It appears a decision has been made, but as a LibreWolf enjoyer I wanted to respond to the dialogue I’m seeing here. I’m also no expert so please correct me if I misspeak.
Firstly, please stop comparing LibreWolf to Chromium-based browsers. If LibreWolf is too insecure to recommend simply because it’s not Chromium, then so is Firefox. And if Firefox is secure enough to recommend, then a fork like LibreWolf must make significant enough regressions to lose that status.
So then, what exactly are the downgrades LW makes from FF? Here are the main points I see brought up here, and my response to each:
- It bundles uBlock Origin, which uses Manifest v2 and increases attack surface.
Ignoring the fact that the arkenfox project (which I see cited here as the alternative to using LW) profusely recommends using uBO, removing it is a simple 2-click process if you don’t want it. Many necessary security settings for FF, such as enabling HTTPS everywhere, are harder and more hidden than that. Also, after removing uBO, any Manifest v2 extensions must be added manually, so any risks around that apply to FF as well.
- [Insert setting here] isn’t set properly by default (Google Safe Browsing, etc.).
By definition, this can be changed by the user. FF requires changing preferences as well – arguably far more extensively – so this criticism doesn’t hold up if FF is to be recommended.
- Being a software fork, it will be behind in updates, which is a security risk.
This is a valid concern, and the most we can ask for is a dev team that proves their ability to push timely updates. Projects like Brave or Vanadium have proven themselves, so we carefully recommend them.
That said, I’m tired of this FUD that LW can’t be trusted with updates. I sometimes see it suggested but never justified. My lazy searching found that the LW Flatpak was updated within 1 day of the current FF update, which seems reasonable to me. I’m not saying I’m certain that the LW devs have never fallen behind on updates, I’m just asking the people who do say so to back up their claims.
- There are no automatic updates, which is a security risk.
This is a serious concern, and probably enough for LibreWolf to not be recommended by Privacy Guides.
However, I would suggest that it deserves something like an “honorable mention” slot. When automatic updates are available, such as on Linux via Flatpak, it matches or outclasses Firefox in every way, save for the slight delay in updates. Everything can be configured the same way as Firefox, but LibreWolf is far more convenient and minimal. People learning from this site deserve to know about LibreWolf and the conditions that make it viable.