Change in system requirements (AVX)

[moonbat]

There's a concept of reproducible builds, but I guess it would be a lot of effort to implement here.

[andyprough]

Unless I build a program myself, I guess that technically there can't be a guarantee?

Like, if I visit a project on GitHub and go to the Releases page, I really have to take it on trust that the zip file or whatever it is that the project owner(s) have uploaded there, is based on the corresponding source. I think I am right in saying that there is no way anyone can "prove" to me that the file I download was made from the publicly visible code?

It really is about trust and never a guarantee, for those of us who don't build from the source ourselves, and I don't think there is any way around that.

So it only comes back to the track record and previous dealings and reputation of the person(s) supplying a program file. There's nothing else.

Well, to be fair, if it is a popular enough package on github then there is going to be a large number of people downloading it, downloading and building the source, exploring the code, offering contributions to the code, etc. [Very similar to how so many of us build and/or contribute to Pale Moon code]. So a lot of packages that are popular enough to get heard about on github are going to have been pretty thoroughly gone over. And any issues that people find are usually raised on the Issues page for that github repo [like we do on the Pale Moon forum]. Contributing to code on github is a popular activity among programmers, as they can put it on their CV's and show their code contributions as part of their portfolio when looking for jobs, so for a variety of reasons the popular packages tend to get a lot of people looking at and working with the code in various ways.

And if you are using an OS that is made up of freely licensed code, such as a Debian-based GNU/Linux OS, then you have hundreds of packagers that are building each and every package from source and making their own code contributions to the source and going through a reliable process to add a lot of trust to the process.

So, depending on the package, there is often a lot of reason to trust them. There are very few historical instances of any freely licensed package containing malicious code. The recent incident with the xz compression package is the only one I can think of in the past few years, and that was found and corrected almost immediately by the same process described above.

And, yes, you should build packages from source for yourself sometimes. It helps greatly to better understand how the package works and how to optimize your use of it, and it will greatly enhance your sense of trust. I build Pale Moon fairly frequently, and it is a very simple process, much easier than building modern Firefox and vastly easier than building modern chromium. Once every couple of years I build nearly every package I use by going through the "Linux From Scratch" building process. You will learn so much by going through the building process that if you can do it you really should.

[Kris_88]

So, depending on the package, there is often a lot of reason to trust them.

You are talking about something completely different.
The source code is indeed checked and confirmed by many people. Indeed, it is rare for something malicious to be directly in the published source code, since it is easily checked and detected by the community.

But here we are talking about a completely different problem. How can you verify that a person did not insert some specific vulnerability or spy code when building an executable module from the source code? Such verification is extremely difficult. It is much more difficult than simply building a browser yourself.

Signature verification only proves that the executable module was actually created by a specific person and was not changed during delivery to the user's computer.

And we come to the conclusion that everything depends on trust in a specific person.
For example, quite a lot is known about Moonchild. He has been working on this project for a long time, he is the owner of the project, he is the owner of the trademark, he has a real (not self-signed) certificate, his first name, last name, place of residence, and approximately his age are known. And although each piece of information does not prove or guarantee anything, but in total, I personally have enough information to trust Moonchild.

As for the authors of third-party builds, I know much less about them.
And therefore, as I already said, there is a big difference between official builds and third-party builds.

[moonbat]

How can you verify that a person did not insert some specific vulnerability or spy code when building an executable module from the source code? Such verification is extremely difficult.

Reproducible builds, like I said. It is difficult to implement.

As for the authors of third-party builds, I know much less about them.

I don't know them either, nor do others here who have been using their builds without any such problems for years(which would've been spotted and called out, as andyprough said. The nearest similar episode was a couple of years ago with JustOff changing his extensions to update from his own server without informing us, that led to their being taken down and again, this was spotted and called out). In the end it's up to you if you want to trust them or not.

[suzyne]

Reproducible builds, like I said. It is difficult to implement.

I followed the link from the previous reply and then did a bit of searching and reading myself. Interesting stuff! But all the pages I saw referred to Linux (or similar) without any mention of Windows, so I am going to assume that this technique is highly unlikely to be used by the main (Windows) Pale Moon any time soon?

[moonbat]

Not sure why..I should think building on Windows with Visual Studio narrows down the number of separate versions of libraries that might differ. Or perhaps this hasn't been explored on Windows much because fewer people are interested in building from source on Windows.

Or perhaps it's a big task for a huge codebase like PM's; one would have to standardize paths for example.

[Kris_88]

I don't know them either, nor do others here who have been using their builds without any such problems for years(which would've been spotted and called out, as andyprough said.

How would such problems be detected by ordinary users? I hope you don't think that a malicious insert would show itself with a big bright window with warning text? Let's say if the browser sends some collected information when accessing Yandex (for example), then it is very unlikely that someone will notice it quickly.

In the end it's up to you if you want to trust them or not.

Moonbat, it's clear that no one is restricting my freedom.
But I'm talking about something else.
I'm talking about the fact that there are now fewer reasons to trust browser builds. This applies to builds that used to be official, but have now become third-party. This is an objective fact, not a subjective opinion.

But what surprised me was the reaction of some here.
Instead of saying "yes, that's true", people try to make themselves look stupider than they are, like "I don't see a problem" or "nobody has noticed anything bad in two years", or try to equate righteous with sinful, like "Most FOSS stuff is provided as-is, which means there is no guarantee for anything. Fullstop." And others even subscribe to this blurring of the problem, like "yes, you said it right". Other people try to replace the problem with another, visually similar one and show that this another problem is not really a problem.
Well, okay, I know how it works internally and can separate truth from deceit. But someone will be deceived by this... And this is much more serious than my dispute with Moonchild. Actually, because of this reaction, I am no longer involved in this project.

[back2themoon]

I'm talking about the fact that there are now fewer reasons to trust browser builds. This applies to builds that used to be official, but have now become third-party. This is an objective fact, not a subjective opinion.

Not really. It seems the major change here is that YOU now have to use a third-party/community build.

Also, builds that used to be third-party, are now official - how about that? So, nothing really changed. It's a swap.

If you were honestly seeking to increase and solidify the security of the eco-system and the way of doing things, you should've raised these concerns years ago. If you had and were ignored, then hats off but frankly, all I still see is the "evil Russians" syndrome. It's old, not tech/browser-related and will get you nowhere. And rightly so.

[Kris_88]

Not really. It seems the major change here is that YOU now have to use a third-party/community build.

I don't use Pale Moon very much. Nothing has changed for me personally. I just use the 32-bit version.

Also, builds that used to be third-party, are now official - how about that? So, nothing really changed. It's a swap.

Obviously, this is not a swap. Previously, the official version was universal (worked on all computers), but now... Don't you know this yourself?

If you were honestly seeking to increase and solidify the security of the eco-system and the way of doing things, you should've raised these concerns years ago.

Well, excuse me, I'm not God. I've never taken on the role of a safety inspector. Yes, I pay more attention to the problem only when it somehow affects me. It's completely natural.

I still see is the "evil Russians" syndrome.

This is a separate topic, and I will not discuss it here. I will limit myself to a general philosophical remark.
For bad people to win, it is enough for good people to do nothing. And one more thing. If you run away from politics, then politics sooner or later comes to you, and sometimes it comes in the form of bombs that fall on your heads.

[gepus]

Off-topic:

I will limit myself to a general philosophical remark.
For bad people to win, it is enough for good people to do nothing. And one more thing. If you run away from politics, then politics sooner or later comes to you, and sometimes it comes in the form of bombs that fall on your heads.

You could narrate your philosophical remarks to Koreans, Vietnamese, Iraqis, Afghans, Libyans, ... to name just a few.
Of course they have been bombed by the good guys driven only by their messianic and altruistic mandate to save mankind...
This is how exceptionalism works. Feel free to be proud of it but in the meantime please spare us from such "philosophical" inspirations.

[back2themoon]

I don't use Pale Moon very much. Nothing has changed for me personally. I just use the 32-bit version.

This thread was started by you, with detailed descriptions of your newly incompatible hardware.

Yes, I pay more attention to the problem only when it somehow affects me. It's completely natural.

So, affected or "nothing has changed?

Previously, the official version was universal (worked on all computers), but now... Don't you know this yourself?

Pretty sure it was not "universal" and would not work on even older machines. Certainly not on ALL computers. It is obvious you have your own hardware in mind. All this fuss for your personal, incompatible hardware which has already been accommodated with community builds? Wow.

I know it well because my main, 16-YEAR-OLD machine was affected, instantly switching to Nuck-TH's SSE2 build. I'm most probably much less technical than you, but it doesn't take a genius to understand why this change was made.

All I still see is the "evil Russians" syndrome.

This is a separate topic, and I will not discuss it here.

It's all you've done. Please grow up. You've got great technical skills. Don't waste them on good vs bad nonsense. I'm done here but still hope to see your familiar, concise technical posts elsewhere.

[Kris_88]

So, affected or "nothing has changed?

Let's just say I was affected enough to notice a potential security issue. Then I looked at the third-party build and saw that I couldn't trust the author, so my fears were confirmed.

Pretty sure it was not "universal" and would not work on even older machines. Certainly not on ALL computers.

Okay, I have to be very precise. The "universal build" worked on both SSE and AVX processors, and the third-party build only worked on AVX. It's not an equivalent replacement, and it's not like "nothing really changed".
And yes, I'm tired of proving the obvious when you stubbornly pretend not to understand.

but still hope to see your familiar, concise technical posts elsewhere.

In short, I already understand everything about this community.
And, no, I won’t bring anything valuable here. I just don't have the desire anymore...

[andyprough]

... saw that I couldn't trust the author ... I won’t bring anything valuable here.

Yes, well, turning yourself into a vicious little rage-filled pimple of hate will tend to make a person rather valueless. At least you are being honest about that. Although you should turn the "won't" into "don't", as the present tense seems to apply most aptly.

[Kris_88]

Although you should turn the "won't" into "don't", as the present tense seems to apply most aptly.

Okay, as you wish.
I have not brought, do not bring, and do not intend to bring anything valuable here in the future.

[SouthernComputerGeek]

Off-topic:
Well I'm now using the third party sse2 build of Pale Moon on my windows machine, I guess I'll be bombed any day now.

[andyprough]

Off-topic:

Off-topic:
Well I'm now using the third party sse2 build of Pale Moon on my windows machine, I guess I'll be bombed any day now.

You can't fake this kind of courage in the face of almost certain death. It's real.

[John_Smith]

Off-topic:

all I still see is the "evil Russians" syndrome. It's old, not tech/browser-related and will get you nowhere. And rightly so.

Not sure what you meant there, but there is no doubt that Russia is the Empire of Evil.

For bad people to win, it is enough for good people to do nothing. ...
If you run away from politics, then politics sooner or later comes to you, and sometimes it comes in the form of bombs that fall on your heads.

You could narrate your philosophical remarks to Koreans, Vietnamese, Iraqis, Afghans, Libyans, ... to name just a few.
Of course they have been bombed by the good guys driven only by their messianic and altruistic mandate to save mankind...

You deserve to live in a country like Kim's North Korea, Ho Chi Minh's Vietnam, Saddam's Iraq or Taliban's Afghanistan. Then you would be grateful for anyone willing to fight for your freedom.

[Moonchild]

No reason to revive this thread with off-topic geopolitical banter.
Locking, with a note to please re-read the forum rules, specifically 1h and 2d.