Apathy towards the most popular category of extensions has to be for a reason. uBO Lite works well for now
has to be for a reason
eh. I guess we’ll have to disagree on that
for now
Even without UBO-lite (or any extensions for that matter, I have them fully disabled), I don’t see ads. This is because of Trivalent’s utilization of the built-in subresource filter but then also by streaming youtube videos and twitch streams directly to celluloid/mpv, which blocks ads automatically. There’s also Freetube, if you can tolerate Electron, and Pipeline, if you can tolerate using a Piped proxy
offtopic
@RoyalOughtness talking about less bad.
I’m aware that the project doesn’t recommend KDE. Can you share your perspective about the Gnome Sushi in Secureblue?
That’s not true. You can install any MV2 extension, it’s just that they provide a direct way to install 4 selected MV2 extensions should they be removed from the CWS. And also when Google removes support from upstream, they will keep MV2 support for all extensions, but they will only fix bugs if it concerns one of the 4 approved extensions. At least that’s my understanding.
Brave includes a warning about the security risks of the Flatpak version and recommends different options, so they have considered security in this case.
Update: As of v1.81, we host the following Manifest V2 (MV2) extensions on Brave’s backend: AdGuard, uBO, uMatrix, NoScript. These extensions operate independently from the equivalent versions that are currently present on the Chrome Web Store, and have to be downloaded separately. Users can download and enable these 4 extensions from the brave://settings/extensions/v2 page.
I made a feature request on the Brave Discourse that you can vote for, over the security concerns in this thread
They already have an open issue for this. I’m not sure what purpose it serves to bring it up again on their forums. Use hardening patches from Trivalent · Issue #45860 · brave/brave-browser · GitHub
The forum topic I made isn’t limited to Trivalent patches, it also talks about stuff like MV2
But thanks for bringing up the Github issue, I wasn’t aware of it
Slightly off-topic, but are there plans to package Trivalent for other Linux distributions besides Secureblue and Arch (AUR) in the future? Specifically Debian-based distributions and possibly NixOS?
We don’t have any plans to. Also, we’re not at all involved in the AUR package and it isn’t being kept up to date, so you shouldn’t use it. As of writing this, it’s a month out of date, missing numerous CVE fixes including zero-days.
On top of that, using Trivalent outside of secureblue is a security downgrade compared to using it in secureblue, because you’ll miss out on our SELinux policy that provides SELinux confinement for Trivalent. Our policy depends on interfaces from Fedora’s policy, so it’s not usable outside of Fedora-based distributions. We have plans to package our policy as an rpm instead of directly installing it into the images, but that would only be for sake of convenience for Trivalent users on Fedora or Fedora-based distributions other than secureblue.
If we were to decide to package Trivalent for other distros at some point in the distant future, it would mean several prerequisites for those distros. Those distros would have to provide robust SELinux support ootb, including a thoroughly tested base policy, enforcing mode by default, and a thorough set of available interfaces. As far as I know, the only distros that satisfy this prerequisite are RHEL-family distros (including openSUSE which I believe uses Fedora’s SELinux base policy, in fact Trivalent may simply work ootb already on openSUSE although I haven’t tried this so no guarantees).
TLDR: No, since packaging Trivalent for a variety of distros would encourage users to use Trivalent without SELinux confinement, which we have no intention of encouraging or supporting.
Edit: I left an explanation to the same effect at nixpkgs here.
Would there still be any sort of security benefit even without SELinux confinement or does Trivalent depend entirely on that? And what should non-Fedora Linux users use instead (besides Chrome, Edge, or Brave)?
Would there still be any sort of security benefit even without SELinux confinement or does Trivalent depend entirely on that?
Yes it would still have security benefit, but it’s not something we’re interested in supporting/packaging for.
And what should non-Fedora Linux users use instead (besides Chrome, Edge, or Brave)?
You eliminated the only options I would consider recommending
(Chrome/Edge, with certain changes via policy/config)
You eliminated the only options I would consider recommending
(Chrome/Edge, with certain changes via policy/config)
Basically what Cyber-Typhoon said, and I’m not sure I’d trust a browser that pushes AI and Crypto and has done things like inserting affiliates into URLs. Until there’s a security-focused Chromium fork that supports all major Linux distros there’s nothing to use (except Ungoogled Chromium, distro builds of Chromium, or any Firefox fork which I’d prefer anyways despite being less secure).
Cromite has some security patches, and it’s available on Linux.
It may be important to note that Cromite enables JPEG XL, and it isn’t really known how big of a security concern that might be. It’s also not recommended by GrapheneOS due to its ABP adblocker and fingerprinting methods, but you can just use uBO Lite instead of ABP, and a fingerprinting expert said randomization anti-fingerprinting is just as valid for thwarting naive fingerprinters.
All that and Cromite is maintained by a single person afaik. It seems like Cromite enables Manifest V2 and until uBO Lite and other Manifest V3 extensions can support the advanced dynamic filtering capabilities of uBlock Origin, I’m not switching to a browser that only supports Manifest V3.
That was three years ago. Fingerprinting may have changed since then.
there’s nothing to use
I can’t speak for other distros, but before we built Trivalent we used Fedora’s chromium package, somewhat hardened using policies and config. It wasn’t nearly as good of a solution as Trivalent, but it was the best option at the time. I can’t speak for chromium packages by other distros though. I know historically some have disabled several key security features, so you’ll have to do some investigating. But depending on how it’s packaged, that’s potentially an option, albeit not optimal.
Alternatively, if you have the time to learn packaging for your distro, there’s nothing stopping third parties from packaging Trivalent.
I’m confused, Trivalent only supports MV3 and you said you wanted to use it. Also MV3 filtering capabilities can be really strong too:
Also, GrapheneOS’s Vanadium can be accessed with Desktop Mode, and Vanadium appears to meet your security criteria. Since GrapheneOS is a Linux distro, it technically would be something to use
There’s different threat models and use cases. My point is someone who values security is probably better off using a browser like Trivalent or Vanadium but there isn’t really a browser like that supports all major operating systems or at least Linux in general.
I wasn’t going to switch to Chromium, and I have my own use case which can’t be satisfied with any MV3-only browser. I use uBlock Origin for its dynamic filtering capabilities that uBO Lite and MV3 in general won’t support. Yes Manifest V3 has legitimate security improvements and that’s great, and if it wasn’t enforced or if it allowed dynamic filtering which can actually improve privacy moreso than static filters, I’d have no problem with it.
This guide from RKNF404 (primary Trivalent maintainer) may be of interest to folks here: GitHub - RKNF404/chromium-hardening-guide: Harden chromium (somewhat)
