as https://librewolf.net/ is the better firefox it woul be nice to deliver librewolf with all the templates. I know that librewolf is not included in the repos of debian, fedora and so on.
But the repos of qubes are added to all these templates so that the special tools and integrations for qubes can be shipped to the templates.
My suggestion is to add librewolf to the qubes-os repo for the templates, so the qubes team can do a bit of version control and / or adding some good plugins if needed to ship their librewolf with every template supported. So we all could benefit from the better security aware browser librewolf and we would not have the small risk to allow an external repo to the distributions we use in the templates.
Perhaps Mullvad Browser is a better choice? I don’t know how sustainable the development of Librewolf is, as, as far as I understand, the maintainers are volunteers.
Mullvad Browser on the other hand is developed by a financially sustainable vpn company. Mullvad Browser is also developed in collaborationn with Tor Browser developers and carries over the Tor Browser’s hardening and fingerprinting protections.
Do I have to be a Mullvad VPN user to run the Mullvad Browser? #
No, you don’t have to be a Mullvad VPN user to run the Mullvad Browser. But we highly recommend that you use a trustworthy VPN in combination with the browser.
Yes, but if you don’t use a trustworthy VPN in combination with the Mullvad Browser your IP address won’t be masked. To avoid data collectors and mass monitors to identify you thanks to your IP address (and hide your traffic from your ISP) – use a trustworthy VPN together with the Mullvad Browser.
I verified it as well. However saying “mullvad browser is intended to be used with vpn and if you are using it without a vpn this is out of its intended use” is a skewed way of looking at it. It is a browser. Developed by a VPN company. You can use it without vpn, in fact, you can remove the mullvad extension from it. And use it as a hardened firefox browser, that shares the tor browser’s fingerprinting hardening.
Why not, I did not know about mullvad browser.
It is good to derive a patchset from librewolf and mullvad browser and have some
browser experts review the diffs of the browsers to decide what a qubes-os browser would need.
I know this would be hard work, so I suggested to just use librewolf and to trust them to some extend.
Also having the browser in a mount name-space could help to additionally secure the browser in order to stop exploits reading the file system of the VM that runs that browser.
Old Downloads would be protected.
Have a shell script wrapper which clears all cache, and removes Downloads and dumps them to a scratch directory, then enters a mount name space launches the browser and after terminating the browser and moves the Downloads to the scratch directory, so next time the browser is more or less “virgin” so there is nothing to see if the browser gets exploited.
BTW off-topic: sending cash to mullvad, does this work, as the workers at the post offices are not well payed and so money letters arriving in sweden could be ripped for cash.
LibreWolf is always a little behind Firefox, making it more vulnerable for zero days. Burdening the Qubes team with monitoring some external repo doesn’t increase the security of such a repo. I’d advice against using LibreWolf for banking etc.
Since I disliked the way Mozilla is going, I decided to switch to LibreWolf for daily untrusted browsing. It was easy to create a minimal-fedora 40 template Minimal templates | Qubes OS and add the LibreWolf repo to it. My untrusted browsing dvm contains both Mullvad and LibreWolf. So, as a happy LibreWolf user I quite disagree with your suggestion
Anybody that’s tried to use LibreWolf as a viable daily replacement knows this is a terrible idea - unless you embrace crashes 15 times a day for generic web browsing.
I did not notice crashes.
Do you give enough RAM for the VM?
4GB RAM is good for 64 bit Linux with just a bit web browsing.
I know 20 years ago the people did complex ASIC designs in verilog
including simulations using only 4GB RAM using a 4 ultra sparc 2 CPU @400MHz,
with Sun E10K…