Dear PortableApps Developers,
It came to my attention that PortableApps has some pretty huge security issues that could be easily avoided if the person responsible for updating portable apps had just a smudge of understanding of what an update on a system other than MS Windows is and how it differs.
There is, of course, the second matter of abandoned apps and a complete mess with the choice of apps presented to the end user, with complete disregard for their privacy and security.
I will explain those multiple issues here, as best as I can, for a newbie who manages portable apps.
1. The newbie who manages portable apps doesn't know what a shared library is and how important it is for the security of a system or of individual apps. In MS Windows, all apps have separate libraries. Each app then has to be updated. Let's say (for the sake of explanation) there is a bug in OpenSSL. The whole system is then compromised. On a Unix-type system, the sys-admin updates one library (here: OpenSSL) and the whole system is secure. The update is straightforward and very fast, due to the fact that only one small package has to be updated. Moreover, not the whole package has to be updated, just the delta difference, so it's even faster.
Contrary to the shared-libraries concept, each MS Windows app has its own copy of its libraries. This means that each individual app has to be fully updated and repackaged for a few KiB of code. That leads to GiB of downloads and installations. It can also happen that some apps have outdated, insecure libraries, and each app maintainer has to be aware of all bugs in all libraries and repackage the whole app.
In PortableApps, one of the web browsers, Falkon, comes from 2019. But your misconception, as an MS Windows user, is that Falkon hasn't been updated since 2019, is totally insecure, and has multiple bugs and issues. Soon 3 years will have passed since the last version was published. This is not true. You are not aware that Falkon uses the concept of shared libraries and has since been updated hundreds of times. But how come? Well, Falkon is just a GUI for the rendering library called "Qt Webengine". Every other system that uses shared libraries has updated Falkon a multitude of times. The only thing they had to do is update "Qt Webengine", and Falkon (the GUI) is then up to date. Three years of updates you are missing.
2. Let's look, then, at the Internet category, specifically web browsers, and the choice that is given to the user.
There is, of course, Google Chromium. I am not going to argue about the security and privacy of this app, but a privacy-oriented user (I hope everyone should be) wouldn't want a one-corporation monopoly, and wouldn't want FLoC, Manifest V3, or constant calling home, telemetry, etc.
Other choices should be given. And here the problem begins. One big, viable alternative to Google Chrome (and not a Chromium spin-off) is Mozilla Firefox. There are two versions of Firefox: Firefox ESR (Extended Support Rate) and Firefox "rolling release". The first one is a tested, stable browser for production-ready machines; the other, with monthly releases (rolling release), is more of a test bed for the future ESR, with constant changes, code added, new features, etc. This is not a stable version, but the user of PortableApps is never given the choice of having a stable version. Quite the contrary: the user is given yet another unstable/beta/nightly/alpha version of Firefox, but not Firefox ESR.
Another thing is that Firefox has a lot of telemetry built in, and the user has to spend endless hours undoing it if they want just a smudge of privacy and a faster browser. This procedure also includes hacking omni.js. This is not viable for the end user. Fortunately, there is a solution: a team of developers created a fork of Firefox. It's called LibreWolf and is regularly published, on the same day as Mozilla Firefox or the next day. The changes and code are published on GitHub. Riddance of telemetry also means a faster app. PortableApps has never given us a choice and does not include LibreWolf.
Another very viable option is Basilisk. It retains the older (but not too old) GUI of Firefox and has "non-fingerprinted-non-web-type" addons (e.g. forks of uBlock and a fork of Matrix). It uses the Goanna web engine (which has far fewer security bugs; most of the Firefox CVEs don't even apply to the Goanna engine, nor to Basilisk itself). The code is leaner and more robust, hence Basilisk is faster than Firefox. It's actively developed and has a new corporate-independent developer. PortableApps has never given us a choice and does not include Basilisk.
Qupzilla: it has been deprecated since 2018 and replaced by the actively developed Falkon. So a browser that is pushing 4 years old now and isn't developed is still hanging on PortableApps. Not good.
There is also the issue of an overabundance of closed-source, proprietary software in PortableApps. As it is with every secret code, the risk is out there. There are better choices that could be given to the user:
a) file manager: Double Commander (the Qt version works better on Windows; available on SourceForge);
b) photo viewer: PhotoQt, Quick Picture Viewer (very fast, very small, 3.4M; available on GitHub).
Just to name a few.
Other issues:
Lack of browsers for protocols other than http. A good gopher client should be placed right next to Links. One of the best, easy to use and tested, is Gopherus. Why promote just "the web for normies"? There are better, smaller, faster, more secure protocols, without JavaScript, for reading (news, blogs, weather, Wikipedia and even "the normies websites" scraped, like reddit, twitter, etc.).
Another example of outdated, abandoned and non-working software:
GoldenDict: last update 2015. I bet none of the websites that it tries to look up exist in the form they had in 2015. So it's 100% broken.
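
Added example, not part of the letter above and not PortableApps code: point 1 says each app carries its own copy of a library such as OpenSSL, so every copy has to be tracked separately. The sketch below inventories those copies under an apps folder and reports which library files are present in more than one build; the file-name pattern, the one-top-level-folder-per-app layout and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed name pattern for bundled libraries to track; adjust to your own tree.
TRACKED = re.compile(
    r"^(libssl|libcrypto|ssleay32|libeay32|qt\d*webenginecore)[\w.-]*\.dll$", re.I)

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root):
    """Return {file name: {sha256: [app folders]}} for every tracked library."""
    found = defaultdict(lambda: defaultdict(set))
    for path in Path(root).rglob("*"):
        if path.is_file() and TRACKED.match(path.name):
            app = path.relative_to(root).parts[0]  # assumed: top-level folder = app
            found[path.name.lower()][sha256_of(path)].add(app)
    return {n: {d: sorted(a) for d, a in by.items()} for n, by in found.items()}

def divergent(inv):
    """File names that the scanned apps ship in more than one distinct build."""
    return sorted(name for name, by in inv.items() if len(by) > 1)

def demo():
    """Constructed sample tree: three apps, two of them bundling the same build."""
    layout = {
        "AppA/App/bin/libssl-1_1.dll": b"build-1",
        "AppB/App/libssl-1_1.dll": b"build-1",
        "AppC/App/lib/libssl-1_1.dll": b"build-2",
        "AppC/App/lib/Qt5WebEngineCore.dll": b"engine-1",
        "AppA/App/readme.txt": b"not a library",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in layout.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        inv = inventory(tmp)
    return inv, divergent(inv)

if __name__ == "__main__":
    print(demo()[1])
```

Identical digests mean the apps bundle the same build; a file name with several digests marks apps that each need their own repackaging when that library is fixed.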