
From: Volker Schlecht <openbsd-ports@schlecht.dev>
Subject: Re: new port: LibreWolf Web browser
To: ports@openbsd.org
Date: Fri, 8 May 2026 00:57:01 +0200

On 4/24/26 12:06 PM, Leah Rowe wrote:

> New update: I updated the port to use LibreWolf 150.0-1 which recently came out,
> mirroring the recent Firefox 150 update in OpenBSD -current

[...]

> With these changes, the versioning and configuration are now much closer to
> OpenBSD's Firefox port.

I absolutely second that. Bumping the port to 150.0.2 was a no-brainer, too.
Stellar work on the port (imho, fwiw etc)!

However, there is something I find worth pointing out ...

> It should be noted that LibreWolf still adds several
> more hardening options versus Firefox, including in this port. I would say that
> an OpenBSD user, who likely wants the best security, will find this LibreWolf
> port very useful.

I didn't look in depth at *all* the patches, but I needed to look a while to
find something that isn't all about rebranding Firefox as LibreWolf.

Particularly the "Security" section of https://librewolf.net/docs/features/
seems to boil down to an opinionated set of default settings:

* Stay up to date with upstream Firefox releases, in order to timely apply
security patches.

They can't be faster than upstream, can they? So if you use Firefox you'll have
those patches faster. Add to that the inevitable delay until the port is updated
and packaged, and LibreWolf on OpenBSD quickly turns out to be the worst option
of all.

* Always force user interaction when deciding the download location of a file.

It's ~/Downloads on OpenBSD, why would we bother deciding all the time?
unveil(2) and a patch in the port make that quite pointless.

* Enable HTTPS-only mode.

/** [SECTION] HTTPS */
https://codeberg.org/librewolf/settings/src/commit/aaed53fbdde76d4d3732a3a4a0d9f5254d557262/librewolf.cfg#L115

* Enable stricter negotiation rules for TLS/SSL.
* Revert user-triggered TLS downgrades at the end of each session.

/** [SECTION] TLS/SSL */
https://codeberg.org/librewolf/settings/src/commit/aaed53fbdde76d4d3732a3a4a0d9f5254d557262/librewolf.cfg#L287

* Disable scripting in the built-in pdf reader.
* Protect against IDN homograph attacks.

https://codeberg.org/librewolf/settings/src/commit/aaed53fbdde76d4d3732a3a4a0d9f5254d557262/librewolf.cfg#L323

* Implement optional extension firewall, which can be enabled manually.

/** [SECTION] EXTENSION FIREWALL
  * the firewall can be enabled with the below prefs, but it is not a sane default:
[...]
  */

... disabled and not a sane default. Some security feature.

* Set OCSP to hard-fail in case a certain CA cannot be reached.

https://codeberg.org/librewolf/settings/src/commit/aaed53fbdde76d4d3732a3a4a0d9f5254d557262/librewolf.cfg#L260


And that's it. All the "hardening" can be achieved on a stock OpenBSD Firefox
with a few settings. Is that really worth a fork and a port, or shouldn't we 
rather discuss the pros and cons of adding some of these to

https://cvsweb.openbsd.org/checkout/ports/www/mozilla-firefox/files/all-openbsd.js,v?rev=1.14

?
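As an added illustration of the point above (this is not code from the post, from LibreWolf or from the OpenBSD port), here is a small Node.js checker that reads Firefox-style `pref()` lines and reports which of the listed hardening items are absent or weakened. The mapping of each item to a Firefox pref name is my assumption about which prefs librewolf.cfg and all-openbsd.js would set; the sample prefs text is constructed.

```javascript
// Added example, not from the mailing-list thread or any OpenBSD/LibreWolf file.
// Baseline: the hardening items discussed in the post, mapped to Firefox prefs
// (mapping assumed by me; the pref names themselves are real Firefox prefs).
const HARDENING = {
  "dom.security.https_only_mode": true,            // HTTPS-only mode
  "security.ssl.require_safe_negotiation": true,   // stricter TLS negotiation
  "security.tls.version.enable-deprecated": false, // no lingering TLS 1.0/1.1 downgrade
  "pdfjs.enableScripting": false,                  // no scripting in the pdf reader
  "network.IDN_show_punycode": true,               // IDN homograph defence
  "security.OCSP.require": true,                   // OCSP hard-fail
  "browser.download.useDownloadDir": false,        // always ask for a download location
};

// Parse lines such as: pref("name", value);  (also user_pref / lockPref / defaultPref).
// Only boolean, integer and double-quoted string literals are understood.
function parsePrefs(text) {
  const re = /^\s*(?:user_pref|pref|lockPref|defaultPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);/;
  const out = {};
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    const [, name, raw] = m;
    if (raw === "true" || raw === "false") out[name] = raw === "true";
    else if (/^-?\d+$/.test(raw)) out[name] = Number(raw);
    else if (/^".*"$/.test(raw)) out[name] = raw.slice(1, -1);
    // anything else (e.g. a comment or unknown literal) is skipped
  }
  return out;
}

// Names of hardening prefs that are missing or set to a value other than the baseline.
function missingHardening(prefs) {
  return Object.entries(HARDENING)
    .filter(([name, want]) => prefs[name] !== want)
    .map(([name]) => name);
}

// Constructed sample: a stock-looking prefs file with only HTTPS-only mode enabled.
const SAMPLE = `
pref("dom.security.https_only_mode", true);   // already hardened
pref("security.OCSP.require", false);         // soft-fail, weaker than baseline
pref("pdfjs.enableScripting", true);
`;

console.log(missingHardening(parsePrefs(SAMPLE)));
```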