Feature-request Librewolf as standard browser

Hi all,

as https://librewolf.net/ is the better firefox it would be nice to deliver librewolf with all the templates. I know that librewolf is not included in the repos of debian, fedora and so on.
But the repos of qubes are added to all these templates so that the special tools and integrations for qubes can be shipped to the templates.
My suggestion is to add librewolf to the qubes-os repo for the templates, so the qubes team can do a bit of version control and / or adding some good plugins if needed to ship their librewolf with every template supported. So we all could benefit from the better security aware browser librewolf and we would not have the small risk to allow an external repo to the distributions we use in the templates.

What do you think?

cheers

luja

3 Likes

Hi

This kind of topic was discussed in this GitHub issue: "create or fork a Linux distribution for default use by App Qubes for better security" (Issue #9332, QubesOS/qubes-issues).

3 Likes

Debian Bookworm included extrepo to address the security concerns.

2 Likes

Librewolf is not included in Debian or Fedora, so it’s unlikely to become part of their official templates.

https://www.qubes-os.org/faq/#what-is-qubes-attitude-toward-changing-guest-distros

1 Like

No.

Perhaps Mullvad Browser is a better choice? I don’t know how sustainable the development of Librewolf is, as, as far as I understand, the maintainers are volunteers.

Mullvad Browser on the other hand is developed by a financially sustainable vpn company. Mullvad Browser is also developed in collaboration with Tor Browser developers and carries over the Tor Browser’s hardening and fingerprinting protections.

3 Likes

No, the browser was intentionally designed to work with a VPN, ideally theirs, not without it:

1 Like

Perhaps, but I have been using it without any vpn for a long time and it works without issues.

4 Likes

Using a browser against its designed use case should not be the basis of a feature request for replacing Firefox ESR in every templateVM.

Do I have to be a Mullvad VPN user to run the Mullvad Browser?

No, you don’t have to be a Mullvad VPN user to run the Mullvad Browser. But we highly recommend that you use a trustworthy VPN in combination with the browser.


Can I use the Mullvad Browser without a VPN?

Yes, but if you don’t use a trustworthy VPN in combination with the Mullvad Browser your IP address won’t be masked. To avoid data collectors and mass monitors to identify you thanks to your IP address (and hide your traffic from your ISP) – use a trustworthy VPN together with the Mullvad Browser.

2 Likes

Sure, how about verifying the quote I provided earlier?

I verified it as well. However saying “mullvad browser is intended to be used with vpn and if you are using it without a vpn this is out of its intended use” is a skewed way of looking at it. It is a browser. Developed by a VPN company. You can use it without vpn, in fact, you can remove the mullvad extension from it. And use it as a hardened firefox browser, that shares the tor browser’s fingerprinting hardening.

4 Likes

Okay, that should be a better argument for opening a GitHub issue about it and getting the feature implemented.

3 Likes

Maybe it is good to suggest the tor-browser developers to fork in librewolf into their tor-browser.
So the tor-browser gets better hardening.

1 Like

Why not, I did not know about mullvad browser.
It is good to derive a patchset from librewolf and mullvad browser and have some browser experts review the diffs of the browsers to decide what a qubes-os browser would need.
I know this would be hard work, so I suggested to just use librewolf and to trust them to some extent.

Also having the browser in a mount namespace could help to additionally secure the browser in order to stop exploits reading the file system of the VM that runs that browser.
Old Downloads would be protected.
Have a shell script wrapper which clears all cache, and removes Downloads and dumps them to a scratch directory, then enters a mount namespace, launches the browser, and after the browser terminates moves the Downloads to the scratch directory, so next time the browser is more or less “virgin” so there is nothing to see if the browser gets exploited.

BTW off-topic: sending cash to mullvad, does this work, as the workers at the post offices are not well paid and so money letters arriving in Sweden could be ripped for cash.

Who has experience with payment to mullvad?

1 Like
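A sketch of the wrapper described in the post above, as an added example that is not part of the original thread. It uses bubblewrap (`bwrap`) to create the mount namespace; the `librewolf` command, the `~/.cache/librewolf` cache path, the `~/scratch` directory and the `--run` switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: bubblewrap (bwrap) is
# installed, the browser command is "librewolf", its cache is ~/.cache/librewolf.

# Remove the on-disk browser cache; refuses to run with an empty path.
clear_cache() {
    rm -rf -- "${1:?cache dir required}"
}

# Move everything in Downloads ($1), dotfiles included, into a fresh
# directory under the scratch dir ($2). Prints that directory if files moved.
stash_downloads() {
    src=$1 scratch=$2
    [ -d "$src" ] || return 0
    mkdir -p "$scratch"
    dest=$(mktemp -d "$scratch/downloads.XXXXXX") || return 1
    find "$src" -mindepth 1 -maxdepth 1 -exec mv -- {} "$dest"/ \;
    # Nothing to stash: drop the empty directory and print nothing.
    rmdir "$dest" 2>/dev/null || printf '%s\n' "$dest"
}

# Run a command in a new mount namespace where the scratch dir ($1) is
# covered by an empty tmpfs, so stashed downloads are not visible to it.
run_hidden() {
    hide=$1; shift
    bwrap --dev-bind / / --tmpfs "$hide" -- "$@"
}

main() {
    home=${HOME:?HOME must be set}
    scratch=${SCRATCH_DIR:-$home/scratch}
    mkdir -p "$scratch"
    clear_cache "${CACHE_DIR:-$home/.cache/librewolf}"
    stash_downloads "$home/Downloads" "$scratch" >/dev/null
    run_hidden "$scratch" "${BROWSER_CMD:-librewolf}" "$@" || true
    # Anything downloaded during this session is stashed for the next start.
    stash_downloads "$home/Downloads" "$scratch" >/dev/null
}

# Launch only when asked, so the functions can also be sourced and tested.
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Only the scratch directory is hidden here; the browser profile and the rest of the home directory stay readable inside the namespace.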

No, Tor Browser is designed for anonymity first.

Create a separate topic in the All around Qubes category.

LibreWolf is always a little behind Firefox, making it more vulnerable to zero days. Burdening the Qubes team with monitoring some external repo doesn’t increase the security of such a repo. I’d advise against using LibreWolf for banking etc.

Since I disliked the way Mozilla is going, I decided to switch to LibreWolf for daily untrusted browsing. It was easy to create a minimal-fedora 40 template (see "Minimal templates | Qubes OS") and add the LibreWolf repo to it. My untrusted browsing dvm contains both Mullvad and LibreWolf. So, as a happy LibreWolf user I quite disagree with your suggestion :)

1 Like

Anybody that’s tried to use LibreWolf as a viable daily replacement knows this is a terrible idea - unless you embrace crashes 15 times a day for generic web browsing.

2 Likes

Before I even knew about Qubes I tried to install it once or twice and couldn’t due to errors. Didn’t invest time in it as it’s not worth it.

1 Like

I did not notice crashes.
Do you give enough RAM for the VM?

4GB RAM is good for 64 bit Linux with just a bit of web browsing.
I know 20 years ago the people did complex ASIC designs in Verilog including simulations using only 4GB RAM using a 4 ultra sparc 2 CPU @400MHz, with Sun E10K…

1 Like