From: Leah Rowe
Subject: Re: new port: LibreWolf Web browser
To: Volker Schlecht, ports@openbsd.org
Date: Fri, 15 May 2026 11:03:16 +0100

Brief follow-up:

Stuff like Widevine is also removed in LibreWolf. I'm not even sure
whether such features work on FireFox in OpenBSD (is the binary available?)

I don't use FireFox but I have studied OpenBSD's ff port closely. It's
pretty conservatively patched, and that is how I think it should remain.

That said, there's no reason why the FireFox port couldn't be further
hardened, again as non-invasively as possible as it already does.
LibreWolf is for people who want everything maximally hardened.

Doing what you proposed would also mean duplicating what LibreWolf
already does :)

On 15.05.26 at 10:59, Leah Rowe wrote:
>
> All good points, but I do think there is merit in having a separate
> port for LibreWolf.
>
> The existing FireFox port is quite conservative about how it patches
> Firefox, for OpenBSD-specific requirements. Look more carefully at
> LibreWolf. They have hundreds of patches for Firefox, that they
> maintain per release.
>
> In my experience, they're pretty good about syncing with Mozilla,
> often providing new LibreWolf releases on the same day as each FireFox
> release.
>
> I think it makes sense to have the relatively vanilla FireFox port in
> its current form, alongside a LibreWolf port. I'll have more work done
> on the port after the OpenBSD 7.9 release, such as:
>
> * Further consolidate the port, such that FireFox and LibreWolf both
> use a common module, that I will add: www/mozilla-browser - then both
> ports would more or less just have the same Makefile, with a few
> tweaks, but both Makefiles would be smaller. Like how you have
> www/mozilla with lots of common config. www/mozilla-browser will just
> be a common module specifically for browsers, still piggybacking off
> of common www/mozilla
>
> * Remove use of the mozconfig-based bootstrap in LibreWolf, and patch
> using CONFIGURE_ARGS and co, as in FireFox. This will mean that the
> Makefile is relatively in sync with FireFox
>
> * After these two are done, it's quite possible that I could perhaps
> make LibreWolf a *flavour* instead, of the firefox port?
>
> There is already precedent for forks in OpenBSD, e.g. see www/tor-browser
>
> I haven't done these yet, plus there's been one or two new LibreWolf
> releases. I'm not in any rush until after OpenBSD 7.9 is out, since
> ports tree is locked until then anyway. A few patches and I can have
> the above done in a day (including time taken for compiling, which is
> a lot, on my machine).
>
> But no, I disagree entirely with your fundamental point. Replicating
> LibreWolf's modifications to FireFox would mean adding literally
> hundreds of patches. These patches from LibreWolf are Git patches,
> which would be way more patches in OpenBSD which does not allow
> specifying multiple files to change within the same diff file, when
> patching sources, so your proposal would actually result in a much
> messier FireFox port.
>
> Look at the source repo for LibreWolf, from git, and you'll see all
> the patching plus bootstrapping they do. What I use in my OpenBSD port
> is the resulting tarball generated from their bootstrap. The LibreWolf
> tarball is, for all intents and purposes, a drop-in that replaces the
> Firefox tarball, and can be used in more or less the same way, but I
> believe OpenBSD should regard it as a separate browser, hence this port.
>
>
> On 07.05.26 at 23:57, Volker Schlecht wrote:
>> On 4/24/26 12:06 PM, Leah Rowe wrote:
>>
>>> New update: I updated the port to use LibreWolf 150.0-1 which
>>> recently came out, mirroring the recent FireFox 150 update in
>>> OpenBSD -current
>>
>> [...]
>>
>>> With these changes, the versioning and configuration is now much
>>> closer to OpenBSD's FireFox port.
>>
>> I absolutely second that. Bumping the port to 150.0.2 was a
>> no-brainer, too.
>> Stellar work on the port (imho, fwiw etc)!
>>
>> However there is something I find worth pointing out ...
>>
>>> It should be noted that LibreWolf still adds several more hardening
>>> options versus FireFox, including in this port. I would say that an
>>> OpenBSD user, who likely wants the best security, will find this
>>> LibreWolf port very useful.
>>
>> I didn't look in depth at *all* the patches, but I needed to look a
>> while to find something that isn't all about rebranding Firefox as
>> Librewolf.
>>
>> Particularly the "Security" section of
>> https://librewolf.net/docs/features/
>> seems to boil down to an opinionated set of default settings:
>>
>> * Stay up to date with upstream Firefox releases, in order to timely
>> apply security patches.
>>
>> They can't be faster than upstream, can they? So if you use Firefox
>> you'll have those patches faster. Add to that the inevitable delay
>> until the port is updated and packaged, and Librewolf on OpenBSD
>> quickly turns out to be the worst option of all.
>>
>> * Always force user interaction when deciding the download location
>> of a file.
>>
>> It's ~/Downloads on OpenBSD, why would we bother deciding all the time?
>> unveil(2) and a patch in the port makes that quite pointless.
>>
>> * Enable HTTPS-only mode.
>>
>> /** [SECTION] HTTPS */
>> https://codeberg.org/librewolf/settings/src/commit/aaed53fbdde76d4d3732a3a4a0d9f5254d557262/librewolf.cfg#L115
>>
>> * Enable stricter negotiation rules for TLS/SSL.
>> * Revert user-triggered TLS downgrades at the end of each session.
>>
>> /** [SECTION] TLS/SSL */
>> https://codeberg.org/librewolf/settings/src/commit/aaed53fbdde76d4d3732a3a4a0d9f5254d557262/librewolf.cfg#L287
>>
>> * Disable scripting in the built in pdf reader.
>> * Protect against IDN homograph attack.
>> https://codeberg.org/librewolf/settings/src/commit/aaed53fbdde76d4d3732a3a4a0d9f5254d557262/librewolf.cfg#L323
>>
>> * Implement optional extension firewall, which can be enabled manually.
>>
>> /** [SECTION] EXTENSION FIREWALL
>>  * the firewall can be enabled with the below prefs, but it is not a
>> sane default:
>> [...]
>>  */
>>
>> ... disabled and not a sane default. Some security feature.
>>
>> * Set OCSP to hard-fail in case a certain CA cannot be reached.
>>
>> https://codeberg.org/librewolf/settings/src/commit/aaed53fbdde76d4d3732a3a4a0d9f5254d557262/librewolf.cfg#L260
>>
>> And that's it. All the "hardening" can be achieved on a stock OpenBSD
>> Firefox with a few settings. Is that really worth a fork and a port, or
>> shouldn't we rather discuss the pros and cons of adding some of these to
>>
>> https://cvsweb.openbsd.org/checkout/ports/www/mozilla-firefox/files/all-openbsd.js,v?rev=1.14
>>
>> ?
>

-- 
Company director, Minifree Ltd
Registered in England, No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK
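
Added example, not part of the thread and not code from either port: a small checker that reads a Firefox-style pref file and reports which of the settings listed in the quoted message are set, wrong or missing, ignoring prefs that only appear inside comments (as with the extension firewall block). The pref names and expected values are standard Firefox preferences supplied here as assumptions, not copied from the linked librewolf.cfg or all-openbsd.js, and `SAMPLE` is constructed input.

```javascript
// Added example: audit a Firefox-style pref file for the settings listed in the thread.
// Pref names are standard Firefox preference names supplied here as assumptions; they
// are not copied from the linked librewolf.cfg or from the port's all-openbsd.js.
const EXPECTED = {
  "dom.security.https_only_mode": true,            // HTTPS-only mode
  "security.ssl.require_safe_negotiation": true,   // stricter TLS negotiation
  "security.tls.version.enable-deprecated": false, // deprecated TLS stays off
  "pdfjs.enableScripting": false,                  // no scripting in the PDF reader
  "network.IDN_show_punycode": true,               // IDN homograph protection
  "security.OCSP.require": true,                   // OCSP hard-fail
  "browser.download.useDownloadDir": false,        // always ask where to save
};
// Matches pref(...), user_pref(...), defaultPref(...) and lockPref(...) lines.
const PREF_RE = /^\s*(pref|user_pref|defaultPref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

function parsePrefs(text) {
  const prefs = new Map();
  // Drop block comments first so prefs that are only documented do not count.
  const live = text.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const line of live.split("\n")) {
    if (/^\s*\/\//.test(line)) continue; // commented-out pref
    const m = PREF_RE.exec(line);
    if (!m) continue;
    let value = m[3];
    try { value = JSON.parse(m[3]); } catch (e) { /* keep the raw text */ }
    prefs.set(m[2], { value, locked: m[1] === "lockPref" }); // last definition wins
  }
  return prefs;
}

function audit(text) {
  const prefs = parsePrefs(text);
  const report = { ok: [], wrong: [], missing: [] };
  for (const [name, want] of Object.entries(EXPECTED)) {
    if (!prefs.has(name)) report.missing.push(name);
    else if (prefs.get(name).value === want) report.ok.push(name);
    else report.wrong.push(name);
  }
  return report;
}

// Constructed sample input, not the contents of any real port file.
const SAMPLE = `
pref("dom.security.https_only_mode", true);
/* pref("security.OCSP.require", true); */
// pref("pdfjs.enableScripting", false);
pref("network.IDN_show_punycode", false);
lockPref("browser.download.useDownloadDir", false);
`;
```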