Jump to content

My Browser Builds (Part 2)


Recommended Posts


16 hours ago, S75 said:

hey. I try install extension (pushbullet) in new moon and have this (error) warning! what this mean ? Its any way to install this extension ?

If my mind does tell me right - you could actually install Jetpack extensions in NM27 through the Moon Tester Tool extension. Download the XPI file for pushbullet, pipe it through MTT and hope that everything will work fine.

Edited by IntMD
Link to comment
Share on other sites

57 minutes ago, IntMD said:

If my mind does tell me right - you could actually install Jetpack extensions in NM27 through the Moon Tester Tool extension. Download the XPI file for pushbullet, pipe it through MTT and hope that everything will work fine.

Holly shirt =) Its mostly working, its not normal login, mast login every time when send push and it redirect me to webPush, but any way that's something.

Edited by S75
Link to comment
Share on other sites

@S75: Welcome to the MSFN forums :)

First thing you should ask yourself is whether you actually expect any legacy (XUL) version of the Pushbullet extension to work today; this extension relies on third-party infrastructure (secure logins to their servers, etc.) and they may have blocked old "unsupported" versions of their addon, on old "unsupported" browsers, on old "unsupported" OSes (you get my drift...) from even connecting to their service (for "security" reasons, no doubt... :angry:).

The latest version 347 of their Firefox extension is still available, but - as expected - in WebExtensions format, not compatible with New Moon 27/28, but possibly compatible with FirefoxESR 52.9.1 and Serpent 52/55:

https://addons.mozilla.org/en-US/firefox/addon/pushbullet/versions/

In the remote possibility any XUL Pushbullet version is still functional, then CAA extension

caa:addon/pushbullet/versions

reveals that the latest legacy version 316 dates from Dec 28th 2015, while the last "supposedly" NM27 compatible version 179[.1-signed] dates from Feb 22nd 2015

The Tycho platform (forked from FxESR 38) on which NM27 is built doesn't support Jetpack SDK legacy extensions, and that was a decision made at the time by the Moonchild team of developers; so you can't directly install such extensions in NM27, as the browser itself warns you about...

The tool pointed to by @IntMD was developed to mitigate that imposed limitation (among several others), but it does not work universally on all types of JetPack SDK extensions - don't ask me why, I'm not an XUL extension developer.

Force-installing an officially unsupported extension via the aid of the MTT always carries an inherent risk of browser profile corruption! Do keep this in mind and act accordingly (i.e. back up!). Second, if the unsupported extension is force-installed (in [TEST] mode) via said tool, you have no reassurance it will function as designed...

4 hours ago, IntMD said:

Download the XPI file for pushbullet, pipe it through MTT and hope that everything will work fine.

I have run some tests on my old NM27 version here, I first downloaded to disk file pushbullet-179-fx.xpi, selected it via MTT (about:addons => Moon Tester Tool 1.2.0 => Options => Select file...) and it was still impossible to install :realmad:

I then tried to do the same with latest legacy version 316, which claims to support Fx 38.0a1 - 49.*; since Tycho is forked from FxESR 38, we stand a fair chance of it being NM27 compatible; following the same procedure, file pushbullet-316-an+fx.xpi did manage to install successfully - but I can't vow about its usability...

OT: I wrote this post with NM27 that I seldom use now (UXP forks are mostly used here) and discovered the MSFN post editor has several minor issues (absent on UXP) - but is otherwise functional... :P

Edited by VistaLover
Link to comment
Share on other sites

On 10/28/2019 at 11:47 AM, VistaLover said:

The latest version 347 of their Firefox extension is still available, but - as expected - in WebExtensions format, not compatible with New Moon 27/28, but possibly compatible with FirefoxESR 52.9.1 and Serpent 52/55:

https://addons.mozilla.org/en-US/firefox/addon/pushbullet/versions/

Later versions won't install, but version 335 at the above link installs in Serpent 55 (Edit: but not Serpent 52 :() and appears to run. But my Android phone is too old for a complete test (Android 5.0 required).

 

On 10/27/2019 at 1:31 AM, luweitest said:

@roytam1: Could later releases provide a GPG signature? Security is quite a concern for browsers.

On 10/27/2019 at 4:29 AM, roytam1 said:

never think about it as these are just my personal builds.

On 10/27/2019 at 9:34 PM, luweitest said:

Then publish an SHA-1 hash of the file? Anyway I think your personal builds would get spread.

Presumably the purpose would be to ensure the downloads haven't been tampered with. If so, https: already provides adequate assurance against tampering "in transit."

As for someone hacking into @roytam1's server and altering the files, presumably such a hacker would be smart enough recalculate the SHA hashes and alter those files too, so publishing SHA hashes provides little additional assurance. You really would need a GPG signature to guard against that possibility. (Roytam would never put his private key on the server, so it would be impossible for a hacker to recalculate valid signatures for altered files.)

Luckily GPG is free, so signatures can be produced and published at no cost (unlike, say, code-signing certificates).

Edited by Mathwiz
Link to comment
Share on other sites

21 hours ago, roytam1 said:

this could be possible to put *.sha1 files to the server.

 

2 hours ago, Mathwiz said:

Presumably the purpose would be to ensure the downloads haven't been tampered with. If so, https: already provides adequate assurance against tampering "in transit."

As for someone hacking into @roytam1's server and altering the files, presumably such a hacker would be smart enough recalculate the SHA hashes and alter those files too, so publishing SHA hashes provides little additional assurance. You really would need a GPG signature to guard against that possibility. (Roytam would never put his private key on the server, so it would be impossible for a hacker to recalculate valid signatures for altered files.)

Luckily GPG is free, so signatures can be produced and published at no cost (unlike, say, code-signing certificates).

Hashes could be published in a different place (presumably here with weekly release announce) to prevent alteration with executables. As time goes, the files would get spread to different channels like software sites, P2P share etc., without a method to verify. The original release site may also get blocked, closed, etc. No doubt GPG signature is preferred, yet @roytam1 may not be ready for it; so SHA1 could be published right now.

Link to comment
Share on other sites

3 hours ago, luweitest said:

As time goes, the files would get spread to different channels like software sites, P2P share etc., without a method to verify.

but gpg generates .sig/.asc file for the signature which may not be spread together as well.

EDIT: I prepared my key and you can get it with command:

gpg --recv-keys --keyserver pgp.key-server.io 0xD3DD285F6205667A

Key fingerprint = 5705 CD21 AB46 17A9 0724  D3A6 D3DD 285F 6205 667A

Edited by roytam1
Link to comment
Share on other sites

3 hours ago, roytam1 said:

but gpg generates .sig/.asc file for the signature which may not be spread together as well.

Pack them together in 7z?

I think that disadvantage of separated GPG sig compared to integrated CA sig is not due to technical reason but OS support.

Link to comment
Share on other sites

Where is the trigger for email-subscription of this part2-thread. since part 1(til page 200) is closed i  dont get email-messages anymore.
SSE-installation
btw: I am now using portable loader-in the same directory like updates. each in its own. Because installer not working. we discussed it seems my pcs failure.
When time is ripe I will generate an SSE-sticky here. Have videodownload-workaround not implemented at the moment and  there are still palemoon 27-crashes. Maybe due to videodriver-problem-cannot solve at the moment or all trials didnt help. new-same type videocard didnt help.
Update: Have found it under Notifications but its looking completely different than yours in PM27-SSE. Where yours is on upper right side its showing Follow and No of people following and showing them after clicked.

MSFN_PALEMOON-NOTIFICATIONS.png

Edited by 3dreal
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...