bug-gnuzilla

Re: [Bug-gnuzilla] IceCat 38.3.0 release


From: Ivan Zaigralin
Subject: Re: [Bug-gnuzilla] IceCat 38.3.0 release
Date: Wed, 14 Oct 2015 16:43:31 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

First of all, thanks for fixing the spyblock bug where custom filters
would not work. I've got zero feedback when I reported it, so it was a
pleasant surprise.

Get ready for another angry rant. Once again, I yell because I care,
because I believe users must have an alternative software source to
Mozilla, which is now not to be trusted, and icecat is pretty close to
an optimal answer. I am a long-standing user and also a maintainer of
the SlackBuild, which is a source-based distribution way in Slackware
derivatives, so please take my frustrated yells as signs of <3

OK.

There is a reason, I think, why users like maestro curse at this project
and its maintainers every now and then, and here's what I think is the
problem. Please note I am not at all endorsing or excusing that kind
of trolling, but I really wish that devs would stop for a second and
look at the likely causes of the obvious user frustration.

In my humble opinion, the priorities need an adjustment. One of the
HIGHEST priorities for web browser users is staying on top of the
security patches, so every time the concern for the "new features"
results in skipped releases, the users are gnashing their teeth and
thinking about jumping ship and just customizing the heck out of the
stock Firefox. The official goal #1 is to produce a FREE browser, but
this goal is in jeopardy whenever the browser falls behind, since it
almost ENSURES that MANY users will be running non-free software such as
viruses and trojans, and that WITHOUT even knowing.

On the technical side, I want to bring up once more what I see as a very
mistaken move, which is the inclusion of addons. I hope to convince if
not the devs then at least other package maintainers like me, who
prepare icecat for distribution within a particular OS. Starting with
this release, I am cutting all the addons, and I strongly urge all the
involved parties (including devs) here to do the same. I am doing this
precisely to improve the user experience and to make icecat and its
signature addons more popular, and here are some reasons why including
addons is a REALLY BAD idea.

(1) Since gnuzilla does not test addons and occasionally gives silent
treatment to bug reports in addons, including the ones produced
in-house, it should not distribute them. A common pattern seems to be
when users install icecat, they immediately run into an addon bug, and
give up. Here's my experience with a 38.3.0 and a VIRGIN profile:
duckduckgo does not work, asks to turn on javascript. I check settings,
javascript is on. This is already a show-stopping bug. I check LibreJS
(and how would a NEW user know that?), enable all that page, it reloads
and... still DOES NOT WORK, it's blank. I check librejs again,
everything is enabled. I try google maps, and the outcome is exactly the
same. Yes, maestro is a troll, but I think his emotional state is a
perfectly predictable consequence of the browser JUST NOT WORKING.

(2) Addons were intended to receive security updates independently from
the browser or the OS, but when we package icecat into GNU/Linux
distributions, the pre-added addons end up in the distro channel, so
they update only when users get around updating the OS. This is
suboptimal. The only addons which belong in the OS channel are the
OS-related addons, such as "Ubuntu Integration" or whatnot. Everything
else must go. Then there are users who get icecat directly from
gnuzilla, and they get addon updates only when they get around updating
the browser, which is slightly less bad. But the lazy release schedule,
which seems to be the norm, confounds this problem a lot.

(3) Why does gnuzilla think they know best about which addons users
should run? What if I want to run a different fork of adblock, not the
spyblock? Not many users know these forks are INCOMPATIBLE, so
installing a different blocker will break things. In effect, gnuzilla is
forcing its users to maintain gnuzilla's faulty package, as if users
didn't waste enough time maintaining addons they themselves installed.

(3.1) Forgive me for being blunt, but whose bright idea was it to
distribute blocklists along with spyblock? Do you realize you are
censoring the web without asking for explicit consent? Notice that good
adblockers (the addons themselves) do not do that, because USERS are the
only ones in the position to decide what is an unwanted ad. They offer a
choice of blocklists upon install, and taking this step out is meddling
edging on censorship.

(3.2) LibreJS in particular is basically nagware. Ostensibly, it should
help users to nag at web designers, but all it actually accomplishes is
nagging the users. As I explained before, it is 0% effective, since it
cannot possibly check whether javascript code is free. The only good way
to check that is to (a) authenticate the script source (b) check it
against the list of authorized free software sources. What makes THAT
script likely to be free is the tendency of users to put their trust in
ethical software sources such as FSF, Trisquel, FreeSlack, etc. The
presence of a license boilerplate has not a JACK to do with ANYTHING,
and I frankly cannot believe this useless addon is still being bundled.

So here is a specific proposal:

(i) All currently bundled addons should go into the common directory,
none should be installed by default. Until this is done, the browser
will be bloated and unstable, and curses will fly thick. This will also
free the devs' hands to work on the long-neglected goal of making new
releases prompt and secure.

(ii) Even in the addon directory, no adblocker should be bundled with
blocklists.

(iii) The free addon directory which shows up at about:addons should
contain a simple "get started" list saying which addons are essential
for user freedom and why, and (IMHO) this list should omit LibreJS until
it's shown to do something useful.

On 10/12/2015 09:05 PM, Rubén Rodríguez wrote:
> GNUzilla is the GNU version of the Mozilla suite, and GNU IceCat is the
> GNU version of the Firefox browser. Its main advantage is an ethical
> one: it is entirely free software. While the Firefox source code from
> the Mozilla project is free software, they distribute and recommend
> non-free software as plug-ins and addons. Also their trademark license
> restricts distribution in several ways incompatible with freedom 0.
> https://www.gnu.org/software/gnuzilla/
> 
> The user manual pages are at http://libreplanet.org/wiki/Group:IceCat/
> You can contribute by joining the wiki and editing the manuals.
> 
> Source tarballs, binaries for generic GNU/Linux systems and translations
> are available at http://ftp.gnu.org/gnu/gnuzilla/38.3.0/
> GPG key ID:D7E04784 GNU IceCat releases
> Fingerprint: A573 69A8 BABC 2542 B5A0  368C 3C76 EED7 D7E0 4784
> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=gnuzilla
> 
> This is a major release upgrade following the Extended Support Release
> upstream cycle, moving from v31.x-ESR to v38.x-ESR. All the features in
> previous releases have been preserved, along with extra polish and
> improvements in privacy.
> 
> == Changes since v31.8.0-gnu2 ==
>  * Rebased to v38.x
>  * Updated to v38.3.0ESR
>  * LibreJS updated to 6.0.10.20150620
>  * HTTPS-Everywhere updated to 5.1.1
>  * HTML5 Video Everywhere updated to 0.3.3
>  * Added more privacy settings and crypto hardening
>   - Disabled battery handling in dom
>   - Disabled sensor handling in dom
>   - Disable face detection and autofocus controls
>   - Disabled DNS prefetch
>   - Disabled ssl/tls protocols that are useless or too weak
> 
> 
> 
> --
> http://gnuzilla.gnu.org
> 

Attachment: signature.asc
Description: OpenPGP digital signature

