O Iceape, where art thou?

News and discussion about development of the Debian OS itself

Re: O Iceape, where art thou?

Postby mor » 2013-11-14 11:24

I don't know Phil, I can't claim to be absolutely sure about it (in this I would really appreciate the input of more knowledgeable users than me), but I think what you're saying is not right.

I want to start from the last thing, the upgrading by reinstalling (that is: re-download and re-unpack into /opt ).
I think it is overkill.
Let me make you an example: when you upgrade your system through apt, you temporarily give root permission to that tool (apt-get, aptitude or whatever you use). If by any chance that tool gets compromised, then you are caught with your pants down. Why you do it then?
Because you trust debian's sources and have confidence that when you give root privileges to apt you won't get screwed.

Now, upgrading Seamonkey by running it as root just to upgrade, is pretty much the same thing. As long as you trust the source (and frankly I have no reason not to trust it), there's no problem in upgrading the browser through its built-in feature.

Let's move now to the main issue: security problems in running Seamonkey from the user's home or from system-wide installation.

Through the years I have seen many guides and articles that instructed users about the installation of Mozilla related products (they all work the same as far as we are concerned). They all either suggested to install under the user's home or under /usr or /opt or other system-wide locations, but never I read about security reasons in preferring one over the other (or maybe if there were, they could favor a user's home installation as we'll see later).

I just did a quick search and found a document about installing Firefox on GNU/Linux and they have no problem in suggesting to install in the user's home.
This doesn't prove that what you are saying is wrong, after all there are other guides that only suggest a system wide installation, but it is an official guide that proposes a method without talking about a security flaw.
Actually the only reason for choosing one installation over the other is whether one wants to have Firefox or Seamonkey or whatever available for a single user or for all users.

Now, the reasoning.

As far as my understanding of privileges goes (and it doesn't go far, so I'm humbly just saying how I see it), what matters is not where the files physically reside or who owns them. What matters is who executes those files.

Say you have a script that'll delete all files under the user's home and this script is located both in /usr/bin/malicious-script and ~/.scripts/malicious-script.
What's the difference in executing them?

I see none, either you execute them with root privileges or with your user, files will be deleted (this is why we have to only use scripts we know or from sources we trust).

On the other hand, say we have a similar script, copied in the same two locations, but this time the script will delete root files instead of user's home files.
In this scenario only by executing the script as root you'll do the damage, a user will simply be denied, regardless of whether he executes the script under root or the one under his home.

So, a malicious script or malware or whatever that aims at destroying your home, might be a problem regardless of where you launch Seamonkey from, and as for a script that aims at destroying your system, it won't do anything as long as you don't run it as root.

Now, in this regard, as I anticipated before, having a Seamonkey installation in /opt or any other system-wide location, would actually represent a higher risk than having it in the user's home, but only when used as root, which in turn would only be a realistic risk if used as root for anything but upgrading.

In fact, as I said, if you only run Seamonkey as root for the purpose of upgrading (no navigation, no mail, no nothing else) you won't expose the root profile or the executed process to potential threat. The only source of problems could be the built-in upgrading feature which, as I said before, I think we can trust.

What do you think?

Anybody else cares chipping in a matter of security?
User avatar
mor
 
Posts: 970
Joined: 2010-08-28 15:16
Location: mor@debian

Re: O Iceape, where art thou?

Postby pcalvert » 2013-11-15 19:29

mor wrote:I want to start from the last thing, the upgrading by reinstalling (that is: re-download and re-unpack into /opt ).
I think it is overkill.

Maybe it's overkill, but it is a simple thing to do. It also allows me to easily revert to the previous version if I experience any problems with the new version. That's because I do this before I reinstall:
Code: Select all
# cd /opt
# mv seamonkey seamonkey_prev


mor wrote:In fact, as I said, if you only run Seamonkey as root for the purpose of upgrading (no navigation, no mail, no nothing else) you won't expose the root profile or the executed process to potential threat. The only source of problems could be the built-in upgrading feature which, as I said before, I think we can trust.

That makes sense to me. I never said that I don't do it that way because of security concerns.

Phil
pcalvert
 
Posts: 1737
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: O Iceape, where art thou?

Postby mor » 2013-11-15 20:37

pcalvert wrote:Maybe it's overkill, but it is a simple thing to do.

Not as simple as using the built-in upgrade feature, that's for sure.

pcalvert wrote:It also allows me to easily revert to the previous version if I experience any problems with the new version. That's because I do this before I reinstall:
Code: Select all
# cd /opt
# mv seamonkey seamonkey_prev

Well then just make it a "cp" instead of "mv " and you are done. ;)

pcalvert wrote:I never said that I don't do it that way because of security concerns.

Well, I remember you said:

pcalvert wrote:I would need to run SeaMonkey as root in order to do that, which is something I am not fond of doing (as well as being a little bit of a hassle). And yes, I know I could install SeaMonkey in my home directory as a normal user, but doing it that way is not as secure as installing it as root in /opt.

Which makes me think you do as you do exactly for security reasons.

So, since you now seem to agree that there are no security concerns either in installing in the user's home or in /opt and using the built-in upgrade feature as root, and given that using the built-in upgrade feature is always much simpler than how you currently do, I think you can reconsider your procedure. ;)

Of course you will still do as you like, personal preference always trumps even best procedures when is a matter of trivial decisions, but since you joined the discussion maybe you are interested in a new approach. Who knows!

Bye Phil, take care. :)
User avatar
mor
 
Posts: 970
Joined: 2010-08-28 15:16
Location: mor@debian

Re: O Iceape, where art thou?

Postby gradinaruvasile » 2013-11-24 22:03

First i did the root install route and all, but i got lazy and just extracted Seamonkey in my home folder. As i have a 64 bit system and use their 64 bit "unofficial" builds from their site, i get no automatic updates anyway (so far at least).
Anyway, if there is some malware that manages to run code i really really doubt it will go against the browser's binaries/libraries. It will either try to compromise the system by trying to install services and whatnot, either run code as the user/access your data in your home dir or maybe go after your user profile's saved passwords - none of these cases are mitigated by installing as root and running as user.
Seamonkey is very very handy if you use a browser all the time and use a mail client - it saves the ~150-200 MB overhead (Thunderbird) and still runs fast and stable.
User avatar
gradinaruvasile
 
Posts: 935
Joined: 2010-01-31 22:03
Location: Cluj, Romania

Re: O Iceape, where art thou?

Postby mor » 2013-12-18 11:11

And as feared, Iceape is officially dead.
viewtopic.php?f=19&t=109937

Time to move on (or back) I guess. :(
User avatar
mor
 
Posts: 970
Joined: 2010-08-28 15:16
Location: mor@debian


Re: O Iceape, where art thou?

Postby mor » 2013-12-19 10:53

Are you a brother Iceaper/Seamonkeyer too?

Yesterday I wasn't gonna do it at first, that "aptitude purge iceape" was really impossible to type.
I guess I wanted to have closure by holding onto it for a few more days, but then I decided to pull the tooth and there, no more Iceape, back to Seamonkey, like before Lenny (or around that time I think).

Well, it was a nice ride, I will miss that icy gorilla in my dash, now I have to readjust my eyes to the Seamonkey logo (that I never even liked from the very beginning when it was chosen).

Who knows, maybe one day we will see it again. :?
User avatar
mor
 
Posts: 970
Joined: 2010-08-28 15:16
Location: mor@debian

Re: O Iceape, where art thou?

Postby curtaintwitcher » 2013-12-19 17:42

I used to be a seamonkey user, but switched back to firefox for reasons I can't recall.

You can install seamonkey in /opt from the binaries, or Debianise the source, and build your own package. Of course this means rebuilding every time there's an update.
curtaintwitcher
 
Posts: 160
Joined: 2013-12-05 13:46

Re: O Iceape, where art thou?

Postby oswaldkelso » 2013-12-19 17:48

Well I've removed iceape :cry: and installed seamonkey . I didn't purge just removed and everything on the outside seems the same. Bookmarks all there and even chatzilla works as before with all my channels and settings working just fine.

I'm not sure if I'll stay with seamonkey in it's base form or at all. I always liked it when the browser and composer were separate packages as in squeeze. I may try and build it from source as I never really use the mail-news or address components. I use claws and abook for that. I'm not sure if it's worth the effort.

I am a little worried about the lack of security patches. Having Debian at your back was very reasuring. I guess I don't trust mozilla as much as I trust Debian.

While I'm very happy with chatzilla I avoid iceweasel/firefox the interface sucks in comparison to iceape no matter how I configure it. I've already started to experiment for a life without iceape on my wheezy machine using dwb as my browser and loqui for irc maybe it's time for me to move on but it's hard All the other browsers have issues for me where as iceape was a sanctuary of sanity. Sad sad day
Ash init durbatulûk, ash init gimbatul,
Ash init thrakatulûk agh burzum-ishi krimpatul.
User avatar
oswaldkelso
 
Posts: 1079
Joined: 2005-07-26 23:20
Location: UK

Re: O Iceape, where art thou?

Postby mor » 2013-12-19 18:31

curtaintwitcher wrote:I used to be a seamonkey user, but switched back to firefox for reasons I can't recall.

You can install seamonkey in /opt from the binaries, or Debianise the source, and build your own package. Of course this means rebuilding every time there's an update.

Thanks, I did see the links in your previous post, and I had already made the switch back to Seamonkey.
I know well how to set and configure SM from the Seamonkey Project site. I used it (and all that it was before) for all my internet life (from the mid 90's) and even when Ice* products were created by debian, I kept using Seamonkey for some time. Only after it was reintroduced in Lenny I dropped Seamonkey for Iceape.
Until yesterday. :shock:

oswaldkelso wrote:Well I've removed iceape :cry: and installed seamonkey . I didn't purge just removed and everything on the outside seems the same. Bookmarks all there and even chatzilla works as before with all my channels and settings working just fine.

Purging doesn't affect the user's profile (with the bookmarks, extensions, mail or whatever), which is in ~/home/user/.mozilla/seamonkey/profile name.
You can safely purge Iceape, although it is not like you have to.

oswaldkelso wrote:I'm not sure if I'll stay with seamonkey in it's base form or at all. I always liked it when the browser and composer were separate packages as in squeeze. I may try and build it from source as I never really use the mail-news or address components. I use claws and abook for that. I'm not sure if it's worth the effort.

It probably isn't.
At least it was never worth for me: I never needed Composer and still never bothered to get rid of it. :D

oswaldkelso wrote:I am a little worried about the lack of security patches. Having Debian at your back was very reasuring. I guess I don't trust mozilla as much as I trust Debian.

Oh boy, do you have any idea about when was the last update for Iceape?
This is not a matter of trusting or not Mozilla over debian, if we were talking about Iceweasel/Firefox I could even understand. But Iceape is basically dead since last February (read my earlier posts) and even before then, it was never updated in a timely fashion in regard to security updates or otherwise. ;)

You will get all the patches just by keeping Seamonkey updated directly through the built-in update/upgrade feature.

And anyway, I don't think that unless you have very specific and sound reasons (i.e. not just "a feeling") not to trust Mozilla's packages as much as you trust debian, I think you can feel fairly safe in using Seamonkey.

Would it help to know that Seamonkey is developed by a sort of subsidiary of Mozilla, from an independent team that operates under the umbrella of Mozilla.org (the non-profit organization) and not Mozilla.com (the Firefox enterprise)?

oswaldkelso wrote:While I'm very happy with chatzilla I avoid iceweasel/firefox the interface sucks in comparison to iceape no matter how I configure it. I've already started to experiment for a life without iceape on my wheezy machine using dwb as my browser and loqui for irc maybe it's time for me to move on but it's hard All the other browsers have issues for me where as iceape was a sanctuary of sanity. Sad sad day

If you found yourself comfortable with Iceape so far, I think you you should really reconsider your concerns about Mozilla's Seamonkey. ;)

Bye
User avatar
mor
 
Posts: 970
Joined: 2010-08-28 15:16
Location: mor@debian

Re: O Iceape, where art thou?

Postby mrkapqa » 2014-04-22 08:37

hello , i'm new here to this forum.

i also like iceape because it is really fast and kinda switched after i heard richard stallman talking about flash (about how it it "rings home" every time i watch content).
felt really at ease, and i still do.

using iceape 2.7.11 installed via a package archive
http://pkgs.org/debian-squeeze/mozilla- ... 4.deb.html

but it is also available (the 2.0.x) version via squeeze or backports i guess.


only thing that annoys me is that there is no autoplay on youtube which i really like and also if you install GNASH which should be a shockwave-flash alternative you are not able to play streamed movies 8which probably is not so bad either :)

so as long as i can do i will hang on to ICEAPE hopefully that someone is gonna revive it.

yours,
rich
:)
mrkapqa
 
Posts: 56
Joined: 2014-04-22 08:30

Re: O Iceape, where art thou?

Postby gradinaruvasile » 2014-04-22 09:20

mrkapqa wrote:hello , i'm new here to this forum.

i also like iceape because it is really fast and kinda switched after i heard richard stallman talking about flash (about how it it "rings home" every time i watch content).
felt really at ease, and i still do.

using iceape 2.7.11 installed via a package archive
http://pkgs.org/debian-squeeze/mozilla- ... 4.deb.html

but it is also available (the 2.0.x) version via squeeze or backports i guess.


only thing that annoys me is that there is no autoplay on youtube which i really like and also if you install GNASH which should be a shockwave-flash alternative you are not able to play streamed movies 8which probably is not so bad either :)

so as long as i can do i will hang on to ICEAPE hopefully that someone is gonna revive it.

yours,
rich
:)


That 2.7.11 is old. Nowadays browsers get updated very often and many times these updates contain security-related bugfixes. Keeping an old version of a program that might come in contact with malicious content every day might not be a good idea.

IMHO there is no point in clinging to .deb packages in this case, as the seamonkey site has perfectly functioning 32 and 64 bit Linux builds ( i use them for a long time). The 32 bit version even auto updates if you have it in a user-writable location (or at least reports if new updates are available if the user cannot write there).
User avatar
gradinaruvasile
 
Posts: 935
Joined: 2010-01-31 22:03
Location: Cluj, Romania

Re: O Iceape, where art thou?

Postby pcalvert » 2014-04-22 17:24

pcalvert
 
Posts: 1737
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: O Iceape, where art thou?

Postby hjheins » 2015-01-21 21:19

Hi All,

somewhat late in this thread (I hope not too late).
I did a build of Seamonkey on Wheezy.
I saw the Mepis solution, but that is a static binary which is dumped in a deb file.
This version is actually built on and for Debian Wheezy.
Due to the fact that the underlying libraries are a bit of a moving target, and to limit the amount of dependencies, I made a build including xul, nspr, nss, libjpeg, sqlite3. (the Wheezy versions are too old).

You can check out the version here:
http://hjh.syssap.nl/Debian/Wheezy/amd64
http://hjh.syssap.nl/Debian/Wheezy/i386

or as apt location:
deb http://hjh.syssap.nl/Debian/Wheezy ./
deb-src http://hjh.syssap.nl/Debian/Wheezy ./

Hendrik-Jan
hjheins
 
Posts: 3
Joined: 2015-01-21 21:13

Re: O Iceape, where art thou?

Postby mrkapqa » 2017-10-12 07:58

Hello Hendrik-Jan,


thank you very much, Seamonkey is great , too.


Unfortunately it is not available for Powerpc ; i always relied on Iceape , but now it is no more downladable via Debian.
mrkapqa
 
Posts: 56
Joined: 2014-04-22 08:30

PreviousNext

Return to Debian Development

Who is online

Users browsing this forum: No registered users and 4 guests

fashionable