r/firefox is spreading disinformation about Pale Moon

General project discussion.
Use this as a last resort if your topic does not fit in any of the other boards but it still on-topic.
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.

Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
User avatar
jobbautista9
Keeps coming back
Keeps coming back
Posts: 780
Joined: 2020-11-03, 06:47
Location: Philippines
Contact:

r/firefox is spreading disinformation about Pale Moon

Unread post by jobbautista9 » 2022-07-03, 11:31

See this for example: https://old.reddit.com/r/firefox/commen ... ?context=3

Here's a copy of the AutoMod message just in case the mods cowardly remove it:
/u/[username], please do not use Pale Moon. Pale Moon is a fork of Firefox 52, which is now over 4 years old. It lacks support for many modern web features like Shadow DOM/Custom Elements, which have been in use on major websites for at least three years. They also don't have support for many modern JavaScript features, TLS 1.3, WebP images, and AV1 video. Pale Moon uses a lot of code that Mozilla has not tested in years. They have no QA team, don't use fuzzing to look for defects in how they read data, have never published a CVE (mature software teams report their security bugs), and have no adversarial security testing program (like a bug bounty). In short, it is an insecure browser that doesn't support the modern web.
Absolutely disgusting. Whoever in the mod team wrote this obviously hasn't used Pale Moon at all and relied on unfounded rumours. I wouldn't be surprised if it turns out to be u/nextbern who wrote this; that guy's a Mozilla fanatic. I wonder if he's getting paid though, all the moderation in r/firefox and preaching about how Mozilla is the best and the messiah of the web must be tiring.

What's weird is that they singled out Pale Moon, and don't attack Waterfox Classic which has some problems we also have and is arguably more insecure (look at all the security advisories they haven't addressed yet!).
Image

merry mimas

XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.

Mima avatar by 絵虎. Pixiv post: https://www.pixiv.net/en/artworks/15431817

Image

User avatar
Sajadi
Board Warrior
Board Warrior
Posts: 1226
Joined: 2013-04-19, 00:46

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by Sajadi » 2022-07-03, 12:23

What do you expect from Mozilla - The only thing what Mozilla is these days is being a political activist cult which only tries to collect the most radical of the radicals.

Can anyone really take Mozilla serious these days? A developer which abandoned willingly their most dedicated vocal user group (power users) for Chrome/simple users and who is interested in becoming the best Chrome possible without actually being Chrome?

Mozilla is in so many ways a waste of time, and yes, they are disgusting and anti-democratic and authoritarian, which includes the "management/leadership", the "development team" and most volunteers :sick: :mrgreen: :twisted:

They are literally grasp at straws right now in the hope that most Chrome users will abandon Chrome because of the Manifest V3 issue. Pure Losers :mrgreen: :mrgreen: :mrgreen:

BenFenner
Astronaut
Astronaut
Posts: 588
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by BenFenner » 2022-07-03, 12:48

Pale Moon gained TLS 1.3 support in v28.3.0 (2019-01-15).
http://www.palemoon.org/releasenotes-archived.shtml

Not sure how old this Reddit post is.

User avatar
jobbautista9
Keeps coming back
Keeps coming back
Posts: 780
Joined: 2020-11-03, 06:47
Location: Philippines
Contact:

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by jobbautista9 » 2022-07-03, 12:52

BenFenner wrote:
2022-07-03, 12:48
Pale Moon gained TLS 1.3 support in v28.3.0 (2019-01-15).
http://www.palemoon.org/releasenotes-archived.shtml
IKR? And it gets worse: they say WebP is not supported, despite the fact that it has been supported since 26.0.0 (January 2016)!
BenFenner wrote:
2022-07-03, 12:48
Not sure how old this Reddit post is.
I'm not sure when exactly the mods added the message to AutoMod, but the one I linked is from 11 hours ago. It must've been recent, as it's the first time I've seen this AutoMod message from r/firefox. They can't excuse themselves saying that it's an old post.

I still can't get over the fact that someone from the mod team, for whatever reason, decided to write an attack piece against Pale Moon unprovoked. Has there been a sudden evangelism in r/firefox preaching about why you should try Pale Moon? That'd be weird; you'd think that the fact that XUL is no longer appreciated by the audience of r/firefox, one would rather recommend, say, Waterfox...
Image

merry mimas

XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.

Mima avatar by 絵虎. Pixiv post: https://www.pixiv.net/en/artworks/15431817

Image

User avatar
andyprough
Astronaut
Astronaut
Posts: 688
Joined: 2020-05-31, 04:33

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by andyprough » 2022-07-03, 13:25

They are doing this because Firefox has been steadily losing users to Brave, Vivaldi and especially Edge for the past few years. You'll see them lashing out at projects like Pale Moon that are gaining users.

So as far as their points, Pale Moon does have TLS 1.3 and webp. I think it has support for AV1, right? It's enabled in the default .mozconfig.

I don't know what Shadow DOM/Custom Elements is - does Pale Moon implement that?

I think that "many modern javascript features" probably refers to the constantly shifting chaos that's "supported" in an often broken manner by Chrome?

As far as "QA team", seems like Pale Moon has the same one as every other major and minor open source project - the community bringing up issues on the forum and in formal bug reports. I'm pretty sure there are bug bounties, just not often needed to be paid out.

Fuzzing, to my understanding, simply refers to a few computers running various algorithms to test memory defects and so forth. Chrome and Firefox use completely different fuzxing from each other, I don't think there's any standard for it. It seems most important for projects like Chrome that are changing far too rapidly for human readers to keep up with. A mature code base shouldn't really need 20 million cycles of fuzzing per month. Also, I think Chrome and Firefox need fuzzing because they are multiprocess and are susceptible to highly complicated data leakage between processes, which should not effect Pale Moon at all.

As far as publishing CVE's, I don't know anything about it. Does Pale Moon ever publish them? Sounds like something that might become more important if the browser is in more widespread use, especially in corporate environments? If sysadmins were wanting to apply specific patches, rather than using the provided binaries?

I'm clearly no expert in any of this, feel free to correct me on any of the above.

User avatar
jobbautista9
Keeps coming back
Keeps coming back
Posts: 780
Joined: 2020-11-03, 06:47
Location: Philippines
Contact:

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by jobbautista9 » 2022-07-03, 14:01

andyprough wrote:
2022-07-03, 13:25
I think it has support for AV1, right? It's enabled in the default .mozconfig.
The standard mozconfig builds AV1 support into the browser, but it's currently disabled from the Preferences, which can be easily enabled back.
andyprough wrote:
2022-07-03, 13:25
I don't know what Shadow DOM/Custom Elements is - does Pale Moon implement that
They're part of the WebComponents package. We don't have full support of Shadow DOM yet. Custom Elements Is not implemented yet either.
Image

merry mimas

XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.

Mima avatar by 絵虎. Pixiv post: https://www.pixiv.net/en/artworks/15431817

Image

vannilla
Moon Magic practitioner
Moon Magic practitioner
Posts: 2181
Joined: 2018-05-05, 13:29

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by vannilla » 2022-07-03, 14:21

One can argue that there are no CVEs because Pale Moon is secure unlike Firefox :^)

User avatar
Mæstro
Lunatic
Lunatic
Posts: 459
Joined: 2019-08-13, 00:30
Location: Casumia

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by Mæstro » 2022-07-03, 16:06

andyprough wrote:
2022-07-03, 13:25
They are doing this because Firefox has been steadily losing users to Brave, Vivaldi and especially Edge for the past few years. You'll see them lashing out at projects like Pale Moon that are gaining users.
Do we know about how many Pale Moon users there are? User agents are misleading for many reasons, leaving me to wonder how we could reckon this.
Browser: Pale Moon (Pusser’s repository for Debian)
Operating System: Linux Mint Debian Edition 4 (amd64)
※Receiving Debian 10 LTS security upgrades
Hardware: HP Pavilion DV6-7010 (1400 MHz, 6 GB)
Formerly user TheRealMaestro: æsc is the best letter.

vannilla
Moon Magic practitioner
Moon Magic practitioner
Posts: 2181
Joined: 2018-05-05, 13:29

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by vannilla » 2022-07-03, 17:19

TheRealMaestro wrote:
2022-07-03, 16:06
Do we know about how many Pale Moon users there are? User agents are misleading for many reasons, leaving me to wonder how we could reckon this.
I don't think it's ever possible to measure it.
As you said user agent strings are unreliable, but so far that's the only way to actually see which is which.
If you also add that user agent switchers are popular with Pale Moon users, measuring Pale Moon's market presence accurately will never be possible.
Additionally, even if you were to do "feature detection", that is, measure it based on what is supported or not, with the increasing number of browsers being based on Chromium or implementing Chrome quirks you'd just map everything (Brave, Edge...) to Chrome or an older version of it.
(Not that it is wrong... but it's not accurate either, at least regarding the "front end" used on top of the engine.)
Admittedly here Pale Moon would be easier to detect, since by design it doesn't have certain features like RTC or the "global event", but those are metrics that can be measured only on a small subset of sites and are thus unreliable.
On the other hand, many contemporary browsers don't allow changing the user agent string or anyway there are limitations to it, which in tandem with many users not even knowing what a user agent string is, makes it easier to check the presence of a certain browser as the probability of the string being the default one is very high.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35403
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by Moonchild » 2022-07-03, 18:15

vannilla wrote:
2022-07-03, 14:21
One can argue that there are no CVEs because Pale Moon is secure unlike Firefox :^)
There are a few Pale Moon specific CVEs but in general any sec bugs reported are simply fixed and not submitted/requested as a CVE. I could, if I wanted to, report all theoretical vulnerabilities like Mozilla is doing whenever I find a UAF or missing null check or race condition or lock issue, but I really don't see the point in putting my time into it when I have a lot better use for that time. 95% of Mozilla's CVEs are found through fuzzing or code inspection or because someone ran into odd behaviour, and not because it's actually exploited in the wild, anyway.
vannilla wrote:
2022-07-03, 17:19
I don't think it's ever possible to measure it.
It's extremely difficult to measure because we don't collect that kind of data to begin with. It can be indirectly inferred from the traffic our services get, at most, as an "at least this many" figure.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35403
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by Moonchild » 2022-07-03, 18:21

jobbautista9 wrote:
2022-07-03, 11:31
They also don't have support for many modern JavaScript features, TLS 1.3, WebP images, and AV1 video.
Our JS support is pretty good (and totally unlike Firefox 52). See http://kangax.github.io/compat-table/es2016plus/ -- pretty much all of that implemented by yours truly over the years. Comparison chart attached with Firefox ESR 52.9.
TLS 1.3 is fully supported (and in use on this forum, too).
WebP has been supported for a long time already and is actively used and advertised for conneg. (image.http.accept;image/webp,image/png,image/*;q=0.8,*/*;q=0.5)
AV1 is support but disabled by default because it is a reference implementation that is not very performant. With our current work updating libaom though, I may enable it by default in the next dev release.
Attachments
PM-vs-ff52-js.png
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
nicolaasjan
Moon lover
Moon lover
Posts: 85
Joined: 2017-07-28, 14:44
Location: The Netherlands

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by nicolaasjan » 2022-07-05, 07:40

Aaand, the auto moderator strikes again:
https://old.reddit.com/r/firefox/commen ... m/iewg4ek/
Linux Mint 20.3 Mate 64bit
Pale Moon latest

User avatar
Night Wing
Knows the dark side
Knows the dark side
Posts: 5146
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by Night Wing » 2022-07-05, 09:14

Looks like that site's auto moderator bot has..........PMDS.......which equates to "Pale Moon Derangement Syndrome". ;)
Linux Mint 21.3 (Virginia) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
MX Linux 23.2 (Libretto) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
Linux Debian 12.5 (Bookworm) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35403
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by Moonchild » 2022-07-05, 12:15

jobbautista9 wrote:
2022-07-03, 11:31
don't attack Waterfox Classic which has some problems we also have and is arguably more insecure (look at all the security advisories they haven't addressed yet!).
Their reasoning apparently being
Some of the patches may still be needed, but the changes between versions so numerous between ESRs making merging difficult if not impossible.
I've had no issue auditing and porting sec bugs every Firefox release cycle (sure, some were a bit tricky or actually required some new code or actually understanding behaviour and patching accordingly) and it would at most take me 2 days to work through the list; often a lot less.
Merging might be difficult or impossible for someone just wanting to use patches as-is, of course. But that's no excuse adopting security fixes by actually doing the work of porting patches instead of wanting everything to merge cleanly. I warned Alex about the work needed when he rejected cooperation with us on Waterfox. He was all high and mighty about it. And now see where it has left them. At least Pale Moon keeps up. In fact, Waterfox Classic could probably plainly use the patches I have committed to our tree since we're closer siblings than trying to address the issues with mozilla-central code changes, and benefiting from my work porting them. But eh, his call.
of course they might still need more patches because I didn't port things that are N/A for us like e10s vulnerability patches.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
andyprough
Astronaut
Astronaut
Posts: 688
Joined: 2020-05-31, 04:33

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by andyprough » 2022-07-05, 13:03

Well, looks like the reddit automoderator bot reads the Pale Moon forum, since it removed the verbiage about TLS 1.3, AV1, and webp once it was proven incorrect about those items in this thread. The bot is still upset that Pale Moon (like nearly ever other major and minor open source project) does not have a dedicated separate QA team (but like all others relies on community testing and reporting for QA), and continues to lie saying that no bounties have ever been paid and no CVE's have ever been issued. So, it's a lying bot, but one that can be shamed into tempering its lies a little bit.

The fuzzing thing is still amusing, as both Google and Mozilla spend millions on fuzzing every month BECAUSE they picked multi-process models which have rampant cross-process data leakage, which I don't think would effect Pale Moon.

The new item is along the same lines, now the bot is complaining that Pale Moon does not have "Project Fission", which is a form of site isolation designed to protect Firefox from Meltdown and Spectre related multi-process data leakage. Chrome has its own anti-Spectre anti-Meltdown "site isolation" mitigation. Again, I'm assuming that Pale Moon could not possibly be vulnerable in the same manner as Firefox and Chrom since it is not running in multi-process mode, and so Project Fission would not apply, although Pale Moon might have to have other Spectre or Meltdown mitigations. Please correct me if there's something I'm wrong about here.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35403
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by Moonchild » 2022-07-05, 13:20

andyprough wrote:
2022-07-05, 13:03
no bounties have ever been paid
Wait.. what?
Code bounties have been paid every single time someone actually did the work for it. Are they just fishing for getting money from this project by us paying bounties for sec issues that have been reported elsewhere and have ready patches for it, or something?

But hey, don't take my word for it. I'll let people who have been paid bounties speak up if they want.

Also, why is this obviously human sourced posting referred to as a bot? Is it to somehow not take personal responsibility for posting FUD?
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
gepus
Keeps coming back
Keeps coming back
Posts: 933
Joined: 2017-12-14, 12:59

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by gepus » 2022-07-05, 13:29

Off-topic:
Moonchild wrote:
2022-07-05, 12:15
In fact, Waterfox Classic could probably plainly use the patches I have committed to our tree ...
Alex doesn't really care anymore about Waterfox Classic. Their new flagship is Waterfox G (next generation).
Waterfox Classic is in the meanwhile only a ballast "maintained" by some amateurs while its use is discouraged even on their own page.

User avatar
jobbautista9
Keeps coming back
Keeps coming back
Posts: 780
Joined: 2020-11-03, 06:47
Location: Philippines
Contact:

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by jobbautista9 » 2022-07-05, 14:16

andyprough wrote:
2022-07-05, 13:03
Well, looks like the reddit automoderator bot reads the Pale Moon forum, since it removed the verbiage about TLS 1.3, AV1, and webp once it was proven incorrect about those items in this thread.
I didn't even notice that, lol. Nobody from the mod team admitted their mistake on that though, so still pretty scummy to me.
andyprough wrote:
2022-07-05, 13:03
The new item is along the same lines, now the bot is complaining that Pale Moon does not have "Project Fission", which is a form of site isolation designed to protect Firefox from Meltdown and Spectre related multi-process data leakage. Chrome has its own anti-Spectre anti-Meltdown "site isolation" mitigation. Again, I'm assuming that Pale Moon could not possibly be vulnerable in the same manner as Firefox and Chrom since it is not running in multi-process mode, and so Project Fission would not apply, although Pale Moon might have to have other Spectre or Meltdown mitigations. Please correct me if there's something I'm wrong about here.
Pale Moon has already secured itself against Spectre and Meltdown before the mainstream browsers did: viewtopic.php?t=17928 So whether a browser is multiprocess or not is completely irrelevant to Spectre/Meltdown. Yet another bullshit from people spewing out technological jargon they don't understand.
Moonchild wrote:
2022-07-05, 13:20
Also, why is this obviously human sourced posting referred to as a bot? Is it to somehow not take personal responsibility for posting FUD?
AutoMod is triggered everytime someone says "Pale Moon" and "palemoon", so it's definitely a bot. Though it could also be to hide which mod is doing the FUD against us.
Image

merry mimas

XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.

Mima avatar by 絵虎. Pixiv post: https://www.pixiv.net/en/artworks/15431817

Image

User avatar
andyprough
Astronaut
Astronaut
Posts: 688
Joined: 2020-05-31, 04:33

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by andyprough » 2022-07-05, 14:33

jobbautista9 wrote:
2022-07-05, 14:16
Pale Moon has already secured itself against Spectre and Meltdown before the mainstream browsers did: viewtopic.php?t=17928 So whether a browser is multiprocess or not is completely irrelevant to Spectre/Meltdown. Yet another bullshit from people spewing out technological jargon they don't understand.
Ahh, that's a good read on Pale Moon's response to Spectre/Meltdown from 2018, with the coarseness of the performance timer granularity being already set in 2016. I keep making the cardinal error of conflating multi-process with multi-thread when it comes to discussing shared memory, I'm definitely in the camp of people "spewing out technological jargon they don't understand", but I'm trying to improve.

So basically, Pale Moon trying to implement "Project Fission" as the reddit automoderator bot demands, would be completely pointless (and probably would not work at all or have any conceivable benefit if it did, I would imagine).

User avatar
jobbautista9
Keeps coming back
Keeps coming back
Posts: 780
Joined: 2020-11-03, 06:47
Location: Philippines
Contact:

Re: r/firefox is spreading disinformation about Pale Moon

Unread post by jobbautista9 » 2022-07-05, 14:40

andyprough wrote:
2022-07-05, 14:33
So basically, Pale Moon trying to implement "Project Fission" as the reddit automoderator bot demands, would be completely pointless (and probably would not work at all or have any conceivable benefit if it did, I would imagine).
It is indeed completely useless for us, as multi-process is a prerequisite to Fission/Site Isolation. As I see it, "Site Isolation" really is more of a workaround to an oversight in their implementation of multi-process in light of Spectre/Meltdown. Not an improvement in its own right. Which is why Moonchild is correct in staying with single-process mode for Pale Moon! :thumbup:
Image

merry mimas

XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.

Mima avatar by 絵虎. Pixiv post: https://www.pixiv.net/en/artworks/15431817

Image

Locked