14 files changed, 601 insertions, 61 deletions
diff --git a/palemoon/debian/bgstack15-palemoon-prefs.js b/palemoon/debian/bgstack15-palemoon-prefs.js
index cf00cb5..5848539 100644
--- a/palemoon/debian/bgstack15-palemoon-prefs.js
+++ b/palemoon/debian/bgstack15-palemoon-prefs.js
@@ -1,6 +1,6 @@
 // file: /usr/lib/palemoon/browser/defaults/preferences/bgstack15-palemoon-prefs.js
 // deployed with palemoon-stackrpms package (rpm or dpkg) built by bgstack15
-// last modified 2019-12-21
+// last modified 2020-04-15
 // reference:
 //    https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig
 pref("browser.allTabs.previews", false);
@@ -14,6 +14,12 @@ pref("browser.search.update", false);
 pref("browser.sessionstore.restore_on_demand", false);
 pref("browser.startup.page", 3);
 pref("browser.tabs.closeWindowWithLastTab", false);
+// These two have to stay undefined in Firefox 77+ in order for the drop-down for autocompletion to still work.
+//pref("browser.urlbar.disableExtendForTests", true);
+//pref("browser.urlbar.maxRichResults", 0);
+pref("browser.urlbar.trimURLs", false);
+pref("browser.urlbar.update1", false);
+pref("browser.xul.error_pages.enabled", false);
 pref("captivedetect.canonicalURL", "http://127.0.0.1:9980");
 pref("extensions.enabledAddons", "%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:28.3.0");
 pref("extensions.shownSelectionUI", true);
diff --git a/palemoon/debian/changelog b/palemoon/debian/changelog
index 9e48da7..a79d50c 100644
--- a/palemoon/debian/changelog
+++ b/palemoon/debian/changelog
@@ -1,3 +1,369 @@
+palemoon (28.13.0-4+devuan) obs; urgency=low
+
+  * Import xfce-helper/palemoon.desktop from stevep@mxlinux.org release
+
+ -- Ben Stack <bgstack15@gmail.com>  Wed, 09 Sep 2020 14:43:04 -0400
+
+palemoon (28.13.0-3+devuan) obs; urgency=medium
+
+  * This is a compatibility, bugfix and security update. Special thanks 
+    to our new code contributors this cycle (you know who you are)!
+    - Updated the included site-specific user-agent overrides for a 
+      number of websites that need them.
+    - Rewritten the browser's padlock code to use more modern APIs and 
+      provide more accurate security status indication.
+    - Now also with localized tooltips!
+    - Fixed a missing close button on the undo prompt after removing a 
+      thumbnail from the QuickDial new tab page.
+    - Fixed an issue with the alternative stylesheet menu in the 
+      browser's UI not working.
+    - Implemented the use of intrinsic aspect ratios for images to 
+      improve layout during load and page positioning.
+    - Added a preference to the use of node.getRootNode and disabled by 
+      default. See implementation notes.
+    - Added CSS -webkit-appearance as an alias for -moz-appearance to 
+      improve compatibility with websites that only try to use 
+      Chrome-specific keywords to style standard form elements.
+    - Updated the SQLite library to 3.33.0.
+    - Reinstated precise floating point precision model in JavaScript 
+      for those alternate builders who foolishly try to use the inaccurate 
+      "fast" model.
+    - Improved spec compliance of modular JavaScript use (ECMAScript 
+      modules).
+    - Changed media errors to be a more generic response, and added a 
+      preference (media.sourceErrorDetails.enabled) to enable detailed error 
+      reporting of media errors for debugging purposes.
+    - Previously, detailed errors were provided by default which could 
+      lead to privacy issues.
+    - Improved code stability of the AbortController implementation.
+    - Fixed a race condition in the secure connection library (NSS).
+    - Security issues fixed: CVE-2020-15664, CVE-2020-15666, 
+      CVE-2020-15667, CVE-2020-15668 and CVE-2020-15669.
+    - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 1 
+      defense-in-depth, 1 rejected, 9 not applicable.
+  * Implementation notes
+    - In 28.11.0 we introduced node.getRootNode because some websites 
+      would fail with an error if this function was not present. 
+      Unfortunately, this caused problems with other sites that (incorrectly) 
+      assume Google WebComponents are available when this utility function is 
+      present (feature detection gone wrong). While it is considered by some 
+      to be part of the Google WebComponents implementation, it actually has 
+      utility value outside of that use. Because of the problems caused, 
+      we've added a preference and disabled it by default, fixing these kinds 
+      of websites.
+    - When needed, you can re-enable this function with 
+      dom.getRootNode.enabled
+    - This should improve web compatibility by default yet still allow 
+      users to enable this function for websites that use its utility but do 
+      not use WebComponents.
+
+ -- Ben Stack <bgstack15@gmail.com>  Fri, 04 Sep 2020 19:50:02 -0400
+
+palemoon (28.12.0-1+devuan) obs; urgency=medium
+
+  * This is a development, bugfix and security update.
+    - Added controls for WASM to the browser's preferences, and enabled 
+      by default.
+    - Enabled various arbitrarily-disabled CSS functions.
+    - Added the use of basic path descriptors (i.e. polygon) to css 
+      clip paths.
+    - Implemented multithreaded request signal handling for the Abort 
+      API. Please see implementation notes below.
+    - Updated the included US-English dictionary, adding approximately 
+      2500 additional words.
+    - Removed the DOM battery API. This was already disabled for 
+      privacy reasons for a long while.
+    - Fixed an erroneous warning displayed on toolkit-only add-ons like 
+      supplied dictionaries.
+    - Fixed an issue with the sessionstore tab load preference.
+    - Improved the generation of the names of downloaded files to 
+      prevent confusion. (CVE-2020-15658)
+    - Fixed a code issue with base64 encoding of data.
+    - Fixed 2 safety hazards in JavaScript. (One being CVE-2020-15656) 
+      DiD
+    - Fixed a spec compliance issue with regards to the cross-origin 
+      loading of scripts. (CVE-2020-15652)
+    - Improved the loading of a system DLL on Windows, preventing 
+      low-risk hijacking potential. (CVE-2020-15657) See implementation notes.
+    - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 
+      defense-in-depth, 15 not applicable.
+  * Implementation notes
+    - In 28.11.0, we introduced the Abort API as new code. The 
+      implementation of it still had an issue where especially web workers 
+      would not always see the availability of abort signals on fetch 
+      requests while AbortSignal was implemented in the browser. This 
+      effectively made some websites (especially those using a particular 
+      polyfill for the Abort API that would detect the need to polyfill by 
+      way of Request.signal) throw errors that were fine before. We offered 
+      users a workaround by temporarily disabling the AbortController in the 
+      browser by way of a preference (dom.abortController.enabled).
+    - v28.12.0 fixes the multi-threaded handling of signals, which 
+      should solve these problems. As such, the workaround is no longer 
+      needed and upon upgrade the preference will be reset to enable 
+      AbortControllers again.
+    - DLL-hijacking on Windows would only be possible if a malicious 
+      actor already either gained administrative access to the program's 
+      installation folder or otherwise have unrestricted access to the 
+      program folder (by having it installed in local application folders 
+      inside the user's profile space or other insecure program locations). 
+      In that case the system is already compromised and any executable can 
+      be replaced, so having dll loading hijacked would be the least of your 
+      concerns (i.e. the main program .exe could also be replaced/infected in 
+      that case).
+
+ -- Ben Stack <bgstack15@gmail.com>  Wed, 05 Aug 2020 14:43:18 -0400
+
+palemoon (28.11.0-1+devuan) obs; urgency=medium
+
+  * This is a development, bugfix and security update.
+    - Changed storage format for certificates and passwords to SQLite.
+    - Added a preference (browser.tabs.insertAllAfterCurrent) to enable
+      always adding new tabs after the current tab, whether related or not.
+    - Changed the way Firefox extensions are displayed in the add-on
+      manager (provide a clear warning).
+    - Denied other types of add-ons that aren't explicitly targeting
+      Pale Moon's ID.
+    - Improved the browser's DPI-awareness to be per-monitor instead of
+      system-wide, on supported Windows operating systems.
+    - Updated bookmark backups code with the other half of what should
+      have been done way back when, so they work fully as-intended.
+    - Added a preference
+      (browser.bookmarks.editDialog.showForNewBookmarks) to enable
+      immediately showing the edit dialog for new bookmarks.
+    - If set to true, clicking the star in the address bar will pop
+      open the edit dialog immediately for changing details/sorting.
+    - Fixed the useragent string in native mode, and updated UA code to
+      properly respond to live changes to some preferences.
+    - Tidied up front-end browser JavaScript.
+    - Changed the way sources are compiled (on-going de-unification).
+    - Improved compatibility with gcc v10
+    - Removed support for the obsolete and unmaintained NVidia 3DVision
+      stereoscopic interface.
+    - Fixed some build issues in non-standard configurations.
+    - Fixed wrong positions when calculating the position for
+      position:absolute child inside a table.
+    - Aligned file name extension of saved url files with other
+      applications (lower case)
+    - Fixed building with --disable-webspeech (to disable speech
+      synthesis)
+    - Added global menubar support for GTK.
+    - Implemented node.getRootNode
+    - Implemented AbortController (Abort API)
+    - Improved the uninstaller to use elevation when prudent and
+      actually remove program files.
+    - Fixed a rare issue with editable page content.
+    - Fixed a crash related to ES module scripts.
+    - Aligned ES module scripting better with the current spec and
+      removed eager instantiation.
+    - Fixed a potential issue with the JPEG encoder. (CVE-2020-12422)
+      DiD
+    - Fixed a potential issue with AppCache manifests. DiD
+    - Fixed a potential crash in JavaScript date parsing.
+    - Fixed a problem with RSA key generation that would make it
+      potentially vulnerable to side-channel attacks. (CVE-2020-12402)
+    - Fixed a potential crash due to multithread race condition. DiD
+    - Fixed a correctness issue in URL handling. (CVE-2020-12418) DiD
+    - Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 4
+      defense-in-depth, 10 not applicable.
+
+ -- Ben Stack <bgstack15@gmail.com>  Tue, 14 Jul 2020 14:28:53 -0400
+
+palemoon (28.10.0-1+devuan) obs; urgency=medium
+
+  * This is a development, bugfix and security update.
+    - Implemented URLSearchParams' sort() function
+    - Implemented ES2020 globalThis for web compatibility
+    - Improved our WebM media parser to be more tolerant to different encoding
+    - styles.
+    - Improved our MP3 media parser to be more tolerant to different encoding
+    - styles and particularly tiny files/stream chunks.
+    - Improved performance of table drawing for more corner cases
+    - Changed the way images without a src are handled in page layouts to align
+    - with the Chrome-pushed spec.
+    - Added modern MIPS support
+    - Split out the ICU data file from xul.dll on Windows
+    - Fixed a regression in WebAudio channel handling due to a landed security
+    - fix.
+    - Fixed a regression preventing scripting from properly disabling input
+    - controls
+    - Fixed an issue with border radius sometimes not being honored in tables
+    - Fixed some build issues in non-standard configurations.
+    - Removed more telemetry code
+    - Removed the in-browser speech recognition engine and API
+    - Removed support for the obsolete and unmaintained NVidia 3DVision
+    - stereoscopic interface.
+    - Changed handling of braille blanks in the ui (CVE-2020-12409) DiD
+    - Mitigated a potential timing attack against DSA keys in NSS
+    - (CVE-2020-12399)
+    - Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 1
+    - defense-in-depth, 8 not applicable.
+
+ -- Ben Stack <bgstack15@gmail.com>  Fri, 05 Jun 2020 09:15:04 -0400
+
+palemoon (28.9.3-1+devuan) obs; urgency=medium
+
+  * This is a security update.
+    - Fixed a potential vulnerability in the zip file reader. DiD
+    - Fixed a potential vulnerability in the JavaScript JIT compiler related to aliases. DiD
+    - Ported several upstream devtools fixes (addresses CVE-2020-12392 and CVE-2020-12393).
+    - Improved memory safety of some WebAudio calls.
+    - Improved memory safety in the XUL window destructor. DiD
+    - Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 3 Defense-in-depth, 16 not applicable.
+
+ -- Ben Stack <bgstack15@gmail.com>  Fri, 08 May 2020 10:39:55 -0400
+
+palemoon (28.9.2-2+devuan) obs; urgency=medium
+
+  * testing OBS build optimization and removing animation from about dialog
+
+ -- Ben Stack <bgstack15@gmail.com>  Tue, 06 May 2020 15:08:46 -0400
+
+palemoon (28.9.2-1+devuan) obs; urgency=medium
+
+  * This is a minor update for stability and compatibility.
+    - Re-based the 28.9 version of browsers on a separate development branch that excludes the extensive work being done for Google WebComponents, to avoid potential performance and stability issues caused by as-of-yet incomplete and in-progress code for the new milestone.
+    - Enabled DOM High Resolution timestamps for compatibility with websites that strictly rely on them for operation.
+    - Added a preference to allow copying the unescaped URL from the address bar (especially useful for internationalized domain names and paths).
+    - To enable this, set `browser.urlbar.decodeURLsOnCopy` to true in about:config
+    - Fixed several application crashes (thanks, Fysac!)
+
+ -- Ben Stack <bgstack15@gmail.com>  Thu, 30 Apr 2020 10:11:14 -0400
+
+palemoon (28.9.1-1+devuan) obs; urgency=medium
+
+  *  This is a minor security and bugfix release.
+    - Re-imported the ExtensionStorage js module for use by browser extensions.
+    - Fixed an issue with the WebRequest module having erroneously un-processed build directives in it. This might have caused some subtle breakage.
+    - Removed the use of high-resolution Windows system timers from the layout refresh driver; this should help with some performance and battery life issues.
+    - Fixed an issue where various parts of hardware acceleration weren't properly linked when changing the option from preferences.
+    - If you have changed the preferences option to "use hardware acceleration when available" between 28.9.0 and this release, it is recommended that you go into preferences and toggle the option off/on to the preferred setting to correct any discrepancies.
+    - Fixed an issue with building the user-agent string using the build date as ID.
+    - Fixed an issue with the release of document content viewers (CVE-2020-6819). DiD
+    - Fixed an issue with handling functions with rest parameters. DiD
+    - Unified XUL Platform Mozilla Security Patch Summary: 2 Defense-in-depth, 14 not applicable.
+
+ -- Ben Stack <bgstack15@gmail.com>  Fri, 10 Apr 2020 13:58:30 -0400
+
+palemoon (28.9.0.2-1+devuan) obs; urgency=medium
+
+  *  This is a small bugfix update addressing 2 more important issues in 28.9.0.
+    - Fixed an issue with browser migration and initialization code causing various browser run-time problems.
+    - Fixed an issue with cache behavior where some users would have trouble having their windows and tabs restored in "soft refresh" mode (see v28.9.0 release notes).
+    - To solve this, we reverted to the previous (pull from cache) mode for now while we investigate the cause.
+
+ -- Ben Stack <bgstack15@gmail.com>  Thu, 26 Mar 2020 07:50:02 -0400
+
+palemoon (28.9.0.1-1+devuan) UNRELEASED; urgency=medium
+
+  * From releasenotes.shtml: This is a small update to address a breaking issue with user-agent override strings, causing problems on certain websites for a number of our users.
+
+ -- Ben Stack <bgstack15@gmail.com>  Thu, 26 Mar 2020 06:50:02 -0400
+
+palemoon (28.9.0-1+devuan) UNRELEASED; urgency=medium
+
+  * From releasenotes.shtml: This is a major development update.
+  * New features
+    - Implemented asynchronous iterators (`await iterator.next()` and `for await` loops) (ES2018)
+    - Implemented promise-based media playback.
+    - Implemented non-standard legacy CSSStyleSheet rules functions.
+    - Implemented the html5 `<dialog>` element. To switch this on, flip `dom.dialog_element.enabled` to true.
+    - Implemented the optional hiding of pinned tabs in CtrlTab/AllTab panes. (controlled through the preferences `browser.ctrlTab.hidePinnedTabs` and `browser.allTabs.hidePinnedTabs`)
+    - Added 1.25x playback speed to html media elements.
+    - Added a hidden pref (`browser.places.smartBookmarks.max`) to control the sizes of default smart bookmarks categories.
+  * Changes/fixes
+    - Aligned `document.open()` with the overhauled specification.
+    - Aligned the way DOM styles are computed with mainstream browser behavior.
+    - Removed the (unused) DOM promise implementation.
+    - Enabled seeking to next frame in media files.
+    - Enabled dynamic UA updates for emergency use.
+    - Implemented rule processing stub for font-variation-settings.
+    - Increased the maximum XML nesting depth to 2048 levels for extreme corner cases and to conservatively align with other browsers.
+    - Improved the privacy of geolocation lookup calls, with thanks to a generous service donation from ip-api.com
+    - Improved reporting of the operating system in site-specific user-agent overrides.
+    - Improved table drawing performance again after the rewrite for sticky positioning making it slower.
+    - Updated CSP processing to allow custom scheme wildcards to be specified without a port.
+    - Aligned the behavior of outlines with other browsers when dealing with CSS-repositioned elements.
+    - Changed the way hardware acceleration is controlled from the application.
+    - Changed the default monospace font for main languages from Courier New to Consolas.
+    - This provides a more balanced font for fixed-width text that is slightly more condensed and more in line with the naturally compacter variable-width fonts used everywhere else.
+    - Changed the browser's behavior when restoring tabs from previous sessions. To prevent stale pages, it will now by default perform a "soft refresh" of the page instead of drawing it purely from cache without checking if the page needs updating. If you prefer the old behavior, set `browser.sessionstore.cache_behavior` to 0 in about:config.
+    - Updated NSPR to 4.24 and NSS to ~3.48.1-RTM, removing the previous custom patch level with NSS being able to support custom rounds for DBM now.
+    - For extensive release notes with all NSS changes, see [NSS_Releases](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases)
+    - Implemented an NSS performance optimization for Master Password use with limited effect.
+    - Fixed some potential crashing scenarios with WebGL on Linux.
+    - Completely removed `showModalDialog`.
+    - Disabled some logging in production builds.
+    - Removed various gadgeteering/redundant/dead DOM APIs (casting/presentation, FlyWeb)
+    - Removed support for a number of critical libraries being system-supplied.
+    - Removed "Copy raw data" button from the troubleshooting information page, since it's never used by us in that format, and users mistakenly keep using it instead of copying text.
+    - Removed a bunch of Android and iOS support code.
+    - Fixed an issue with form elements sometimes being incorrectly disabled.
+    - Fixed several crashes.
+    - Fixed an issue with Captive Portal detection sometimes firing even when disabled by the user.
+    - Performed various tree-wide code cleanups.
+    - Backed out a large code cleanup patch for causing subtle issues in website operation (e.g. WordPress). This will have to be revisited later; the reintroduced code is not in use in practice.
+    - Cleaned up the application updater code.
+  * Security-related fixes:
+    - Fixed a potential pointer issue in cubeb. DiD
+    - Disabled allowing remote jar: URIs by default for security reasons. If you need this functionality for your non-standard environment, you can enable it with the preference `network.jar.block-remote-files`, but please consider moving away from this method of providing web-based applications.
+    - Removed a potentially dangerous and otherwise ineffective optimization from the JavaScript engine.
+    - Fixed unwanted behavior where created/focused pop-up windows could potentially cover the DOM fullscreen notification, hiding it from users. (CVE-2020-6810)
+    - Fixed an issue where copying data as a curl request from developer tools would not properly escape parameters. (CVE-2020-6811)
+    - Updated our sctp library code with several upstream fixes.
+    - Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 3 already mitigated, 1 rejected, 11 not applicable.
+
+ -- Ben Stack <bgstack15@gmail.com>  Thu, 26 Mar 2020 05:50:02 -0400
+
+palemoon (28.8.4-1+devuan) obs; urgency=low
+
+  * From releasenotes.shtml: This is a small security and compatibility update.
+    - Implemented optional catch binding (ES2019).
+    - Fixed a hazardous crash related to module scripting (CVE-2020-9545).
+
+ -- Ben Stack <bgstack15@gmail.com>  Mon, 02 Mar 2020 16:37:14 -0500
+
+palemoon (28.8.3-1+devuan) obs; urgency=medium
+
+  * From releasenotes.shtml: This is a small bugfix and compatibility update.
+    - Fixed an issue in CSP blocking requests without a port for custom schemes.
+    - Fixed a potentially hazardous crash in layers.
+    - Fixed random crashes on some sites using IndexedDB.
+    - Changed the way the application can be invoked from the command-line to prevent a whole class of potential exploits involving modified omnijars.
+    - If your special-needs environment requires that you launch the browser with custom browser/gre omnijars from the command-line, you must set the UXP_CUSTOM_OMNI environment variable before launch from this point forward.
+    - Fixed an issue in the html parser after using HTML5 template tags, allowing JavaScript parsing and execution when it should not be allowed, risking XSS vulnerabilities on sites relying on correct operation of the browser. (CVE-2020-6798)
+    - Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 2 DiD, 10 not applicable.
+
+ -- Ben Stack <bgstack15@gmail.com>  Wed, 18 Feb 2020 11:06:28 -0500
+
+palemoon (28.8.2.1-1+devuan) obs; urgency=medium
+
+  * From releasenotes.shtml: This is a small bugfix and compatibility update.
+    -  This is a minor release in response to YouTube deprecating their old web UI. This change will enable the new YouTube UI by default.
+
+ -- Ben Stack <bgstack15@gmail.com>  Wed, 05 Feb 2020 08:08:06 -0500
+
+palemoon (28.8.2-1+devuan) obs; urgency=medium
+
+  * From releasenotes.shtml: This is a small bugfix and compatibility update.
+    - Reverted the addition of JavaScript regular expression lookarounds since the implementation caused crashes. We'll have to revisit this later.
+    - Fixed an issue where FTP servers would hang the browser if they were not sending answers according to the protocol specification.
+    - Added a workaround for GitHub trying to enforce more Google-isms (which we don't support at this time) to browsers that identify as "Firefox-alike".
+
+ -- Ben Stack <bgstack15@gmail.com>  Tue, 28 Jan 2020 16:50:56 -0500
+
+palemoon (28.8.1-1+devuan) obs; urgency=medium
+
+  * From releasenotes.shtml: This is an important security and stability release.
+  * Changes/fixes
+    - Fixed a sampling issue in libsoundtouch (DiD)
+    - Fixed an issue with a new upcoming Windows 10 feature not honoring Private Browsing mode by default (DiD)
+    - Fixed several stability and memory safety hazards. (DiD)
+    - Fixed an issue where files could inadvertently be executed with the designated file type handler instead of opened. (CVE-2019-17019)
+    - Fixed an issue with the JavaScript JIT compiler that could lead to exploitable crashes. (CVE-2019-17026) actively exploited
+    - Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 7 DiD, 12 not applicable.
+
+ -- B Stack <bgstack15@gmail.com>  Mon, 13 Jan 2020 10:24:21 -0500
+
 palemoon (28.8.0-1+devuan) obs; urgency=medium
 
   * From releasenotes.shtml:  This is a major development release. Many things have been improved, some landmark features have been added/enabled, and many libraries have been updated for added stability and performance.
@@ -559,7 +925,7 @@ palemoon (28.1.0~repack-1) obs; urgency=medium
     - Fixed toolbar styling in toolkit themes.
     - Fixed viewing the source of a selection.
 
-  * Now has full support for gcc-8, so stop forcing gcc-7 build on Buster and 
+  * Now has full support for gcc-8, so stop forcing gcc-7 build on Buster and
     recent Ubuntus where gcc-8 is default.
 
  -- Steven Pusser <stevep@mxlinux.org>  Mon, 17 Sep 2018 19:05:20 -0700
@@ -638,8 +1004,8 @@ palemoon (27.9.4~repack-1~mx17+1) mx; urgency=medium
     - Prevented various location-based threats. DiD
     - Fixed a potential vulnerability with plugins being redirected to different
       origins (CVE-2018-12364).
-    - Improved the security check for launching executable files 
-      (by association) on Windows from the browser. For users who have (most 
+    - Improved the security check for launching executable files
+      (by association) on Windows from the browser. For users who have (most
       likely accidentally) granted a system-wide waiver for opening these kinds
       of files without being prompted, this permission has been reset.
     - Fixed an issue with invalid qcms transforms (CVE-2018-12366).
@@ -656,13 +1022,13 @@ palemoon (27.9.4~repack-1~mx17+1) mx; urgency=medium
 palemoon (27.9.3~repack-1~mx17+1) mx; urgency=medium
 
   * New upstream security update:
-  
+
     - Changes/fixes:
-      - (CVE-2017-0381) Ported a patch from libopus upstream. Note, contrary to 
-        that report, the libopus maintainers state they don't believe remote 
+      - (CVE-2017-0381) Ported a patch from libopus upstream. Note, contrary to
+        that report, the libopus maintainers state they don't believe remote
         code execution was possible, so this was not a critical patch.
       - Fixed an issue with task counting in JS GC.
-      - Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject (thanks 
+      - Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject (thanks
         to Berk Cem Göksel for reporting).
 
  -- Steven Pusser <stevep@mxlinux.org>  Tue, 12 Jun 2018 11:12:06 -0700
@@ -675,18 +1041,18 @@ palemoon (27.9.2~repack-1~mx17+1) mx; urgency=medium
       - We changed the language strings for softblocked items so people will cry
         less when we do our job.
       - (CVE-2018-5174) Prevent potential SmartScreen bypass on Windows 10.
-      - (CVE-2018-5173) Fixed an issue in the Downloads panel improperly 
-        rendering some Unicode characters, allowing for the file name to be 
-        spoofed. This could be used to obscure the file extension of potentially 
+      - (CVE-2018-5173) Fixed an issue in the Downloads panel improperly
+        rendering some Unicode characters, allowing for the file name to be
+        spoofed. This could be used to obscure the file extension of potentially
         executable files from user view in the panel.
       - (CVE-2018-5177) Fixed a vulnerability in the XSLT component leading to a
         buffer overflow and crash if it occurs.
-      - (CVE-2018-5159) Fixed an integer overflow vulnerability in the Skia 
+      - (CVE-2018-5159) Fixed an integer overflow vulnerability in the Skia
         library resulting in possible out-of-bounds writes.
       - (CVE-2018-5154) Fixed a use-after-free vulnerability while enumerating
         attributes during SVG animations with clip paths.
-      - (CVE-2018-5178) Fixed a buffer overflow during UTF8 to Unicode string 
-        conversion within JavaScript with extremely large amounts of data. This 
+      - (CVE-2018-5178) Fixed a buffer overflow during UTF8 to Unicode string
+        conversion within JavaScript with extremely large amounts of data. This
         vulnerability requires the use of a malicious or vulnerable extension in
         order to occur.
       - Fixed several stability issues (crashes) and memory safety hazards.
diff --git a/palemoon/debian/control b/palemoon/debian/control
index 194753e..653be92 100644
--- a/palemoon/debian/control
+++ b/palemoon/debian/control
@@ -6,34 +6,28 @@ Bugs: mailto: <bgstack15@gmail.com>
 XSBC-Original-Maintainer: Steven Pusser <stevep@mxlinux.org>
 Build-Depends: debhelper (>= 12),
    autoconf2.13,
-   build-essential,
-   gcc-8, g++-8, cpp-8,
    libasound2-dev,
-   libbz2-dev,
    libdbus-glib-1-dev (>= 0.60),
-   libegl1-mesa-dev,
    libgconf2-dev (>= 1.2.1),
    libgtk2.0-dev (>= 2.14),
-   libsqlite3-dev,
    libssl-dev,
    libx11-xcb-dev,
    libxt-dev,
    lsb-release,
+   mesa-common-dev,
    pkg-config,
-   python (>= 2.7),
-   python-dbus,
+   python2 (>= 2.7.18-2~) | python (>= 2.7),
    unzip,
    yasm (>= 1.1),
    zip,
-   zlib1g-dev,
 Standards-Version: 3.9.6
 Homepage: http://www.palemoon.org/
 
 Package: palemoon
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends},
-         libavcodec54 | libavcodec-extra54 |libavcodec55 | libavcodec-extra55 | libavcodec56 | libavcodec-extra56 | libavcodec57 | libavcodec-extra57 | libavcodec58 | libavcodec-extra58 | libavcodec-ffmpeg56 | libavcodec-ffmpeg-extra56
-Provides: x-www-browser
+         libavcodec54 | libavcodec-extra54 | libavcodec55 | libavcodec-extra55 | libavcodec56 | libavcodec-extra56 | libavcodec57 | libavcodec-extra57 | libavcodec58 | libavcodec-extra58 | libavcodec-ffmpeg56 | libavcodec-ffmpeg-extra56
+Provides: gnome-www-browser, www-browser, x-www-browser
 Conflicts: palemoon-nonsse2
 Replaces: palemoon-nonsse2
 Description: Firefox-based, efficient and easy to use web browser
diff --git a/palemoon/debian/install b/palemoon/debian/install
index 506544e..f6a08b2 100644
--- a/palemoon/debian/install
+++ b/palemoon/debian/install
@@ -1,2 +1,3 @@
-application/palemoon/branding/official/palemoon.desktop usr/share/applications
+debian/xfce-helper/palemoon.desktop usr/share/xfce4/helpers
+palemoon/branding/official/palemoon.desktop usr/share/applications
 debian/bgstack15-palemoon-prefs.js /usr/lib/palemoon/browser/defaults/preferences/
diff --git a/palemoon/debian/mozconfig b/palemoon/debian/mozconfig
index bc45287..0d0a0a3 100644
--- a/palemoon/debian/mozconfig
+++ b/palemoon/debian/mozconfig
@@ -1,51 +1,55 @@
 mk_add_options AUTOCLOBBER=1
-mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/pmbuild
-ac_add_options --enable-application=palemoon
-
-ac_add_options --enable-optimize="-O2"
-
-ac_add_options --enable-official-branding
-ac_add_options --enable-official-vendor
-
-# Safeguard against someone forgetting to re-set EARLY_BETA_OR_EARLIER in
-# defines.sh during the beta cycle
 export BUILDING_RELEASE=1
 export MC_OFFICIAL=1
 export MOZILLA_OFFICIAL=1
 export MC_PALEMOON=1
 
+#mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/pmbuild
+
+ac_add_options --enable-application=palemoon
+ac_add_options --enable-official-branding
+ac_add_options --enable-official-vendor
+
 # Disable add-ons signing
 # Disable checking that add-ons are signed by the trusted root
 MOZ_ADDON_SIGNING=
 # Disable enforcing that add-ons are signed by the trusted root
 MOZ_REQUIRE_SIGNING=
 
+# Standard
+# Enables
+ac_add_options --enable-av1
+ac_add_options --enable-optimize="-O2 -Wl,--no-keep-memory -Wl,--reduce-memory-overhead"
 ac_add_options --enable-default-toolkit=cairo-gtk2
+ac_add_options --enable-devtools
 ac_add_options --enable-jemalloc
-ac_add_options --enable-av1
-#ac_add_options --enable-shared-js
-ac_add_options --enable-strip
 ac_add_options --with-pthreads
-
-ac_add_options --disable-tests
+ac_add_options --enable-strip
+ac_add_options --enable-phoenix-extensions
+# Disables
 ac_add_options --disable-debug
-ac_add_options --disable-crashreporter
 ac_add_options --disable-eme
-ac_add_options --disable-parental-controls
-ac_add_options --disable-accessibility
-ac_add_options --disable-webrtc
 ac_add_options --disable-gamepad
 ac_add_options --disable-necko-wifi
+ac_add_options --disable-tests
 ac_add_options --disable-updater
-# debian-style prefix
+ac_add_options --disable-webrtc
+# Disable temeletry
+export MOZ_TELEMETRY_REPORTING=
+ac_add_options --disable-crashreporter
+ac_add_options --disable-parental-controls
+ac_add_options --disable-accessibility
+
+# Debian style
 ac_add_options --prefix=/usr
-# devuan options
+# Devuan style
 ac_add_options --disable-dbus
 ac_add_options --disable-pulseaudio
 # even though this is redundant
 ac_add_options --enable-alsa
 
-# Disable telemetry reporting
-export MOZ_TELEMETRY_REPORTING=
-
+# primarily for 32-bit but tolerated for 64-bit
 ac_add_options --x-libraries=/usr/lib
+
+# limit to 4 cpus to limit memory usage (approximately 0.75 GiB RAM/thread)
+mk_add_options MOZ_MAKE_FLAGS="-j4"
diff --git a/palemoon/debian/mozconfig-unstable b/palemoon/debian/mozconfig-unstable
new file mode 100644
index 0000000..6fd829e
--- /dev/null
+++ b/palemoon/debian/mozconfig-unstable
@@ -0,0 +1,56 @@
+mk_add_options AUTOCLOBBER=1
+export BUILDING_RELEASE=1
+export MC_OFFICIAL=1
+export MOZILLA_OFFICIAL=1
+export MC_PALEMOON=1
+
+#mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/pmbuild
+
+ac_add_options --enable-application=palemoon
+ac_add_options --enable-official-branding
+ac_add_options --enable-official-vendor
+
+# Disable add-ons signing
+# Disable checking that add-ons are signed by the trusted root
+MOZ_ADDON_SIGNING=
+# Disable enforcing that add-ons are signed by the trusted root
+MOZ_REQUIRE_SIGNING=
+
+# Standard
+# Enables
+ac_add_options --enable-av1
+ac_add_options --enable-optimize="-O2 -Wl,--no-keep-memory -Wl,--reduce-memory-overhead"
+ac_add_options --enable-default-toolkit=cairo-gtk2
+ac_add_options --enable-devtools
+ac_add_options --enable-jemalloc
+ac_add_options --with-pthreads
+ac_add_options --enable-strip
+ac_add_options --enable-phoenix-extensions
+# Disables
+ac_add_options --disable-debug
+ac_add_options --disable-eme
+ac_add_options --disable-gamepad
+ac_add_options --disable-necko-wifi
+ac_add_options --disable-tests
+ac_add_options --disable-updater
+ac_add_options --disable-webrtc
+# Disable temeletry
+export MOZ_TELEMETRY_REPORTING=
+ac_add_options --disable-crashreporter
+ac_add_options --disable-parental-controls
+ac_add_options --disable-accessibility
+
+# Debian style
+ac_add_options --prefix=/usr
+# Devuan style
+ac_add_options --disable-dbus
+ac_add_options --disable-pulseaudio
+# even though this is redundant
+ac_add_options --enable-alsa
+
+# primarily for 32-bit but tolerated for 64-bit
+ac_add_options --x-libraries=/usr/lib
+
+# limit to 4 cpus to limit memory usage (approximately 0.75 GiB RAM/thread)
+# single-threaded for Devuan unstable
+mk_add_options MOZ_MAKE_FLAGS="-j1"
diff --git a/palemoon/debian/palemoon+devuan.dsc b/palemoon/debian/palemoon+devuan.dsc
new file mode 100644
index 0000000..1897122
--- /dev/null
+++ b/palemoon/debian/palemoon+devuan.dsc
@@ -0,0 +1,16 @@
+Format: 3.0 (quilt)
+Source: palemoon
+Binary: palemoon
+Architecture: any
+Version: 28.13.0-4+devuan
+Maintainer: B Stack <bgstack15@gmail.com>
+Homepage: http://www.palemoon.org/
+Standards-Version: 4.1.4
+Build-Depends: debhelper (>= 12), autoconf2.13, libasound2-dev, libdbus-glib-1-dev (>= 0.60), libgconf2-dev (>= 1.2.1), libgtk2.0-dev (>= 2.14), libssl-dev, libx11-xcb-dev, libxt-dev, lsb-release, mesa-common-dev, pkg-config, python2 (>= 2.7.18-2~) | python (>= 2.7), unzip, yasm (>= 1.1), zip
+Package-List:
+ palemoon deb web optional arch=any
+Files:
+ 00000000000000000000000000000000 1 palemoon.orig-platform.tar.gz
+ 00000000000000000000000000000000 1 palemoon.orig.tar.gz
+ 00000000000000000000000000000000 1 palemoon+devuan.debian.tar.xz
+Original-Maintainer: Steven Pusser <stevep@mxlinux.org>
diff --git a/palemoon/debian/patches/bgstack15-palemoon.patch b/palemoon/debian/patches/bgstack15-palemoon.patch
new file mode 100644
index 0000000..f0bd4fa
--- /dev/null
+++ b/palemoon/debian/patches/bgstack15-palemoon.patch
@@ -0,0 +1,11 @@
+diff -Naur 28.4.1-0/application/palemoon/branding/shared/locales/browserconfig.properties 28.4.1-1/application/palemoon/branding/shared/locales/browserconfig.properties
+--- 28.4.1-0/palemoon/branding/shared/locales/browserconfig.properties	2019-03-26 13:33:15.000000000 -0400
++++ 28.4.1-1/palemoon/branding/shared/locales/browserconfig.properties	2019-03-27 10:44:23.578435642 -0400
+@@ -3,5 +3,5 @@
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
+ # Do NOT localize or otherwise change these values
+-browser.startup.homepage=http://start.palemoon.org/
+-browser.startup.homepage_reset=http://start.palemoon.org/
++browser.startup.homepage=http://start.duckduckgo.com/
++browser.startup.homepage_reset=http://start.duckduckgo.com/
diff --git a/palemoon/debian/patches/pm-devuan.patch b/palemoon/debian/patches/pm-devuan.patch
new file mode 100644
index 0000000..4e694a9
--- /dev/null
+++ b/palemoon/debian/patches/pm-devuan.patch
@@ -0,0 +1,59 @@
+diff -Naur Pale-Moon-28.9.0.2_Release/palemoon/base/content/aboutDialog.xul Pale-Moon-28.9.0.2_Release-new/palemoon/base/content/aboutDialog.xul
+--- Pale-Moon-28.9.0.2_Release/palemoon/base/content/aboutDialog.xul	2020-03-25 09:49:13.000000000 -0400
++++ Pale-Moon-28.9.0.2_Release-new/palemoon/base/content/aboutDialog.xul	2020-05-05 09:12:48.776096853 -0400
+@@ -39,9 +39,9 @@
+     <vbox id="aboutHeaderBox" />
+     <vbox id="aboutVersionBox" flex="3">
+ #ifdef HAVE_64BIT_BUILD
+-#expand <label id="aboutVersion">Version: __MOZ_APP_VERSION__ (64-bit)</label>
++#expand <label id="aboutVersion">Version: __MOZ_APP_VERSION__ (64-bit) for Devuan</label>
+ #else
+-#expand <label id="aboutVersion">Version: __MOZ_APP_VERSION__ (32-bit)</label>
++#expand <label id="aboutVersion">Version: __MOZ_APP_VERSION__ (32-bit) for Devuan</label>
+ #endif
+         <label id="distribution" class="text-blurb"/>
+         <label id="distributionId" class="text-blurb"/>
+@@ -53,7 +53,7 @@
+ #ifdef MC_PRIVATE_BUILD
+           This is a private build of Pale Moon. If you did not manually build this copy from source yourself, then please download an official version from the <label class="text-link" href="http://www.palemoon.org/">Pale Moon website</label>.
+ #else
+-          <label class="text-link" href="http://www.palemoon.org">Pale Moon</label> is released by <label class="text-link" href="http://www.moonchildproductions.info">Moonchild Productions</label>.
++          This build of palemoon is released by custom.
+         </description>
+         <description class="text-credits text-center">
+           Special thanks to all our supporters and donors for making this browser possible!
+diff -Naur Pale-Moon-28.9.0.2_Release/palemoon/branding/official/content/aboutDialog.css Pale-Moon-28.9.0.2_Release-new/palemoon/branding/official/content/aboutDialog.css
+--- Pale-Moon-28.9.0.2_Release/palemoon/branding/official/content/aboutDialog.css	2020-03-25 09:49:13.000000000 -0400
++++ Pale-Moon-28.9.0.2_Release-new/palemoon/branding/official/content/aboutDialog.css	2020-05-05 09:02:38.318463672 -0400
+@@ -21,8 +21,6 @@
+ }
+ 
+ #aboutTextBox {
+-  animation: 3s fadeIn;
+-  animation-fill-mode: forwards;
+   text-shadow: 1px 1px 0px #9ABCD5;
+   color: #101020; 
+ }
+diff -Naur Pale-Moon-28.9.0.2_Release/palemoon/branding/official/locales/en-US/brand.dtd Pale-Moon-28.9.0.2_Release-new/palemoon/branding/official/locales/en-US/brand.dtd
+--- Pale-Moon-28.9.0.2_Release/palemoon/branding/official/locales/en-US/brand.dtd	2020-03-25 09:49:13.000000000 -0400
++++ Pale-Moon-28.9.0.2_Release-new/palemoon/branding/official/locales/en-US/brand.dtd	2020-05-05 08:28:53.071897555 -0400
+@@ -1,4 +1,4 @@
+-<!ENTITY  brandShortName        "Pale Moon">
+-<!ENTITY  brandFullName         "Pale Moon">
+-<!ENTITY  vendorShortName       "Moonchild">
++<!ENTITY  brandShortName        "palemoon">
++<!ENTITY  brandFullName         "palemoon">
++<!ENTITY  vendorShortName       "custom">
+ <!ENTITY  trademarkInfo.part1   "The Pale Moon logo and project names are trademarks of Moonchild Productions (M.C. Straver BASc). All rights reserved.">
+diff -Naur Pale-Moon-28.9.0.2_Release/palemoon/branding/official/locales/en-US/brand.properties Pale-Moon-28.9.0.2_Release-new/palemoon/branding/official/locales/en-US/brand.properties
+--- Pale-Moon-28.9.0.2_Release/palemoon/branding/official/locales/en-US/brand.properties	2020-03-25 09:49:13.000000000 -0400
++++ Pale-Moon-28.9.0.2_Release-new/palemoon/branding/official/locales/en-US/brand.properties	2020-05-05 08:28:07.923487413 -0400
+@@ -1,5 +1,5 @@
+-brandShortName=Pale Moon
+-brandFullName=Pale Moon
+-vendorShortName=Moonchild
++brandShortName=palemoon
++brandFullName=palemoon
++vendorShortName=custom
+ 
+ syncBrandShortName=Sync
diff --git a/palemoon/debian/patches/series b/palemoon/debian/patches/series
index 0ed32c3..054d3bf 100644
--- a/palemoon/debian/patches/series
+++ b/palemoon/debian/patches/series
@@ -1 +1,3 @@
 small-icons.patch
+bgstack15-palemoon.patch
+pm-devuan.patch
diff --git a/palemoon/debian/patches/small-icons.patch b/palemoon/debian/patches/small-icons.patch
index fa6017f..03d364a 100644
--- a/palemoon/debian/patches/small-icons.patch
+++ b/palemoon/debian/patches/small-icons.patch
@@ -1,5 +1,5 @@
---- UXP-PM28.3.0_Release.orig/application/palemoon/base/content/browser.xul	2019-01-08 11:42:01.000000000 -0500
-+++ UXP-PM28.3.0_Release/application/palemoon/base/content/browser.xul	2019-02-04 06:57:38.943983285 -0500
+--- UXP-PM28.3.0_Release.orig/palemoon/base/content/browser.xul	2019-01-08 11:42:01.000000000 -0500
++++ UXP-PM28.3.0_Release/palemoon/base/content/browser.xul	2019-02-04 06:57:38.943983285 -0500
 @@ -355,7 +355,7 @@
  
    <toolbox id="navigator-toolbox"
diff --git a/palemoon/debian/rules b/palemoon/debian/rules
index b56d4f7..2efbbcf 100755
--- a/palemoon/debian/rules
+++ b/palemoon/debian/rules
@@ -2,14 +2,21 @@
 
 export SHELL=/bin/bash
 
-# borrowed from stevepusser's logic
-# Build with gcc-8 on Buster (beowulf/ceres)
+## borrowed from stevepusser's logic
+## Build with gcc-8 on Buster (beowulf/ceres)
+## If you enable this, then d/control needs lsb-release as a build dependency.
+#distrelease := $(shell lsb_release -cs)
+#ifeq ($(distrelease),$(filter $(distrelease),buster beowulf/ceres))
+#export CC=gcc-8
+#export CXX=g++-8
+#export CPP=cpp-8
+#export LD=gcc-8
+#endif
+
+export MCFILE=debian/mozconfig
 distrelease := $(shell lsb_release -cs)
-ifeq ($(distrelease),$(filter $(distrelease),buster beowulf/ceres))
-export CC=gcc-8
-export CXX=g++-8
-export CPP=cpp-8
-export LD=gcc-8
+ifeq ($(distrelease),$(filter $(distrelease),sid unstable ceres))
+export MCFILE=debian/mozconfig-unstable
 endif
 
 %:
@@ -21,7 +28,7 @@ override_dh_auto_clean:
 	find . -name '*.pyc' -delete
 
 override_dh_auto_configure:
-	cp debian/mozconfig mozconfig
+	cp ${MCFILE} mozconfig
 
 override_dh_auto_build:
 	make -f client.mk build
diff --git a/palemoon/debian/watch b/palemoon/debian/watch
index 76575dc..cc46979 100644
--- a/palemoon/debian/watch
+++ b/palemoon/debian/watch
@@ -1,2 +1,7 @@
-# You must remove unused comment lines for the released package.
-version=3
+# Reference:
+version=4
+opts=filenamemangle=s/.+\/v?(\d\S+)_Release\.tar\.gz/palemoon_$1.orig\.tar\.gz/ \
+  https://github.com/MoonchildProductions/Pale-Moon/tags .*/v?(\d\S+)_Release\.tar\.gz
+# not working. Uscan does not want to download specific, untagged git commits.
+#opts="component=platform" \
+#  https://github.com/MoonchildProductions/UXP/archive/41e5925b4271c598601fdc77238bbf6497576594.tar.gz
diff --git a/palemoon/debian/xfce-helper/palemoon.desktop b/palemoon/debian/xfce-helper/palemoon.desktop
new file mode 100644
index 0000000..2b546c4
--- /dev/null
+++ b/palemoon/debian/xfce-helper/palemoon.desktop
@@ -0,0 +1,13 @@
+[Desktop Entry]
+Version=1.0
+Encoding=UTF-8
+Icon=palemoon
+Name=Pale Moon
+NoDisplay=true
+StartupNotify=false
+Terminal=false
+Type=X-XFCE-Helper
+X-XFCE-Binaries=palemoon;
+X-XFCE-Category=WebBrowser
+X-XFCE-Commands=%B;
+X-XFCE-CommandsWithParameter=%B "%s";