MasterOne

Active Member

Reaction score: 16
Messages: 171

Is anybody interested in creating a port for this (preferably with libva support for HW accelerated video)?
There is an open issue for adding FreeBSD support but that hasn't found more interest since 2016, though I'm confident that @Eloston is willing to provide support if any questions arise.

Regular Chromium just doesn't cut it privacy-wise and I don't see the point in the many Chromium clones except that one project that just removes anything Google, resulting in a plain Chromium without all the nasty stuff. I know that there is Iridium browser in ports, but that one gets updated quite infrequently (so I'm concerned about possible security issues) and since ungoogled-chromium lists Iridium browser as one of the sources for borrowed features it's just not the same.

P.S. I would (try to create a port for it) if I could, but I'm not a programmer or developer but just a user. I'm currently still on Arch Linux, but I think I want to try with FreeBSD after quite some time on my laptop again.
 
MasterOne

:-/ Have you considered adapting the www/iridium port to do what you want?
I have no experience in that and I'm not using FreeBSD yet (the missing ungoogled-chromium port just came up when I was looking through FreshPorts for the apps that I'm regularly using). ;)
 

kpedersen

Daemon

Reaction score: 1,648
Messages: 2,471

I have no experience in that and I'm not using FreeBSD yet (the missing ungoogled-chromium port just came up when I was looking through FreshPorts for the apps that I'm regularly using). ;)

Yeah, Iridium goes one step further than the ungoogled-chromium port in that it actively tracks for remaining telemetry / tracking behavior in the browser. I would suggest that even if both were in ports, to go for Iridium regardless.
 
MasterOne

Yeah, Iridium goes one step further than the ungoogled-chromium port in that it actively tracks for remaining telemetry / tracking behavior in the browser. I would suggest that even if both were in ports, to go for Iridium regardless.
Really? AFAIK it's the other way around, so Iridium does some improvements, but ungoogled-chromium is the project that takes some patches from Iridium and takes care that all traces to Google are eliminated. It's been a while that I have taken a look into that matter (when I was searching for something like Bromite for my Linux laptop), but ungoogled-chromium was the recommendation then, also because Iridium always lagged behind in updates.
 

unitrunker

Aspiring Daemon

Reaction score: 240
Messages: 537

I've adopted the strategy of periodically running pkg audit to check for vulnerabilities. When something pops up, I can read the CVE to see if it actually affects me. It might be for a feature that I've disabled. I can refrain from using the software until it's fixed or limit its use in a way that has less risk.

In your example, that may require running a different browser (like Midori) until the software is updated.
 
MasterOne

I've adopted the strategy of periodically running pkg audit to check for vulnerabilities. When something pops up, I can read the CVE to see if it actually affects me. It might be for a feature that I've disabled. I can refrain from using the software until it's fixed or limit its use in a way that has less risk. In your example, that may require running a different browser (like Midori) until the software is updated.
Certainly a valid option, it's not about having the latest version of a browser because of features, but security & privacy, so unless someone takes on the ungoogled-chromium port (@forkbomb9 has shown interest in the mentioned GitHub issue), Iridium together with regular pkg audits and an alternative browser in case of problems may be the better way to go than using plain Chromium, with which I'm just not comfortable.
 

kpedersen

Really? AFAIK it's the other way around, so Iridium does some improvements, but ungoogled-chromium is the project that takes some patches from Iridium and takes care that all traces to Google are eliminated.

You are right, I have just read the site and that is what ungoogled-chromium does say. However I read on the mailing lists that Iridium also obtains patches from ungoogled-chromium.

I think it is possibly more of a situation that they both share their changes and benefit from one another. I am quite sure that the tracking detection put into Iridium (to trace where in the code potential tracking code is hidden) certainly first started there.
 
MasterOne

I think it is possibly more of a situation that they both share their changes and benefit from one another. I am quite sure that the tracking detection put into Iridium (to trace where in the code potential tracking code is hidden) certainly first started there.
Surely just a matter of preference, it's just that I know and use ungoogled-chromium but not Iridium, and having a FreeBSD port for it surely is of no disadvantage.
 
MasterOne

You are right, I have just read the site and that is what ungoogled-chromium does say. However I read on the mailing lists that Iridium also obtains patches from ungoogled-chromium.
I have just taken a look, and the real catch indeed is that the releases of Iridium are just too infrequent:
  • Current version of Chromium: 81.0.3990.1
  • Current version of ungoogled-chromium: 78.0.3904.108-2
  • Current version of Iridium: 2019.11.78 (78.0.3904.87?)
The current release of Iridium is from 7th November, the previous was from 10th April (based on Chromium 73.0.3683.103), so a lot was going on in the meantime as can be seen from the number of releases of ungoogled-chromium during that period.
 

kpedersen

I have just taken a look, and the real catch indeed is that the releases of Iridium are just too infrequent

Yes true. I tend to not really care about versions when it comes to the web (every version is terrible XD). However yes, I notice Iridium lags slightly compared to others. I also notice that the maintainer for OpenBSD keeps it slightly more up to date (and includes extensions such as pledge(2) support). However so long as it has "javascript and html5 support", I am mostly happy with the FreeBSD version haha.

That said, this version is for upstream; potentially there could be many more updates (security updates) done by the project itself rather than Google so potentially this is why Iridium uses a different versioning system entirely.
 
MasterOne

Yes true. I tend to not really care about versions when it comes to the web (every version is terrible XD). However yes, I notice Iridium lags slightly compared to others. I also notice that the maintainer for OpenBSD keeps it slightly more up to date (and includes extensions such as pledge(2) support). However so long as it has "javascript and html5 support", I am mostly happy with the FreeBSD version haha.
I just don't want to wait for any security fixes when it comes to a web browser, it's already frightening enough that a web browser is mainly a JavaScript interpreter nowadays.

And it actually involves a two-step delay, at first it comes down to the release of a new version (which is already lagging behind official Chromium, but for other reasons), then on how long it takes till the port gets updated, which obviously is another problem with the Iridium port, because although FreshPorts shows that the port got updated on 7th November, so the same day a new version of Iridium was released, the port still features the previous version that was released on 10th April.
 

kpedersen

I just don't want to wait for any security fixes when it comes to a web browser, it's already frightening enough that a web browser is mainly a JavaScript interpreter nowadays.

Indeed. Though in 2019; "Newer" doesn't always mean more secure. Each release brings more broken shite with it.

Also, you might well do this already but just run the browser in a Jail and you are quite possibly more secure than running the latest version of any browser. If you are (correctly) worried about tracking, just reset the Jail each time you launch it.

I would trust IE6 in a FreeBSD Jail over an uncontained upstream Google Chrome any day for both security and privacy :D
 
MasterOne

Indeed. Though in 2019; "Newer" doesn't always mean more secure. Each release brings more broken shite with it. Also, you might well do this already but just run the browser in a Jail and you are quite possibly more secure than running the latest version of any browser. If you are (correctly) worried about tracking, just reset the Jail each time you launch it. I would trust IE6 in a FreeBSD Jail over an uncontained upstream Google Chrome any day for both security and privacy :D
As stated above, I'm not using FreeBSD yet (writing this from my laptop with Arch Linux). Running the web browser in a jail definitely is a tempting option, but I don't know how difficult this is to set up yet (I just started re-reading the FreeBSD manual and I may not find the time to actually install FreeBSD before the Christmas Holidays).

Check mark on investigating on how to run the web browser in a jail.

I know that newer is not actually better, as can be seen from the current unfortunate steps with Chrome/Chromium and controversial Manifest v3 hindering essential ad-blocking plugins like uBlock Origin, or the missing WebEx API for the new 'dns' CNAME 1st-party tracker trickery that can be dealt with in Firefox but not in Chrome/Chromium.

Right now I'm torn between Firefox and ungoogled-chromium, and in my opinion both are just not ideal. I use Firefox with the Multi-Account Containers + Temporary Containers plug-in, but I often get an annoying TLS error in a certain container, which forces me to restart Firefox or close all tabs of that container. That and some other annoyances make me want to use ungoogled-chromium with multiple profiles instead, but the way Chromium is going does not really look good for its future.

And yes, this is going way off-topic. I just wish there were another valid browser option, but right now I'd say the best way to go would be ungoogled-chromium with multiple profiles and the usual essential plug-ins like uMatrix / uBlock Origin running in a jail. ;)
 

kpedersen

With Linux, it won't be quite as effective but you can still consider using a standard chroot. Most malware still doesn't expect the browser to be run in a chroot so will not attempt to break out. It is still pretty effective.

Arch makes it fairly easy to set up: https://wiki.archlinux.org/index.php/Chroot

A more secure alternative could be Linux Containers (LXC) but I have never used them. I am sure by the time I get round to learning, they will be replaced with something else (probably starting with "systemd-" ;)
 

rufwoof

Active Member

Reaction score: 78
Messages: 235

With Linux, it won't be quite as effective but you can still consider using a standard chroot. Most malware still doesn't expect the browser to be run in a chroot so will not attempt to break out. It is still pretty effective.

Arch makes it fairly easy to set up: https://wiki.archlinux.org/index.php/Chroot
If you also use capsh to drop cap_sys_chroot within the chroot (blocking the otherwise common escape by chroot'ing out of a chroot) then that's generally good enough.
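
A check for the capability drop suggested in the post above, as an added example that is not part of the original thread: it reads the capability masks from a `/proc/<pid>/status` file and confirms that CAP_SYS_CHROOT (bit 18) is gone. The chroot path `/srv/browser-root`, the script name `check.sh` and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm that CAP_SYS_CHROOT was really dropped.
# Hypothetical launch as root (path and script name are assumptions; the
# chroot must contain /bin/bash and a mounted /proc):
#   capsh --chroot=/srv/browser-root --drop=cap_sys_chroot -- /check.sh --self

CAP_SYS_CHROOT=18   # bit number from <linux/capability.h>

# cap_field NAME FILE: print the hex mask of e.g. CapBnd from a status file.
cap_field() {
    awk -v key="$1:" '$1 == key { print $2 }' "$2"
}

# mask_has_bit HEXMASK BIT: succeed if BIT is set in HEXMASK.
mask_has_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# chroot_cap_dropped FILE: return 0 only if CAP_SYS_CHROOT is absent from the
# bounding, permitted and effective sets; 1 if still present; 2 if the file
# lacks one of the fields and no decision is possible.
chroot_cap_dropped() {
    for field in CapBnd CapPrm CapEff; do
        mask=$(cap_field "$field" "$1")
        [ -n "$mask" ] || return 2
        if mask_has_bit "$mask" "$CAP_SYS_CHROOT"; then
            return 1
        fi
    done
    return 0
}

# With --self, report on the current process tree (run inside the chroot).
if [ "${1:-}" = "--self" ]; then
    if chroot_cap_dropped /proc/self/status; then
        echo "CAP_SYS_CHROOT dropped: chroot(2) is no longer available"
    else
        echo "CAP_SYS_CHROOT still present or status unreadable"
    fi
fi
```

An unprivileged process has empty permitted and effective sets but usually a full bounding set, so the check deliberately fails there: a setuid binary could still regain the capability.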
 

Trihexagonal

Daemon

Reaction score: 1,682
Messages: 2,258

I just don't want to wait for any security fixes when it comes to a web browser, it's already frightening enough that a web browser is mainly a JavaScript interpreter nowadays.

I use the NoScript extension with www/firefox-esr and only allow scripts on an as-needed basis as I go. I also use uBlock Origin with a hosts file, HTTPS Everywhere, Privacy Badger, Toggle Referrer and the User-Agent Switcher extensions in addition to tweaking settings in Preferences and about:config.

I run portsnap fetch update, pkg audit -F, freebsd-update fetch and security/rkhunter on a daily basis. When there is a vulnerability listed for Firefox it's usually taken care of in a short amount of time, and if it is something that takes an extended period of time I limit where I go online till a patch becomes available.

I rarely ever use the Private Browsing feature and running it in a jail seems like overkill to me.
 
MasterOne

With Linux, it won't be quite as effective but you can still consider using a standard chroot. Most malware still doesn't expect the browser to be run in a chroot so will not attempt to break out. It is still pretty effective.
I'm not considering any more improvements to my current Arch Linux setup, because if the hardware of my laptop plays along, it will be replaced by FreeBSD as soon as I find the time.

I use the NoScript extension with www/firefox-esr and only allow scripts on an as-needed basis as I go. I also use uBlock Origin with a hosts file, HTTPS Everywhere, Privacy Badger, Toggle Referrer and the User-Agent Switcher extensions in addition to tweaking settings in Preferences and about:config.
Any particular reason why you stick to ESR instead of the latest version?

I haven't thought about the general web browser issue for a long time, but I kept myself busy reading up on that matter just recently when I fiddled around with installing and tweaking Arch Linux on my laptop and LineageOS for microG on my Android mobile phone.

Although I have installed Firefox with a useful selection of privacy related add-ons on my phone as well, I find myself mostly using the Bromite web browser with JavaScript disabled lately. The typical stuff I read on my phone using the web browser usually works more or less fine with JavaScript disabled, as long as no site navigation or other functions are involved, and if needed it can be enabled quickly from the main menu. JavaScript really has become a nasty cancer making it unthinkable to surf the web without any kind of protection.

Bromite is based on Chromium as well, which was the reason for my desire to have an ungoogled version available on my laptop as well.

I run portsnap fetch update, pkg audit -F, freebsd-update fetch and security/rkhunter on a daily basis. When there is a vulnerability listed for Firefox it's usually taken care of in a short amount of time, and if it is something that takes an extended period of time I limit where I go online till a patch becomes available. I rarely ever use the Private Browsing feature and running it in a jail seems like overkill to me.
Security and privacy have become so much more important to me lately (which was also a reason why I could not resist signing up at that Surfshark VPN special). Your daily routine is very much what I had in mind as well.
 
MasterOne

I have seen that both ports for Chromium and Iridium are maintained by the freebsd-chromium@freebsd.org mailing list, to which I have just subscribed and sent the following message:

I've just seen on FreshPorts that Iridium browser is shown with version 2019.04.73_2 (which is the release from 10th April) last updated on 2019-11-07 although version 2019.11.78 has been released on that same day:

https://github.com/iridium-browser/iridium-browser/releases

May I use that opportunity to suggest a port of ungoogled-chromium as well, because it is considered the superior version of a Google free experience:

https://forums.freebsd.org/threads/ungoogled-chromium.73240/

Hopefully that was not against any rules or etiquette, or is there a certain procedure in place to report an outdated port to its maintainer?
 
MasterOne

Well, some time has passed, but neither did the Chromium & Iridium FreeBSD ports get updated nor was there any feedback on the freebsd-chromium mailing list, which is slightly disappointing considering that both ports are up-to-date for OpenBSD.

I don't know, maybe I should kick the idea of using a Chromium-based browser and just stick to Firefox (though I'm not really happy with my current setup using the Multi-Container and Temporary Container plugins; the easy use of different profiles in Chromium-based browsers just makes more sense to me).

If only there were a REAL alternative to the two (Chromium-based & Firefox)... :(
 

kpedersen

If only there were a REAL alternative to the two (Chromium-based & Firefox)... :(

If the latest version is your main priority; then the www/netsurf port is completely up to date (3.9 at the time). XD

Joking aside; I used to use firefox because Mozilla at the time seemed less creepy than Google but that has since changed and they are pretty much as crap as each other; I possibly recommend an older version of Chrome over the latest firefox purely due to performance.

Also, there is an OpenBSD presentation on porting Chromium that explains why Chrome is years ahead of firefox when it comes to security (I couldn't find it again but if you really want a read, I'll give it another try).

I know it is for OpenBSD but the following might be useful to help give you ideas on how to lock down Chromium / Iridium.

https://www.c0ffee.net/blog/openbsd-on-a-laptop/#chromium

Though much of the outcome of many discussions is that browsers in 2019/20 are malware and that you should sandbox them somehow. Jail, Chroot, LPAR, Zone, VM. OpenBSD's pledge system also does some of this behind the scenes.

(Edit: Semi a talk; semi mailing list convo about why Chrome vs Firefox in terms of security / privacy: http://openbsd-archive.7691.n7.nabble.com/chromium-and-firefox-myths-and-facts-td345018.html)
 
MasterOne

OpenBSD devs seem to like Chromium which got enhanced by pledge and unveil support and is kept up-to-date. The use of Iridium seems to be discouraged because it's lagging behind quite a lot concerning the implementation of security and bug related patches.

The ideal solution really would be an ungoogled-chromium port, but with the lack of interest and the required effort in keeping such a complex piece of software up-to-date it is understandable if it is not going to happen. The alternative would be to stick to Chromium and lock it down as well as possible as described in the above link concerning OpenBSD on a laptop.

Has anyone seen a recent tutorial on how to install Chromium in a jail? Not sure what the opinion is on Bastille, they list Chromium and Firefox templates on their website, but in their GitLab group only the Firefox template can be found. With a method that's easy enough to jail Chromium this would be an interesting approach.

Some other thing that I have just read:
FreeBSD has Capsicum, but from what I’ve heard the Chromium upstream has been reluctant to integrate the patches, so they rotted. Which is kind of weird, given they (Google) have their own port of Capsicum to Linux. Oh well.
.
.
Yes, I guess there is little doubt that capsicum is the superior (compared to seccomp) capabilities framework, but if it's not used outside of FreeBSD's base, (e.g. ssh, bhyve, etc.) then it is indeed a shame.

The web browser situation really has become an annoying problem.
 