Updates to TenFourFox on Github

Happy New Year (I'd like to say nothing can be worse than 2021 was, but I don't want to tempt 2022). Fortunately, we're starting the year off right with new changesets on Github for the TenFourFox rolling release. Besides the periodic updates to TLDs, HSTS and timezone data, these two changesets also fix some security issues, include a minor update to NSS with new support for SHA-2 OCSP stapled responses (thanks to roytam1 for the suggestion), and correct a couple minor Mac OS X-specific widget problems. No clobber is needed for this go-around, so just pull down the changes and gmake -f client.mk build to fresh your installation. If you're new to self-building TenFourFox on your Power Mac (or unsupported Intel Mac), read this recent article.

The strawberry iMac that made the Wikipedia

Apparently the strawberry iMac G3 is to blame for Wikipedia, and in keeping with the stupid prices people are paying for collectable Power Macs (to the chagrin of those of us actually using them), you can bid on it. The first edit he allegedly made in 2001 is available as an NFT, also for $tupid money, which I have reproduced here for the nominal charge of your eyeballses:

In 2001 this was probably Microsoft Internet Explorer on OS 9, maybe OS X Cheetah, but the NFT doesn't say and this substantially diminishes the value of it in my eyes. Seriously, if you're buying for the history, provide the damn history. Also, the strawberry iMac G3 I have in the music room is in rather better condition and even has a Sonnet HARMONi upgrade card. I'm just saying, because I'm not selling.

Back briefly on topic, watch for a dump of security updates in the next few days now that I've made some more progress on the POWER9 JIT for my Raptor Talos II.

Do you run Void on your Power Mac?

If so, heads up, because builds for your configuration may be ending soon (along with Void PPC on big-endian platforms generally). If you want this to continue, and you've got the interest, chops or gumption, you can help by becoming a maintainer -- take a look at the Void PPC Github. Most of you are probably running the glibc variant, which will end by January 2023, but if you are running musl-based packages those repos will be taken down by the end of 2021. Don't whine to the maintainer, please: the current matrix is four different repos which all require their own maintenance and builds. Even just 32-bit glibc would probably benefit a whole lot of people and yourself. If this is important to you, there's no time like the present to step up.

The current status of DIY TenFourFox

Due to family and work issues my time has been curtailed for all kinds of things, but at this point, at least, there's something for you to work with: as promised, the TenFourFox source code has been updated to use 91ESR for the certificate and security base and the roots pulled up accordingly. I've also got a few security updates loaded and backported a performance tweak intended for Monterey systems but also yields a small boost on any version of Mac OS X. The browser will now be forever "45.41.6" (ESR32 SPR6) with the perpetual name "Rolling Release." This version number will not be revved again without good reason.

So now it's time for you to make your first build (and, if you feel adventurous, find a problem and try to fix it, but let's take baby steps). Officially, we have documentation for that already using MacPorts. A semi-frozen build of MacPorts what I use on my G5: I have three trees, one being the main testing debug tree which pulls from Github, and then two local subtrees that pull from the local debug tree (created with git clone --shared so that they are about 25% the size) which I use to make rolling G5-optimized (for my Quad) and 7450-optimized (for my iMac and iBook) builds. I do my work in the debug tree and make sure everything functions properly, then check it in and git pull and gmake -f client.mk build in the optimized subtrees to roll up the changes. When the subtrees are happy too, I'll git push from the main debug tree into Github. I consider this as officially supported a solution as presently exists under the circumstances. The Quad runs TenFourFox directly from the G5 subtree now.

However, MacPorts does have a lot of prereqs and requires some additional prep time (sometimes many hours) to build the tools from source. Macintosh Garden has an "unofficial TenFourFox toolkit" that contains an Automator workflow, a supervising script and a fully precompiled toolchain. You will have to install Xcode first (2.5 for Tiger, 3.1.4 for Leopard), but that is the only apparent requirement, and multiple users have reported it builds the browser successfully.

One common problem that gets reported on non-G5 systems is the dreaded internal compiler error. However, when the build is restarted, it usually progresses and continues for awhile without incident. The problem is likely tied to memory pressure and compilers really thrash memory. If your system hits this a lot and starts to annoy you, consider removing -j2 out of the build flags in whatever .mozconfig you're using (change your copy in .mozconfig, not the master *.mozcfg). This will only run one compiler instance at a time, which is slower, but requires less memory and is more likely to complete the build in one shot without manual intervention.

If you really don't want to build it yourself, however, you do have at least one option: InterWebPPC. This is a modified build of TenFourFox that explicitly removes some features for performance, so it is not equivalent with TenFourFox, and it is not necessarily built on any particular schedule either. It also does not have separate G4/7400 and G4/7450 builds, though this may not be noticeable on your particular system. You can download prebuilt binaries for G3, G4 or G5 as well as compile it from source using the "unofficial toolkit" above. I haven't seen other downstream builds yet but if you know of one, plan to make one or are using one, post it in the comments.

There are a couple other security fixes I'm reviewing, and I'm toying with some Github specific hacks to deal with its dependence on async/await, but these again will not be done on any particular timetable (I'll post here when or if I get around to them). Still, some of you have already built the browser successfully, and if you can build TenFourFox on your Power Mac you can build pretty much anything. Perhaps this might spark some additional development interest ...

TenFourFox FPR32 SPR5 available (the last official build)

TenFourFox Feature Parity Release 32 Security Parity Release 5 "32.5" is available for testing (downloads, hashes). Aside from the announced change with .inetloc and .webloc handling, this release also updates the ATSUI font blacklist and includes the usual security updates. It will go live Monday evening Pacific as usual assuming no issues.

As stated previously, this is the last official build before TenFourFox goes into hobby mode; version checking is therefore disabled in this release since there will be no new official build to check for. I know I keep teasing a future consolidated post about how users who want to continue using it can get or make their own builds, but I want to update the docs and FAQ first, plus actually give you something new to test your build out (in this case it's going to be switching the certificate and security base over to Firefox 91ESR from 78ESR). There are already some options already apart from the official method and we'll discuss those, but if you yourself are gearing up to offer public builds or toolkits, feel free to make this known in the comments. Work is a little hairy this month but I want to get to this in the next couple weeks.

curl, Let's Encrypt and Apple laziness

The built-in version of curl on any Power Mac version of OS X will not be capable of TLS 1.1 or higher, so most of you who need it will have already upgraded to an equivalent with MacPorts. However, even for later Intel Macs that are ostensibly supported -- including my now legacy MacBook Air with Mojave I keep around for running 32-bit Intel -- the expiration of one of Let's Encrypt's root certificates yesterday will suddenly mean curl may suddenly cease connecting to TLS sites with Let's Encrypt certificates. Yesterday I was trying to connect to one of my own Floodgap sites, unexpectedly got certificate errors I wasn't seeing in TenFourFox or mainline Firefox, and, after a moment of panic, suddenly realized what had happened. While you can use -k to ignore the error, that basically defeats the entire idea of having a certificate to start with.

The real hell of it is that Mojave 10.14 is still technically supported by Apple, and you would think updating the curl root certificate store would be an intrinsic part of security updates, but you'd be wrong. The issue with old roots even affects Safari on some Monterey betas, making the best explanation more Apple laziness than benign neglect. Firefox added this root ages ago and so did TenFourFox.

If you are using MacPorts curl, which is (IMHO) the best solution on Power Macs due to Ken's diligence but is still a dandy alternative to Homebrew on Intel Macs, the easiest solution is to ensure curl-ca-bundle is up-to-date. Homebrew (and I presume Tigerbrew, for 10.4) can do brew install curl-ca-bundle, assuming your installation is current.

However, I use the built-in curl on the Mojave MacBook Air. Ordinarily I would just do an in-place update of the root certificate bundle, as I did on my 10.4 G5 before I started using a self-built curl, but thanks to System Integrity Protection you're not allowed to do that anymore even as root. Happily, the cURL maintainers themselves have a downloadable root certificate store which is periodically refreshed. Download that, put it somewhere in your home directory, and in your .login or .profile or whatever, set CURL_CA_BUNDLE to its location (on my system, I have a ~/bin directory, so I put it there and set it to /Users/yourname/bin/cacert.pem).

Questionable RCE with .webloc/.inetloc files

A report surfaced recently that at least some recent versions of macOS can be exploited to run arbitrary local applications using .inetloc files, which may allow a drive-by download to automatically kick off a vulnerable application and exploit it. Apple appeared to acknowledge the fault, but did not assign it a CVE; the reporter seems not to have found the putative fix satisfactory and public disclosure thus occurred two days ago.

The report claims the proof of concept works on all prior versions of macOS, but it doesn't seem to work (even with corrected path) on Tiger. Unfortunately due to packing I don't have a Leopard or Snow Leopard system running right now, so I can't test those, but the 10.4 Finder (which would launch these files) correctly complains they are malformed. As a safety measure in case there is something exploitable, the October SPR build of TenFourFox will treat both .webloc and .inetloc files that you might download as executable. (These files use similar pathways, so if one is exploitable after all, then the other probably is too.) I can't think of anyone who would depend on the prior behaviour, but in our unique userbase I'm sure someone does, so I'm publicizing this now ahead of the October 5 release. Meanwhile, if someone's able to make the exploit work on a Power Mac, I'd be interested to hear how you did it.