this post was submitted on 27 Oct 2024
354 points (97.8% liked)

Technology

59161 readers
2206 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

If, like me, you've relied on Fennec as a more tolerable version of Firefox for Android, you may have gotten some bad news in the latest F-droid update cycle.

Fennec has fallen so far behind on updates that serious security patches implemented by Mozilla in Firefox haven't been applied to the fork, and Fennec is therefore still breachable.

The developer responded two weeks ago that they were "short on time", and there still isn't a new, secure version available. This appears to be due to that recurring weak link in open source development: small teams, confronted by real life demands like time and money?

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 6 points 1 week ago* (last edited 1 week ago) (1 children)

If you want an up-to-date and lightweight Firefox fork, try Waterfox that's what I'm using right now

[–] [email protected] 5 points 1 week ago (1 children)

Didn't even know there was a Waterfox for android, good to know.

[–] [email protected] 1 points 1 week ago

I'm also surprised when I saw it on their website

[–] [email protected] 6 points 1 week ago* (last edited 1 week ago) (1 children)
[–] [email protected] 3 points 1 week ago

Cool cool, glad to see I may have jumped the gun. But I had cause to try a couple other Firefoxes (Nightly Beta and Mull) in the meantime!

Now I'll just be refreshing F-Droid every five minutes until the update comes through 😄

[–] [email protected] 4 points 1 week ago

Same, I just switched to mull. Use FFupdater

[–] [email protected] 8 points 1 week ago

more tolerable version

It doesn't even get updates. What are you on about? 😂

[–] [email protected] 5 points 1 week ago* (last edited 1 week ago)

For those who want to install standard FF via Obtainium use this:

https://download.cdn.mozilla.net/pub/fenix/releases/

Then add intermediate links (EDIT: this will only fetch releases like 130.0 or 130.1, etc. so feel free to edit regex if you want to match other versions like 130.0.1)

[0-9]+\.[0-9]+/$

android/$

fenix-[0-9]+\.[0-9]+-android-arm64-v8a/$

EDIT: based on https://github.com/ImranR98/Obtainium/issues/1625#issuecomment-2120736614

[–] [email protected] 4 points 1 week ago* (last edited 1 week ago) (1 children)

Is there a way to transfer my browser profile on Android between Fennec and Firefox?

[–] [email protected] 3 points 1 week ago

Firefox sync? You'll get bookmarks at least

[–] [email protected] -2 points 1 week ago (1 children)

More specifically Google made it difficult to update, if I am not mistaken?

[–] [email protected] 9 points 1 week ago (1 children)

I could be mistaken, but since it's a Mozilla base code and F-Droid distribution chain, I'm not sure where Google can stick it's thumb in the pie.

[–] [email protected] 2 points 1 week ago

Mozilla relied on an Android NDK to build correctly, became no longer available right as a firefox vulnerability came out and the Fennec dev was away from home.

[–] [email protected] 1 points 1 week ago (4 children)

I've been using Fennec. Any one got advise on what would be the best alternative? And please explain why.

[–] [email protected] 2 points 1 week ago

There's really no reason to go scrambling for an alternative, it's a temporary problem.

[–] [email protected] 1 points 1 week ago

You can update Fennec I heard, just not through the regular means.

[–] [email protected] 1 points 1 week ago (1 children)

Mull browser is also available on fdroid. It is an even better (secure) alternative to firefox as it uses some of tor architecture, from what I know.

[–] [email protected] 1 points 1 week ago

I don't know about tor architecture but it is more hardened

[–] [email protected] 8 points 1 week ago* (last edited 1 week ago) (2 children)

What were its advantages over Firefox?

[–] [email protected] 8 points 1 week ago* (last edited 1 week ago)

Fennec F-Droid

  • removes ff telemetry,
  • allows about:config changes,
  • you can enable dev mode for your own extension collection,
  • and it's completely open source
[–] [email protected] 6 points 1 week ago (1 children)

Being installable directly from fdroid was what made me use it.

[–] [email protected] 0 points 1 week ago

I've been using Firefox install via obtainium straight from the Mozilla repo.

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago) (3 children)

I have Mull installed 129.0.2 https://f-droid.org/repo/us.spotco.fennec_dos_21290220.apk

Should I uninstall?

Is there any way to export bookmarks from mull, so that I can uninstall it?

[–] [email protected] 10 points 1 week ago

There are newer builds sooner in the divestos repository https://divestos.org/pages/our_apps#repos

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago)

I used the Mozilla account sync thing that's built in but it didn't restore the extensions.

bookmarks and passwords seem to have copied over to the DivestOS one though.

[–] [email protected] 5 points 1 week ago

Honestly, just wait a little bit, both Fennec and Mull will get it sorted soon and you'll see an update. If the vulnerability is worrying you that much, I'd honestly just download the standard Firefox APK for the time being and use it while waiting on Mull to update on fdroid. It likely won't be more than a couple days.

[–] [email protected] -5 points 1 week ago (1 children)

"It's fine" (or will be), just donate & carry on.

[–] [email protected] 13 points 1 week ago (1 children)

Dangerous attitude when it comes to itsec.

[–] [email protected] 1 points 1 week ago

I know (& agree), I was saying it like exposing my flaw of laziness.

[–] [email protected] 100 points 1 week ago (2 children)

It's just very unfortunate timing. Google removed some library Firefox depended on in NDK and it meant developers need to make significant changes to their packaging system. At the same time critical vulnerably was discovered in Firefox. On top of that, everything happened when main developer of Fennec was away from home and short on time. But from what I've seen on Fennec gitlab most of the work is done so you should expect update soon.

[–] [email protected] 5 points 1 week ago (1 children)

Firefox 130 was released on the 3th of September, almost 2 months ago. This didn't just happen in a short time frame.

[–] [email protected] 8 points 1 week ago

Fennec being a version behind for over a month because the dev was absent wouldn't normally be that big a deal if not for the vulnerability being discovered.

[–] [email protected] 29 points 1 week ago* (last edited 1 week ago)

Yep, it's this. Annoying change, but from what I was reading, perfectly solvable with a little time. Unfortunately the dev was moving house, so they fell a version behind at the worst possible moment, but they're aware of the issue. I'm not too concerned.

Had it not been for FDroid's warning, I wouldn't have even realized Fennec was a version behind (now 2). Normally it's not that big a deal.

[–] [email protected] 43 points 1 week ago (2 children)

A bit of backstory on how we got here - in June 2024 Mozilla chose to (a) integrate the source tree of Firefox Mobile into their huge monorepo ("gecko-dev"), and (b) move the source off of Github onto their own git servers ("Mozilla Central"). You can read about it in the now-archived old repo:

This was then compounded by a core Android build kit ("NDK") choosing to remove parts of the toolchain which is/was used to build Firefox releases (ergo, forcing another change to build process):

Together these have caused a bit of a kerfuffle in getting new releases compiled and released via the official F-Droid methodology. See the other comment about the Mull version in their private repo, they're having to use a Mozilla pre-built clang (a compiler toolchain) now to make it work for the time being.

[–] [email protected] 1 points 1 week ago

Quick update for anyone still reading this thread:

@[email protected] As with any other app, we flagged Fennec and Mull with KnownVuln until the app is updated. Contributors fixed the issues that delayed versions 130 and later. Stand by for the build.

https://floss.social/@fdroidorg/113384089915217604

[–] [email protected] 6 points 1 week ago

Thanks for the context! Much appreciated.

[–] [email protected] 4 points 1 week ago* (last edited 1 week ago)

I got the same warning for Mull. Is the patching so extensive? I always thought they have a patchset for some of the shortcomings and just apply that onto the newest Firefox version... Or do they do a full code review on all of the changes?

[–] [email protected] 27 points 1 week ago (3 children)

I'll just throw out Mull from DivestOS's third-party f-droid repo as an up to date alternative. The newest versions are incompatible with the main repo but here is their explanation:

Updated Mull to 131.0.0, has 14+1+25 security fixes from the previous 129.0.2 release. In order to resolve the compilation issue introduced in 130, Mull is now compiled using Mozilla's prebuilt clang toolchain. This however is incompatible with the F-Droid.org inclusion criteria, so these updates (for now at least) will only be available via the DivestOS.org F-Droid repository. Please note, while this adds a prebuilt dependency, the result does still remain FOSS.

[–] [email protected] 6 points 1 week ago* (last edited 1 week ago)

The only reason the Fennec devs haven't announced this is that they've been moving but they're basically working on the same things to get it back on F Droid.

[–] [email protected] 5 points 1 week ago (1 children)

The link(s) to add their F-Droid repo if not running DivestOS: https://divestos.org/pages/our_apps.html#repos

[–] [email protected] 3 points 1 week ago

Been using Mull, didn't realize there was newer versions, thanks for the link!

[–] [email protected] 9 points 1 week ago (3 children)

Ah yes, the toolchain changes appear to be a stumbling stone for the Fennec devs as well. That kind of thing doesn't exactly speed up new releases, I'm sure.

What are your experiences with Mull? Is it generally compatible with Firefox plugins, and are there performance improvements as well as in security?

[–] [email protected] 7 points 1 week ago (1 children)

IMHO as i have it as my daily browser, it can become troublesome with booking websites (flights, tickets, hotels, restaurant orders, shopping). They don't like whatever Mull blocks, and at some point during any booking process you'll be unable to complete it. Sometimes during the payment step, so it can be... Frustrating.

[–] [email protected] 4 points 1 week ago* (last edited 1 week ago)

I experience similar, if rarely, with my about:config modifications and muBlock add-on [edit: that was on Fennec, I expect similar on other Fenix forks]. Those things I blame more on the modern web than on any browser :/

[–] [email protected] 6 points 1 week ago* (last edited 1 week ago)

Mull has defaults that improve privacy at the cost of performance and website compatibility. They maintain a list of changes that you can reverse through about:config. If Mull seems slow for you, consider re-enabling the JavaScript JIT.

[–] [email protected] 6 points 1 week ago

I've been using it as my primary browser on Android for years so I don't really have much to compare it to, but I haven't had any issues with extension compatibility. It includes changes from Tor browser and Arkenfox so it's more privacy-focused than on performance.

load more comments
view more: next ›