Help with Dillo package (attempt 2)
Rodrigo Arias
2025-04-04 21:40:01 UTC
Hi,

I'm trying again to reach debian-devel, this time by subscribing first
to the list. I have also contacted your #debian-lists IRC channel for
more information on what happened, but I didn't get any reply.

I'll write a slightly shorter email here, the full email is forwarded
below (some typos corrected about dates).

The version of the Dillo web browser that you currently distribute with
Debian (3.0.5) is 10 years old. Since that version, a lot of changes
were done by the original developers, but they never got into a release
before the project was abandoned around 2017 (last email from Jorge was
from 2019). Among those changes was the support for floats or the switch
to mbedTLS instead of OpenSSL.

The 3.0.5 version has several issues on the network side, as it is
unable to properly handle TLS alerts. On the rendering side, there are
problems with floats, image ratios and with the lack of CSS units among
others.

You can easily see those yourself if you browse a bit:

$ dillo https://api.invidious.io/
...
Nav_open_url: new url='https://api.invidious.io/'
40178B7AD3700000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1
alert internal error:../ssl/record/rec_layer_s3.c:1590:SSL alert
number 80

In 2024 I decided to resurrect the project and fix those and many other
problems. You can try by yourself and see the difference on the sites
side by side. Here is the new website and changelog:

https://dillo-browser.github.io/
https://raw.githubusercontent.com/dillo-browser/dillo/refs/heads/master/ChangeLog

Our latest release 3.2.0 fixes A LOT of problems in the rendering side
and introduces new features like SVG support for Wikipedia math
equations. It also includes the unreleased changes from the original
developers. I presented some features and the overall state at FOSDEM
this year:



Dillo is designed to run on very old computers and/or low power devices
like Raspberry Pi. Given that newcomers to Linux often begin with Debian
based distros, it is unlikely that they know how to build an updated
Dillo browser from source, so I'm interested in distributing already
built binaries.

Do you have any interest in updating Dillo in the Debian repository, or
should I invest my time in finding other ways to distribute a binary
package to users?

Thanks,
Rodrigo.

----- Forwarded message from Rodrigo Arias Mallo <***@gmail.com> -----

Date: Sat, 29 Mar 2025 22:23:29 +0100
From: Rodrigo Arias Mallo <***@gmail.com>
To: debian-***@lists.debian.org
Cc: Axel Beckert <***@debian.org>
Subject: Help with Dillo package
User-Agent: Mutt/2.2.14 (516568dc) (2025-02-20)

Hi,

The Dillo web browser stopped its development in 2017, so I decided to
continue the development on my own in early 2024, even though I have not
previously contributed to the project. My current goal is to continue
with the original plan of keeping the browser fast and simple, so it can
be used in old computers and on slow networks.

I'm doing this in my free time, so the development is slow but steady.
You can read my announcement in the HN post:

https://news.ycombinator.com/item?id=38847613

I have contacted all previous developers via email, and some of them replied
and helped me retrieve some missing parts that I have archived, but I have
been unable to reach Jorge (the lead developer). None of them seem to be
interested in developing it further.

Here is the new website and git repository:

https://dillo-browser.github.io/
https://github.com/dillo-browser/dillo

The old dillo.org site was lost in 2022 and is now mostly serving AI-generated
SPAM:

https://dillo-browser.github.io/dillo.org.html
https://dillo.org/post-sitemap.xml

Here is an archived copy of the original old website:

https://dillo-browser.github.io/old/index.html
http://web.archive.org/web/20220508022123/https://www.dillo.org/

We also have a new mailing list (with the recovered old archives), an IRC
channel and mastodon account:

https://lists.mailman3.com/hyperkitty/list/dillo-***@mailman3.com/latest
irc://irc.libera.chat/#dillo
https://fosstodon.org/@dillo

I did a FOSDEM presentation this year talking about the resurrection process
as well as new features that we added with a live demo in an old netbook:

https://fosdem.org/2025/schedule/event/fosdem-2025-4100-resurrecting-the-minimalistic-dillo-web-browser/

Here is the color corrected video, as I forgot to turn off my blue filter:
http://youtu.be/sFJp8JDg8Yg

Debian currently distributes the last 3.0.5 release from 2015 before the
project development ceased, which is known to have several TLS issues (among
many others) that we have already fixed and we track the ones people reported
here:

https://github.com/dillo-browser/dillo/issues/305

You can see all the issues that we fixed here for each release we did, they
are organized in milestones:

https://github.com/dillo-browser/dillo/milestones?state=closed

Here is the changelog:

https://github.com/dillo-browser/dillo/blob/master/ChangeLog

I have communicated with the current maintainer Axel Beckert (in CC) the
current situation over email and Mastodon and my interest in updating the
current version of Dillo in Debian, but it seems that switching the upstream
would require reviewing the changes and being extra cautious (following the xz
incident).

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022726
https://chaos.social/@xtaran/112905124915743612

Just to be clear, to the best of my ability I have not introduced any backdoor
or otherwise any malicious code in Dillo. I have probably introduced
unintentional bugs but, as with any software out there, we do our best not to.
Regardless, I invite you to review all the commits.

I added a CI pipeline to pass several tests with the intention of catching new
bugs (Dillo was previously tested manually).

I have also decided to do this publicly, you can find my full name and
affiliation in my FOSDEM presentation, so it would be harder for me to do
something nefarious.

So, following the "Help from well-known DDs is very welcome!" suggestion, I
would like to request help from other Debian developers to update Dillo. The
last release is 3.2.0 from 2025-01-18:

https://dillo-browser.github.io/release/3.2.0/

Releases are signed with my GPG key under my current email, which is available
here:

https://keys.openpgp.org/vks/v1/by-fingerprint/32E65EC501A1B6FDF8190D293EE6BA977EB2A253

I tried to keep all commits readable and self-contained, so you should be able
to review all the changes if you wish so:

https://github.com/dillo-browser/dillo/commits/master/

Other distributions have already switched to our repo last year and they seem
to update their packages fairly quickly after each new release:

https://repology.org/project/dillo/history

I tried to make a package myself and propose a MR, but that didn't seem to be
such a good idea (I'm not very familiar with Debian or its packaging
procedures):

https://salsa.debian.org/debian/dillo/-/merge_requests/1

I hope that we can move the situation forward, as I start to believe that
users try the old Dillo in Debian, they see that many pages don't connect via
TLS and quickly stop using it without even considering that those problems
(among many others) are already fixed. So I'm starting to think that this is
hurting our efforts to resurrect the project.

I don't like the idea of distributing Dillo in Flatpak or similar
technologies, as that would make the TLS library not receive any security
updates until the user updates the bundle, which I don't think is a very good
idea. So I prefer distributing it via a proper Debian package with the
corresponding dependencies and security updates.

Please, let me know which further actions I can take to fix this problem. I'll
be happy to address any further questions or concerns.

Best,
Rodrigo.

----- End forwarded message -----
Soren Stoutner
2025-04-04 22:30:02 UTC
Rodrigo,

It looks like dillo is maintained by Axel Beckert <***@debian.org>.

https://tracker.debian.org/pkg/dillo

He would be the first person you should probably ask about updating
the package.

On Friday, April 4, 2025 2:33:22 PM Mountain Standard Time Rodrigo
Post by Rodrigo Arias
Hi,
I'm trying again to reach debian-devel, this time by subscribing
first to the list. I have also contacted your #debian-lists IRC
channel for more information on what happened, but I didn't get any
reply.
I'll write a slightly shorter email here, the full email is
forwarded below (some typos corrected about dates).
The version of the Dillo web browser that you currently distribute
with Debian (3.0.5) is 10 years old. Since that version, a lot of
changes were done by the original developers, but they never got
into a release before the project was abandoned around 2017 (last
email from Jorge was from 2019). Among those changes was the
support for floats or the switch to mbedTLS instead of OpenSSL.
The 3.0.5 version has several issues on the network side, as it is
unable to properly handle TLS alerts. On the rendering side, there
are problems with floats, image ratios and with the lack of CSS
units among others.
In 2024 I decided to resurrect the project and fix those and many
other problems. You can try by yourself and see the difference on
https://dillo-browser.github.io/
https://raw.githubusercontent.com/dillo-browser/dillo/refs/heads/master/ChangeLog
Our latest release 3.2.0 fixes A LOT of problems in the rendering
side and introduces new features like SVG support for Wikipedia
math equations. It also includes the unreleased changes from the
original developers. I presented some features and the overall
http://youtu.be/sFJp8JDg8Yg
Dillo is designed to run on very old computers and/or low power
devices like Raspberry Pi. Given that newcomers to Linux often
begin with Debian based distros, it is unlikely that they know how
to build an updated Dillo browser from source, so I'm interested in
distributing already built binaries.
Do you have any interest in updating Dillo in the Debian repository,
or should I invest my time in finding other ways to distribute a
binary package to users?
Thanks,
Rodrigo.
--
Soren Stoutner
***@debian.org
Rodrigo Arias
2025-04-04 23:00:02 UTC
Post by Soren Stoutner
Rodrigo,
https://tracker.debian.org/pkg/dillo
He would be the first person you should probably ask about updating
the package.
TL;DR:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022726

https://chaos.social/@xtaran/112905124915743612
Soren Stoutner
2025-04-04 23:10:01 UTC
On Friday, April 4, 2025 3:50:13 PM Mountain Standard Time Rodrigo
Post by Rodrigo Arias
Post by Soren Stoutner
Rodrigo,
https://tracker.debian.org/pkg/dillo
He would be the first person you should probably ask about updating
the package.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022726
If you have already made an effort to contact the maintainer without
satisfaction, then what you are really looking for is someone to
salvage the package.

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#package-salvaging

debian-devel isn’t the best place to make a package salvaging request.
Realistically, if you really care about the package, your best option
is probably to become the maintainer of the package yourself.

If you have any interest, I would recommend you read:

https://mentors.debian.net/intro-maintainers/

Questions about how to package should be directed to
debian-***@lists.debian.org.
--
Soren Stoutner
***@debian.org
Rodrigo Arias
2025-04-04 23:20:01 UTC
Hi,
Post by Soren Stoutner
If you have already made an effort to contact the maintainer without
satisfaction, then what you are really looking for is someone to
salvage the package.
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#package-salvaging
debian-devel isn’t the best place to make a package salvaging request.
Realistically, if you really care about the package, your best option
is probably to become the maintainer of the package yourself.
https://mentors.debian.net/intro-maintainers/
Questions about how to package should be directed to debian-
I'm not very familiar with Debian to do it myself, but there are some
Debian Maintainers that offered their efforts to help. However, given
Post by Soren Stoutner
1) It's a new upstream, so all code should be reviewed.
2) On several channels I get urged to follow one of multiple new
upstreams from quite some people I've never heard before. This is
suspicious, especially after the xz fuckup 4 months ago. So I have to
be extra cautious in choosing a new upstream.
3) It's not so high on my TODO list.
Help from well-known DDs is very welcome!
(Axel) is the current maintainer and not absent, and I’ve already said
I’ll provide a fix in time.
In fact, sponsorship requests for a package that has a maintainer are
hostile takeover attempts. We wouldn’t want anyone to do these.
(From https://chaos.social/@xtaran/112905124915743612)

I was under the assumption that the Debian Developers were the only
group suitable to perform the update. If this is not the case, I can ask
around in case someone is interested in helping with the salvage
process.

Thanks,
Rodrigo.
Soren Stoutner
2025-04-04 23:30:02 UTC
On Friday, April 4, 2025 4:14:23 PM Mountain Standard Time Rodrigo
Post by Rodrigo Arias
I was under the assumption that the Debian Developers were the only
group suitable to perform the update. If this is not the case, I can
ask around in case someone is interested in helping with the
salvage process.
I suggest you read over the salvaging criteria I linked to earlier.

Note that salvaging a package is not a fast process and the current
maintainer has plenty of opportunities to stop it by committing to
actively maintain it themselves.

Smaller problems can be handled by an NMU (Non-Maintainer Upload).
Indeed, the last upload of dillo was an NMU. However, switching the
upstream of a package is beyond the scope of something that an NMU
normally handles.

Any Debian Contributor or Debian Maintainer can salvage a package.
They do need a Debian Developer to sponsor the upload.

https://mentors.debian.net/sponsors/
--
Soren Stoutner
***@debian.org
Marc Haber
2025-04-05 14:00:01 UTC
On Friday, April 4, 2025 4:14:23 PM Mountain Standard Time Rodrigo
Post by Rodrigo Arias
I was under the assumption that the Debian Developers were the only
group suitable to perform the update. If this is not the case, I can
ask around in case someone is interested in helping with the
salvage process.
I suggest you read over the salvaging criteria I linked to earlier.
Note that salvaging a package is not a fast process and the current
maintainer has plenty of opportunities to stop it by committing to
actively maintain it themselves.
Also, please note that Debian is going to freeze for the next stable
release in ten days. It is unlikely that the new Dillo package will be
in that release.

Greetings
Marc
--
----------------------------------------------------------------------------
Marc Haber | " Questions are the | Mail address in header
Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Phone: *49 6224 1600402