Browsers (Was: A very basic blog about D)

[Joakim]

On Tuesday, 16 July 2013 at 01:09:18 UTC, Nick Sabalausky wrote:
> I really have had problems with Chrome (and other Google 
> software)
> forcefully installing always-resident processes before, and 
> giving me
> trouble getting rid of it. Never had such a problem with Iron.
Chrome, which is based on the open-source Chromium project, has a 
built-in auto-updater which always stays resident and checks for 
updates.  Since Iron is based on Chromium, not Chrome, it may not 
have the auto-updater.

> Even if
> Iron is just a few better defaults and some options I don't 
> even want
> anyway removed, that certainly doesn't qualify as a "scam". 
> Hell,
> Iron's website is already perfectly clear about the settings 
> existing
> in Chrome but being forced to a specific setting in Iron:
> <http://www.srware.net/en/software_srware_iron_chrome_vs_iron.php> 
> The
> article makes it sound like SRWare is being deliberately 
> deceptive,
> which is verifiably untrue.
Iron has always billed itself as some sort of privacy fork.  For 
example, their FAQ says:

"Can't i just use an precompiled unchanged Chromium-Build from 
the Google Server?

This is not useful because the original Chromium-Builds have 
nearly the same functions inside than the original Chrome. We can 
only provide Iron because we massively modified the source."
http://www.srware.net/en/software_srware_iron_faq.php

I verified that this is untrue in the linked article, at least 
back when they released Iron 3 and 4.  Nobody can verify it 
anymore, because even though there are still links for source 
download, they don't work, ie you can't download the source.  
This probably breaks the LGPL license, but I've read that they 
stopped providing source a while back, likely after I analyzed it:

http://www.insanitybit.com/2012/06/23/srware-iron-browser-a-real-private-alternative-to-chrome-21/

> Plus Chrome introduces bugs almost as much as it fixes them, so 
> less
> frequent releases doesn't really bother me. And I wouldn't be 
> using
> Chrome's auto-updater anyway (and if I did, I would only do it 
> in a VM).
I don't track Iron closely, but I think they follow the same 
release schedule for major stable releases, only delayed, and 
likely without all the smaller point releases with security fixes 
that Chrome provides.  So you have all the disadvantages of 
google's six-week release schedule, with the added disadvantages 
of Iron's delays and omissions: I don't see the benefit.

Chrome does introduce some bugs as it updates, but I don't think 
any other browser is any better.  I don't get your paranoia about 
the auto-updater: what makes you think it does anything other 
than check for updates?  My understanding is that the source for 
the updater is available.

> Iron may not be a big change, but it's proven itself to me in
> real-world usage to still be worthwhile.
There is one advantage to Iron: it provides occasional builds of 
the stable branch of Chromium, which google does not provide 
except as part of the Chrome Stable channel.  You could build the 
stable branch of Chromium yourself, but I understand if you don't 
want to put in the effort.  I suspect you would be as happy with 
the Chromium builds that are provided, which are only from the 
trunk branch:

http://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html

> And that archived article seems pretty biased. Ex: "...likely 
> only to
> evade source analysis like I'm doing..." Uhh, accusational and
> speculative anyone? Especially since it's perfectly reasonable 
> to
> figure the different version numbers could have more to do with
> divergent forks than actually "Iron deliberately changed the 
> version
> number to be sneaky". Perfectly likely that Iron had merged in 
> v4.x,
> then merged in various other changes, and just missed a line 
> diff
> involving the v4->v5 version number change. But no, we're 
> supposed to
> just *assume* it was intentional deception because that better 
> supports
> the initial "Iron is a scam" position.
The reason it's intentional deception is because I analyzed the 
Iron source, which certainly doesn't "massively modify the 
source" for Chromium, as they claim.  I made a guess that they 
chose to go in and change the version number to evade such 
analysis, which fits the pattern of deception.

I didn't get into all this in the article, but they've never had 
a public source code repo, which is suspicious for someone who 
claims to be "open source."  They were dumping code in 7z 
archives on rapidshare instead!  Without a repo where I could 
track commits, I had to download the Iron source then manually 
track down which version of Chromium corresponded to that version 
of Iron, since the version number was changed.  That took time, 
and given their pattern of deception, I can only assume it was a 
deliberate move to throw off such analysis.

I understand your suspicion of google.  I don't use their 
services other than search and have never signed up for facebook 
either, but that's no reason to use shady software just because 
it's "not google."  There are real privacy concerns with all 
these services, but if we don't stick to the facts, we damage our 
case.  I don't like what the Iron guy did and have documented the 
issues, it is up to you and others to decide what to believe.