The Waterfox Well Is Dry

[Shadow]

*I guess this is a rant.*

I made the Librewolf Following Firefox topic a few months ago and Waterfox was mentioned.

I decided yesterday, why not try Waterfox again, but I couldn't even get that far.

https://www.waterfox.net/en-US/download/

I clicked "copy hash" for Windows on the webpage and received a hash I didn't recognize.

Turns out it's a sha-512 that my checker doesn't check for.

I don't understand the "Verify the releases" terminal thing on that page. Why complicate things this much?

Then I looked at the installer certs and there is a "Dummy" cert in there I don't like the look of. Tried to find an explanation to no avail.

It has since updated to 6.0.5 and the same thing.

Nothing but disappointment from the get go once again and didn't even install it.

I would question Alex myself, why is there a dodgy cert and why can't you provide a typical sha256 or md5, but why even bother.

[Night Wing]

Sometimes Alex has a tendency to......."go off the rails"........every now and then if you get my drift. When it comes to Alex and Waterfox, I just "go with the flow" and hope he does not make any errors. In other words, "I plan for the worst and hope for the best".

I never pay attention to the "verify the releases" jargon. I use linux Waterfox in both the Linux Mint and MX Linux distros. I also do not install Waterfox in these distros. I basically use the executable file. This means Waterfox is never listed under Internet in either of the Menus in both Mint and MX.

I have learned how to add the launcher and create a path to the launcher from where I keep the extracted Waterfox folder from the downloaded tarball. In the folder, I use the Image Files to find the Waterfox 32 logo and this puts the Waterfox logo on the launcher icon on my linux Panel.

BTW, thanks me letting me know G6.0.5 was released. It is now on all of my four computers.

[andyprough]

Turns out it's a sha-512 that my checker doesn't check for.

Your checker should check for that - sha-512 is a standard part of the sha-2 family of hash functions that includes sha-256, and sha-512 appears to be more robust. Are you using 7-zip to check the hash by chance? I think 7-zip won't check an sha-512, but nearly all the other hash checkers on Windows should do it from what I'm reading. There shouldn't be anything wrong with Alex using sha-512.

I don't know much about certificates, but I think a dummy cert is one that Alex would have used to test his build or test one of his servers, or something of that nature. I don't think it should be a problem. Some of the Pale Moon devs might be able to shed more light about when a dev would use a dummy cert.

I haven't used Waterfox for quite a few years and I'm not a developer, but these two items don't sound like actual problems to me.

[RealityRipple]

I'm guilty of the self-cert thing. I have a whole tiered CA with daily published CRLs. Not because I think I'd make a particularly good authority, but because I think the current code signing system is a bonkers capitalistic nightmare where you're supposed to implicitly trust a faceless, unaccountable enterprise. If someone could set up a PGP personal trust system that was retrofitted to existing code signing standards somehow, I'd hop on it instantly.

[Shadow]

Your checker should check for that - sha-512 is a standard part of the sha-2 family of hash functions that includes sha-256, and sha-512 appears to be more robust. Are you using 7-zip to check the hash by chance?

FF, PM, & Bask all use sha-256. FF also have sha-512 as an optional.

I actually use fHash, which before didn't, but now there is a version supporting sha-512. I remember reading they removed crc32 because they felt like it so I never updated it and presumably went looking for another checker to replace it with but never found one. I guess I'll now concede crc32 isn't worth it.

As for the cert, I guess I'll have to begrudgingly ask. This is what I get for being overly cautious and also stubborn. Maybe a bad combination.

[andyprough]

This is what I get for being overly cautious and also stubborn. Maybe a bad combination.

These days caution is a rare virtue among internet users. It's most likely keeping you safe from some bad actors.

[Moonchild]

IMHO SHA-512 is total overkill for just about anything. If the entire bitcoin industry can build on SHA-256's uniqueness/collision-resistance, then doubling the bit width makes absolutely no sense for just checking file integrity.

[athenian200]

I like the play on words there... it makes me picture other headlines...

"The Firefox flame has gone out."

"The Chrome plating has been tarnished."

"SeaMonkey has failed to evolve."

"Opera has lost its voice."

"Internet Explorer has lost its way."

"Brave browser retreats in disgrace."

I know this one was supposed to be about Waterfox, but it just gave me so many ideas.

As for the self-cert thing, I'm suspecting it might be a cash flow problem... code signing is expensive. If Waterfox is low on cash, they might not be able to afford a proper code signing cert anymore, and may be trying to get around this with a self-signed certificate that is installed on your system. I've considered doing that, but I know that would make users even more suspicious than the smartscreen warning... the only way to get trust is to buy it, anything you do to get around spending the money will just make you look worse.

[Basilisk-Dev]

Off-topic:
Might I suggest just not using Waterfox at all? I think your life will be improved by following this advice.

[Moonchild]

may be trying to get around this with a self-signed certificate that is installed on your system. I've considered doing that, but I know that would make users even more suspicious than the smartscreen warning...

I think using a self-signed cert for code signing is worse than not signing at all. The whole point of code signing is that you have a trusted third party vouch for your code signature. self-signed/untrusted cert chains would raise a lot more red flags (you're pretending you've been verified while you haven't been, implying some form of misleading) than it simply being clear that nobody has vouched for you.

[andyprough]

Off-topic:

I like the play on words there... it makes me picture other headlines...

"The Firefox flame has gone out."

"The Chrome plating has been tarnished."

"SeaMonkey has failed to evolve."

"Opera has lost its voice."

"Internet Explorer has lost its way."

"Brave browser retreats in disgrace."

The orchestra has gone silent for Vivaldi.
The tide has gone out for Netsurf.
Edge is crumbling like a California mudslide.

[suzyne]

Off-topic:
The clever word play didn't quite hit me until pointed out, but here are some more.

IceCat is feeling the heat
LibreWolf is stuck in a cage
NAVER Whale has beached itself
Slimjet runs out of fuel

[Kerebron]

Off-topic:
And everything here is in tune
But the sun is eclipsed by Pale Moon

[athenian200]

I think using a self-signed cert for code signing is worse than not signing at all. The whole point of code signing is that you have a trusted third party vouch for your code signature. self-signed/untrusted cert chains would raise a lot more red flags (you're pretending you've been verified while you haven't been, implying some form of misleading) than it simply being clear that nobody has vouched for you.

Off-topic:
Agreed, that's why I didn't do it. The only case where I would consider forcing users to install a self-signed cert would be if the operating system tries to enforce signatures with no mechanism for turning it off, and even then I would inform them about it and tell them to install the certificate in the cert store themselves by saying that since I can't afford code signing and their OS enforces it, them adding me as a trusted cert authority as if we were members of the same corporation trusting each other's code internally is the only way to run my program.

Otherwise, I would much rather leave it unsigned.