New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use non-official branding by default for Pale Moon #36917
Conversation
As much I dislike the Pale Moon management and would advise people against using this browser, at this point, removing the package entirely will likely upset even more users. |
I think you are right. I'll prepare that change (along with (By the way, Firefox now comes with official branding enabled by default after someone from Mozilla said our patches are OK.) |
The only concern that's left is that Pale Moon -> New Moon rename also might confuse users. Perhaps, this should be in release notes, there's not much else we can do about that. |
Don't worry about it. If it's an attribute name change please add a compatibility alias but if you just mean the name the browser displays then there's no issue. |
afc57d2
to
4e42a90
Compare
I dunno why you are debranding your package. Your build options look fine to me. |
The best of all world is to de-brand the package. "Looking fine" does not suffice, and I am not a graduated lawyer yet, so a more conservative and less risky approach is in order. |
When packaging it I overlooked the fact that is uses the bundled libraries but it should use those provided by Nix in priciples. |
Substituting in-tree libs for system libs, beyond the potential mismatch and subtle and hard to reconcile conflicts with the glue code, materially changes the nature of the end result. It's like baking a cake and using margarine, powdered eggs, and powdered milk instead of real butter, real eggs, and real milk. You get something kinda close but it isn't the same thing.. It is something.. OTHER.. System libs won't have any specific feature or functional changes we have made to the lib code to make them suitable for the glue code. In that case you would need to debrand and NOT offer any option for official branding. It wouldn't build with official branding anyway in that configuration. Besides, as explained, what you would producing would cease to be Pale Moon at that point. Be sure to inform your users that they should not seek any support from us if you make these unwise changes. We cannot offer any kind of support to packagers or users for unbranded builds or alternate build configurations. Nor is there any guarantee that the codebase will be stable and in any kind of working condition in that configuration. You have to understand that a classical mozilla style codebase is not like any other piece of software out there.. It cannot be treated exactly the same as everything else. It requires care and due diligence. @AndersonTorres This "conservative approach" is VERY risky because of the reasons outlined above. We have seen that strange things happen when you mix random system libs into the glue code and produce a binary like this.. Basically, it is a code mismatch. @rnhmjoj Please don't let @yegortimoshenko crusade against our project cloud your opinions of us or my self. By all means, I am not perfect but I do try to learn from my own mistakes. A few bad interactions elsewhere is not the sum of who I am. Beyond the strictly technical issues all we want is to ensure that when a user installs and uses Pale Moon what they are getting IS indeed Pale Moon. As it stands, that is what you are producing and it is fantastic. However, if you make these changes then well.. I have no idea what it is you are putting out at that point.. But it isn't going to be Pale Moon and your users will suffer because of this.. I ask you to please leave things as they are because they are perfect as-is. But failing that, perhaps you should just remove the offering completely because yet another system lib configured unbranded build really helps no one unless you are gonna actually DO something with it beyond grab the code and build. Also, sorry for all the edits and revisions. I wanted to make sure that I was clearly expressing what I wanted to say. Also, mobile github isn't that great for this so I rewrote from my workstation. |
I understand your reasons well, I just disagree with the means. Regarding OpenBSD, if you say that was a mistake then that's fine with me. The free and open source software community is already small and fragile without people hating and attacking each other. Anyway non-technical matter aside, It's just that this is generally against the design of Nix and other distributions of maintaining a curated set of packages where each package should use the dependencies provided by the package manager to reduce disk space and compile time, allow easy patching, not mixing licenses, tracking dependencies etc. Firefox, Chromium, other browsers and the vast majority of packages are doing this but there are exceptions, so I guess this could be one but I don't have a lot of experience and knowledge of Nix to say a definitive yes or no. I can surely say that I don't want the package removed because that would the possible worst solution for everybody, particularly for users that may see their browser of choice removed for reasons they couldn't care less. |
That is the issue though, their browser of choice is being removed and replaced with something else (albeit similar) if this goes forward. However, it is your decision but please do inform your users of the change and the repercussions of it. Please don't leave them confused. |
The problem with using bundled libraries is that it makes tracking CVEs in those libraries impossible, and trademark policy specifically prohibits patching source code, so we can't patch it ourselves without debranding. Also, see Debian thread and FreeBSD thread. It would be nice if Pale Moon distributed patches on top of modern versions of libraries that we could apply. Even if we were to leave Pale Moon as is, it probably should be under
That would cause it to not be built on Hydra, so it seems to be a better idea to debrand it from user's perspective. For example, we currently have jemalloc patch to make it work on aarch64, sqlite in Pale Moon is one minor version (three months) behind, NSPR is two minor versions (6 months) behind, etc. Also even though I couldn't find unpatched CVEs, I think it's important to be able to patch code that we ship without asking for permission. That said, @mattatobin raises a valid concern: since Pale Moon patches third-party libraries for compatibility with older Gecko, there might be a point in the future where our builds that use native libraries destabilize to the point where we would have to keep older versions of the libs, or patch ourselves, or drop Pale Moon from the tree. In that case, someone can contribute |
Any updates on this pull request, please? |
Upstream confirms the configuration is acceptable as-is (the current update PR). I can still take a shot at an updated Pale Moon/New Moon split if you think it makes sense. |
Thank you for your contributions.
|
Ping @yegortimoshenko |
Closing it because, well, everything is OK now. |
I would suggest dropping Pale Moon, because it's currently built with non-standard options and native libraries and upstream is aggressive towards this. For context, see: jasperla/openbsd-wip#86 and prism-break/prism-break#1385 (comment).
Pale Moon redistribution policy: https://www.palemoon.org/redist.shtml
I should note that there are no legal repercussions for redistribution, so no need to pull it from cache, but would be nice to resolve this prior to 18.03 release.
Alternative resolution would be to switch to New Moon branding (i.e. only dropping
ac_add_options --enable-official-branding
) and change attribute name and such./cc @rnhmjoj @AndersonTorres