- May 29, 2018
Posted by Moonchild at palemoon forums This is rumor control, here are the facts - Summer 2019 edition - Pale Moon forum
It's been a few years since I originally wrote the rumor control blog entry on this forum, I'm refreshing it with this new version to update a few points; some rumors and explanations are added for this summer 2019 edition.
Since there are still quite a few evangelists out there who keep spreading misinformation about Pale Moon, I'm providing a hopefully clear list of points here to clear up the misconceptions still being spread out there.
"This is rumor control, here are the facts" - as stated by the warden in Alien 3.
- Rumor: "Pale Moon is a one-man show and does not have the manpower to keep up with Firefox/the modern web"
Pale Moon is not "just me" and hasn't been for the majority of its life. There are some talented and dedicated people at work in our community to make Pale Moon what it is, and actually has seen support in many ways by many people over the years. Despite e.g. the WikiPedia article for Pale Moon just talking about "Straver this" and "Straver that", the fact that I am the one leading this project and holding the keys and making the overall major decisions about direction and that "Moonchild Productions" is primarily a direct reference to my personal work (and the trademark and copyrights are mine) doesn't mean that no others are involved. That would be the same as saying that Bill Gates single-handedly wrote the Windows O.S. or that the Mozilla CEO is the only one working on Firefox. To name a few other people currently actively helping with the project's core development: Matt A. Tobin, Travis W. ("trava90"), "JustOff", "Ascrod", "kn-yami". Don't forget the people reporting issues while using the unstable channel builds, either. Or the people helping with extensions and extension compatibility or theme porting (thanks FranklinDM and Ryan C.!). Or even the community as a whole providing support to users. Also hats off to all the people doing translations for our language packs. I can go on. One man? I think not. Of course since it's crowdsourced, it's easy to forget the numerous people in the background who play their part, but please don't forget them.
- Rumor: "Pale Moon is just a rebranded rebuild of an old Firefox version"
Rumor: "Pale Moon is an obsolete and insecure version of Firefox"
Rumor: "Pale Moon is based on old and unmaintained code"
Rumor: "Pale Moon is based on Firefox 28/38/52/56 (or just "an old Firefox version")"
Pale Moon has been on a divergent path with its own code for a long time already. It was a rebuild in 2009, yes. It was a rebuild with minor changes in the Firefox 4.0 era, yes. But we've come a very, very long way since then with an increasing amount of different code being carried over each time it was re-based on later Firefox code. It's a true fork now, building on a completely independent fork of Mozilla code called the Unified XUL Platform (UXP) and has employed rapid development (as opposed to rapid release) to solidify this independent direction with its own focus and attempt at keeping the browser sane, lean, and offering users choice and stability - not corporate strong-arming or gadgeteering.
At the same time, Pale Moon's strong focus on security/privacy and evolving networking standards has added features and kept pace with those developments in other browsers, by e.g. adding TLS 1.3 support the moment it was standardized, by keeping a close eye on encryption and the browser's security by continuing to port or re-implement security fixes that apply to Pale Moon as a browser and the underlying platform. It is neither old nor outdated, it is not a "rebuild" and it does not use obsolete technologies and does not have known security holes or vulnerabilities.
Just because we use a slower versioning scheme than rabid-release Chrome and Firefox, doesn't mean we're based on Firefox of the same version. It is also completely incorrect that we are basing the browser on any sort of old and unmaintained snapshot of the Firefox source. Pale Moon's application code is its own; in fact, with our forking and rebasing on various platform code (Tycho, UXP), nothing of the Firefox application was retained at all, and the Pale Moon application is developed on top of the available platform APIs. As such there is no requirement to use any sort of rapid versioning scheme or constantly-increasing major version number. Our versioning is milestone.major.minor and feature based, not calendar-enforced -- unlike Chrome and Firefox who before long will end up with a version going into 3 digits.
- Rumor: "Pale Moon will have to adopt Australis/Photon or die"
Unlike other "Firefox alternatives" that basically ride Firefox's release cycle and add extra layers on top of that like Classic Theme Restorer, Pale Moon's front-end and user interface is its own, is built on the fully-customizable XUL/toolkit framework of UXP, and there is no reason at all why this would have to change as Pale Moon continues to develop as its own application. In fact, since our forking of the application code from Firefox 24, our user interface has not been adopting any "Firefox" front-end code at all, and has been developing on top of the different platforms (Mozilla/Tycho/UXP) as a flexible XUL application in its own right!
- Rumor: "Pale Moon doesn't have a content sandbox and is therefore insecure"
This rumor was rooted in a completely misinformed news article that saw a commit to our source repository that "removed sandbox code" and without verifying with us published a scare-article about how this was insecure and dangerous. A complete misunderstanding, but not in any way rectified by the editor; the code that was removed was the multi-process sandboxing code, i.e. the specific sandboxing container code to run content processes in. This kind of sandboxing does not apply to a single-process application, and the involved code was therefore dead and could be removed, considering UXP does not support electrolysis/multi-process.
The misunderstanding is that without this specific kind of sandboxing, there would not be a strict separation between content and application code. Nothing could be farther from the truth: we have very strict separation of content and application code, just like pre-electrolysis Mozilla applications, which is essential for any application that loads and displays foreign content, especially if that content includes scripting/active content. It can even be argued that, because a multi-process model inherently relies on the O.S's security and a messaging system to communicate between the different processes, multi-process even with a sandbox container is less secure than a single process where it is (internally) always unambiguous which data belongs to content and which data does not.
- Rumor: "Pale Moon disables too many components to be useful"
Common mentions of disabled components are accessibility and WebRTC in this context. First off, WebRTC is functional and included in the platform code, but it is not built or included in the browser because the user base as a whole voted against it with a vast majority. This underlines one key statement about the Pale Moon browser: user involvement. As far as accessibility goes: Pale Moon supports full accessibility features as one can expect from a browser, like caret browsing, adaptation to high-contrast themes, etc. -- but what it does not support is specialized hardware for the severely disabled. This has been a choice since day 1 of its publication, and falls in line with another key statement about the Pale Moon browser: that it does not attempt to cater to all possible usage scenarios, but instead tries to find a sane balance between features and performance/stability. This inevitably means that deeply-complexity-impacting components that would be used by a disproportionately small portion of the users are disabled.
The browser is no less useful because of what is disabled - but it may of course not cater to specific specialized needs that specifically rely on those components and fall outside of what should be considered the scope of a web browser.
- Rumor: "Pale Moon has redirected search engine revenue to its developer"
Developing Pale Moon is a full-time job (and then some). It is not a hobby; it is a profession. The browser is free for anyone to download and use, and keeping development up, keeping myself supplied with food, paying rent, etc., and paying for the more than a few servers to provide all additional services needed for its presence on the internet (like the website server, release download mirrors, blocklist server, Pale Moon Sync, the forum, automatic update server, ftp, mail server, CDN) all costs money. This money has to come from somewhere besides donations, because donations by themselves simply do not cut it, although we are slowly getting more support through Patreon. There has to be enough on the other side of the equal sign. Because of this, the privacy-conscious search engine DuckDuckGo was chosen as the primary search engine in Pale Moon. So yes, I'm proud to say Pale Moon has a partnership with DuckDuckGo and that we get a totally fair share of the revenue that is generated from search traffic when you use DDG as a search engine from within Pale Moon's search box.
In addition, every single other alternative browser out there does this to (either in part or as a whole) pay for itself, as well.
- Rumor: "Pale Moon is not truly Open Source"
Rumor: "Pale Moon is not 'free software'"
Pale Moon's source code is released under the Mozilla Public License v2.0. This is a fully Open Source/Free Software license with a strict requirement that all sources are open to be used, modified and republished by others. The misconception seems to still be that "Open Source"/"Free" would either mean "Public Domain" or without any property rights, neither of which are true. Pale Moon's binaries (the compiled version of the browser) are distributed under a more restrictive license to prevent rogue altered/bundled copies of the browser, or unstable or altered versions of the browser from negatively impacting the browser's reputation and to prevent fraud. This is tied in with the trademark claims that exist on the Pale Moon name, logo and other copyrighted branding materials included with the browser. Our branding is our own, and despite it being FOSS (Free and Open Source Software), you have no rights to use the trademarks and logos yourself unless specifically granted to do so.
Mozilla, by comparison, has the same (or extremely similar) restrictions on its officially-branded binaries, because officially branded Firefox binaries may also not be redistributed willy-nilly when they have been materially altered from their original source (hence re-branded versions exist of Firefox with different names and logos, too).
Then there are some people who claim that Pale Moon is not "free" or "libre" because it uses proprietary software to be built (The Microsoft C++ compiler used for Windows binaries is proprietary, for example). This kind of purist approach might be a conscious choice for some, but in fact does not make the browser itself proprietary. Pale Moon is being built and developed with some of the best-in-class tools available, and there is no point in limiting oneself to an inferior product or result just because the best tools for the job are not "libre" themselves. The source is still open-licensed; our toolchain doesn't matter for that.
- Rumor: "Pale Moon's tools are proprietary"
The profile backup tool, web installer stub, and some other helper applications are released under a different freeware license or other open licenses and may be using proprietary frameworks or tools to be created. These Pale Moon tools are not part of the browser and do not need to be Open Source. You also in no way need these tools to be able to fully use the browser in all its facets. There is no requirement or even reason why I should be forced to also release helper applications that are in no way tied to browser operation as Open Source as well.
- Rumor: "Pale Moon doesn't support extensions"
Rumor: "Your extensions won't work on Pale Moon"
In fact, Pale Moon supports many thousands of extensions, but it doesn't support one particular extension technology that has been pushed lately called "WebExtensions".
The important thing to note here is that Pale Moon, being a XUL application, supports 3 fully-capable extension technologies (overlay, bootstrapped and SDK extensions) that allow extensions to be created that both extend web functionality and browser functionality. These extensions have a very powerful arsenal at their disposal that cannot be equaled by the limited capabilities of WebExtensions.
Despite the popularity of WebExtensions (initially born from the idea to have a single extension with cross-browser compatibility with all mainstream browsers) mainly because of pushing for this technology by mainstream browser vendors, Pale Moon will not be supporting them now or in the future.
This remains a slightly complex point, but even so, the number of third-party developed, now labeled "legacy", extensions that work out-of-the-box with Pale Moon is quite significant, even though you may need a few tweaks here and there.
We also have a substantial and growing number of Pale Moon-targeted extensions generally of impressive quality (thanks to the extension developers!) to make the browser your own. We will continue to support these "legacy" technologies.
- Rumor: "Pale Moon is adware/spyware"
Pale Moon has never displayed, does not display, and will never display advertising materials (e.g. ad banners) during its run-time, nor will it transmit private data to us or third parties without your knowledge. I don't know who started this rumor but it is total nonsense.
Some of our websites (for the time being, at least, until we reach our Patreon goal that can have them removed) display ad banners to offset some of the costs, but that doesn't make Pale Moon "ad-supported", since that is reserved for applications that, by design, display ads in their UI or during normal operation, e.g. as an ad frame in the program interface, or as interstitials. Pale Moon does not do this -- and in fact I personally detest that kind of in-your-face monetization of applications. I understand this being the business model for some free (gratis) software, but it will never be ours.
See also the dedicated topic about the claim the browser is supposedly spyware.