Waterfox: [Classic] 2020.05 changelog is missing details about security fixes

Created on 28 May 2020 · 6 Comments · Source: MrAlex94/Waterfox

Waterfox Classic 2020.05 changelog says "Latest security advisories patched (best effort)*" but there is no footnote explaining what the issue was or what is meant by best effort.

Can you provide any details?

All 6 comments

Classic 2020.06 changelog, same thing.

@MrAlex94
Could you give us a comment on this matter? Does it mean security fixes are no longer ported to the full extent from upstream?

Sorry, I used an asterisk and so it got added as a bullet point, fixed so it's now using †. It says:

As the differences between Classic and later Firefox versions grow, we are doing our best to patch the security advisories as we think apply to Classic.

@MrAlex94
How critical is this? Does Waterfox Classic remain vulnerable to some of the recent CVEs if enough effort is applied?

Not that I’ve seen. A lot of vulnerabilities target features that Waterfox doesn’t even support at all. And I’ve kept the biggest attack surfaces (such as Skia and ANGLE) up to date and patched. This was more a precautionary measure. Will have to do a big review once ESR68 is EOL.

@MrAlex94
I know you probably would not want to disclose too many details here but can you elaborate?

Is there something with low severity that remains unpatched then? Or recent fixes can't cover some edge cases?

So far, everything that I’ve seen that could be possibly related to Waterfox Classic, I will apply. Of course I’m not perfect, so I just put it there as a disclaimer. I do also check other forks (such as TenFourFox) to see what patches they use as well, to make sure I’m on the right track and haven’t missed anything. (Just a note TFF is for PowerPC Macintosh so not all patches apply for them either.)

I’m sure a lot of the security patches will be applicable for time to come, but it’s more preparing for a time where that _may_ not be possible. But looking at some forks they’ve been keeping up to date with security advisories for years.

Hope that helps clarify things a bit :-)
