Palemoon in debian

[sayansg]

Is there any way to install palemoon in debian?

I'm a big fan of palemoon. It's a great deal faster and less resource intensive than firefox, especially on older hardware. Is there any reason why it isn't in debian repo? Is there any security concerns? I found a workaround, a repo in opensuse by steve. What about add-ons? Are they safe to install?

I'm asking this because I see several mediocre web browsers(like netsurf) in debian repo but no palemoon.

[Dai_trying]

I use Palemoon and find it quite good and add-ons can be used usually without issue but as with any software you install you should check it out first, I followed the palemoon website instructions to install it on my system and everything went smoothly.

[MALsPa]

Same here, I've been using Pale Moon in Debian Stretch. My preferred approach: I simply downloaded the tarball, extracted it to /opt, and ran the chown command as shown in this thread: https://forum.palemoon.org/viewtopic.php?f=37&t=19828

[GarryRicketson]

Obviously, you know there is ways to install it:

I found a workaround, a repo in opensuse by steve.

sayansg » Is there any reason why it isn't in debian repo?

A little more search foo: Keywords:

Code: Select all

Why is Palemoon not in the Debian repositories 

https://lists.debian.org/debian-project ... 00016.html

sayansg »Is there any security concerns?

Key Words:

Code: Select all

Is there any security concerns for Palemoon  

https://www.cvedetails.com/vulnerabilit ... emoon.html
But you really should read some of the other results, using those keywords, there seem to be some, depending on your system, that you did not bother to give any details for.

by sayansg » What about add-ons? Are they safe to install?

Code: Select all

What about addons and plugins on Palemoon , are they safe  ?

Honestly, why don't you just read the Palemoon FAQ, and since you have so many questions about Palemoon, sign up to their forum and asks these questions there ?
https://www.palemoon.org/faq.shtml
====================
https://forum.palemoon.org/index.php

I'm asking this because---- snip---

The browsers you call "mediocre", in YOUR opinion only, are good browsers, and those are what Debian has in their repositories, because those are ones that are acceptable for Debian, and their packaging policy.
You are asking this, because you just did not want to do your own searches, I guess, or maybe there are other motives, ? Like telling us the other browsers are "mediocre", ? And you think Debian should include Palemoon in the repositories ?

[sayansg]

My Dear Garry,

I did not have any ulterior motive for asking the questions that I asked. They were honest questions, but admittedly ones asked without doing any searches in the forum first.

[GarryRicketson]

No problem, Oh, and on the security issues, I noticed something mentioned, but seems to be if it is a non-systemd system, I did not look at the details.

[bw123]

Is there any way to install palemoon in debian?

I'm a big fan of palemoon. It's a great deal faster and less resource intensive than firefox, especially on older hardware. Is there any reason why it isn't in debian repo? Is there any security concerns? I found a workaround, a repo in opensuse by steve. What about add-ons? Are they safe to install?

I'm asking this because I see several mediocre web browsers(like netsurf) in debian repo but no palemoon.

The browsers in the main repo are free, including source code, and their licenses all allow you to alter and redistribute them. Debian has made a promise to remain 100% free https://www.debian.org/social_contract even though the distribution can work with software that is non-free.
https://www.palemoon.org/redist.shtml

Debian has a security team for the repo. I don't know how palemoon handles it. That is a good question though, and something to consider when installing binaries from outside of Debian repositories.
https://wiki.debian.org/Teams/Security

[stevepusser]

Pale Moon has some restrictions on the trademarked name that building it from source against system versions of libraries like libnspr4 and libnss3 per Debian policy would violate. My repo has Pale Moon build and use its internal versions of those libraries instead, so I can use the official branding.

However, Debian would be allowed to build it the Debian way if they used a different package name and graphics, such as the suggested "New Moon", and alternate unofficial graphics are already included in the source. I did it as an experiment once, and it wasn't that difficult to switch it over to that name. Debian would then be free to change the build configuration and patch it as much as they want. I believe that the official version only supports i386 and amd64 builds, and Debian would need to patch the source to get it to build on the other architectures that Debian would want to provide packages for. So that situation is much the same as with Mozilla and Firefox builds.

Pale Moon will also crash if you're using your distro's version of the oxygen-gtk GTK 2 theme, since that theme doesn't know anything about Pale Moon. I have a patched version in my OBS that adds it and "newmoon" to the list of Mozilla-type apps for which it does a crash-preventative workaround--Debian would have to do the same if they added New Moon.

As for addons, I'm pretty sure the ones approved by Pale Moon are going to be OK. You should be able to install older XUL-based ones like Flashgot from the vetted Mozilla Web store, too--at least it works fine for most sites on my install.

[debiman]

I found a workaround, a repo in opensuse by steve.

this seems to be causing some confusion.
steve pusser's debian repos are debian repos, even if they are hosted on an opensuse site.

[stevepusser]

Yes, I also have the OBS build Ubuntu packages from one source code upload: https://build.opensuse.org/package/show ... r/palemoon

If I knew how, I could also have it build Arch, SUSE, Fedora, and many other distro packages, like the SMPlayer developer does: https://build.opensuse.org/package/show ... v/smplayer

[sayansg]

Thanks a lot steve.

I installed palemoon 28.1.0 32-bit from the opensuse site following your directions as mentioned in palemoon forum. Great software.

Only had one slight problem. The preference menu items were static. But as suggested by someone in mx linux from, I think, I changed animatefadein to true and the issue was resolved.

Thanks for making palemoon work on debian. It's fast as ever and has a good collection of add-ons.

Cheers.

[pcalvert]

The browsers you call "mediocre", in YOUR opinion only, are good browsers, and those are what Debian has in their repositories, because those are ones that are acceptable for Debian, and their packaging policy.

One thing to keep in mind about the more obscure web browsers, like NetSurf, is that they never receive any security updates. According to what I read, in Debian stable only Chromium and Firefox receive security updates. I like NetSurf because it opens very quickly, but because it doesn't receive security updates I only use it to perform a periodic quick check of a particular website that I trust.

Phil

[debiman]

^ not sure, but i think most if not all security vulnerabilities are tied to javascript (or other forms of client-side scripting).
since these "small" browsers (*) do not support javascript (or other forms of client-side scripting) at all (with the exception of netsurf) one might consider them "unhackable", no?

(*) meaning dillo, w3m, links etc.
NOT falkon, surf, dwb, etc. otoh, if those are built around a constantly updated web engine, they are inherently as safe as that engine.
problem is, they often require special builds of those web engines, which are then not updated so often.
it's a mess.

[Head_on_a_Stick]

^ not sure, but i think most if not all security vulnerabilities are tied to javascript (or other forms of client-side scripting).

No, the vulnerabilities are because of the outdated webkit libraries supplied with Debian stable:

https://www.debian.org/releases/stable/ ... r-security

[debiman]

^ yes yes i have seen that many times.
it does not contradict what i asked.
i am really not sure myself about this, but what vulnerabilites can there be without client-side scripting?
in other words, can a browser like links or w3m be vulnerable, i.e. used as an attack vector on the system? how and to what extent?

[Head_on_a_Stick]

can a browser like links or w3m be vulnerable, i.e. used as an attack vector on the system? how and to what extent?

https://www.cvedetails.com/vulnerabilit ... links.html

[pcalvert]

If you're going to use a web browser (installed from a Debian repository) other than Chromium or Firefox, it would probably be a good idea to sandbox it using Firejail.

Phil

[bw123]

can a browser like links or w3m be vulnerable, i.e. used as an attack vector on the system? how and to what extent?

https://www.cvedetails.com/vulnerabilit ... links.html

links ver is at 2.14 in stretch, elinks is at 0.12~pre6-12 so none of those seem active?

Is palemoon vulnerable to mozilla's cve?
https://www.cvedetails.com/vulnerabilit ... zilla.html

[bentHnau]

Is there any way to install palemoon in debian?

I'm a big fan of palemoon. It's a great deal faster and less resource intensive than firefox, especially on older hardware. Is there any reason why it isn't in debian repo? Is there any security concerns? I found a workaround, a repo in opensuse by steve. What about add-ons? Are they safe to install?

I'm asking this because I see several mediocre web browsers(like netsurf) in debian repo but no palemoon.

As an alternative to installation, I have simply run it from the download folder, but I'd rather not use something that isn't in the Debian main repos. I don't consider any Firefox-type addons to be safe. FYI, if you are a NoScript fan, it has been marked unsafe (or something, I can't remember the exact wording) in Palemoon and users can no longer receive support for it.

[debiman]

can a browser like links or w3m be vulnerable, i.e. used as an attack vector on the system? how and to what extent?

https://www.cvedetails.com/vulnerabilit ... links.html

interesting.
does it say when or if those are fixed? i could not find this information.
also, it says "Gained Access Level: None" except for one, that says a local user can gain user access - so not from the internet afaics.
and: 7 vulnerabilites in 15 years - i bet it looks very different for something like firefox:
https://www.cvedetails.com/vulnerabilit ... refox.html
hint: look for descriptions like "script to execute". the word "script" isn't found anywhere on the elinks page.
this was my initial argument.