.c29d18d7.fi.html
(See threads beginning at those links.)

The dropping of XUL & XDL (extension interface) from the main Mozilla
codebase (after verion 56) creates unfortunate short- and medium-term
consequences, though as mentioned there are indeed technical reasons for
it.  But there will be some very serious permanent loss of
functionality, make no mistake: There is simply a great deal that
WebExtensions cannot do and probably will never be able to do, things
classed as 'chrome' alterations, hence involving XUL & XDL.

The recent dropping of ALSA sound support is even more regrettable IMO:
I continue to regard PulseAudio as something of a horror, though one can
substitute apulse as a crutch for applications that expect PulseAudio.

Last, what I've seen about code-signing has been so far troubling, with
Mozilla's builds reportedly _not_ giving users control of the keychain.
Of course, this being open source, anyone sufficiently motivated can
maintain a patchset to restore that control.  (There may have been newer
developments in this area, and I would not necessarily have heard of
them.)

Also, as Akkana noted on the SVLUG discussion, Firefox-ESR will preserve
the ability to switch off mandatory enforcement of extension signing,
via an about:config toggle (that in Mozilla's releases will be switched
on by default).

So, it's the usual sort of thing where less-technical users are going to
get steamrolled.





More information about the BALUG-Talk mailing list