New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is it abandoned? There is no more updates since december. What happened? #2603
Comments
Ah @#%+, here we go again. Check #2575 for dev's response, and just wait it out. We have no answer aside that the project isn't dead. If you need a temporary solution and you're fine with test versions/beta, check Uazo's test version repo for a more up to date Chromium version. |
Hello, thank you for it. I'll try uazo test version. |
please do not close this issue yet ... next time maybe i do not like to visit for closed issue (and recreate new/duplicated). |
sorry, I'll reopen it |
I think the time has come to accept the inevitable. Project is dead. Enough time has passed for this to make more sense than hoping for any kind of update. |
I hope you are wrong although I fear you are right. I like the browser and it's very sad that it seems to end this way. Without a reasonable notification. I would have full understanding if I knew that the developers have problems of personal nature. We are all only human. But somehow this feels like ghosting. Moreover, CalyxOS is a project that also depends on the browser because it's integrated into their OS. |
Anyone know of any good alternatives or forks? |
Woolyss android version perhaps? |
Mull, is a good option. A fork of Firefox Android with improved privacy. |
If you want a Chromium based browser, you can take a look at Mulch. It's from the developer of DivestOS. BTW, Mull is from the same developer. |
If you aren't using the Beta, swallowing (and forcing down) a crap filled browser like Brave is the only alternative. Bloated with toxic cryto%#@&, but on a privacy level (and security with the frequent if not instant updates) it's the only notBromite Chromium browser worth a damn. Unless you're on GrapheneOS, Vanadium is also good, but it works fully only on the rom. Brave is also the only alternative with an built in adblocker, for those like me drawn to Bromite for the feature. Vivaldi I stopped using because it lags behind two months of updates, so if you're thinking of jumping ship because Bromite is not secure, Vivaldi's not it. Mull is awesome with uBlock, but without Chromium sandboxing I use it only on trusted sites, lack of process isolation hurts it's security if you don't know how to use uBlock advanced mode. Mulch would be kind of good if not for lack of adblocker (last time I tried at least), aside process isolation Mull destroys it. |
Isn't Woolyss releases basically like Bromite? |
I'm gonna be honest, I don't give a damn about privacy. I just want normal Chrome for Android with an ad blocker. |
Firefox would be fine too, really I just want a browser that works and blocks ads |
Try using NextDNS or Adguard DNS for adblocking. I paired them with Bromite in the past and it works wonder. |
Yes it does |
Firefox or better yet, Mull from DivestOS (download the broser by searching on github a program called FFUpdater), can block ads by installing the extension uBlock Origin. (It's pretty easy to do so as well since extensions are a feature compared to Chromium) Better yet, just like Brave, uBlock will block ads even for Youtube compared to Bromite. (Which does still serve me ads for youtube, I use Newpipe for videos, but if you don't, that's a plus) Brave is also chromium like Bromite and Chrome if you don't mind the crypto bloat you can just not engage with. |
See my overview of available mobile browsers here: https://divestos.org/pages/browsers I also track update history for:
|
@welkinpc-91 Seems that you have a big misunderstanding here. Also it's about probably one or two years that firefox has been enabled it's strict site isolation feature also (A.K.A Project Fission) They also utilise some other ways of sandboxing that isn't exist in chromium for critical components called RLBox. These are outdated articles but you can check the validation of my responses by checking code, about:config and searching the Web (although nowadays many ones seems to get money to crush firefox so it's hard for you to find a decent up to date unbiased article and probably you should cave reddit, Mozilla wiki, Mozilla forums, Foss forums and maybe Hackernews (news.ycombinator.com) to find better information than news websites. Probably checking firefox Changelogs, blogs or asking on r/firefox on reddit also be a good option. Regards. Some old articles that I found: https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture/ https://blog.mozilla.org/performance/tag/fission/ https://blog.mozilla.org/security/2021/05/18/introducing-site-isolation-in-firefox/ https://wiki.mozilla.org/Security/Sandbox/Process_model https://hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95/ |
@0xRustlang To be clear: Firefox on Android is inherently less secure than Chromium based browsers due to lack of process isolation, lack of isolateProcess enforcement, lack of CFI, among other security features. |
Per-site process isolation = false? Then what articles in wiki of Mozilla are saying about content processors and parent-child process sandboxing and what is the purpose of Project Fission that already has been enabled? The purpose of project fission is certainly security related as it made a lot of efforts for Mozilla employees to reduce the memory overhead of each process that it creates so that they could eventually turn it on by default in all platforms. Currently even simply checking the amount of sandboxes processes that firefox created in Windows and android can easily prove that. What am I missing? |
You're conflating Firefox for desktop with Firefox for Android, they do not have the same security properties.
"Fission Windows: 0/0 Disabled by default" You can further check about:processes to see if Fission is working:
if you enable Fission on Firefox for Android right now you will have a broken web browser. The remaining development tasks are tracked here: https://bugzilla.mozilla.org/show_bug.cgi?id=1610822 (as was literally linked in my writeup if you read it) |
Firefox on desktop is as secure as any Chromium browser. But we're on a repository for an Android browser, we're talking android browsers here, and site isolation is not yet implemented, making Chromium more secure. Hell, until 111 dFPI or Total Cookie Protection was only a desktop Firefox feature until this very month. Sorry to break it for you, but (Firefox) Android is playing catch up. |
Hmm, Thanks, as I'm not that much technical to read the code of Firefox like you, I can say you are right but what about fission that already is enabled in about:config of Firefox for Android or when I check memory part of Firefox, it shows many processes (Tab1, Tab2, ....) And also same as chromium for android checking its services shows there are about same amount of isolated process as chromium for android (I currently checked and both chromium for android compiled by bromite authors and Firefox beta for android have both 39 isolated tabs or child processes.) Aren't they sandboxing? What am I missing or mistake here? (Except the fact that Mulch, Bromite and vanadium have good performance by disabling the javascript JIT but I haven't tested that on Firefox as I don't want to mess with it when there isn't any official measurements by Mozilla regarding its side affects ;) BTW, your projects are great, I love them :) |
I can't understand, then what is purpose of enabling fission in android (you can check it and it is enabled on android) |
Firefox for Android uses multiple processes for things like pages, extensions, and the renderer process, but they share a lot of context and are not isolated.
Fission is NOT default enabled on Firefox for Android and manually enabling it will break the browser. |
I hope it catch chromium ;) |
all apps are already sandboxed on Android in-part through the use of seccomp |
Your grievances with Brave are fully valid but that said, the con of needing self motivation will permanently be a con for FOSS projects. So many pieces of software have been so close that it hurts, only to get archived or abandoned. There comes a point where you have to put your principles aside until you can use them to get alternatives working. You can turn off all of the rewards in settings > Appearances but if you didn't know that, then yea, it can be REALLY intrusive but it IS possible to have a clean experience with Brave and most important for me is the ability to sync everything. I'm tired of having to manually fiddle with extensions for bookmarks and there's no alternative for history and extensions besides the official Chrome with a Google account. At least with Brave, it's more p2p. |
Words wasted on me since while I don't really like it, I do already have it installed with all the #$%@ settings hidden. Still sucks, especially when compared to desktop (where I use Brave/Firefox/LibreWolf for different tasks) There is no way to remove or hide the wallet or VPN on the hambunger menu in android while on Desktop you absolutely can hide to an extent that crap (settings menus aside), there is also no css element picker for adblock on mobile either. Still while I use uazo's Beta and Mull, I have set it to default for security since it's the browser with the fastest and more frequent updates. Edit: just updated and now it has decided ro turn on Brave News, another useless feature like Firefox's pocket. %$&# with that alongside your rewards and wallet. |
Just a note regarding Brave and security: The 64-bit version from their GitHub releases and also available via FFUpdater is actually 32-bit for reasons unknown, which does mean reduced security. I'd recommend using Aurora Store to get it instead. |
@welkinpc-91 The conclusion seems to be that phones just suck in general. Portability is not even a feature per se. |
That's...annoying and disappointing. |
It's disappointing that brave, with strict anti fingerprinting enabled, does not pass bromites fingerprinting tests. https://www.bromite.org/detect |
May I know why 64bit version is less secure? Is there any technical article if you don't have time to explain it? Thank you BTW, Sorry, what is your opinion about HSTS Preload and certificates pinning questions that I asked from you before? (Here: #2603 (comment)) Thank you so much. |
Chromium and anti-fingerprinting is somehow joke in comparison to Firefox. Even anti fingerprinting techniques can detected in Firefox also but you will blend in TOR and Firefox users. The more they be, the better. Fingerprinting is a very big field. |
While I don't have the answer and I don't know exactly why, you've got one thing mistaken. It's the 32bit version that is less secure than 64bit version. So yeah apparently you have to use google services (or Aurora Store) if you actually want the 64bit version. Which is @#$% because why would they do that, and I'm not exactly thrilled by having one more app from the play store, just like I don't trust f-droid shipped apps. Edit: hopefully @SkewedZeppelin can shed more light on your question. All I found out is that 64bit handles ASLR (preventing exploitation of memory corruption vulnerabilities) much better than 32bit thanks to 64bit having access to more RAM than 32 bit. |
I suspect it is just a packaging issue, but they don't care since GitHub releases isn't their primary release method?
This is the crux, 64-bit offers much larger virtual address space enabling better memory-related mitigations. |
I'm assuming people recommending FFUpdater haven't heard of Obtainium? I'd recommend getting it on GitHub so you can update it through its own app. https://github.com/ImranR98/Obtainium Also on Izzy's repo, though. https://apt.izzysoft.de/fdroid/index/apk/dev.imranr.obtainium |
FFUpdater has the signatures pinned for extra verification among other small features that are beneficial. Obtainium may be fine for some uses, but is a footgun for something as important as a browser. |
Obtainium is too buggy. It has this bug where it keeps offering to update from the latest to a much older version of various apps, in other words to downgrade. This bug has been reported numerous times, but the developer refuses to accept that something is wrong. On github, the latest version clearly states "latest", but obtanium fails to see it and keeps offering old versions. This behavior can be whitnessed by adding uazo's Bromite fork. So yeah, great concept but not a good option until the developer accepts the fact that there is a problem and fixes it. |
@SkewedZeppelin good point regarding the signatures. @ViktorKahu I just tried Uazo's repo in Obtainium and it correctly pulled the correct version. I'll have to search through the issues for Obtainium to see which one you are talking about and how the developer addressed it. |
Yeah, I can confirm its currently working correctly. But one version ago it wasn't. I notice that currently the latest version is sitting at the top of the list. But some times, the latest version is not at the top of the list (even though it still has the "latest" label next to it), in this scenario, obtainium offeres the older version from the top of the list. Point is - it works on and off and that part of the code needs attention. It currently can't be relied on. |
Only Bromite and Uazo's test version pass Bromites fingerprint tests. Brave, Firefox and Mull all do not pass fingerprint tests. |
I've been using Firefox on android for a while and it's got everything I want except a good UI. The UI sucks so much I hate it |
Oh well. I've come to realize @uazo version is better anyway. More advanced ad blocking with custom lists being just one feature that makes it better. https://github.com/uazo/bromite-buildtools My preferred method to keep up to date is with Obtainium (Note that some comments above recommended against it so use your discretion). |
Where I can't use GrapheneOS' Vanadium Browser, I am using DivestOs' Mulch browser now from @SkewedZeppelin . |
It's been a few months since I last checked on this project and it looks like it's still dead, are there any good forks or alternatives yet? I've been stuck with brave since it was the best option but it has a ton of garbage I don't want in it, like the UI changes and crypto. Most of it can be disabled but there are a few things that can't. |
You can use Mulch browser from DivestOS by @SkewedZeppelin |
Uazo's test builds are very stable |
Does mulch have AdBlock? I didn't see it explicitly mentioned. |
My message above is "wrong" |
Preliminary checklist
Can the bug be reproduced with corresponding Chromium version?
No
Bromite version
108.0.5359.156
Device architecture
arm
Android version
12.0
Device model
Moto G60 / Moto G40 Fusion
Changed flags
no one
Is this bug about the SystemWebView?
No
Is this bug happening in an incognito tab?
No
Is this bug caused by the adblocker?
No
Is this bug a crash?
its is not a bug
Describe the bug
There is no more updates since december. What happened?
Steps to reproduce the bug
it is not a bug
Expected behavior
it is not a bug
Screenshots
No response
The text was updated successfully, but these errors were encountered: