YSK: Garuda Lunux default browser (FireDragon) contains problematic extensions

tartarsauce, 10 months ago (edited 10 months ago)

These are literally default search extensions from Mozilla that come with every vanilla Firefox install - some basic digging would’ve told you that (in fact, your very screenshot shows that the extension IDs come from Mozilla). They’re what allows the search options for those sites in Firefox. If you go to search settings and turn those search engines off, they have zero effect on you. Or better yet, simply hit “remove” in those settings to completely get rid of them, which makes them no longer show up anywhere, even about:debugging.

You’re welcome to move away from Garuda; it just wouldn’t change anything. You could also fork the code to remove the extensions by default, but at that point ask yourself why neither LibreWolf nor the Garuda team found it necessary to remove these extensions by default if they were actually a privacy threat (and again, you could just remove them yourself in 5 seconds through search settings).

Honestly, these default search providers could potentially be removed simply because more privacy-focused users have no reason to use such search engines, but that’s something you should take up with the LibreWolf/Garuda team in a polite discussion.

Here, this post could potentially affect Garuda’s reputation for something that’s completely harmless and is 2 layers upstream from them (FF > LibreWolf > FireDragon). It also makes privacy enthusiasts look silly and paranoid.

I understand why seeing these would make you suspicious, but the next step would be to look it up somewhere rather than jumping to a conclusion.

OP, I’m not trying to scold you (and I’m sorry this comment feels that way) . Rather, this is a reminder to everyone here: please do some due diligence before posting stuff.

(P.S. As someone who once also used this distro and browser, I would also recommend to just setup FF or even LibreWolf the way you want instead of using this specialized distro fork. Not for any malicious reason, but simply because important security updates are bound to come late to a fork of a fork.)

rodneyck, 10 months ago

Well said.

tartarsauce, 10 months ago

Thanks, but I worry it may have been a little too assholish on my part. Again, I wasn’t trying to bring OP down and definitely don’t want to be one of those smug “I know better than you and will jump on every mistake of yours” types. I know what it’s like to have those kind of people jumping on your throat for a relatively minor thing, because I’ve made this kind of mistake before. Just want to state again that my intent isn’t to dogpile on OP but to remind everyone to be cautious before assuming.

I edited the comment to remove the unnecessary snarky chromium bit. !@elltee I’m sorry if this comment made you feel shitty. It isn’t what I intended to do.

rodneyck, 10 months ago

LOL, we can all come off sounding a little assholish, don’t worry about it. You made sound points. The OP came off sounding a bugle of fear without doing any research, or backing up any of their concerns. You stepped up.

dngray, 10 months ago

Just a reminder, we specifically recommend against Garuda due to their unsafe usage of Chaotic-AUR.

rodneyck, 10 months ago

I would not recommend this guide. It only recommends rolling releases, so basically Arch. I use Arch btw, Garuda. However, it then goes on to say that only moderate or advanced users should use Arch. It also doesn’t recommend Debian or any debian based distros. I find this funny as many corporate servers use Debian, and I don’t really see any huge security issues since the 90’s waving red flags of warnings and issues. By following this guide, it really leaves no option for beginner linux enthusiasts. I (we) recommend not folloing this guide as it reads like privacy paranoia propaganda piece.

dngray, 10 months ago

If you’re going to use Arch use Arch. It is incredibly dangerous to be blindly trusting things in AUR, when they can be contributed by anyone.

However, it then goes on to say that only moderate or advanced users should use Arch

Yes because there is less QA, there is nobody testing those things before they are released to you. It also requires you to make a lot of selections which unless you know what components to choose (I also use Arch) would be not great for a newbie user.

I find this funny as many corporate servers use Debian, and I don’t really see any huge security issues since the 90’s waving red flags of warnings and issues.

A lot of them are Ubuntu these days, or Centos. In a corporate environment you tend to be running a lot of containerized workloads because you want redundancy, and high availability.

By following this guide, it really leaves no option for beginner linux enthusiasts. I (we) recommend not folloing this guide as it reads like privacy paranoia propaganda piece.

TLDR being there is no reason to look beyond Fedora or Ubuntu for a newbie user. That is the point that it makes. These other obscure distributions don’t provide anything that you need.

rodneyck, 10 months ago

TLDR being there is no reason to look beyond Fedora…

This whole privacy issue is about trust. And clearly your privacy recommendations are biased. For example, you seem to put all your trust in Fedora, a corporation owned by Red Hat…OWNED. A distro starting to 'trample on user’s privacy with telemetry integration.’

Now you might say that telemetry isn’t like the others, it is “anonymised.” Except that is what corporations always say before they remove the username from the data collected and keep the unique user id. Again, it is about who you trust, and usually corporations are working and focused on the dollar, not the user.

I encourage anyone to look at other privacy recommendation sites, and form your own conclusions.

nan, 10 months ago

Those are search engines and created by Mozilla. That’s why they all have @search.mozilla.org.

Reliant1087, 10 months ago

From what I can see, these are search providers and vanilla Firefox ships with all of these as well, I think. You will find these under search settings rather then add-ons. I don’t think there’s anything nefarious about including search options used by a lot of people, especially when they include ddg side by side.

Why don’t you reach out to the Garuda team before jumping to conclusions and maybe work with them to remove problematic search engines and add more privacy aware ones?

yote_zip, 10 months ago

I’ll just note that I also have these extensions on my LibreWolf install, from the AUR.

moe, 10 months ago

Terrible. What’s even the point of including these?

rodneyck, 10 months ago

Curious, have you addressed this with the Garuda team?