State of Web Browsers on Debian
I normally don't think much of Phoronix's articles but this one raised some good points. It is an issue I have seen on various distros, especially if you want an FSF approved one, in that web browsers among other software can be using EOL versions that are not being patched. App Images and flatpaks have their own issues so don't solve everything or introduce other problems.
https://www.phoronix.com/scan.php?page=news_item&px=Web-Browser-Packages-Debian
abrowser stays up to date and works great on Debian - use that. It has better privacy and security defaults than Firefox.
Or better yet, just use Trisquel. Debian is not a great desktop distro, no matter how many fans it has. Anyone using Debian as their desktop distro and thinking they won't have to find their own browser is just fooling themselves.
So I am currently a Debian user (I'm new to free software as of this year, but I'm considering switching to Trisquel[1]). I use the firefox-esr out of Debian's repository with socks5 to Tor and haven't had any issues at all. I don't use web apps though.
I'm not sure why I would need a newer browser, the sites I use tend to be fairly simple and some of them even work on netsurf (I love netsurf, I wish it could be my main browser instead of firefox but it's not quite there). I'm not very concerned about getting a virus from the websites I visit, especially with noscript.
[1] I haven't switched over from my initial install because there's some things I don't quite like about Trisquel, mostly due to its upstream:
- Debian bases themselves on their own stable rather than Ubuntu which bases themselves on Debian's testing. Sure the packages are newer, but I see it as "doing it wrong".
- Ubuntu continues to move their apps to containers (which does solve some real problems, but I just don't like it) whereas Debian seems committed to the deb file. Trisquel also seems committed to the deb file, but once again it seems like building your house out of straw here...
- Debian supports almost every architecture under the sun. Ubuntu supports a little bit less, but Trisquel only supports the 86s (I read on this forum 10 should also support arm64, which is good, but still a lot less architectures than Debian). My ideal OS would even support the 3/4/586 which Debian dropped (I'm surprised no one has made a spin of Debian for the 4/5).
If Trisquel was a fork of Debian instead of Ubuntu I probably wouldn't hesitate. I probably will switch to Trisquel anyways because I like its care for freedom, but if anyone wants to sell me on it there's my reasons for hesitating.
"So I am currently a Debian user (I'm new to free software as of this year, but I'm considering switching to Trisquel[1]). I use the firefox-esr out of Debian's repository with socks5 to Tor and haven't had any issues at all. I don't use web apps though.
I'm not sure why I would need a newer browser, the sites I use tend to be fairly simple and some of them even work on netsurf (I love netsurf, I wish it could be my main browser instead of firefox but it's not quite there). I'm not very concerned about getting a virus from the websites I visit, especially with noscript."
The issue with using older browsers wasn't that web sites wouldn't load but that security threats weren't being patched as the versions that Debian had available were no longer being worked on.
"abrowser stays up to date and works great on Debian - use that. It has better privacy and security defaults than Firefox.
Or better yet, just use Trisquel. Debian is not a great desktop distro, no matter how many fans it has. Anyone using Debian as their desktop distro and thinking they won't have to find their own browser is just fooling themselves."
I used to use Trisquel but 9.0 doesn't have all of the programs I need so I am using Pure OS at the moment. Hopefully 10.0 can change this. I didn't know one could get Abrowser on Debian, where does one find it? I didn't see it in the repos last time I used Debian.
You can find it there: https://archive.trisquel.info/trisquel/pool/main/f/firefox/
I am pretty sure andyprough gave on this forum step-by-step instructions to "add the trisquel repo to Debian and do apt pinning to update abrowser regularly", but I was only able to find a post where he wrote that he did that: https://trisquel.info/forum/abrowser-why-no-update-option-menu#comment-161920
@andyprough: do you still have those step-by-step instructions?
I don't use Debian, but I do mess around with Devuan sometimes. Here's my writeup on using abrowser with Devuan, a Debian user such as yourself could correct me if there's any different steps to take:
https://trisquel.info/en/forum/how-install-abrowser-devuan
I'm also not very knowledgeable on apt pinning, so if my method isn't ideal feel free to correct it. This method does work, but it's kind of my amateurish way of doing it.
You are actually more knowledgeable than me, who had never used APT pinning before a few minutes ago. I modified what you wrote to avoid the manual edition of configuration files, to use Nabia's repository instead of Etiona's and to lower the priority from 700 to 50 (because, as far as I understand apt_preferences' manual, which gives headaches, any positive priority is enough here). I obtained that script (to be executed as root):
#!/bin/sh
# Install the Trisquel archive keyring so that APT can verify the repository.
wget https://archive.trisquel.info/trisquel/pool/main/t/trisquel-keyring/trisquel-keyring_2018.02.19_all.deb
dpkg -i trisquel-keyring_2018.02.19_all.deb
# Add the Trisquel 10 (Nabia) updates repository as an extra source.
printf 'deb http://archive.trisquel.info/trisquel/ nabia-updates main
' > /etc/apt/sources.list.d/trisquel.list
# Pin everything from that repository to -1, except abrowser and trisquel-keyring.
printf 'Package: *
Pin: release a=nabia-updates
Pin-Priority: -1

Package: abrowser
Pin: release a=nabia-updates
Pin-Priority: 50

Package: trisquel-keyring
Pin: release a=nabia-updates
Pin-Priority: 50
' > /etc/apt/preferences.d/trisquel
apt update
apt install abrowser
The blank lines (which I had not initially written for a better rendering on this forum) are essential! Without them, the packages in Trisquel 10 Nabia that are more recent than those in Debian will be proposed for upgrade. I cannot attach the script, because "An HTTP error 0 occurred".
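An added example, not part of the original post: a small lint for an APT preferences file that catches the failure mode described above (stanzas run together because the blank lines are missing) and also reports any package other than the intended ones that is given a positive priority. The function and sample names (`lint_prefs`, `sample_good`, `sample_bad`) are made up for this example, the sample file is constructed from the script in the post, and matching a catch-all to the other stanzas by identical `Pin:` text is a simplifying assumption.

```shell
#!/bin/sh
# Added example: lint an APT preferences file before trusting it to fence off
# a foreign repository. Prints one finding per line, nothing if the file is sound.

# lint_prefs FILE ALLOWED_PACKAGE...
lint_prefs() {
    file=$1; shift
    awk -v allowed="$*" '
    # Called at every blank line and at end of file: judge the stanza just read.
    function endstanza(   n, i, pk) {
        if (!seen) return
        if (np != 1 || npin != 1 || nprio != 1)
            print "stanza at line " start ": expected one Package/Pin/Pin-Priority, got " np "/" npin "/" nprio " (missing blank line?)"
        else {
            n = split(pkgs, pk, " ")
            for (i = 1; i <= n; i++) {
                if (pk[i] == "*") { if (prio + 0 < 0) blocked[pin] = 1 }
                else if (prio + 0 > 0) {
                    opened[pin] = 1
                    if (!(pk[i] in ok))
                        print "package " pk[i] " is not on the allow-list but has priority " prio
                }
            }
        }
        seen = np = npin = nprio = 0
    }
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*$/      { endstanza(); next }
                    { if (!seen) { seen = 1; start = NR } }
    /^Package:/     { np++; pkgs = $0; sub(/^Package:[ \t]*/, "", pkgs) }
    /^Pin:/         { npin++; pin = $0; sub(/^Pin:[ \t]*/, "", pin) }
    /^Pin-Priority:/ { nprio++; prio = $2 }
    END {
        endstanza()
        # Every Pin expression that lets a package in should also have a
        # negative "Package: *" stanza keeping everything else out.
        for (p in opened) if (!(p in blocked))
            print "no negative catch-all (Package: *) for pin: " p
    }' "$file"
}

# Constructed sample: the preferences from the post, with blank lines.
sample_good() {
    cat <<'EOF'
Package: *
Pin: release a=nabia-updates
Pin-Priority: -1

Package: abrowser
Pin: release a=nabia-updates
Pin-Priority: 50

Package: trisquel-keyring
Pin: release a=nabia-updates
Pin-Priority: 50
EOF
}

# Constructed sample: the same text with the blank lines lost.
sample_bad() { sample_good | grep -v '^$'; }

# Stand-alone demonstration on the broken sample.
tmp=$(mktemp)
sample_bad > "$tmp"
lint_prefs "$tmp" abrowser trisquel-keyring
rm -f "$tmp"
```

On a real system the call would be `lint_prefs /etc/apt/preferences.d/trisquel abrowser trisquel-keyring`, and `apt-cache policy` remains the authoritative view of the priorities APT actually applies.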
Excellent, this will be very helpful to me going forward.
Do you have a gitlab page, or something similar? You could upload scripts there and link to them from this forum.
Here it is: https://dcc.ufmg.br/~lcerf/abrowser-on-debian.sh
Thanks, it works fine. I just added 3 more lines to /etc/apt/preferences.d/trisquel
Package: abrowser-locale-fr
Pin: origin "archive.trisquel.info"
Pin-Priority: 50
and installed abrowser-locale-fr.
After logout and re-login, the language of abrowser is changed (no need to change it in the parameters).
I modified what you wrote to avoid the manual edition of configuration files, to use Nabia's repository instead of Etiona's and to lower the priority from 700 to 50 (because, as far as I understand apt_preferences' manual, which gives headaches, any positive priority is enough here).
I had not understood: APT was not proposing the new upgrade to Abrowser 96. After giving pin priorities of 500, it did. Now that I understood that JavaScript Restrictor was the reason why I could not attach anything to my posts (it must be disabled before clicking "Reply"), I provide the updated script as an attachment to this post. You can execute it in this way, from a terminal opened in the same directory:
$ sudo sh abrowser-on-debian.txt
Attachment | Size |
---|---|
abrowser-on-debian.txt | 569 bytes |
>"$ sudo sh abrowser-on-debian.txt"
Quick note Magic - this also still works on 32-bit systems if you simply change "nabia-updates" to "etiona-updates" in line 4
MB,
https://homepages.dcc.ufmg.br/~lcerf/abrowser-on-debian.sh gave me
"Someone could be trying to impersonate the site and you should not continue.
Websites prove their identity via certificates. Abrowser does not trust homepages.dcc.ufmg.br because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.
Error code: SEC_ERROR_UNKNOWN_ISSUER"
I see the issuer is GlobalSign RSA OV SSL CA 2018
I am not in control of dcc.ufmg.br. Only of my home folder on that machine. As a consequence, I cannot change its SSL server certificate, whose issuer is indeed unknown to Abrowser. You can copy the script from https://trisquel.info/forum/state-web-browsers-debian#comment-163429 (where, I repeat, the blank line before every "Package:" is essential) or "accept the risk" (or whatever the wording the Web browser uses). There is here no risk: you can then check that the small script you download is identical to the one in this thread.
Today Abrowser seems to be ok with it. Both https://dcc.ufmg.br/ and https://homepages.dcc.ufmg.br/~lcerf/abrowser-on-debian.sh opened up (https://homepages.dcc.ufmg.br/~lcerf/abrowser-on-debian.sh opened in VIM)
I guess trust for that issuer was added. Cool!
Edit: Interesting, it actually seems that https://dcc.ufmg.br/ is using a different cert: Organization Let's Encrypt
If you haven't tried Trisquel 10 beta, you should - it's very good. Trisquel 10 beta with backports enabled and with the Guix package manager will give you a very wide range of up-to-date applications.
I saw that Guix has Icecat but there is a warning that it is a preview, I don't understand what that means.
I now use Debian on my desktop because with Trisquel I have failures in Xorg (most often general protection fault) that put the computer in a broken state. I don't know whether there is a way to use Wayland with Trisquel, which could perhaps solve my problem with Xorg so I could use Trisquel again on the desktop. I saw that Guix has a wayland package but I am not sure how to use it.
The problem with Debian is that its packaging system is very complicated, and they have these rules about "stability" which don't really make sense for most desktop users. However, I think Debian testing/unstable are fine for desktop usage if you know what you're doing. I've used unstable for over a year now and I don't have many problems. Firefox is kept up to date (I use the regular version, not ESR), though Chromium isn't (I install ungoogled-chromium from Flathub, it is useful because some sites don't work well in Firefox).
The current situation with Firefox in stable seems pretty bad, a few months ago I was wondering what they would do when Firefox 78 reached EOL, since 91 requires a newer version of Rust. I expected that they would have planned for this transition since there was plenty of time, but apparently they didn't. I remember when Trisquel had similar issues with Abrowser several years ago, but luckily Trisquel seems to be much better maintained nowadays.
"As of 2021-10-14 19:19:07, Debian's Chromium package in buster, bullseye and bookworm repository remains vulnerable to numerous CVEs as outlined in the Chromium Security Tracker. Consider using an alternative browser like Firefox, Brave or ungoogled-chromium."
https://wiki.debian.org/Chromium
"Q: The version number for a package indicates that I am still running a vulnerable version!
A: Instead of upgrading to a new release we backport security fixes to the version that was shipped in the stable release. The reason we do this is to make sure that a release changes as little as possible so things will not change or break unexpectedly as a result of a security fix. You can check if you are running a secure version of a package by looking at the package changelog, or comparing its exact version number with the version indicated in the Debian Security Advisory."
https://www.debian.org/security/faq.en.html#version
> Instead of upgrading to a new release we backport security fixes to the version that was shipped in the stable release
This is not true for Firefox and Chromium. Browsers (besides the minimalist ones like Dillo and Netsurf) have just gotten too complicated for a small team to backport security fixes, so they just update to the latest version (ESR in the case of Firefox). The problem now is that they are far behind on updates for both of these browsers due to certain issues that they had a lot of time to prepare for, but apparently didn't. No security fixes have been backported, and at this point only Debian unstable (which I use) has an up-to-date version of Firefox.
Mozilla puts its .debs for Firefox and Firefox-esr in a ppa on launchpad: https://launchpad.net/~mozillateam/+archive/ubuntu/ppa
Those are actually Ubuntu's packages, not Mozilla's. But anyway, I guess it would be nice to have a similar APT repo specifically for Abrowser.
Oh, I thought "Mozilla Team" meant it was a Mozilla effort. So this is Ubuntu's Mozilla packaging team I guess.
Yeah, it would be nice if abrowser was a bit easier to grab and use on other distros. But we have MB's script now - that could be run on most Debian based distros probably.
"This is not true for Firefox and Chromium. Browsers"
True, good point it looks like.
"For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird."
https://lists.debian.org/debian-user/2021/12/msg00242.html
^ First message of "Firefox ESR EOL"
"Please note that Mozilla is constantly updating to newer rustc and LLVM versions. That means that preparing a new major ESR release for Debian requires not just the packaging of the firefox-esr and thunderbird updates, but also some very complex toolchain components. Those components are usually already in unstable/testing, but for stable, oldstable, and LTS, the toolchain must be backported first."
https://lists.debian.org/debian-user/2021/12/msg00261.html
"Debian also supports additional hardware architectures and the toolchain components sometimes require specific work in order to support those additional architectures. In fact, that was the case with this current update that is underway."
https://lists.debian.org/debian-user/2021/12/msg00264.html
Interesting how this is an issue for firefox "ESR", which you'd think would be geared more towards "stable" distros, but looks like debian is planning to update firefox-esr when they can in the current "stable"?
>""For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable."
Except the chromium that Debian offers is way out of date also. Last I checked, their version of chromium was from April or May.
I think Firefox ESR is supported for about a year, so it's not stable enough for Debian. They are working on packaging the latest ESR version, but they are far behind (they just packaged the necessary version of Rust). I don't know why they didn't prepare for this in advance, because it was known that the new ESR version would require new Rust/cargo versions.
Strange that nobody warned packagers that Rust would be a pain in the neck for them.
I think they knew about it, but this has more to do with lack of manpower on Debian's side. Notice that Ubuntu/Trisquel didn't have this problem, as they just backported the latest Rust from Debian unstable.
Chromium is more of an issue because there's nobody willing to maintain it. Ubuntu just switched to the snap version.
Speculation proceeds.
Maybe the number of architectures (also?) had something to do with it, I don't know for sure and am not aware of an official statement from Debian about it?
https://releases.ubuntu.com/21.10/
^ Only appears to have 64 bit?
Is this the first time this type of situation happened with debian stable, and if so maybe will just be one time, or yearly there will be a delay, but maybe shorter over time?
Is there an ESR based firefox fork that's decent enough that would work well with apt?
There is an issue with mipsel and firefox-esr which will lead to firefox-esr being dropped for mipsel:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001234#12
Ubuntu also supports a few more architectures:
https://cdimage.ubuntu.com/ubuntu/releases/21.10/release/
Trying to download that shell script from MB's site with curl resulted in an error for me as well.
https://packages.ubuntu.com/focal/firefox
^ Ubuntu doesn't base off of firefox-esr iirc, but if you scroll down more towards the bottom, it appears that only amd64 has version 95.0+build1-0ubuntu0.20.04.1, whereas the others are at 75.0+build3-0ubuntu1.
>"Trying to download that shell script from MB's site with curl resulted in an error for me as well."
Did you try wget?
>"it appears that only amd64 has version 95.0+build1-0ubuntu0.20.04.1, whereas the others are at 75.0+build3-0ubuntu1"
I hadn't noticed that, I haven't fired up my 32-bit mini-tower since the end of the summer. I should do that soon, there's lots of fun new 32-bit stuff to play with, including the new Trisquel.
The good news is, you can always download the latest abrowser. At least that should give you a current 32-bit option if you can't get the latest firefox-esr.
True, abrowser could be a good option, since no work to turn off the stuff like the automatic connections and recommendations of non-free extensions, but having to concern oneself with two repos to keep abrowser and trisquel-keyring up to date and the rest of the stuff for debian might be a cost of that though? firefox and firefox-esr are different things, but I don't know how much that matters, or if at all, with the current debian/rust situation.
with wget, terminal says
"ERROR: The certificate of ‘homepages.dcc.ufmg.br’ is not trusted.
ERROR: The certificate of ‘homepages.dcc.ufmg.br’ doesn't have a known issuer."
>"but having to concern oneself with two repos to keep abrowser and trisquel-keyring up to date and the rest of the stuff for debian might be a cost of that though?"
Once you set it up you probably won't have to do any repo stuff for quite a long time.
>"with wget, terminal says "ERROR..."
This will do it for you:
wget --no-check-certificate https://dcc.ufmg.br/~lcerf/abrowser-on-debian.sh
It lets me download with no https errors with other things.
sha512sum abrowser-on-debian.sh
0e7f99f722a9c1f8ef3a22b499b9141a6732d74f62a5bd7de5de8192afa319e7b7d1f1b991c81c3a5dafc0dfc564bc18ddd25c9bd3dfcb0cfe75bfc158fcbb98 abrowser-on-debian.sh
"Maintainers:
Maintainers of Mozilla-related packages (QA Page)
Mike Hommey (QA Page)"
https://packages.debian.org/sid/firefox-esr
"His story is also very interesting in that he went from simple user to Iceweasel maintainer, and now he’s working for Mozilla Corporation. But you already knew that contributing to free software is a good way to grow skills and gain experience that are valuable on the job market, right?"
https://raphaelhertzog.com/2011/02/03/people-behind-debian-mike-hommey-firefox-iceweasel-maintainer/
Might want to consider changing the lines that have
Pin: release a=nabia-updates
to
Pin: origin *archive.trisquel.info*
Because if later on, if one forgot to change nabia-updates to the newer one with the apt pinning file, but changed the line for trisquel's repo in sources.list that could result in a broken system?
"Repositories that can create a FrankenDebian if used with Debian Stable:
Debian testing release (currently bookworm)
Debian unstable release (also known as sid)
Ubuntu, Mint or other derivative repositories are not compatible with Debian!
Ubuntu PPAs and other repositories created to distribute single applications
Some third-party repositories might appear safe to use as they contain only packages that have no equivalent in Debian. However, there are no guarantees that any repository will not add more packages in future, leading to breakage. "
https://wiki.debian.org/DontBreakDebian
"you can then check that the small script you download is identical to the one in this thread."
If you wanted to, you could include a hashsum with the link, but maybe one could export the certificate from a web browser that works (because of AIA?) without https errors so they could use it with wget and curl without having to ignore https?
>"However, there are no guarantees that any repository will not add more packages in future, leading to breakage."
This is why we are apt pinning to only allow the abrowser and the Trisquel keyring packages.
gaseousness' point is that one could substitute in /etc/apt/sources.list.d/trisquel.list "nabia" for whatever Trisquel 11's codename will be and the APT pinning will not work anymore because it specifically deals with Nabia's packages.
I therefore modified abrowser-on-debian.sh as he suggested: https://dcc.ufmg.br/~lcerf/abrowser-on-debian.sh
Its sha512sum is now 2264d7099dca81f9c729f5ba8813804913e6ef7372a582ae7c106d458034c9f514b67bbb85150877d73e335908352c6e24e189907cae6e45018e43f01ca475b5
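An added example, not part of the thread: since the script is fetched here with certificate checking disabled and then compared against a SHA-512 posted on the forum, this wrapper makes that comparison a precondition for running it. The function names `verify_sha512` and `run_if_verified` are made up for this example, and the demonstration file is constructed.

```shell
#!/bin/sh
# Added example: run a downloaded script only if its SHA-512 matches a digest
# obtained over a channel you do trust (here, the forum post).

# verify_sha512 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if the digest or file is unusable.
verify_sha512() {
    file=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A SHA-512 digest is exactly 128 hexadecimal characters; reject anything
    # else so that a truncated copy-paste is never treated as a match.
    case $want in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#want}" -eq 128 ] || return 2
    [ -f "$file" ] || return 2
    got=$(sha512sum "$file" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# run_if_verified FILE EXPECTED_HEX
# Executes FILE with sh only when the digest matches; otherwise refuses.
run_if_verified() {
    if verify_sha512 "$1" "$2"; then
        sh "$1"
    else
        rc=$?
        echo "refusing to run $1: digest check failed (code $rc)" >&2
        return "$rc"
    fi
}

# Stand-alone demonstration on a constructed file.
demo=$(mktemp)
printf 'echo "script ran"\n' > "$demo"
digest=$(sha512sum "$demo" | cut -d' ' -f1)
run_if_verified "$demo" "$digest"            # matches: the script runs
printf '# modified in transit\n' >> "$demo"
run_if_verified "$demo" "$digest" || true     # changed: refused
rm -f "$demo"
```

For the script in this thread the call would be `run_if_verified abrowser-on-debian.sh` followed by the sha512sum quoted in the post above, run as root.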
You've birthed a new opensource project, version 0.2.
Speaking of which, I hope your pdf-page-grep is still working well. I'm going to have need of that soon.
You've birthed a new opensource project, version 0.2.
You have birthed it! It is essentially what you wrote in the first place, half a dozen commands. The script is not meant to be used years from now, because "nabia" is hardcoded and so is the version of trisquel-keyring.
Speaking of which, I hope your pdf-page-grep is still working well.
You remember that! :-)
It is here: https://dcc.ufmg.br/~lcerf/en/utilities.html#pdf-page-grep
And yes, it works. I have just tried.
"SearchEngines (This policy is only available on the ESR.)"
https://github.com/mozilla/policy-templates/blob/master/README.md
Interestingly, although tor browser is said to be based upon firefox-esr, I was unsuccessful with trying to change the search engine using about:policies method.
Personally I use Debian unstable, so this hasn't affected me and I use the non-ESR firefox in the repo, with the configuration changes to disable various antifeatures like EME, studies, sponsored shortcuts, etc. Abrowser is a good option. I am wary of it because of the possibility of breakage ("don't break Debian") due to Trisquel's older library versions, but it seems that it works without any problems.
Several years ago I used to maintain a PPA for Abrowser with the KDE patches from OpenSUSE. Maybe I should look into making an Abrowser repo for Debian, perhaps on the OpenSUSE build services.
There is also Librewolf, which has an APT repo and is also available via AppImage and Flatpak.
>"I use the non-ESR firefox in the repo, with the configuration changes to disable various antifeatures like EME, studies sponsored shortcuts, etc."
You might as well switch to LibreWolf, save yourself a bunch of configuration time.
What about a repo of just the latest appimage?
this browser project is fixing security issues in chromium and making a hardened browser. it's still work in progress but i see great promise in what these people are doing
another idea i had of my own was:
make a minimalist browser similar to (or forked from) Suckless Surf that uses the blink engine from chromium (surf uses an old, slow webkit that doesn't render many newer sites well). adblock by default, and start removing fingerprint stuff like tor browser does with firefox, and run it through torsocks
The issue with 'yet another browser' is they often don't have what is really needed to catch on: extension support. Embedding a couple in like Falkon does is not enough.
I think the dream browser is one with something like LocalCDN/decentraleyes. Ultimately all the javascript sites need to run is stored locally on your computer. This will have the benefit of loading times, lower requests to CDNs, greater user control, and even security (if a website wants jquery15.js, and the latest version of jquery is 17, the browser will load jquery17.js from its own storage, try using this extension https://addons.mozilla.org/en-US/firefox/addon/retire-js/ to see how ruined everything is). The Javascript can be installed/upgraded straight through the user's distro repo.
The problem with the web security model is that it assumes the user should run arbitrary scripts websites give them. I'm inclined to believe users should not run any arbitrary scripts websites give them, free or non-free, users should run software from their own machine given to them from trusted sources. If a website wants jquery, that's not a problem, but the user should have it on their computer, not given to them from some CDN.
I don't dream of a new browser with 35 new mitigations because the model is ruined, I mean that work is beneficial and I appreciate it, but what I dream is a browser that doesn't need to constantly think about mitigations because the model is good. The only way I see that is to kill running any script that's not explicitly from the user's own machine.
Just move to gemini, give up on the world-wide-web. It's a broken model with no real hope for redemption.
What we need is a tool that will grab www stuff and show it as a static capsule to a gemini user. It's probably fairly simple to code something like that.
I don't like gemini actually. It wants me to install one new library for their protocol to access a gmi file, but more importantly it doesn't support inline links. That pretty much makes it DOA to me. What makes the web great is hyperlinks, linking information together, sometimes even word by word, if all you want is a collection of text files then browsing directories with ftp is enough.
> What we need is a tool that will grab www stuff and show it as a static capsule to a gemini user.
I guess you mean this sort of thing, but client side: https://proxy.vulpes.one/gemini/gempaper.strangled.net/mirrorlist.
The guardian.shit.cx stuff works, some of the other resources also work fine, some are broken or discontinued.
A long way to go before reaching the far side of the moon. I think I am enjoying that slow motion journey.