They die the minute Firefox developers stop feeding them security fixes on the regular. They are not developing, they're packaging. If real development stops at Mozilla, if Gecko dies at Mozilla, there isn't a volunteer project on the planet that could keep it alive in Pale Moon or any other Mozilla derivative.

They're not using Mozilla's security fixes or browser engine. Pale Moon is a hard fork, so it is developed, and developed independently from Mozilla's Firefox.

Also check out this page - https://www.palemoon.org/info.shtml.

Goanna has been rebased over Gecko several times because they keep falling behind, hasn't it? So it's more of a periodically-hard fork.

They didn't "rebase" it though - just some code from Gecko was merged into it. And as I understand from https://www.palemoon.org/history.shtml, there were two merges - first with Firefox 38 ESR, and second with Firefox 52 ESR.

Thanks for the details! I was speaking from memory, but I see the last merge was quite a while ago. That somewhat increases my trust on the project then, although I'm not sure I'd ever trust a minor browser fork without further security assurances.