Pale Moon x86-64 SSE2/AVX2

[Veit Kannegieser]

BTW, I assume the line that reads gpg: WARNING: This key is not certified with a trusted signature! is nothing to worry about?

put

Code: Select all

trusted-key 5061CC51C94306050CFA1FEE48FAD2907D84EDEB # 2022-03-18 Nuck-TH <**************@gmail.com>

in your gpg.conf file, which should be somewhere in your OS user profile.

[Moonchild]

wouldn't MD5 be easier? AFAIK, md5sum comes preinstalled on every Linux distro I've ever tried.

Hashes are fine to verify if a download wasn't corrupted/changed in transport, but don't verify authenticity. If someone serves you with a malicious hash and malicious binary, then there's no way at all for you to tell that you got what you expected. MD5 is also fairly weak in terms of uniqueness of the hashes.
Pgp/gpg or any other type of cryptographic signature will not only prevent changes to the binaries (it has checksumming built-in, so to say), but also verify that it was created by the person you expect.
To what level a checksum is "enough" depends entirely on the environment you are in.

BTW, I assume the line that reads gpg: WARNING: This key is not certified with a trusted signature! is nothing to worry about?

Trust of signatures depend on trust in the key pair. If enough third parties have verified that the key pair belongs to the person it claims to belong to, and your pgp/gpg can verify the trust of those certifications by others (e.g. by having them trusted, themselves) then that message will go away. For example, I can certify Nuck's key by cryptographically signing it with my own key indicating I trust the key I'm signing belongs to Nuck. This is why on nerd conventions there's usually a time slot set aside for gpg verification and signing of keys to strengthen that web of trust. It's a bit of a chicken and egg problem -- anyone can create a key pair with nuck's e-mail/name attached to it, and it only becomes more trustworthy if verified and trusted by others, who in turn also need to be trusted.
If you don't have an established web of trust or expect the key to be extensively verified by others, then that warning isn't anything to worry about. Just remember that even cryptographic keys can be faked in that they can be created without trust by anyone.

As stated above you can explicitly assign trust to a key yourself if you've verified it's legit or your trust it. That would also provide a nice flag if it changes in the future/is signed by another key.

[UCyborg]

Can't say I have any complaints about SSE2 Windows version, at least I didn't notice anything out of the ordinary. It's great to see support for CSS layers.

[Theresnothinghere]

The new SSE2 version also works flawlessly on Windows Vista Extended Kernel

[Theresnothinghere]

I looks like 1st gen and 2nd gen Ryzen aka Zen and Zen+ CPU users which is 1xxx, 2xxx on desktop and 2xxx, 3xxx on mobile should probably be using official AVX version despite their processors supporting AVX2,
because they need 2 clock cycles to complete an AVX2 instruction, while Intel's CPUs and also later Ryzens need one.
https://en.wikipedia.org/wiki/Zen_(firs ... erformance

Unless the gains from AVX2 are so high that it wins anyway against AVX, which is don't know.

[Kris_88]

What's the point of these hashes and cryptography if you can't verify that the executables actually match the source code, that there is no spyware embedded in them?

I'm worried about this post: viewtopic.php?f=40&t=27873#p225806

Build of version 29.4.5 is in the same Yandex.Disk folder, now with x86 builds and detached PGP signatures instead of checksums.

The connection with Yandex points to Russians, and I have been very distrustful of Russians for some time now.

And now these builds will also be used in Puppy Linux (such a "good" news) :
viewtopic.php?f=40&t=27873&start=100#p254227

@ Nuck-TH :-

Excellent work, young sir. Thank you SO much for these.

Currently under test, in the re-packaged Puppy-'portable' format I produce for our wee community. To date, seems very stable. I've asked the community to report back any "instabilities" they may find to the portable Pale Moon thread on the Puppy Forum, and I'll forward these on to you.

Appreciated. Cheers!

Mike.

I understand that with this post of mine I can offend, perhaps, a completely decent, honest person...
But, sorry, the potential damage from embedded spyware is too serious to be ignored.

[RealityRipple]

Sorry, but you can't verify that any executable ever matches source code, unless it's a completely deterministic build process, you compile it yourself, and then compare the resulting executable byte-for-byte.

And the post you're "worried about" is talking about a cloud storage location from two years ago...

[Kris_88]

Sorry, but you can't verify that any executable ever matches source code, unless it's a completely deterministic build process, you compile it yourself, and then compare the resulting executable byte-for-byte.

Of course, but here, in addition to the impossibility of verification, other circumstances are added.
It is also possible that someone who is not very familiar with these signatures believes that signature verification guarantees that the executable modules correspond to the source code. Unfortunately, it does not guarantee it at all.

And the post you're "worried about" is talking about a cloud storage location from two years ago...

If someone uploaded files to Yandex Disk, it doesn't matter whether it was recently or two years ago. In any case, it points to Russians (not only where the files were uploaded, but also who uploaded them). In this case, this is what is important to me.

[Nuck-TH]

The connection with Yandex points to Russians, and I have been very distrustful of Russians for some time now.

Yes, im working for KGB to infect 0.0001% of internet users with super secret viruses.
No, seriously?!
Broad attacks pretty much never target obscure software(no offense, but in grand scheme of things Pale Moon is rather obscure). Similarly, targeted attacks... target particular people, not random folks on the net.
Being serious, our special services are most likely busy with Ukraine and preventing terrorism attempts, not spying at (literal)handful of random foreign internet users.

I have no means, nor particular desire to prove anyone anything.
Except that for 2,5 years people use my builds without any complains. Make what you will from it.

Most paranoid can take my .mozconfigs, audit them and make builds themselves. It takes less than 20 min on modern CPU(Ryzen 5600x).
And non-paranoid actually should too in case of repackaging - autoupdater should be disabled in packages for package managers.

[Kris_88]

No, seriously?!

Yes, absolutely seriously. In your country, normal people are sent to prison for years for ordinary posts on social networks. And this is despite the fact that you have very few normal people left.

Broad attacks pretty much never target obscure software(no offense, but in grand scheme of things Pale Moon is rather obscure).

Many people use Pale Moon for privacy reasons.

I have no means, nor particular desire to prove anyone anything.

That's understandable... I put myself in your place and find it very difficult to come up with a method to prove anything in these circumstances. But, unfortunately, this doesn't prove anything either...

[back2themoon]

In your country, normal people are sent to prison for years for ordinary posts on social networks. And this is despite the fact that you have very few normal people left.

I'd say country-bashing does not belong to any sensible discussion, let alone x86-64 SSE2/AVX2. Try getting over your Russophobia. It is ridiculous by nature, as any-country-phobia.

[Kris_88]

I'd say country-bashing does not belong to any sensible discussion, let alone x86-64 SSE2/AVX2. Try getting over your Russophobia. It is ridiculous by nature, as any-country-phobia.

Come on, first of all, don't label me. And don't try to take on the role of a moderator.

What I'm saying is facts that justify my concerns about browser builds. It's entirely relevant to the topic at hand.

[suzyne]

If someone uploaded files to Yandex Disk, it doesn't matter whether it was recently or two years ago. In any case, it points to Russians (not only where the files were uploaded, but also who uploaded them).

I don't live in Russia, have never lived in Russia, and have no Russian relatives or heritage, yet I use Yandex Disk. Go figure?

Sorry, but your last assertion is like saying that everybody who uses Google Drive must be an American with connections to the USA, and that is simply false.

[back2themoon]

You are not suggesting anything sensible though, or some kind of possible alternative. The Russian government does bad things (I'd love to know which governments don't btw), so Nuck-TH is supposed to do what? "Unrussify" himself? Provide some crazy-ass digital super-signature assurance which does not exist? Move out of Russia? I don't even know if he's Russian or why is this a thing and what is the problem here (apart from paranoia).

Perhaps you are saying the contributed 3rd party builds are more prone to attack, than mainline? I guess that could be true and a genuine concern (Moonchild and Nuck-TH could analyse this I'm sure), but it's what it is. This isn't a large corporation, as you know. I'd leave politics out of this.

Come on, first of all, don't label me. And don't try to take on the role of a moderator.

None of this is true. I respect you a lot for the help you've always provided, and I have zero interest in moderation or any kind of forum/power/whatever games.

[Kris_88]

I don't live in Russia, have never lived in Russia, and have no Russian relatives or heritage, yet I use Yandex Disk. Go figure?

Be that as it may, Nuck-TH rather confirmed than refuted this assumption.
viewtopic.php?f=40&t=27873&p=254447#p254443

Sorry, but your last assertion is like saying that everybody who uses Google Drive must be an American with connections to the USA, and that is simply false.

Yandex Disk is more likely to be used by Russians. And global services like Google are used all over the world, including by Russians.

[back2themoon]

Yandex Disk is more likely to be used by Russians. And global services like Google are used all over the world, including by Russians.

And that should tell you which is the most invasive of the two...

[Kris_88]

You are not suggesting anything sensible though, or some kind of possible alternative.

I really didn't suggest anything. I just pointed out the problem.
That's something too..

[fretless]

Nuck-TH - Thanks again for providing these alternate builds, it is really appreciated by at least several of us.

Kris_88 - Nobody is making you use this software. If you don't trust it, don't use it.

[ron_1]

I'm assuming Moonchild does some kind of a check on 3rd-party builds (all of them). After all, they carry the "Pale Moon" name, and are linked to on the official website, and the last thing he would want is a bad actor fouling up the Pale Moon name.

[andyprough]

The connection with Yandex points to Russians, and I have been very distrustful of Russians for some time now.

...

I understand that with this post of mine I can offend, perhaps, a completely decent, honest person...
But, sorry, the potential damage from embedded spyware is too serious to be ignored.

I doubt that anyone is offended. They are probably just saddened to see the FUD-spewing depths you are sinking to, bashing a great contributor to this community in Nuck-TH just so you can continue your petty beef with MC. Freaking childish.