Firefox zeroday patch

you could also dual-boot both Amber and Byzantium or have one or both in a VM …

1 Like

That reminds me, I should write up a quick HowTo on creating a PureOS Byzantium VM.

3 Likes

Thanks for the clarification, Jeremiah. Have you thought about updating the Amber ISO to remove PureBrowser, replacing it with Epiphany in the default install? Technically it goes against the concept of a stable release, I know, but it may be a good safeguard to prevent new users from using an unsupported and potentially unsecure browser.

1 Like

Yes, this is something we’ve thought about. However, there is still a large installed base that is not addressed by these actions and we need to help those folks. This is why our current focus is on updating PureBrowser through our amber-update or amber-security channel.

Does that mean PureBrowser is or isn’t going to receive future security updates? It sounded like it isn’t from now on, which would mean we should all stop using it ASAP and move on to an alternative? Or perhaps I interpreted your last statement incorrectly and it would only stop receiving security updates if Debian doesn’t provide any more ESR updates?

Okay, I may have screwed something up. Any help would be greatly appreciated. I added the Byzantium repos to PureOS Software & Updates. I updated 59 applications and they look great. I then downloaded the latest version of Firefox and could/can only launch Firefox via CLI when I typed in ~/firefox/firefox. Firefox does not show up as an application on the GUI or on my favorites bar. I double clicked on the Software & Updates application and it did not launch. I restarted my laptop and tried to launch Software & Updates again, but no response. I uninstalled Software & Updates (with the intention of re-installing it) but now I don’t have the Software or Software & Updates application on my GUI at all. My questions are:

  1. How do I get the “Software” and “Software & Updates” applications re-installed on my GUI?
  2. What step(s) am I missing with Firefox? How come Firefox does not show up on my GUI’s applications list or the favorites bar? How do I get them there?

I realize it’s Saturday, but if anyone knows what I am missing can you clue me in after the weekend? Thanks.

have you tried to start firefox from the CLI ? then when it pops up look in the launch-toolbar and see if it’s there then > right click > add to favorites (that’s how it should be on Gnome DE)

to search for packages :

  1. elevate your privileges with sudo or su
  2. apt search "at-least-part-of-the-name-of-the-package-you-want"
  3. make a note in your mind or in the clipboard or copy/yank the name of the package you want from the list

to install :

  1. elevate your privileges with sudo or su
  2. apt install "exact-name-of-the-package"
    or
    apt install "at-least-part-of-the-name-of-the-package-you-want"
  3. confirm

in your case it’s > apt install gnome-software
just make sure you have the privileges to install …

wait what ? are you from the future ? where i am it’s Thursday morning jan 16 2020 … back to the future now i guess …

1 Like

Or from the past?

When I added Firefox from Mozilla, I had to add a firefox.desktop entry. Others have described how to do that in this forum, e.g. here. I put mine in /usr/share/applications, however. That added Firefox to the Applications menu and everything was fine.

Maybe one does not have to do that anymore, but I thought I would chime in.

1 Like

Thanks for the help. I will try the CL input. I think that should help. Oddly, right clicking the tool bar to add to favorites is the way I usually do it but, in this case, does work. Thanks again.

1 Like

Oops, I drove 18 hours from Illinois to Arizona and posted my question right before I went to sleep. Yeah, it’s Thursday.

2 Likes

Jeremiah, you were saying that “My first recommendation is to use a different browser, like Epiphany”.
Are you needing to do anything to “Epiphany” in regards to Privacy & Security? Or is it accepted that it is all OK in that respect?

This is a good question. A good question requires a good answer but a good answer in this case has to be exhaustive I feel and I can’t give you that.

What I can say is that Epiphany is partly designed to run in a container or via flatpak and that approach fits our security paradigm better. It is also well maintained upstream and doesn’t have many of the bells and whistles that other browsers do thus reducing the surface area for attacks. We want a browser that works on all our devices that we can adapt and even fork if necessary and Epiphany fits that bill better than Firefox. Of course, users can use any browser on their device, but we can’t invest time and energy in every available browser, we have to focus on our users’ needs.

4 Likes

Thanks Jeremiah, I guess Epiphany (which is the one I would like to use), and is on (I think) the “Librem 5” (Chestnut batch) I have, is Secure & Private; but do you there at Purism, intend at this stage to do an Audit on it?

Did you mean, with the Privacy & Security in mind with “Epiphany” as it is, is an Audit of the code, & doing if needed, the type of things, you at Purism found you needed to do to “Firefox”, to make it more Secure & Private; would be done, if Purism decides to “Fork” Epiphany?

Also is Epiphany on the “Chestnut Batch” of the phone, run from a Flatpak, or Installed partly to run in a container?

Picking up on that question, I would be interested to know what those things were. Is that documented anywhere, at least in part?

or a good link ? :joy:

The changes that we make to Purebrowser are here: https://source.puri.sm/pureos/packages/firefox-esr/commit/0d5ee489c1c4761d8b02fc04ee9d16c341c9e2d8

This is a long list, and it is detailed.

2 Likes

I’m pasting here a high level description of what we did to PureBrowser to meet our required safety and privacy goals. Use this description along with the previous link to the actual diff to find out exactly the things we did.

We package Firefox from Debian unstable as “PureBrowser” then we make three minor changes:

  • We change the homepage. DuckDuckGo is currently our homepage.

  • We change the default search engine settings. DuckDuckGo is currently
    our default search engine.

  • We install privacy and security addons from
    addons.mozilla.com by default. We currently have two addons,
    uBlock and HTTPS Everywhere.

There are also tweaks for rebranding, packaging, and user-agent string
tweaks.

  • Re: planned audit - I assume you mean security audit @HD-OZ as opposed to privacy audit? At this point no audit is planned. To do that well requires security and/or privacy researchers, time and money, and a third party.

  • Re: audit of Epiphany - we haven’t done that either, but we have developers who’ve written part of the code base, so we have a greater degree of confidence.

  • Re: Yes, Epiphany should be on Chestnut and I’m fairly certain it’s the default on my Birch device and is meant to remain so. It is currently installed per default and not run from a flatpak. However, we’re building specific Continuous Integration tooling to build flatpaks in our toolchain, so we should soon be able to provide Epiphany runnable as a flatpak.

  • Re: Firefox vs. Epiphany security: I don’t know if we’ll need to do the same things on Epiphany as we did with Firefox, though I imagine we’ll want to tweak the defaults somewhat. At the moment core functionality and optimization for our platforms is being done, we’ll soon focus on the privacy and security aspects before wider release.

3 Likes

Hi Jeremiah, That as described in the LINK, for what was needed to do to “Firefox”; was very good, fabulous work > Thanks for including that Link.

The High level description in the next post of yours, was a good overview too; Plus your intended timeline for Epiphany, :slight_smile:

2 Likes