Future of Nano Project Firefox Port? #187
Comments
|
I will push one urgent update to disable issue reporter first, their new privacy policy is too shady for me. |
|
i hope them can support you more |
Who are them refers to? If you mean "new developers", they are unlikely to support me because they refuse to being interacted with. |
it's like that they are working on offical version for firefox??? maybe not? |
Their privacy policy only claims for Google Chrome. They leave no words about Firefox so their stance are still unknown. Similarly, the Edge version still showing the former developer name. Most likely they don't care at all. |
|
Did you ask new devs for make a port version, or you did and they dont care about that? |
|
New devs never show up or provide any ways to contact them. No one knows who they are and how to contact them except former developers. I can only ask via former developer and he reply he do forward the information to them, but I receive no words from them for more than a week. Anyway, I decide not to port for them now. Many users are asking who they are for a week here, they still no-show, no reply. |
|
A quick FYI: I still control |
|
Also for this: https://github.com/LiCybora/NanoCoreFirefox#what-should-i-do Migrating to uBlock OriginDue to the many differences, I strongly recommend you to copy the settings over
|
|
Thanks for the guide. I will add it and link it such that your past effort on this guide not waste but benefit users to migrate. |
|
@LiCybora Do you want to maintain the Quick Issue Reporter? I can give you some of my backend code. Let me know if you're interested. |
|
@jspenguin2017 Yes I am interested. If I have enough resources I can try to implement it. |
|
So first, you need a server, a domain, a GitHub bot account, and some knowledge of Node.js. For server, I use AWS. You can use Digital Ocean, GCP, etc. I think GCP is the cheapest, but I'm not sure. I recommend DO or AWS Lightsail if you have no experience with cloud. This should cost you at most $5 a month, it currently costs me USD $3.5 a month. For domain, I'm with Namecheap. I recommend a You can also give Heroku a try if you don't want to spend money, but I think you still need to give them a credit card. I recommend you to register a new GitHub account for your bot to use. You can use your current account, but if something goes wrong, it can be a pain to clean up. If you accidentally leaked your API key, revoke it immediately and generate a new one, don't hope that "no one saw it". My server is written in Node.js, so you need to know how that works. I didn't use any packages, but using a good server package (for example, Express.js) should make things easier. Be sure to set up a vulnerability watcher if you use a package. Also remember to update your server regularly to make sure you're not running vulnerable software. I update my server once a week. I can't tell you exactly how my server accepts and stores reports as I don't want to reveal how the anti-spam system work, but take a look at the frontend code (the one in the extension) to see what the backend server should be expecting. I can tell you how I process reports and call GitHub APIs if that's needed. Let me know how it goes. |
There is also https://glitch.com/, which doesn't require giving credit card. |
|
Umm... Seems lots of services I have to purchase before goes on. I need several days to look up and compare available services. This weekend I will finalize and terminate Nano Adblocker and launch new project to continue Nano Defender since users are too fear about the product name "Nano" and looking for alternative. @jspenguin2017 I may ping you again once I have resources ready. Thanks for your details on per-requisite. |
|
How many resources does hosting it require? I host quite a few things for FOSS-focused Discord communities and the like, and I wouldn't mind adding something else on top as long as it doesn't use like 20GB of RAM or similar 😅. (For the record, I would also understand if anyone is reluctant to take the help of a random GitHub user, given what just happened with Nano...but do note that I work with many open source projects and have been active on GitHub for a very long time, so it's not exactly the most completely random thing.) |
|
Since the installation of Nano Defender for Firefox required changing the |
It wasn't forked yet, so for now no.
Same case, for now nothing to change. |
Says the guy who sold his main extension to secretive people who immediately turned it into malware. Anyone who trusts this guy's server to accept and store reports, even though the owner doesn't want to reveal how it's done, at this point is just asking for trouble. I would urge caution in dealing with anything even distantly relating to this guy and his current or former projects at this point. The one thing that might be okay, is the Firefork fork of NanoDefender that is being renamed and was always maintained and will continue to be maintained by someone not in the line of authority of the old Nano developer or the new Nano developers- and even there I would wait until it's renamed and people who know what they are talking about weigh in on the new code and how it operates. And I would urge him to not take anything the old owner says at face value- if he needs a mentor in figuring out how to work the system, trying to talk to someone like gorhill (Who maintains UBO) or another trusted developer who may be able to reverse engineer how the old system was working before it became malware would be a much better option. |
You will receive guiding information once I release the update. Before that release, you can still keep it for now. His repo is archived and cannot do anything harm if secure is your concern.
I understand your concern, but just knowing how he made the backend server without actual implementation harms nothing. Don't worry, I am not going to blindly apply whatever he say and give. |
|
You can get started with Heroku (or Glitch), but be careful that those services tend to not offer a persistent file system. So you need to store data in a proper database. I think Heroku also offers a free database, you'll have to look into that. If you use Heroku (or Glitch), your app (backend service) will be shut down (I think it's Also, I would discourage you to use a server provided by someone else unless you can trust them with your API key. |
|
@jspenguin2017 I want to say thank you for developing and maintaining Nano Adblocker and Nano Defender and whatever you did for the community as a whole. Nano Defender's Quick issue reporter was what got me into using Nano Adblocker. It helped me immensely as most of the website I used implemented anti-adblocks, pop-ups, popunders, had broken websites, etc. and uBO didn't exactly made it easy to report website issues. I had to go through several steps to report websites using their GitHub repo, Reddit, etc. but Nano Adblocker made reporting websites really really easy in just a few taps and anonymous too (with a few extra steps like using VPN). I'm very thankful for what you have done. Everybody does mistakes and everyone should get chances to fix and/or at least acknowledge them that what they have done is wrong and accept that they will try to not do these kind of things again. We are human beings and we are made to make mistakes and we need to do them in order to not do them again. After all we are just human beings. What matters are the intentions with which they are doing what they are doing. Even the uBlock Origin's developer is criticizing like they have not done any mistakes whatsoever... I know you have always had good intentions to help the community; your actions, I think, spoke them all. Thank you very much for everything you have done. P.S. I keep deleting my online accounts and GitHub is not an exception. |
My server code is always proprietary, It's been like this for years. Funny how it's only now that you criticize me for it. Did you find anything wrong with my comments above? Or you're just trying to find all possible ways to criticize me?
Honestly I'm not even sure why I'm here, I have other things to do. If someone wants to step up, I'm happy to leave this to them. @gorhill do you want to take over from here? |
Don't worry, I'm not going to give you anything that can be applied blindly. |
|
If I want to start fresh with Ublock Origin + NanoDefender, does these steps still applied to me? |
@jspenguin2017 I have no pre-existing beef with you. To be honest, I don't even use your (former) extensions. However, these issues have been news a lot of places I read and sometimes participate in conversations on, and of course have implications in the broader concepts of extensions and how much power they are given over APIs, something both Google and Mozilla have been chipping away at for years in various ways, which is something that is a concern for me as a user of extensions in general. On mobile, I had years ago begun to use Firefox on that platform because it was a mobile browser with extensions, and then I switched from it to the Iceraven fork of Firefox in part because Firefox cut the number of mobile extensions they offered from thousands to nine (Yes, nine), though that was not the only reason I switched, or the primary one (Although it was related, the general lack of customization and information flow to the user and such were big deals to me, something their lack of complete extension support related to, but was not synonymous with.). What has and is happening with Nano is going to be used as an example of security issues with extensions and an excuse for the big browsers to cut back on what they allow extensions to do for a long time to come. I am sure that you are aware of the issues with Chrome's Manifest v3, and the ways they would have limited your primary extension as soon as Manifest v2 is deprecated (Edge actually looks like it'll be doing that before Chrome, oddly enough). Fortunately, Firefox and it's forks aren't going to be immediately affected, and some Chromium forks may be able to keep some API support there for this stuff in the short-term, but things tend to follow the market leader, which sets expectations, eventually. What has happened here with Nano has implications that actually go way beyond you, the people you sold to, and even the users of the extensions. You have really hurt a cause a lot of us care about, which is having powerful user extensions. You've given browser companies another talking point and another excuse. And that could impact everyone who uses extensions, eventually. It'd be nice if you would provider a fuller explanation of exactly how this sale transpired, exactly how much you made from it, why you initially said there were two developers and now talk about "developer(s)" as if there may only be one, who, or what company, wrote you a check, why you didn't look into them more closely or pass your extension on to a trusted contributor or developer, and so on and so forth. Taking a little personal responsibility would be nice, too. You blew it, and you owe people an apology. Instead, you are being defensive and snarky and saying things like "Honestly I'm not even sure why I'm here, I have other things to do". If you want your public image as a developer to rebound from this mess, you would be well advised to take a different tact. A lot of your users have potentially been compromised by this. They could incur very real financial losses and have to go through a lot of bureaucracy and spend a lot of time trying to fix certain things. Have you even looked at what's been done to the code to tell them just what could be being sent? You know, like, should they be calling their banks? I'm going to assume you live in a free country and don't have to do any of that. You can use your new money and, if you're not in an area with a Covid outbreak, hit the beach or whatever it is you want to do with the money and ignore what's happening with your old extensions. However, while that may be legal and whatever, you probably at some level know that you have an ethical obligation to your former former user base to try to explain this, to apologize, and, if you can, make it right. |
|
Hello @LiCybora
|
|
Thanks @LiCybora for all of this! And thank you for adding the notification in Firefox about what had occurred. I would have never have known otherwise. Much appreciated! |
|
Came to basically just say the same as thelittlemike. |
Resources and filter are required and should be safe for now. I may make a quick clone if people fear to archived repository. Second image still link to upstream website which is something I need to migrate as well. Thanks for reminder. |
|
correct me if i wrong somethings: The 2 counterparts for chrome it's not anymore avaiable (and we all know the right reasons or not). The project "Nano Defender for Firefox" it is not abandoned but it will most likely change its name right ? At today therefore it would be recommended to switch to "Ublock Origin" and remove (or better disable) "Nano Defender for Firefox" and wait some next news in future right ? Honestly I have read a lot and not understanding English very well I have a lot of confusion in my head :) EDIT |
|
Nano Defender for Firefox is still safe to be enabled for now, but it is up to user decide keep, disable or remove. Perhaps you may mention which language you understand so other volunteers may assist you? |
|
@LiCybora Hello and sorry for PMing you but I really need an answer from you, because you may be the person that knows the best - first of all, I used the nano defender for firefox for the moment, i deleted it until new instructions are set However, my biggest concern - So, for the last time, just to be extra-sure - the nano filters/ nano integration filter ( the ones tat can be downloaded from here https://jspenguin2017.github.io/uBlockProtector/#extra-installation-steps-for-ublock-origin) were under original dev, and new devs don't have acess to them? (PLEASE confirm if so). So, they practically released a new extension (probably with new filters) that have nothing to do with those @jspenguin2017 if u can, waiting for an answer as well. Just tell me that those filters werent compromised, please... |
oh yeah... i'm italian :) |
|
Still doesnt have a clear answer, but I understand that they are safe, for the moment? I've already deleted them, but I understand that it wasn't a problem having them, right? |
@GrPK If you step back to use "Ublock Origin" someone suggest to use it alone and report an issue on in his tracker when you found a website identify the ads blocker installed on your browser so that the developer or who manages the filter can apply a possible fix.... likewise i think a usage of config "Ublock Originin" + "Nano Defender for Firefox" it's also safe... the extra steps need to apply on ublock to "make a perfect association" whit Nano Defender they don't seem to refer to any of the new Turkish repo. on my side.. for now and on firefox i have untoch.. i din't touch anythings.... maybe I'll wait to see how it's reprogrammed/renamed the currectly "Nano Defender for Firefox" and at that point I'll see what to do. I hope you can understand my bad english...... |
|
If someone liked to have a loaded Firewall panel as the last one (form click "popupPanelSections": 47,"popupPanelLockedSections": 32,I can't really check if the |
but this where? on which addons and on which port? |
|
In avanced uBO settings:
Firefox no have stable UUID or something like " I liked the firewall to be hidden and the version of the addon was visible in the pop-up. |
|
May I suggest putting out a text on the AMO page of Nano Defender, stating that the Firefox version is maintained by you (and not @jspenguin2017) and is thus unaffected? This is not about shaming @jspenguin2017, this is about protecting you from low-rated reviews and undeserved malware reports reaching Mozilla. I can already see many 1 star reviews saying that the extension is malware despite this not being the case on Firefox, I think we should do our best to prevent such misunderstandings... |
Thanks for suggestion, it is done now. Sorry for my late response to everyone. I thought I can rebrand new product and publish shortly, but found many links are link to old repository and I need to clone and rebrand all of them. I also need to analysis the usefulness of each filter list and maintain the old rule in ND. So this will take some time before I can publish. It is no harm to keep using Nano Filter/Resources for now as former developer keep his control and archived as read-only, but it is up to users decide keep or not. Actually some rules will still work even Nano Defender run independently without any adblocker, but that is not a supposed behavior and very hard for us to handle such issue reports. Anyway, I will update them in future on another repository and announce the how to do it. @ameyvaidya I am sorry that I can't tell much as those aftermath thread are too long and fragmentary for me to read them all, but from MDN docs and gorhill's analysis seems do not contain web page payload, only header. The attack is via using |
|
By the way, what does NanoDefender(forFirefox) provides currently that cannot be solved simply by userscripts and filterlists? Asking because as far as I see from the commits, LiCybora only provided the maintenance for the Firefox package, jspenguin2017 provided all the code from upstream. So with jspenguin2017 retiring, what will happen with the addon? Is there even a need for the addon? |
Firefox obey too much on CSP that do not even allow extension to inject script (although most likely is browser bug). Some site may use this to ban script injection from uBO. I think this is the niche that Nano Defender may fill up, since standalone extension is allowed to modify web response. I will see if I can somehow handle "can't fix" issue on uAssets. uBO Extra is however, the story of Chrome and not about Firefox.
Of course for now, you may not see above happen because ND is not updated for quite a while. I am just starting to maintain in this direction. You might also think it may not worth to install extra extension for just small list of website, but if you frequently use affected site, you will find this extension is somehow useful. So whether you need is situational dependent. |
|
I don't want to discredit ND, just trying to understand the added value. Reading further since writing my original questions, I see gorhill stating that the AAK userscript, which ND was based off, is actually harmful for uBO.[1] So there might be a need to overview what ND is blocking via js versus what covered by uBO/uAssets already, but I understand that it would require a lot of effort and probably help from volunteers. I mentioned uBO Extra because NDforFirefox contains it[2], at least on file level. If it never worked for Firefox, it could probably be removed. Edit: [1] https://www.reddit.com/r/uBlockOrigin/comments/jd1cy3/nano_adblock_ublocko_fork_getting_shut_down_will/g94vwi5/?context=3 |
|
https://github.com/JustOff/scriptlet-doctor - few repair, but normal works on only few Russian sites. |
|
Scriptlet Doctor comes with a predefined list of known domains with restrictive CSPs, most of which are currently related to Russian sites, but this list is user configurable and allows uBO scriptlets to run on any site where 'unsafe-inline' is not allowed by CSP. |
|
I have 5 minutes free .... I prepare to return to the use of ublock origin. |
|
I'm here not to discredit ND, quite opposite and personally very appreciated for Quick reporter and @LiCybora 's intention to take over it. Just wanna add something to @NLZ 's question. Scriptlet is not the only solution for anti-adb, if it can't be used usually the combination of $ghide and redirect-resource solves the issue. I'm not aware of any single anti-adb labeled as Can't fix. It's possible there're some old anti-adb not reported to uAssets which ND's generic solution helps. These third-party anti-adb plugins are now so easy to disarm that one can write a template about how to disarm each types of them, and thus no more major. |
|
@LiCybora Question, do any new reports with anti-adblockers not getting blocked get moved here? Or do we bother reporting at all? |
I think it's better reporting directly here: |
|
I was updating some stuff, and saw this and the defender drama............wow, shit happened What TL;DR I can simplify/put together, is Nano Defender (Firefox Port) is still good for now this current version (15.0.0.206), but things might get hinky in the future, so .........wait and see, is that it? |
it's time to pass to ublock origin directly..... apparently using it it's not need nano defender. |
|
So it's been several months. Are there still no instructions for ND + uBO users? I've noticed that I'd also like a more detailed explanation of what ND does that uBO doesn't (and this information should probably be added to the project's readme too). The few sentences that the topic has been given in this thread so far haven't really helped my understanding much. |
@awebeer256 FYI: it's an open issue on the gitcdn.xyz project schme16/gitcdn.xyz#75 |
and others
As someone misunderstand my future plan, let me put words at begin.
Nano Adblocker is abandoned at the time new upstream devs push their privacy policy. There is no plan to continue Nano Adblocker and urge user migrate to uBO. v1.0.0.154 is released, meaning the end of Nano Adblocker.
Nano Defender is planned to rename as a new project which is independent form any entities or people. I have never claimed abandon Nano Defender, unless I make a typo I do not notice and please let me know in this case.
If you don't trust, check my edit history of this thread.
As upstream project has been acquired by new developers, and until the time this issue post, no words are received from new upstream developers. It is time to reconsider the future of the port. Again, I am neutral to upstream decision. Everyone may have their hard time and it is their rights to decide what to do in their life. Do not blame anyone for that.
Initially, I am not hostile to the new developers, but the recent updates seems untrustworthy to me. Although their removal of privacy policy on Chrome Store is suspicious enough, the bigger issue is that every links found on Chrome store still link to the old developers repository, while the former developer claims he already lost control of his extension. Given that I cannot find their repository anywhere, nor neither they exist on the issue tracker to introduce themselves as new developers, I really doubt whether the "two developers" exist, as I don't see any reasons to hide themselves to their users. It is unlikely I will maintain this port for them under current situation
, unless they at least show up on somewhere that can be interacted with. I hope these are just because they still not yet post or update anything in this early stage...So, the remaining options will be abandon or maintain as a new project in worst case. But the later case is a tough job. Not only just two extensions, but also Nano Filters, NanoMeow and Nano resources. Without them, Nano Adblocker is just a uBO clone and Nano Defender is just some user scripts. Given that I am not as active and experienced as the upstream developers, I really afraid I will do more harm than benefit to user if I make mistake on that.
For now, I will release one more version of NA that update included the last former developer changes, but I am not sure what's next if still no words from upstream. ND may still be updated when needed as it is designed working on uBO as well even decided to detach from upstream. Related links of announcement will be included in release notes and README as well when released, which is supposed to be within two days.
I am still open to any decisions, including the new developers given that they are good but just I misunderstood them[1]. Decision is now firmed, see below.TL;DR
unless upstream maintain themselves or at least, they contact me for that.whether maintain independently from upstream depends on their stance.might be renamed and released as a new product deal to bad reputation of the name "Nano Defender" since Chrome 15.0.0.206 can be consider as malware.NA and ND with LiCybora as author on AMO or on my GitHub repository are still under my control and independent from any entities or people.
[1] They update their privacy policy but still keep themselves stealth from GitHub, which means they are active and purposefully hide themselves. There is no point to maintain for an unidentifiable developer.
The text was updated successfully, but these errors were encountered: