The officially official Devuan Forum!


#1 2020-01-25 03:42:09

iio7
Member
Registered: 2020-01-25
Posts: 3  

Patch Firefox like OpenBSD

Hi,

I was wondering if you guys are going to patch Firefox like OpenBSD has done so that it doesn't default to DNS over HTTPS?

https://undeadly.org/cgi?action=article … 0911113856

With the agreement between Mozilla and Cloudflare, I think it's a really good idea not to have this enabled by default, and also to remove any default DNS servers so that the user provides his own.

Kind regards

Offline

#2 2020-01-25 15:20:27

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,404  

Re: Patch Firefox like OpenBSD

The most likely scenario (by a long shot) is that we will continue to provide the version of firefox-esr packaged by debian, just like we do for almost all the packages we provide.

It looks like trr is turned off by default. I'm looking at ff-esr 68.4 in beowulf.
network.trr.mode;0

However, if you turn it on, you'll get cloudflare. This value can be modified. I haven't tried it.
network.trr.uri;https://mozilla.cloudflare-dns.com/dns-query

To turn it on, they say to go into Preferences, Network Settings, and then way down at the bottom is a checkbox to turn on DNS over HTTPS and a place to enter a different server.

Thanks for the info.

https://wiki.mozilla.org/Trusted_Recursive_Resolver

network.trr.mode

The resolver mode. You should not change the mode manually, instead use the UI in the Network Settings section of about:preferences

    0 - Off (default). use standard native resolving only (don't use TRR at all)
    1 - Reserved (used to be Race mode)
    2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
    3 - Only. Only use TRR. Never use the native (This mode also requires the bootstrapAddress pref to be set). Note that the native resolver will be used anyway for portal detection and telemetry (Bug 1593873)
    4 - Reserved (used to be Shadow mode)
    5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default.

Offline
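The check described in the post above (is TRR on, and which resolver would it use?) can be run against prefs-file text. This is an added example, not part of the original thread or of any Devuan package. It assumes the file contents are passed in as strings, that later layers override earlier ones, and that pref locking can be ignored; the `audit_trr` and `parse_prefs` names and the sample input are constructed for illustration.

```python
import re

# Mode meanings as given in the Mozilla wiki excerpt quoted in the post above.
TRR_MODES = {0: "off (default)", 1: "reserved", 2: "TRR first, native fallback",
             3: "TRR only", 4: "reserved", 5: "off by choice"}
DOH_ACTIVE = {2, 3}  # modes in which lookups are sent to the TRR resolver

# One pref call per line: pref(...), user_pref(...), lockPref(...), defaultPref(...)
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|lockPref|defaultPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.M)

def parse_prefs(text):
    """Return {name: value} for every pref call in a prefs-file text."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw  # keep anything unrecognised verbatim
    return prefs

def audit_trr(*layers):
    """Merge layers (later text overrides earlier; pref locking is ignored)."""
    merged = {}
    for text in layers:
        merged.update(parse_prefs(text))
    mode = merged.get("network.trr.mode", 0)
    active = mode in DOH_ACTIVE
    findings = []
    if mode not in TRR_MODES:
        findings.append("unknown network.trr.mode value: %r" % (mode,))
    if mode == 3 and not merged.get("network.trr.bootstrapAddress"):
        findings.append("mode 3 set without network.trr.bootstrapAddress")
    return {"mode": mode, "meaning": TRR_MODES.get(mode, "unknown"),
            "doh_active": active, "findings": findings,
            "resolver": merged.get("network.trr.uri") if active else None}

# Constructed sample input: packaged defaults, then a per-profile user.js.
DEFAULTS = '''// constructed sample
pref("network.trr.mode", 0);
pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''
USER_JS = 'user_pref("network.trr.mode", 3);\n'
print(audit_trr(DEFAULTS, USER_JS))
```

With the defaults alone the resolver is reported as `None` even though `network.trr.uri` is populated, which matches the situation described in the post: the URI only matters once the mode is 2 or 3.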

#3 2020-01-25 15:46:14

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 560  
Website

Re: Patch Firefox like OpenBSD

^ Well that is interesting, I thought I had misunderstood the network.trr.mode options but it seems otto@ has set it to "3" in OpenBSD, which would still use CloudFlare for portal detection and telemetry.

DoT ftw!


"It seems that perfection is attained not when there is nothing more to add, but when there is nothing more to take away." — Antoine de Saint-Exupéry

Offline

#4 2020-01-25 16:41:44

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,404  

Re: Patch Firefox like OpenBSD

Head_on_a_Stick wrote:

^ Well that is interesting, I thought I had misunderstood the network.trr.mode options but it seems otto@ has set it to "3" in OpenBSD, which would still use CloudFlare for portal detection and telemetry.

DoT ftw!

Well, that's confusing. The way I read it, Otto changed it from 3, not to 3, and that way the log message makes sense. But I just downloaded firefox from mozilla, and it's set to 0 by default there. (amd64 linux version). So which did Otto really do?

Offline

#5 2020-01-25 16:51:08

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 560  
Website

Re: Patch Firefox like OpenBSD

fsmithred wrote:

Otto changed it from 3, not to 3

The undeadly.org page says "to 3" but I can't find the relevant setting in either all-openbsd.js or the Makefile.

fsmithred wrote:

So which did Otto really do?

¯\_(ツ)_/¯



Offline

#6 2020-01-25 19:23:00

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,404  

Re: Patch Firefox like OpenBSD

It's ambiguous. (Maybe not in UK?) 

, and overriding the network.trr.mode setting from Otto's change to 3.

Could mean "Otto changed it to 3, change it to something else if you want DNS over HTTPS"
or "Change what Otto did ("Otto's change") and set it to 3 if you want DNS over HTTPS"

I think the latter makes more sense given the instructions from the wiki.

Offline

#7 2020-01-25 19:39:42

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 560  
Website

Re: Patch Firefox like OpenBSD

fsmithred wrote:

Could mean "Otto changed it to 3, change it to something else if you want DNS over HTTPS"
or "Change what Otto did ("Otto's change") and set it to 3 if you want DNS over HTTPS"

Yes, you're right.

I'm installing OpenBSD in QEMU now to test, back soon.



Offline

#8 2020-01-25 20:58:14

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 560  
Website

Re: Patch Firefox like OpenBSD

www/firefox-esr in OpenBSD 6.6 has network.trr.mode set to "0" (zero), just like Devuan.

EDIT: upgraded to -current and the setting is the same.

Last edited by Head_on_a_Stick (2020-01-26 14:49:01)



Offline

#9 2020-01-28 01:59:57

iio7
Member
Registered: 2020-01-25
Posts: 3  

Re: Patch Firefox like OpenBSD

It's great it's turned off by default in Devuan too.

However, I have been thinking whether Cloudflare even should be in the choice of DNS server if one turns it on. Also whether Google should be (can't remember if it still is) the default search engine.

I know this isn't a "free" vs "non-free" issue, but more of a privacy issue, but helping users make good choices seems to be a part of Devuan's core, and as such perhaps the field should be empty or at least provide a service that truly respects privacy.

I'm not sure if this is "too much", but I think it would fit Devuan well perhaps?

Offline

#10 2020-01-28 19:16:34

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,404  

Re: Patch Firefox like OpenBSD

From what I've heard, the task of building firefox is too difficult to justify for that simple change. However, something like that might be fixed by a script applied after the install. And such a script might be appropriate in the much-neglected devuan-sanity package. (It's an orphan and it would love to be adopted by some loving maintainer.)

Offline

#11 2020-01-30 01:47:34

iio7
Member
Registered: 2020-01-25
Posts: 3  

Re: Patch Firefox like OpenBSD

I just had a look at it; aside from the Vim part, it hasn't got anything in it: https://git.devuan.org/devuan-packages/devuan-sanity

Hmm.

What is the procedure if someone would like to become a maintainer for that package, and he would like to add something like changing the default settings for Firefox?

Offline

#12 2020-01-30 02:11:26

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,404  

Re: Patch Firefox like OpenBSD

Like I said, it's been abandoned. We don't have an official procedure for becoming a maintainer, but you could make a personal project at git.devuan.org, make the necessary additions to the code, tell people about it here or on the mailing list or IRC, maybe make packages for people to test and use. And then maybe your changes will be brought into the repo.

One thing we do want from anyone who chooses to maintain a package is that you stick with it. It's no good if a package gets into the repo and then nobody updates it when it needs updating.

My personal vision for the sanity package would be to have a debconf dialog that listed all the sane changes and let you pick which ones you wanted. Obviously, there would need to be more than just one item on the list. And I don't want to do the work. I'd rather live without it than have to maintain it.

Another way to do it is with dpkg-divert, which will make a package that replaces a config file in another package. And it tells the package manager what's going on, so your custom changes don't get replaced during an upgrade. Do you know what file in firefox stores the url for the dns server? (Knowing ff, it's probably a binary file.)

Offline

#13 2020-01-30 14:44:32

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 560  
Website

Re: Patch Firefox like OpenBSD

fsmithred wrote:

Do you know what file in firefox stores the url for the dns server?

I think it's set by network.trr.resolvers.

EDIT: deleted nonsense, I really should check before posting...

Last edited by Head_on_a_Stick (2020-01-30 20:19:31)



Offline
