Re: Extensions cannot be removed and explanation is broken link

[Clément Lassieur]

Hi Mark,

On Sat, Dec 30 2023, Mark H Weaver wrote:

>> Indeed, it's not obvious to me why Icecat is shipped with:
>> - discontinued HTTPS Everywhere (security issue)
>
> Do you have reason to believe that there's a security issue in HTTPS
> Everywhere?  If so, please substantiate this claim.

- The fact that it relies on a ruleset is a security flaw: all sites
  should be forced to HTTPS.  That's what the extension name implies
  anyway.  It's a security issue because a user could be browsing an
  HTTP site without knowing.

- This is actually worse: the ruleset is not updated anymore.

The built-in HTTPS-only fixes this.  If a site doesn't support HTTPS,
then a warning messages appears and the user has to manually enable
HTTP, temporarily, only for that site.

>> - some USPS related extension (not updated for years) (is having an
>> extension for each site that LibreJS breaks a good idea?)
>
> As I understand it, that extension was added to solve an important
> practical issue faced by those who avoid running nonfree software on
> their machines.
>
> If you know of a specific problem with any of our bundled extensions,
> please substantiate your claims.

The problem is that there are billions sites and we can't afford to have
one bundled extension for each site that is broken by LibreJS.  In other
words: this approach doesn't scale.

> If you have a better suggestion for how we should organize our
> workarounds for nonfree Javascript, please feel free to make a concrete
> proposal.

My suggestion is: we should not bundle them, but the people who need
them can still install them as profile extensions.  Those extensions, if
they are useful, could be listed in Mozzarella, or (for Guix users)
added as Guix packages, etc.

Clément