Fennec vulnerability? Recommended to uninstall

My fdroid client recommends to uninstall fennec because it has a vulnerability. Do you have any details on this? There is nothing more in fdroid.

2 Likes

Fennec and Mull 129.0.2 in F-Droid.org repository have 42 known security issues per my https://divestos.org/misc/ffa-dates.txt

The issue preventing updates should be resolved soon thanks to @linsui fixing it!

6 Likes

For Mull I would install it from the Divest OS repo

As previously said, I would strongly recommend not using the vulnerable version. You are opening yourself up to exploitation. I cannot understate the risk of using a vulnerable web browser. You are literally pulling content from servers you do not control. Some of these exploits include CSS-related vulnerabilities, so NoScript can’t even save you.

As for F-droid I would recommend that they do the following:

  • Remove the ability to install vulnerable versions
  • Add a way for the F-Droid team to push security-related push notifications. These should of course be optional and used rarely. The big idea is to be able to notify people of major incidents like significant vulnerabilities and supply chain attacks
  • Work on streamlining security patching. I know that security updates can get abused to push antifeatures in some cases, but I think that security is very important. This is one of those “easier said than done”
  • Create a dedicated security tracker for all vulnerabilities of any significance
1 Like

Thank you very much, I’m looking forward to this!

1 Like

Anyone know if it’s necessary to uninstall, or is it enough to not use it until the next update?
TIA! Kind regards!

1 Like

I’d also very much like an official proclamation on this. But for now, that’s what I’m going with.

I’ve changed my default browser in Android to the Monocles Browser, which I presume is more secure for now, but is mildly inconvenient to use. Any suggestions for a less annoying short-term replacement would be helpful.

Should be fine if you close all tabs and quit it. You can also force stop it to ensure it doesn’t start again.

This is just a WebView browser, so it is only as secure as your WebView is up to date. Please see my other information about them here: Browsers - DivestOS Mobile

3 Likes
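The advice above (check which version is installed and, if it is still the vulnerable one, force-stop it until an update lands) can be scripted over adb. The following is an added example, not code from the thread or from F-Droid; it assumes the F-Droid Fennec package name `org.mozilla.fennec_fdroid` and the Mull package name `us.spotco.fennec_dos`, and takes 131.0.0 (the version in the merge request mentioned later in this thread) as the first non-vulnerable version. Adjust the package names and the threshold if yours differ.

```shell
#!/bin/sh
# Added example (not from the F-Droid thread). Checks the installed Fennec/Mull
# version on an attached Android device and force-stops the browser if it is
# older than the first fixed version.
#
# Assumptions (not stated on the page):
#   - package names below are correct for your device
#   - 131.0.0 is the first version without the 42 known issues
FIXED="131.0.0"
PACKAGES="org.mozilla.fennec_fdroid us.spotco.fennec_dos"

# version_lt A B: succeed (exit 0) when dotted version A is strictly older than B.
# sort -V does the numeric, component-wise comparison; equality is excluded first.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# parse_version_name: read `dumpsys package <pkg>` output on stdin and print
# the first versionName= value (empty if the package is not installed).
parse_version_name() {
  tr -d '\r' | sed -n 's/^[[:space:]]*versionName=//p' | head -n1
}

# check_version NAME VERSION: print a verdict; return 1 if VERSION < FIXED.
check_version() {
  if version_lt "$2" "$FIXED"; then
    echo "$1 $2 is older than $FIXED: vulnerable, do not browse with it"
    return 1
  fi
  echo "$1 $2 is at or above $FIXED"
  return 0
}

# check_device PKG: query the device; force-stop the package if vulnerable.
check_device() {
  pkg="$1"
  v=$(adb shell dumpsys package "$pkg" | parse_version_name)
  if [ -z "$v" ]; then
    echo "$pkg is not installed"
    return 0
  fi
  if ! check_version "$pkg" "$v"; then
    # Equivalent of Settings > Apps > Force stop; the app stays installed.
    adb shell am force-stop "$pkg"
    echo "$pkg force-stopped"
  fi
}

# Only talk to a device when explicitly asked, so the functions above can be
# sourced and tested without adb: sh fennec-check.sh --device
case "${1:-}" in
  --device)
    for p in $PACKAGES; do
      check_device "$p"
    done
    ;;
esac
```

Force-stop is only a stopgap: the package remains installed and any tap on a link handled by the browser will start it again, so re-run the check (or change the default browser) until the update is actually installed.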

In my opinion, the root cause of this is the exaggerated purity rules in the F-Droid store, as I mentioned here:

The Fennec developers would have everything ready to merge the latest version and resolve the security issues, here is the PR: Fennec 131.0.0 (!63) · Merge requests · relan / fennecbuild · GitLab

But he cannot merge it because of these open source purity rules in F-Droid that require the complete toolchain to be 100% open source, no deviation allowed. Just relax the rule, don’t be such fundamentalists. Then we can have the issue resolved and people don’t need to switch to Google Play store.

1 Like

And as everyone has mentioned in that same thread, it is not that. You need to look beyond the so called foogle world.

1 Like

Hi, I’m under the impression that open source purity rules and FLOSS fundamentalism are precisely the reasons why people switch from Google Play to F-Droid.
Certainly, that’s my case.
The old ones: freedom, security and solidarity over short-term “convenience”.
But maybe I’m wrong. In any case, let’s help fix this Fennec issue according to devs needs, both Fennec and F-Droid.
Kind regards!

2 Likes

Ideals are great until they affect my convenience

6 Likes

This is not about convenience though, it is about security.

I’m sure Google sells as much, why are you here?

Wtf? If that’s how you welcome now people here, I’m not going to be here long…

But to answer your question, I am here because I am passionate about avoiding centralized monopolies like the Play Store, which is why my phone and those of some family members install all software from F-Droid – so thank you for providing that service! I am willing to go to great lengths to make sure my actions match my ideals, and I regularly take significant convenience cuts for that (however, F-Droid is actually quite convenient, so that’s not even one of those cases). However, now I have to re-evaluate because it seems in doing so I have exposed my family and myself to severe security risks. You made it sound above like people are just complaining about some convenience issue here, but there is no convenience issue. There is, however, a security issue, and it seems like that is being downplayed, which is concerning.

2 Likes

That’s how you start all your answers? Odd.

Thanks for the rest though :)

it is not being downplayed, just that I personally don’t like panic and accusations when we instead need help

when this gets fixed everyone goes away… until the next issue… on a loop

when the whole issue was: human resources needed to research, test, fix

5 Likes

Given that uninstalling and reinstalling can pose considerable inconvenience and security risks in itself (some people have a custom collection of extensions and advanced settings that are security relevant), it might be worth considering the tradeoffs of offering a not entirely clean update until a clean build is available?

What’s the point of “build from source” if “let’s not build it from source today…” and “not tomorrow” and “never again” because it’s hard?

3 Likes

If that’s the case, will mark it “nosourcesince” and archive it… so long and thanks for all the fish

1 Like

As an open-source contributor myself, I know the problem of “not enough people to do all the work” well enough. :(

I guess the question is whether it’s worth offering Fennec if the capacity isn’t there to ship updates in time. Ideally Mozilla would offer some non-Google way to install and automatically update Firefox on Android, but sadly they don’t so we can only hope someone else is willing to do that work.

You mean APKs built from proprietary Google libs in their own F-Droid repo?

I hope nobody thinks F-Droid just builds Mozilla code as it is and hosts it, yes?

1 Like