Reprinted with permission from Ryan Farmer

F

rom IRC and the Meeting Notes for today.

First off, Mozilla is “cutting SeaMonkey loose” and not allowing them to use any infrastructure soon. I think they’re just angry that the Suite they threw away in 2006 gets updates and is still cooler than Firefox.

Mozilla finally decided to fully cut us loose in Q3. Formally and legally this is all in order.

• Source code will probably be removed from comm-central because it seems parts of MZLA and/or the Thunderbird council are eager to do the same.



• Fortunately we are mostly independent already and it will not affect the 2.53 line or building releases.
  • Depending on when this will happen we will have a deplayed release and maybe broken updates for one release too.



• If this happens it is unlikely we will pursue upstream fixes for suite any longer and just concentrate on the 2.53 fork



• We need to find replacements for bugzilla, translations via Pontoon, add-on and the distribution site.
  • Reviews for SeaMonkey add-ons seem to no longer be done anyway. We don’t have any access there.

–SeaMonkey Meeting Minutes for August 20, 2023

There were also some disturbing notes about the status of SeaMonkey’s infrastructure:

Our infrastructure is using Azure.

• ewong has been looking at Kallithea, RhodeCode and other similar tools which are needed later to automate source code management for non mozilla repos (tools, website and others).
  • Also evaluation of Ansible and Terraform going together with it is done.

–SeaMonkey Meeting Minutes for August 20, 2023

Usage of Azure for anything is troubling, as it’s just not possible to make Microsoft products secure.

 According to data from Google Project Zero, Microsoft products have accounted for an aggregate of 42.5% of all zero-days discovered since 2014.

Microsoft’s lack of transparency applies to breaches, irresponsible security practices and vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about.

In March 2023, a member of Tenable’s Research team was investigating Microsoft’s Azure platform and related services. The researcher discovered an issue which would enable an unauthenticated attacker to access cross-tenant applications and sensitive data, such as authentication secrets. To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft.

Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers’ networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service.

That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix. And, to the best of our knowledge, they still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk-mitigating actions. Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully, threat actors don’t.

-Tenable CEO Amit Yoran “Microsoft: The truth Is even worse than you think”

It’s good that they’re getting away from Azure for building the binaries from their official Web site (apparently?). Should have never used it. Have no idea what Microsoft might be stuffing in there and there’s no reproducible build data that comes with the binaries, afaik.

Unfortunately, they also consider Azure CDN for hosting the binaries themselves. *facepalm*

Some Capacity planning to find the best price/performance ratio is carried out.

• Other than azure hosting options because of price are also evaluated.



• ewong started to look at Azure CDN as a download server.

-SeaMonkey Meeting Minutes for August 20, 2023

Mozilla has “stopped testing” 32-bit Linux builds of Firefox, but SeaMonkey plans to stop providing 32-bit builds on any platform as well, it seems. It affects SeaMonkey even more because it’s single-process and the Web is so bloated and full of trash that 4 GB of RAM is no longer enough to contain all of the shit people are loading in a Web browser.

frg proposes to end 32 bit release support in 2024. Main reason is that modern websites are memory hungry and the 32 bit only architecture cause more and more oom crashes and subsequent complaints. Mozilla recently stopped testing Linux x86 releases too.

• No consensus reached about it yet. So far building it is possible with gcc 8.3.1 under CentOS 7 and clang under Windows.

-SeaMonkey Meeting Minutes for August 20, 2023

An interesting insight into Mozilla’s Firefox build process. It seems they no longer use shit-ass Windows to create builds for shit-ass Windows. They cross-compile them from Linux in a process that needs Wine?

Mozilla switched Windows builds to cross compile on Linux.

• This would need backports but is not 100% native (needs Wine). So currently no plans to do this for SeaMonkey.



• Discussion for later when setting up jenkins. Even buildbot had some version specific files outside the tree.

-SeaMonkey Meeting Minutes for August 20, 2023

Some talk about wanting to eliminate excessive different compilers.

Microsoft compilers are garbage and the way I understand it, since 2019 they shove telemetry crap in your program whether you want it or not.

When I was looking at WavPack binaries for 64-bit Windows, I ended up using the MinGW builds that were cross-compiled from Linux because Microsoft’s compiler added bloat, ran slower on the CPU, and also pointlessly dropped Windows XP support (both 32-bit and 64-bit x86) although the MinGW builds were smaller, faster and even run on Windows 2000.

To reduce the use of different compilers we are looking into compiling future 2.53 Windows releases with clang 14 or later.

• Currently CentOS 7 can not use the mozilla provided compilers because of a downlevel libstdc.

VS2022 is supported since 2.53.10b1 pre but building is spotty because of changes in new compiler releases.

• The Windows build server will not be switched to it for now and currently compiling with it is broken.

-SeaMonkey Meeting Minutes for August 20, 202

Needs User Agent Hacks, per-site. This tracks with what I’ve experienced. Globally advertising Firefox UA is radically destructive. Currently, I advertise Firefox 102.14 ESR and then set per-site UAs to something else as-needed through about:config. This is advanced user stuff that most people wouldn’t want to do. I mentioned that I do this for GMail in an older blog post so Google’s “Secure Apps” shuts the hell up and gives me my email.

Because of bad user agent sniffing we updated the base UA version some time ago from Gecko 68 to 91.

• Youtube no longer seems to display correctly for some users only advertizing Firefox in the UA.



• Further enhancements are planned for a later release in bug 1737436.



• We want to implement overrides for bad web sites like Waterfox does using a json file containing the UA replacements.
  • The Fedora maintainer already added some of this and we will likely use this in the official release.

-SeaMonkey Meeting Minutes for August 20, 202

Google is being nasty and especially with YouTube. There’s major jank and I usually use it through Piped or Invidious proxies. It’s very helpful that my search engine, Searx Belgium, directs me to Invidious or Piped and also to Old Reddit, as these aren’t rotting bloated trash meant for Google Chrome. I ended up activating Web Components even though it’s not ready because it makes github and gitlab work again.

We are looking into adding support for Custom Elements and Shadow DOM in a later release. No ETA yet.

• What is there has been activated in the current prerelease for testing. Shadow Dom support is mostly still missing.



• Google owned/based websites like youtube are likely to break because of this in the near future. There are already reports of broken functionality on youtube.



• Some good progress has been made and sites which do not need shadow dom start to work with dom.webcomponents.customelements.enabled and dom.webcomponents.enabled set to true.

-SeaMonkey Meeting Minutes for August 20, 202

The situation for add-ons is horrible. Fortunately, old versions of ublock origin and NoScript work for me, and those are the only really important extension types anyway.

SeaMonkey can’t easily handle all of the JavaScript Garbage anymore considering that it doesn’t just hide the mess on other processor cores like Google Chrome and Firefox do.

Without the ads and JavaScript Crap, SeaMonkey normally works fine for me. I route my news and weather to the Gemini resources from gemi.dev over mozz.us’s Web proxy. Then I can get those without the absolute shit show that unfolds in a sad modern browser. There’s a gopher proxy that proxies Reddit to Gopher then mozz.us proxies it back into the Web.

My dad always said where there’s a will there’s a way around it. I took it to heart.

Of course sometimes I just access this stuff over Lagrange. It’s a browser for Gemini and Gopher, which don’t suck. You can read Reddit on Netscape Communicator 4 through Gopher through the native gopher support. Unfortunately, the images can’t be grabbed unless you have a TLS proxy like Crypto Ancienne.

There’s no technical reason why you can’t access information from the Internet except they want to be a big fat goddamn pain in the ass unless you’ve updated your browser 10 times this month and buy a new computer every few years that you shouldn’t need so you can deal with fucking Reddit again.

It’s all spyware and tracking nonsense. It’s basically the only reason you need new computers and the browsers that run on them.

If you’re not fighting them, you’re helping them, and Mozilla isn’t fighting them.

Mozilla claims they have a security app for Linux and can’t figure out what the root account does. (I swear the only reason I write these articles is the opportunity to make some sick burns.)

Anyway,

• WebExtension support in SeaMonkey is tracked in bug 1320556.
  • Work on theme or extension support has not started.
  
  
  
  • Support for Webextension dictionaries and language packs has been added.
  
  
  
  • Manifest v3 support will be mandatory in 2023. Google will no longer accept new extensions using v2 in 2022.
    • We do not plan to support this in the near future.

• NoScript Classic 5.x is still available. Currently 5.1.9.



• uBlock Origin is still available. The latest classic version is currently 1.16.4.30.



• Session Manager is still being updated. Latest version is 0.8.1.14 and supports SeaMonkey 2.53.x.



• Enigmail is supported again. Big thanks.



• The Stylish forks stylem and stylem df version work in 2.53.13.



• DownThemAll fixed 3.1.2 version for 2.53.10 and up.



• Palefill generic polyfill can be used for accessing github, gitlab and other broken sites. Latest working version version is 1.23. Later versions are no longer working in SeaMonkey because of the developers decision to not fix some incompatible changes. Please disable updates or uninstall it.



• github-wc-polyfill can be used for accessing github and gitlab. Both need Custom Elements support right now. Latest version is 1.2.19.
  • The add-on is outdated.

-SeaMonkey Meeting Minutes for August 20, 202

Finally, from IRC…

I gather that 2.53.18 will be a decent-sized release. 2.53.17 seems to have just cleaned up some build environment garbage and made a few changes to JavaScript and such.

More Web platform stuff seems to be on its way.

[8/20/23 09:22] Status of the SeaMonkey Source Tree
[8/20/23 09:23] All building I think. Need to do some central checkins but was real busy in the last weeks.
[8/20/23 09:24] Trying to get SpiderMonkey updated for 2.53. Great progress locally but not yet fully stable with the latest regexp stuff.
[8/20/23 09:28] Not much else here from me for source. But updating masters in git and hg is still just a matter of time. patching becomes slow.
[8/20/23 09:29] what’s the next big Javascript shiny in the radar?
[8/20/23 09:30] * njsg imagines Oracle implementing a JVM on top of Javascript
[8/20/23 09:31] tomman bigint and dynamic modules. But I need to fix my local queue first.
[8/20/23 09:32] dynamic modules are indeed getting a pest, thankfully the regex stuff seems solid on the .18b1 builds
[8/20/23 09:33] tomman yeah crahses pretty fast now in my queue so this needs to work.
[8/20/23 09:33] I either need to fix it or put more stuff in so that the original stuff applies clean(er).
[8/20/23 09:34] Release Train
[8/20/23 09:36] 2.53.17 is done. Wonder if we should do the next beta fast to get the regexp stuff out. Missing support now breaks tons of sites.
[8/20/23 09:39] probably
[8/20/23 09:40] Let my try to fix my queue and if not we do it next week.
[8/20/23 09:41] frg: yes, it would be nice to get your local queue in
[8/20/23 09:44] Extensions Tracking
[8/20/23 09:45] The pref changes still cause fallout but nothing else I think. Fortunately an easy fixer.