Mozilla

Planet Mozilla - https://planet.mozilla.org/

Chris H-C: Four-Year Moziversary

Saturday 19th of October 2019 06:23:41 PM

Wowee what a year that was. And I’m pretty sure the year to come will be even more so.

We gained two new team members, Travis and Beatriz. And with Georg taking a short break, we’ve all had more to do than usual. Glean’s really been working out well, though I’ve only had the pleasure of working on it a little bit.

Instead I’ve been adding fun new features to Firefox Desktop like Origin Telemetry. I also gave a talk at a conference about Data and Responsibility. Last December’s All Hands returned us to Orlando, and June brought me to Whistler for the first time. We held a Virtual Work Week (or “vorkweek”) a couple of weeks ago when we couldn’t find a time and the budget to meet in person, and spent it planning out how we’ll bring Glean to Firefox Desktop with Project FOG. First with a Prototype (FOGotype) by end of year. And then 2020 will be the year of Glean on the Desktop.

Blogging-wise I’ve slowed down quite a lot. 12 posts so far this calendar year is much lower than previous years’ 25+. The velocity I’d kept up by keeping tabs on the Ontario Provincial Legislature and pontificating about video games I’d played died in the face of mounting work pressures. Instead of spending my off time writing non-mozilla things I spent a lot of it reading instead (as my goodreads account can attest).

But now that I’ve written this one, maybe I’ll write more here.

Resolution for the coming year? More blogging. Continued improvement. Put Glean on Firefox. That is all.

Cameron Kaiser: TenFourFox FPR16 SPR1 available

Saturday 19th of October 2019 03:01:53 AM
TenFourFox Feature Parity Release "16.1" (SPR 1) is now available for testing (downloads, hashes, release notes). As noted, this is a pure security update and there are no user-facing changes; the big under-the-hood change of those is that we are now pulling entirely from 68ESR, including locale data, certificate roots and so forth. There is also a small update to the ATSUI font blacklist. Assuming no issues, it will go live Monday evening Pacific time as usual.

Mozilla VR Blog: Firefox Reality Top Picks - Bringing You New Virtual Reality Experiences Weekly

Friday 18th of October 2019 05:54:54 PM

So you bought yourself a fancy VR headset, you’ve played all the zombie-dragon-laser-kitten-battle games (we have too!) and now you’re wondering… what else is there? Where can I find other cool stuff to explore while I have this headset strapped to my face? We felt the same way, so we built Firefox Reality to help you in your quest for the most interesting, groundbreaking and entertaining virtual reality content on the Web.

The real promise of VR is the ability to immerse yourself into countless other places and perspectives - both real and imaginary -  and to experience things you’ve never done before. Our Top Picks page is a great place to start exploring, with fresh recommendations coming weekly so you always have new content to check out. Of course, if you want to explore on your own, you can use Firefox Reality for that too.

Firefox Reality Top Picks is the start of what we hope will evolve into a thriving and sustainable ecosystem connecting creators, VR content, and audience.

How Do We Pick Our “Top Picks”?


Unlike browsers that recommend content by mining your data and using AI, the content featured in the Firefox Reality Top Picks menu is curated by real humans. We build relationships with creator communities and scour the Web seeking the best experiences we can find from around the world. We keep our finger firmly on the pulse of what’s hottest, freshest and most engaging in the rapidly changing world of emerging tech content.

We seek out creators where they tend to congregate: at conferences, festivals, meetups and hackathons, on LinkedIn and in creator / developer Facebook and Reddit groups, and through artist networks. We also dig around the vast reaches of the Web and spend countless hours in headset watching and evaluating virtual reality videos and interacting with experiences, discovering first-hand what we need to have warnings for (like motion sickness, phobias, strong language or potentially triggering subject matter), so that you know before you dive in what you’re going into.

There are certain things we’re looking for, such as the quality of the video, editing, use of animation or special effects, the presence or absence of major technical flaws, and whether “best practices” for shooting and editing 360 video or building an interactive experience have been followed. If best practices aren’t followed, we like to see they’re being broken for a reason. We’re excited by new ways of storytelling, interesting ways to explore familiar places and concepts, simple-but-effective interactive games and experiences that can be played by anyone right over the Web.

Along with technical quality, we’re interested in the creative aspects of the work - the concept, the story, the theme, the characters and so on. But when evaluating immersive content, there’s another layer -  how the creator has made use of immersivity and/or interactivity. Does this feel like a story or experience that was specifically created for 360 space? Are the creators using traditional aspects of storytelling/journalism/art/music to do something new or different? Did the concept have to be told in 360 space or require interactivity to be effective?

For example: The French piece Bebe Moche, featured currently in 360 Perspectives, tackles traditional physical slapstick comedy in 360 space. The French comedy troupe behind Bebe Moche have a whole series of short comedic “sketch” videos like this, and we’ll be showcasing them in the Top Picks menu. Featuring the same cast and exploring physical comedy, they are simple, effective experiments in physical storytelling that transcends verbal language. Perhaps equally important, it’s the kind of 360 video project that anyone could tackle with a decent 360 camera and video editing software.

Both content creators and audience are a key part of our journey as we work to make Firefox Reality a must-have tool for discovering, experiencing and sharing virtual reality content. If you are a creator interested in making a 360 video or interactive experience, or you want to know if the work you’re already making is WebXR-compatible, make sure to check out our Immersive Media Content Guide; it’s a great starting point for understanding more about how to make and share your own work.

If you have or know of an amazing 360 video or interactive experience you’d like our team to consider featuring on Firefox Reality Top Picks, please submit it to us here.

Firefox Reality 5 is available now. You can see our most recent release notes here. Go and get it!

Download for Oculus Go
Download for Oculus Quest
Download for Viveport

Hacks.Mozilla.Org: Faster Layouts with CSS Grid (and Subgrid!)

Friday 18th of October 2019 03:48:20 PM

CSS Grid has been available in most major browsers since early 2017, and it makes web layout more powerful than ever before. But complex-looking new syntax (line-names! grid-areas! minmax! fit-content! fr units!) and missing IE11 support can make it scary to many developers.

Don’t let that stop you: CSS Grid has made my layout process faster and simpler, with more flexibility. We can get started with a few basics, and the fallbacks don’t have to be overwhelming:

With Subgrid, we can also start to lay out nested elements on a shared grid, great for card layouts:

as well as common form patterns:

The post Faster Layouts with CSS Grid (and Subgrid!) appeared first on Mozilla Hacks - the Web developer blog.

Mozilla Localization (L10N): L10n Report: October Edition

Thursday 17th of October 2019 06:58:04 PM

Please note some of the information provided in this report may be subject to change as we are sometimes sharing information about projects that are still in early stages and are not final yet. 

Welcome! New localizers

Are you a locale leader and want us to include new members in our upcoming reports? Contact us!

New content and projects

What’s new or coming up in Firefox desktop

As explained in detail in the previous l10n report, cycles are starting to shorten towards the goal of 4 weeks. While Firefox 70 is going to be released in a few days, on October 22, the deadline to ship any update in Firefox 71 will be on November 19.

Talking about Firefox 71, congratulations to Catalan (Valencian) (ca-valencia), Tagalog (tl), and Triqui (trs) for reaching an important milestone: with this version, they will move to Beta, and then will be officially released on December 3. Thanks to them, Firefox 71 will be shipping with 96 localizations.

We have also added two new locales to Nightly in 71: Bodo (brx) and Tibetan (bo). If you speak one of these languages and want to help, head to Pontoon!

Talking about new content to localize, there are two main focus areas in 71:

  • Separation of Sync and Firefox Accounts. So far, “Signed in” was often used to indicate that you are connected to a Firefox Account, and that Sync is enabled. Now it will be possible to be signed in to an account, but not have Sync enabled. This needs to be reflected in all preferences, dialogs, notifications, etc. and it’s likely going to take more than one release to complete. The reason for this change is that Firefox Account is going to be used for more services in the future – it’s already used to monitor logins for websites with known data breaches, for example.
  • It’s now possible to use a different search engine in private windows. This new feature includes preferences, as well as new items for the context menu, and a banner to explain this new functionality to users.
What’s new or coming up in web projects

Firefox Accounts

A lot of content is made available for localization. The last code push to production is on October 21 which will include localized content for the October launch.

Mozilla.org

A few pages were made available for localization in the last two weeks.

  • footer.lang and navigation.lang are available to all locales. Though the deadline is set to mid November, enough locales are already complete to cover 90%+ of the user base. Both files will be activated on production in the coming days.
  • firefox/home-master.lang is open to all locales and will be on production as soon as the page is completed. P1 markets (de, en-CA, en-GB, es-ES, and fr) must be completed by October 20th.
  • firefox/welcome/page2.lang is available in languages supported by Pocket and will be activated on production as soon as the page is fully localized. P1 markets (de, en-CA, en-GB, es-ES, and fr) must be complete by October 20th.
What’s new or coming up in Foundation projects

The new donate website is available in Pontoon, with the most critical strings (UI and payment flow). As a reminder, the old project is still available on Pontoon as read-only, in case you need to find a previous translation not captured by translation memory. The FAQ and Ways to give pages will be added in the next few days.

The Advocacy team launched a YouTube Regrets site this week, sharing stories sent by YouTube users. Mozilla is showcasing these stories to draw attention to the human impact of optimization algorithms gone wrong and pressure YouTube to be more transparent in their work to fix the problems with their recommendation engine. You can read more about the specifics of the campaign and how it relates to Mozilla work to push for more trustworthy AI in consumer tech here and view the beautiful campaign site here.

What’s new or coming up in SuMo

Firefox 70 is releasing next week and a lot of new articles have been published or updated:

Firefox Monitor

Password manager = Lockwise

What’s new or coming up in Pontoon

Over the last year, we have been re-building Pontoon’s Translate page from scratch, to use better technologies and enable various sorts of improvements. This new app, nicknamed Translate.Next, has been released to all Pontoon users earlier this week! Find out more in our previous blog post about Translate.Next.

As a direct consequence of this work, we have been able to fix a few long-standing issues with placeables. Unexpected side-effects, better variable handling, catching more terms that should not be translated… the full list of changes can be seen on GitHub.

It’s Outreachy season, and Pontoon is participating! We have thus been seeing a lot of activity from new contributors these last few weeks, leading to more bugs being resolved. Notably, you can now very easily copy the link to a given string thanks to the “Copy Link” functionality:

Newly published localizer facing documentation

Mozilla general style guide is updated with revised branding policy.
Testing instructions for the new Mozilla Donate website have been updated.

Events

Want to showcase an event coming up that your community is participating in? Reach out to any l10n-driver and we’ll include that (see links to emails at the bottom of this report)

Friends of the Lion

Know someone in your l10n community who’s been doing a great job and should appear here? Contact one of the l10n-drivers and we’ll make sure they get a shout-out (see list at the bottom)!

Useful Links

Questions? Want to get involved?

 

Did you enjoy reading this report? Let us know how we can improve by reaching out to any one of the l10n-drivers listed above.

Chris H-C: This Week in Glean: Glean on Desktop (Project FOG)

Thursday 17th of October 2019 03:57:03 PM

(“This Week in Glean” is a series of blog posts that the Glean Team at Mozilla is using to try to communicate better about our work. They could be release notes, documentation, hopes, dreams, or whatever: so long as it is inspired by Glean.)

The Glean SDK is doing well on mobile. It’s shipping in Firefox Preview and Firefox for Fire TV on Android, and our iOS port for Lockwise is shaping up wonderfully well. Data is flowing in, letting us know how the products are being used.

It’s time to set our sights on Desktop.

It’s going to be tricky, but to realize one of the core benefits of the Glean SDK (the one about not having to maintain more than one data collection client library across Mozilla’s products) we have to do this. Also, we’re seeing more than a little interest from our coworkers to get going with it already : )

One of the reasons it’s going to be tricky is that Desktop isn’t like Mobile. As an example, the Glean SDK “baseline” ping is sent whenever the product is sent to the background. This is predicated on the idea that the user isn’t using the application when it’s in the background. But on Desktop, there’s no similar application lifecycle paradigm we can use in that way. We could try sending a ping whenever focus leaves the browser (onblur), but that can happen very often and doesn’t have the same connotation of “user isn’t using it”. And what if the focus leaves one browser window to attach to another browser window? We need to have conversations with Data Science and Firefox Peers to figure out what lifecycle events most closely respect our desire to measure engagement.

And that’s just one reason. One reason that needs investigation, exploration, discussion, design, proposal, approval, implementation, validation, and documentation.

And this reason’s one that we actually know something about. Who knows what swarm of unknown quirks and possible failures lies in wait?

That’s why step one in this adventure is a prototype. We’ll integrate the Glean SDK into Firefox Desktop and turn some things on. We’ll try some things out. We’ll make mistakes, and write it all down.

And then we’ll tear it out and, using what we’ve learned, do it over again. For real.

This prototype won’t have an answer for the behaviour of the “baseline” ping… so it won’t have a “baseline” ping. It won’t know the most efficient way to build a JavaScript metrics API (webidl? JSM? JSContext?), so it won’t have one. It won’t know how best to collect data from the many different processes of many different types that Firefox now boasts, so it will live in just one.

This investigative work will be done by the end of the year with the ultimate purpose of answering all the questions we need in order to proceed next year with the full implementation.

That’s right. You heard it here first:

2020 will be the year of Glean on the Desktop.

:chutten

Mozilla Reps Community: Reps of the Month – September 2019

Thursday 17th of October 2019 11:11:18 AM

Please join us in congratulating our Reps of the Month for September 2019, Jyotsna Gupta and David Gonzalez Blanchard.

Jyotsna is a Mozilla Rep and a Tech Speaker from Bangalore, India. The majority of her contributions go to Add-ons, from building PrivateX to being an Add-ons Content Reviewer and a judge in the Firefox Quantum Extensions Challenge. She was also highlighted as a Friend of Add-ons in the last quarter of 2018 on the Add-ons blog. Besides all this, she mentored new extension developers in her local community and joined the Featured Extensions Advisory Board.

 

More recently she joined the Mozilla Tech Speakers Program through which she frequently speaks about cross-browser extension development at various events and conferences. She aims to hone her public and tech speaking skills to help and collaborate with open source developers and communities.

David has been a member of the Nicaraguan Mozilla Community since 2010 and a Mozilla Rep since 2011, the year in which the community began to participate and share knowledge related to the web and Mozilla. Since then he has supported different activities to promote openness on the web and everything related to the community both in Nicaragua and the rest of Central American countries.

 

He has collaborated giving talks, workshops, organizing activities with the aim of unifying the communities of Mozilla Central America. He is currently promoting the development of video games, virtual reality with WebVR, Rust, and Common Voice. His main interest is to share knowledge about software development and promote a web accessible to all. The most recent activity he participated in was Mozilla Activate 2019 in Nicaragua where they talked about different topics related to Mozilla Activate and about innovation on the web.

Congratulations and keep rocking the open web!

The Firefox Frontier: Get recommended reading from Pocket every time you open a new tab in Firefox

Wednesday 16th of October 2019 03:00:34 PM

Thousands of articles are published each day, all fighting for our attention. But how many are actually worth reading? The tiniest fraction, and they’re tough to find. That’s where Pocket … Read more

The post Get recommended reading from Pocket every time you open a new tab in Firefox appeared first on The Firefox Frontier.

Hacks.Mozilla.Org: Developing cross-browser extensions with web-ext 3.2.0

Wednesday 16th of October 2019 02:55:02 PM

The web-ext tool was created at Mozilla to help you build browser extensions faster and more easily. Although our first launch focused on support for desktop Firefox, followed by Firefox for Android, our vision was always to support cross-browser development once we shipped Firefox support.

With the 3.2.0 release, you can use web-ext to truly build cross-browser extensions! Here is an example of developing an extension in Google Chrome using the run command:

$ web-ext run -t chromium

What’s even better is you can run your extension in both Firefox and Chrome at the same time:

$ web-ext run -t firefox-desktop -t chromium

As you’d expect, you can develop in any other Chromium-based browser such as Brave, Microsoft Edge, Opera or Vivaldi. Here’s an example of developing in Opera:

$ web-ext run -t chromium --chromium-binary /usr/bin/opera

Firefox’s WebExtensions API has always strived for Chrome API compatibility but several improvements have resulted in subtle differences, like how WebExtensions APIs always return promises. Mozilla already offers the webextensions-polyfill library to normalize promises and other things across both browser platforms.

And now, we are excited to offer a robust development solution for cross-browser extensions! Once you give it a try, let us know if you run into issues or have ideas for improvement.

Here is an example of launching an extension in Firefox and Chrome then editing a CSS file in the extension source to show off the automatic reloading feature.

https://hacks.mozilla.org/files/2019/10/web-ext-firefox-chrome-screencast.mp4

 

Other new features in web-ext 3.2.0

Chromium browser support isn’t the only nice new feature. Thanks to parse-json 5.0.0, the parsing errors on the extension manifest and locale files will now include a code frame. This will make it a lot easier to track down and fix mistakes.

The post Developing cross-browser extensions with web-ext 3.2.0 appeared first on Mozilla Hacks - the Web developer blog.

Mozilla Security Blog: Improved Security and Privacy Indicators in Firefox 70

Tuesday 15th of October 2019 08:26:08 PM

The upcoming Firefox 70 release will update the security and privacy indicators in the URL bar.

In recent years we have seen a great increase in the number of websites that are delivered securely via HTTPS. At the same time, privacy threats have become more prevalent on the web and Firefox has shipped new technologies to protect our users against tracking.

To better reflect this new environment, the updated UI takes a step towards treating secure HTTPS as the default method of transport for websites, instead of a way to identify website security. It also puts greater emphasis on user privacy.

This post will outline the major changes to our primary security indicators:

  • A new permanent “protections” icon to access information about the restrictions Firefox is applying to the page to protect your privacy.
  • A new crossed-out lock icon as indicator for insecure HTTP and a new color for the lock icon that marks sites delivered securely.
  • A new placement for Extended Validation (EV) indicators.

 

Streamlining Security and Identity Indicators

Firefox traditionally marked sites delivered via a secure transport mechanism with a green lock icon. Sites delivered via insecure mechanisms got no additional security indicators. All sites were marked with an “information” icon, which served as an access point for more site information.

As part of the changes in Firefox 70, we will start showing a crossed-out lock icon as permanent indicator for sites delivered via the insecure protocols HTTP and FTP. Over two years ago, we started showing this indicator for insecure login pages. We also announced our intent to expand by showing a negative indicator for all HTTP pages as HTTPS adoption increases. By now, Firefox loads about 80% of pages via HTTPS.

The formerly green lock icon will now become gray, with the intention of de-emphasizing the default (secure) connection state and instead putting more emphasis on broken or insecure connections.

We will remove the “information” icon. The lock icon will be the new entry point for accessing security and identity information about the website.

 

Moving the EV indicator out of the URL Bar

A recent study by Thompson et al. shows that the display of the company name and country in the URL bar when the website is using an Extended Validation TLS certificate does not add any additional security parameters. One of the biggest downsides with this approach is that it requires the user to notice the absence of the EV indicator on a malicious site. Furthermore, it has been demonstrated that EV certificates with colliding entity names can be generated by choosing a different jurisdiction.

As a result, we will relocate the EV indicator to the “Site Information” panel that is accessed by clicking on the lock icon. This change will hide the indicator from the majority of our users while keeping it accessible for those who need to access it. It also avoids ambiguities that could previously arise when the entity name in the URL bar was cut off to make space for the URL.

 

Adding a new Protections Icon

The protections icon will be the entry point for the privacy properties of every page. It lets the user know about trackers or cryptominers on the page and how Firefox restricts them to improve privacy and performance. The icon will have 3 different states.

Protections Enabled
When no tracking activity is detected and protections are not necessary, the shield shows in grey.

Protections Active
When protections are active on the current page, the shield displays a very subtle animation and adopts the purple gradient.

Protections Disabled
When the user has disabled protections for the site, the shield shows with a strike-through.

 

We are excited to roll out this improved new UI and will continue to evolve the indicators to give Firefox users an easy way to assess their privacy and security anywhere on the modern web.

A big thank you to all the individuals that contributed to this effort.

The post Improved Security and Privacy Indicators in Firefox 70 appeared first on Mozilla Security Blog.

Mozilla Addons Blog: Search Engine add-ons to be removed from addons.mozilla.org

Tuesday 15th of October 2019 05:15:46 PM

For the last eleven years, Firefox Search Engine add-ons have been powered by OpenSearch. With the recent implementation of the search overrides API, a WebExtensions API that offers users more controls for opting into changes, Mozilla intends to deprecate OpenSearch and eventually remove it from Firefox. Search Engine add-ons will be removed from AMO on December 5, 2019.

For Search Engine add-ons to continue working, they must be converted to an extension using the WebExtensions API by December 3, 2019. For more information, please see the following documents on MDN web docs:

Unfortunately, it is not possible to automatically migrate users of Search Engine add-ons to their replacement extensions. If you are the developer of a Search Engine add-on, we recommend linking to your new extension’s listing page from your search add-on’s listing page so your users know where to install the update.

If you have any questions, please ask them in our community forum.

The post Search Engine add-ons to be removed from addons.mozilla.org appeared first on Mozilla Add-ons Blog.

The Firefox Frontier: Why you should review your credit report after a data breach

Tuesday 15th of October 2019 04:00:30 PM

When significant data breaches happen where high risk data is at stake, there’s often a lot of talk about credit reports. Some companies that have been hacked may even be … Read more

The post Why you should review your credit report after a data breach appeared first on The Firefox Frontier.

Hacks.Mozilla.Org: Firefox’s New WebSocket Inspector

Tuesday 15th of October 2019 02:35:20 PM

The Firefox DevTools team and our contributors were hard at work over the summer, getting Firefox 70 jam-packed with improvements. We are especially excited about our new WebSocket inspection feature, because you told us in feedback how important it would be for your daily work. The WebSocket inspector will be released in Firefox 71, but is ready for you to use in Firefox Developer Edition now.

To use the inspector now, download Firefox Developer Edition, open DevTools’ Network panel to find the Messages tab. Then, keep reading to learn more about WebSockets and the tricks that the new panel has up its sleeve.

But first, big thanks to Heng Yeow Tan, the Google Summer of Code (GSoC) student who’s responsible for the implementation.

A Primer on WebSockets

We use the WebSocket (WS) API to create a persistent connection between a client and server. Because the API sends and receives data at any time, it is used mainly in applications requiring real-time communication.

Although it is possible to work directly with the WS API, some existing libraries come in handy and help save time. These libraries can help with connection failures, proxies, authentication and authorization, scalability, and much more. The WS inspector in Firefox DevTools currently supports Socket.IO and SockJS, but more support is in the works.

Want to learn more about how to set up WebSocket for your client applications? Head over to MDN’s guides. In the meantime, let’s dive into the new feature.

Getting started with the WebSocket Inspector

The WebSocket Inspector is part of the existing Network panel UI in DevTools. It’s already possible to filter the content for opened WS connections in this panel, but till now there was no chance to see the actual data transferred through WS frames.

The following screenshot shows the WS filter in action. Only the 101 request (WebSocket Protocol Handshake) is visible. The response code indicates that the server is switching to WS connection.

Clicking on the 101 request opens the familiar sidebar, showing details about the selected HTTP request. In addition, the UI now offers a fresh new Messages panel that can be used to inspect WS frames sent and received through the selected WS connection.

The live-updated table shows data for sent (green arrow) and received (red arrow) WS frames. Each frame expands on click, so you can inspect the formatted data.

To focus on specific messages, frames can be filtered using free text.

The Data and Time columns are visible by default, but you can customize the interface to see more columns by right-clicking on the header.

Selecting a frame in the list shows a preview at the bottom of the Messages panel.

The inspector currently supports the following WS protocols – and we have more planned:

    • Plain JSON
    • Socket.IO
    • SockJS
    • Coming soon
      • SignalR
      • WAMP

Payload based on those protocols is parsed and displayed as an expandable tree for easy inspection. Of course, you can still see the raw data (as sent over the wire) as well.
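The decoding step described above, as an added example that is not part of the original post and is not the DevTools implementation: a heuristic decoder that sorts captured text frames into plain JSON, Socket.IO or SockJS and parses the payload into a tree. The frame layouts follow the public Socket.IO (Engine.IO text encoding) and SockJS wire formats; the function names, the size cap and the sample frames are assumptions made for this example.

```javascript
// Added example (not Firefox DevTools code): heuristic decoder for captured
// WebSocket text frames. All function and constant names are hypothetical.

const MAX_FRAME_CHARS = 64 * 1024; // assumed cap so oversized frames are not parsed
const ENGINE_IO_TYPES = ["open", "close", "ping", "pong", "message", "upgrade", "noop"];
const SOCKET_IO_TYPES = ["CONNECT", "DISCONNECT", "EVENT", "ACK", "ERROR",
                         "BINARY_EVENT", "BINARY_ACK"];

// JSON.parse only: frame content is untrusted and must never be evaluated.
function tryJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false };
  }
}

// SockJS: "o" open, "h" heartbeat, a[...] message array, c[code,reason] close.
function parseSockJS(frame) {
  if (frame === "o") return { protocol: "sockjs", type: "open" };
  if (frame === "h") return { protocol: "sockjs", type: "heartbeat" };
  const kind = frame[0];
  if (kind !== "a" && kind !== "c") return null;
  const body = tryJson(frame.slice(1));
  if (!body.ok || !Array.isArray(body.value)) return null;
  if (kind === "c") {
    return { protocol: "sockjs", type: "close", code: body.value[0], reason: body.value[1] };
  }
  // Each element is a string; applications commonly put JSON inside it.
  const messages = body.value.map((item) => {
    const inner = typeof item === "string" ? tryJson(item) : { ok: false };
    return inner.ok ? inner.value : item;
  });
  return { protocol: "sockjs", type: "messages", messages };
}

// Socket.IO: one Engine.IO type digit, then (for "message") a Socket.IO packet:
// type digit, optional "<n>-" attachment count, optional "/namespace,",
// optional ack id, optional JSON payload.
function parseSocketIO(frame) {
  const outer = /^([0-6])([\s\S]*)$/.exec(frame);
  if (!outer) return null;
  const transport = ENGINE_IO_TYPES[Number(outer[1])];
  const rest = outer[2];
  if (transport !== "message") {
    // Control packets carry nothing, the literal "probe", or a JSON handshake.
    if (rest === "" || rest === "probe") return { protocol: "socket.io", transport, data: rest };
    const data = tryJson(rest);
    return data.ok ? { protocol: "socket.io", transport, data: data.value } : null;
  }
  const inner = /^([0-6])(?:(\d+)-)?(?:(\/[^,]*),)?(\d+)?([\s\S]*)$/.exec(rest);
  if (!inner) return null;
  let payload;
  if (inner[5] !== "") {
    const parsed = tryJson(inner[5]);
    if (!parsed.ok) return null; // malformed payload: let the caller fall back to raw
    payload = parsed.value;
  }
  return {
    protocol: "socket.io",
    transport,
    type: SOCKET_IO_TYPES[Number(inner[1])],
    attachments: inner[2] === undefined ? 0 : Number(inner[2]),
    namespace: inner[3] || "/",
    ackId: inner[4] === undefined ? null : Number(inner[4]),
    payload,
  };
}

// Objects and arrays count as plain JSON; bare numbers such as "2" are left to
// the protocol parsers because they collide with Engine.IO control packets.
function classifyFrame(frame) {
  if (typeof frame !== "string" || frame.length > MAX_FRAME_CHARS) {
    return { protocol: "raw", raw: frame };
  }
  const json = tryJson(frame);
  if (json.ok && json.value !== null && typeof json.value === "object") {
    return { protocol: "json", payload: json.value };
  }
  return parseSockJS(frame) || parseSocketIO(frame) || { protocol: "raw", raw: frame };
}

// Constructed sample frames, not captured from any real site.
const SAMPLE_FRAMES = [
  '{"op":"subscribe","channel":"ticker"}',
  '0{"sid":"constructed","pingInterval":25000}',
  '42["chat",{"text":"hi"}]',
  '42/admin,7["ping"]',
  'o',
  'a["{\\"id\\":1}"]',
  'c[3000,"Go away!"]',
  'hello world',
];

function summarize(frames) {
  return frames.map((frame) => {
    const decoded = classifyFrame(frame);
    return [decoded.protocol, decoded.type || decoded.transport].filter(Boolean).join(":");
  });
}

console.log(summarize(SAMPLE_FRAMES));
```

Frames that match none of the three layouts, or whose payload fails to parse, come back as `raw`, which mirrors the raw-data view the post mentions.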

Use the pause/resume button in the Network panel toolbar to stop intercepting WS traffic. This allows you to capture only the frames that you are interested in.

What’s next for the WebSockets inspector

We wanted to release this initial feature set quickly to let you use it. We have a few things that we are still working on for upcoming releases:

  • Binary payload viewer
  • Indicating closed connections
  • More protocols like SignalR and WAMP (and making it extensible)
  • Exporting WS frames (as part of HAR)
  • See our backlog for more of what’s coming

We would love your feedback on the new WebSocket Inspector, which is available now in Firefox Developer Edition 70. It will be released in Firefox 71, to include some of your feedback and bugfixes. If you haven’t had a chance yet, install and open Developer Edition, then follow along with this post to master WebSocket debugging.

The post Firefox’s New WebSocket Inspector appeared first on Mozilla Hacks - the Web developer blog.

Daniel Stenberg: Me, curl and Dagens Nyheter

Tuesday 15th of October 2019 01:48:02 PM

In the afternoon of October 1st 2019, I had the pleasure of welcoming Linus Larsson and Jonas Lindkvist into my home in Huddinge, south of Stockholm, Sweden. My home is also my office as I work full-time from home. These two fine gentlemen work for Sweden’s largest morning newspaper, Dagens Nyheter, which boasts 850,000 daily readers.

Jonas took what felt like a hundred photos of me, most of them when I sit in my office chair at my regular desk where my primary development computers and environment are. As you can see in the two photos on this blog post. I will admit that I did minimize most of my regular windows from the screens so that I wouldn’t accidentally reveal something personal or sensitive, but on the plus side is that if you pay close attention you can see my Simon Stålenhag desktop backgrounds better!

Me and Linus then sat down and talked. We talked about my background, how curl was created and how it has “taken off” to an extent I of course could never even dream about. Today, I estimate that curl runs in perhaps ten billion installations. A truly mind boggling – and humbling – number.

The interview/chat lasted for about an hour or so. I figured we had touched most relevant areas and Linus seemed content with the material and input he’d gotten from me. As this topic and article wasn’t really time sensitive or something that would have to be timed with something particular Linus explained that he didn’t know exactly when it would get published and it didn’t bother me. I figured it would be cool whenever!

On the morning of October 14 I collected the paper from my mailbox (because yes, I still do have a paper version newspaper arriving at my home every morning) and boom, I spotted an interesting little note in the lower right hand corner.

You can see the (Swedish-speaking) front-page blurb on the photo on the right.

Världens största programmerare du aldrig hört talas om (links to the dn.se site for the Swedish article, possibly behind a paywall)

The interesting timing this morning made it out so that this was the same morning I delivered a keynote at Castor Software Days at KTH in Stockholm titled “curl, a hobby project that conquered the world” (slides) – which by the way was received very well and I got a lot of positive comments and interesting conversations afterwards. And lots of people of course noticed the interestingly timed coincidence with the DN article!

Daniel in front of an audience at KTH, Stockholm.

The DN article reaches out to “ordinary” people in ways I’m not used to, so of course this made more of my non-techie friends suddenly realize a little more of what I do. I think it captures my “journey” and my approach to life and curl fairly well.

I’ll probably extend this blog post with links/photos of the actual DN articles at a later point once I feel I don’t risk undermining DN’s business by doing so.

(photos by Jonas Lindkvist, Dagens Nyheter, used in the online article about me)

Anne van Kesteren: Heading levels

Tuesday 15th of October 2019 01:10:14 PM

The HTML Standard has, for the past fifteen years or so, contained an algorithm to compute heading levels that is fairly complex and not implemented anywhere. E.g., for the following fragment

<body>
  <h4>Apples</h4>
  <p>Apples are fruit.</p>
  <section>
    <div>
      <h2>Taste</h2>
      <p>They taste lovely.</p>
    </div>
    <h6>Sweet</h6>
    <p>Red apples are sweeter than green ones.</p>
    <h1>Color</h1>
    <p>Apples come in various colors.</p>
  </section>
</body>

the headings would be “Apples” (level 1), “Taste” (level 2), “Sweet” (level 3), “Color” (level 2). Determining the level of any given heading requires traversing through its previous siblings and their descendants, its parent and the previous siblings and descendants of that, et cetera. That is too much complexity and optimizing it with caches is evidently not deemed worth it for such a simple feature.

However, throwing out the entire feature and requiring everyone to use h1 through h6 forever, adjusting them accordingly based on the document they end up in, is not very appealing to me. So I’ve been trying to come up with an alternative algorithm that would allow folks to use h1 with sectioning elements exclusively while giving assistive technology the right information (default styling of h1 is already adjusted based on nesting depth).

The simpler algorithm only looks at ancestors for a given heading and effectively only does so for h1 (unless you use hgroup). This leaves the above example in the weird state it is in in today’s browsers, except that the h1 (“Color”) would become level 2. It does so to minimally impact existing documents which would usually use h1 only as a top-level element or per the somewhat-erroneous recommendation of the HTML Standard use it everywhere, but in that case it would dramatically improve the outcome.

I’m hopeful we can have a prototype of this in Firefox soon and eventually supplement it with a :heading/:heading(…) pseudo-class to provide additional benefits to folks to level headings correctly. Standards-wise much of this is being sorted in whatwg/html #3499 and various issues linked from there.
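A sketch of the simpler, ancestors-only computation described above, as an added example rather than code from the post, the HTML Standard or Firefox. It assumes that h2 to h6 keep their own number, that an h1's level is one plus its count of sectioning-element ancestors (article, aside, nav, section), and it leaves hgroup out; `headingLevels` is a hypothetical name.

```javascript
// Added example: one reading of the "simpler algorithm" from the post.
// Assumptions: h2..h6 keep their own number; h1 is 1 plus the number of
// sectioning-element ancestors; hgroup handling is omitted.
const SECTIONING = new Set(["article", "aside", "nav", "section"]);

function headingLevels(html) {
  const results = [];
  const open = [];      // names of currently open elements, outermost first
  let current = null;   // heading whose text is being collected
  const tokenRe = /<(\/?)([a-z][a-z0-9]*)\b[^>]*>|([^<]+)/gi;

  for (const m of html.matchAll(tokenRe)) {
    if (m[3] !== undefined) {            // text between tags
      if (current) current.text += m[3];
      continue;
    }
    const name = m[2].toLowerCase();
    if (m[1] === "/") {                  // end tag: close back to its start tag
      const i = open.lastIndexOf(name);
      if (i !== -1) open.length = i;
      if (current && current.name === name) {
        results.push({ text: current.text.trim(), level: current.level });
        current = null;
      }
      continue;
    }
    const h = /^h([1-6])$/.exec(name);
    if (h) {
      // Only ancestors are consulted; previous siblings are never visited.
      const depth = open.filter((n) => SECTIONING.has(n)).length;
      const level = h[1] === "1" ? 1 + depth : Number(h[1]);
      current = { name, text: "", level };
    }
    open.push(name);
  }
  return results;
}

// The fragment from the post.
const FRAGMENT = `
<body>
  <h4>Apples</h4>
  <p>Apples are fruit.</p>
  <section>
    <div>
      <h2>Taste</h2>
      <p>They taste lovely.</p>
    </div>
    <h6>Sweet</h6>
    <p>Red apples are sweeter than green ones.</p>
    <h1>Color</h1>
    <p>Apples come in various colors.</p>
  </section>
</body>`;

console.log(headingLevels(FRAGMENT));
```

Only the h1 ("Color") changes relative to its own number, which matches the outcome the post describes for this fragment.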

Karl Dubost: This is not a remote work

Tuesday 15th of October 2019 07:00:00 AM
The Fallacy Of Remote Working

Everyone these days is working remotely in some ways. What people assume (both companies and employees) is that remote working is about working at distance from the office, and most of the time, from home. The notion of location here is a very important trope carried by the word "remote".

There is an assumption from corporations that time on site is equivalent to one of these:

  • Work quality
  • Work consistency
  • Tutoring
  • Control (covering many different layers of trust)
  • Salary for hours, another important trope in the corporate world tied to the time clock

As a note for managers, it makes me grin when a company is able to hire another company for a service or specific deliverables without control over daily hours, locations, etc., but freaks out when discussing relaxing the constraints of the office location with its own cohort of employees.

Criteria For "A-Localized" Work

So let's create a term for it. I prefer "alocalized" instead of remote. Remote too often induces the meaning of a central location, where some of the employees are working as satellites. Not all professions can be alocalized. Some jobs require someone to be physically on-site to be able to act on the task (in-house office cleaners, receptionists, assembly line workers). Some jobs are done outside of the central location by their very nature (carpenters, high power line workers). It's not usually the type of work we consider when we mention this topic.

Everyone who can execute their task in a distributed fashion, still cooperating with each other to be able to advance the work is a possible candidate for alocalized work.

If you are an employer, stop worrying about the abilities of your employees to work in an alocalized fashion. Before that, you need to assess whether the company is able to work that way. Here are some criteria that will make the environment friendly for workers.

  • All work items must be accessible, traceable and documented
      • Using emails? Create mailing lists. Get web archives with unique URLs for the emails, that you can point to. Learn how to use emails.
      • Doing physical or video meetings? Create an agenda, scribe the meeting, and keep the minutes.
      • Make sure you have control over your communications infrastructure OR make sure you can export the data in case the service goes down.
  • All work must be planned based on task management first (above time management). Think issue tracking.
  • Have and build trust between everyone.
  • The evaluation should not be based on how long people stayed at work, but on how effectively the tasks are done.

Management must be part of it. Everyone should be included in the new way of working. The location is not important. Work in or outside of an office should not matter. That's critical.

Real Problems Of Not In An Office

There are issues where this way of working will fail, but not necessarily in the way most employers think about it.

  • "How do I control the person is working all hours?"
      • Does it matter if the work is done properly with quality and on time?
      • Usually the system of trust is based on the wrong criteria.
  • "The person is young and without access to answers…"
      • An office doesn't necessarily mean the person will get an answer. The support and onboarding of someone is as critical on-site as off-site. Skills and age don't matter as much as personality.

Many of the issues for people working alocalized are often created by the work organization in the company itself.

On the personal level, the employees should assess their ability to work outside of an office. It's unrelated to the skills level. Some employees with 20 years of work experience will always be unable to work outside of an office. See below.

My Own Experience

I started working in a distributed environment very early. In 1994, when I was studying for my DEA in Astrophysics and Spatial Techniques, I was also doing my national service (mandatory at the time) at Observatoire de Meudon in France. The work included working with people and data across the world. Probably my first experience of having to deal with alocalized, asynchronous tasks.

But my skills in really working in a distributed environment came when I landed a job at W3C from 2000 to 2008. There is a specific culture at W3C which is first class in terms of working in a distributed fashion. This is essential. I worked both from offices and from home (or cafes or airports). Location didn't matter that much. I had years where I worked only in offices, and years working exclusively not from an office. I insist on saying "not from an office" compared to "from home".

Then I worked for Opera Software from 2010 to 2013, again not in an office. And the same for Mozilla from 2013.

W3C is still the place which fares the best in terms of working in a distributed, alocalized fashion. At Mozilla, for example, too many people rely on Slack discussions, closed Google documents or private email threads for working. This should not happen.

For my work self-organization, things which worked.

  • Create a working schedule. Contrary to what employers think, working at home means we often work more hours without noticing.
  • Morning, have breakfast, dress up, exactly as if you were going out. No pyjamas work.
  • If working from home, have a dedicated space for working.
  • If you need human contact, recreate it. Go to a cafe, to a shared working space, to another place with a regular schedule (it's amazing how you will discover people are doing the same thing as you). The habits will create opportunities for encounters. Encounters will create the office "coffee machine" chats.
  • Keep a record of your activities. Basically create a trust system for yourself.
  • When you have finished your work schedule, your work is finished.
  • Don't put your work email in the same account as your personal email.
  • Request things to be documented. A culture is built by shared values. You need to remind people of these values and adjust them together.

Otsukare!

This Week In Rust: This Week in Rust 308

Tuesday 15th of October 2019 04:00:00 AM

Hello and welcome to another issue of This Week in Rust! Rust is a systems language pursuing the trifecta: safety, concurrency, and speed. This is a weekly summary of its progress and community. Want something mentioned? Tweet us at @ThisWeekInRust or send us a pull request. Want to get involved? We love contributions.

This Week in Rust is openly developed on GitHub. If you find any errors in this week's issue, please submit a PR.

Updates from Rust Community

News & Blog Posts

Crate of the Week

This week, we don't have one, nor two, but three crates of the week! There's Watt, a fast WASM-based proc-macro runtime, Anyhow, yet another error handling crate and spotify-tui, a console user interface for Spotify.

Thanks to Aloso, zicklag and Vikrant for the suggestion!

Submit your suggestions and votes for next week!

Call for Participation

Always wanted to contribute to open-source projects but didn't know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!

Some of these tasks may also have mentors available, visit the task page for more information.

If you are a Rust project owner and are looking for contributors, please submit tasks here.

Updates from Rust Core

302 pull requests were merged in the last week

Approved RFCs

Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week:

Final Comment Period

Every week the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now.

RFCs

Tracking Issues & PRs

New RFCs

Upcoming Events

Asia Pacific

Europe

North America

If you are running a Rust event please add it to the calendar to get it mentioned here. Please remember to add a link to the event too. Email the Rust Community Team for access.

Rust Jobs

Tweet us at @ThisWeekInRust to get your job offers listed here!

Quote of the Week

If the Rust community has an ethos, it's that software should have strong static typing, but people should have soft dynamic typing.

Kyle Strand on Twitter

Thanks to Kyle Strand for the suggestion!

Please submit quotes and vote for next week!

This Week in Rust is edited by: nasa42, llogiq, and Flavsditz.

Discuss on r/rust.

The Rust Programming Language Blog: Announcing Rustup 1.20.0

Tuesday 15th of October 2019 12:00:00 AM

The rustup working group is happy to announce the release of rustup version 1.20.0. Rustup is the recommended tool to install Rust, a programming language that is empowering everyone to build reliable and efficient software.

If you have a previous version of rustup installed, getting rustup 1.20.0 is as easy as:

rustup self update

Rustup will also automatically update itself at the end of a normal toolchain update:

rustup update

If you don't have it already, you can get rustup from the appropriate page on our website.

What's new in rustup 1.20.0

The highlights of this release are profiles support, the ability to get the latest available nightly with all the components you need, and improvements to the rustup doc command. You can also check out the changelog for a list of all the changes included in this release.

Profiles

Previous versions of rustup installed a few components by default along with each toolchain: the compiler (rustc), the package manager (cargo), the standard library (rust-std), and offline documentation (rust-docs). While this approach is fine while developing software locally, some of the components (like rust-docs) slowed down the installation, either because they're not used on build servers, or on Windows due to the large amount of installed files.

To address this problem, rustup 1.20.0 introduces the concept of "profiles". They are groups of components you can choose to download while installing a new Rust toolchain. The profiles available at this time are minimal, default, and complete:

  • The minimal profile includes as few components as possible to get a working compiler (rustc, rust-std, and cargo). It's recommended to use this profile on Windows systems if you don't use local documentation, and in CI.
  • The default profile includes all the components previously installed by default (rustc, rust-std, cargo, and rust-docs) plus rustfmt and clippy. This profile will be used by rustup by default, and it's the one recommended for general use.
  • The complete profile includes all the components available through rustup, including miri and IDE integration tools (rls and rust-analysis).

To change the rustup profile you can use the rustup set profile command. For example, to select the minimal profile you can use:

rustup set profile minimal

It's also possible to choose the profile when installing rustup for the first time, either interactively by choosing the "Customize installation" option or programmatically by passing the --profile=<name> flag. Profiles will only affect newly installed toolchains: as usual it will be possible to install individual components later with: rustup component add.

Installing the latest compatible nightly

While most components are guaranteed to be present on stable releases of tier 1 platforms, the same guarantee doesn't apply to nightly builds. Frequently, tools such as rustfmt, clippy, or rls are missing in the latest nightly. If you depend on these tools, that makes updating nightlies hard, as rustup will prevent the upgrade if a component you previously installed is missing.

Starting from rustup 1.20.0, if a component you previously installed is missing in the latest nightly, rustup update will walk backwards in time to find the most recent release with all the components you need. If there are no new nightlies with all the components you need you'll either need to wait or remove some of them.

Along with this change, rustup 1.20.0 introduces the --component/-c and --target/-t options to the rustup toolchain install command, allowing you to add components and targets as the toolchain is installed. These flags will also search past nightlies if the current one does not feature all the requested components.

Improvements to rustup doc

The rustup doc command opens the locally installed documentation on your browser, without any Internet connection required. rustup 1.20.0 enhances the command allowing you to open directly the API documentation of a specific item. For example to look at the documentation of Iterator you can use:

rustup doc std::iter::Iterator

This works for traits, structs/enums, macros, and modules, and can take you to the std, alloc, and core crates. Note, however, that this functionality will only work if you have the rust-docs component installed in your toolchain. We will be improving the command's UX over time, so if you have ideas, please do let us know!

Thanks

Thanks to all the contributors who made rustup 1.20.0 possible!

  • Andy McCaffrey
  • Artem Borisovskiy
  • Benjamin Chen
  • Daniel Silverstone
  • Jon Gjengset
  • Lzu Tao
  • Matt Kantor
  • Mitchell Hynes
  • Nick Cameron
  • PicoJr
  • Pietro Albini

Mozilla Security Blog: Hardening Firefox against Injection Attacks

Monday 14th of October 2019 07:07:21 AM

A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels. To make Firefox resilient against such code injection attacks, we removed occurrences of inline scripts as well as removed eval()-like functions.

Removing Inline Scripts and adding Guards to prevent Inline Script Execution

Firefox not only renders web pages on the internet but also ships with a variety of built-in pages, commonly referred to as about: pages. Such about: pages provide an interface to reveal internal state of the browser. The most prominent is about:config, which exposes an API to inspect and update preferences and settings, allowing Firefox users to tailor their Firefox instance to their specific needs.

Since such about: pages are also implemented using HTML and JavaScript, they are subject to the same security model as regular web pages and are therefore not immune to code injection attacks. Concretely, if an attacker manages to inject code into such an about: page, it potentially allows the attacker to execute the injected script code in the security context of the browser itself, hence allowing the attacker to perform arbitrary actions on behalf of the user.

To better protect our users and to add an additional layer of security to Firefox, we rewrote all inline event handlers and moved all inline JavaScript code to packaged files for all 45 about: pages. This allowed us to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:’ which ensures that injected JavaScript code does not execute. Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks.

Removing eval()-like Functions and adding Runtime Assertions to prevent eval()

The JavaScript function eval(), along with the similar ‘new Function’ and ‘setTimeout()/setInterval()’, is a powerful yet dangerous tool. It parses and executes an arbitrary string in the same security context as itself. This execution scheme conveniently allows executing code generated at runtime or stored in non-script locations like the Document Object Model (DOM). The downside, however, is that ‘eval()’ introduces significant attack surface for code injection, and we discourage its use in favour of safer alternatives.

To further minimize the attack surface in Firefox and discourage the use of eval() we rewrote all use of ‘eval()’-like functions from system privileged contexts and from the parent process in the Firefox codebase. Additionally we added assertions, disallowing the use of ‘eval()’ and its relatives in system-privileged script contexts.

Unexpectedly, in our effort to monitor and remove all eval()-like functions we also encountered calls to eval() outside of our codebase. For some background, a long time ago, Firefox supported a mechanism which allowed you to execute user-supplied JavaScript in the execution context of the browser. Back then this feature, now considered a security risk, allowed you to customize Firefox at start up time and was called userChrome.js. After that mechanism was removed, users found a way to accomplish the same thing through a few other unintended tricks. Unfortunately we have no control of what users put in these customization files, but our runtime checks confirmed that in a few rare cases it included eval. When we detect that the user has enabled such tricks, we will disable our blocking mechanism and allow usage of eval().

Going forward, the eval() assertions we introduced will continue to inform the Mozilla Security Team of as yet unknown instances of eval(), which we will closely audit, evaluate and restrict as we further harden the Firefox Security Landscape.

For the Mozilla Security Team,
Vinothkumar Nagasayanan, Jonas Allmann, Tom Ritter, and Christoph Kerschbaumer

 

The post Hardening Firefox against Injection Attacks appeared first on Mozilla Security Blog.
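The two hardening steps described in the post above (no inline script under a policy such as ‘default-src chrome:’, and no eval()-like calls), as an added example that is not Firefox code: a heuristic audit that flags the constructs the post says were rewritten. The function names, the sample pages and the chrome://example/ URL are constructed for illustration.

```javascript
// Added example, not Firefox code: a heuristic, regex-based audit for the
// constructs the post removed. It is a review aid, not an HTML/JS parser.
const ALLOWED_SCRIPT_SCHEME = "chrome:"; // from the post's 'default-src chrome:'

// Markup that a CSP without 'unsafe-inline' would refuse to run.
function auditMarkup(html) {
  const findings = [];
  // <script> elements: inline body, or src outside the allowed scheme.
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    const src = /(?:^|\s)src\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (!src) {
      if (m[2].trim() !== "") findings.push({ kind: "inline-script", where: "script" });
    } else if (!src[1].toLowerCase().startsWith(ALLOWED_SCRIPT_SCHEME)) {
      findings.push({ kind: "script-src-scheme", where: src[1] });
    }
  }
  // Start tags: on* event-handler attributes and javascript: URLs.
  for (const m of html.matchAll(/<([a-z][a-z0-9-]*)\b([^>]*)>/gi)) {
    for (const a of m[2].matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: "inline-handler", where: `${m[1]} ${a[1].toLowerCase()}` });
    }
    if (/\s(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(m[2])) {
      findings.push({ kind: "javascript-url", where: m[1] });
    }
  }
  return findings;
}

// eval()-like calls in script source. Timers are flagged only when the first
// argument is a string literal; other arguments need manual review.
function auditScript(js) {
  const rules = [
    ["eval", /\beval\s*\(/g],
    ["new-function", /\bnew\s+Function\s*\(/g],
    ["string-timer", /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g],
  ];
  const findings = [];
  for (const [kind, re] of rules) {
    for (const m of js.matchAll(re)) {
      findings.push({ kind, line: js.slice(0, m.index).split("\n").length });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: a page as it might look before the rewrite.
const BEFORE = `<!DOCTYPE html>
<html><head><title>about:example</title></head>
<body>
  <button id="reset" onclick="resetPrefs()">Reset</button>
  <script>function resetPrefs() { /* ... */ }</script>
</body></html>`;

// Constructed sample: handler and script moved to a packaged file.
const AFTER = `<!DOCTYPE html>
<html><head>
  <meta http-equiv="Content-Security-Policy" content="default-src chrome:">
  <title>about:example</title>
  <script src="chrome://example/content/aboutExample.js"></script>
</head>
<body><button id="reset">Reset</button></body></html>`;

// Constructed sample script source.
const SCRIPT_SAMPLE = [
  'const fn = new Function("a", "return a * 2");',
  'setTimeout("refresh()", 1000);',
  'setTimeout(() => refresh(), 1000);',
  'const v = eval(userInput);',
].join("\n");

console.log(auditMarkup(BEFORE), auditMarkup(AFTER), auditScript(SCRIPT_SAMPLE));
```

Because the matching is pattern-based, a clean result narrows review rather than replacing the runtime CSP and assertions the post relies on.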

Cameron Kaiser: Chrome users gloriously freed from obviously treacherous and unsafe uBlock Origin

Sunday 13th of October 2019 02:36:01 PM
Thank you, O Great Chrome Web Store, for saving us from the clearly hazardous, manifestly unscrupulous, overtly duplicitous uBlock Origin. Because, doubtlessly, this open-source ad-block extension by its very existence and nature could never "have a single purpose that is clear to users." I mean, it's an ad-blocker. Those are bad.

Really, this is an incredible own goal on Google's part. Although I won't resist the opportunity to rag on them, I also grudgingly admit that this is probably incompetence rather than malice and likely yet another instance of something falling through the cracks in Google's all-powerful, rarely examined automatic algorithms (though there is circumstantial evidence to the contrary). Having a human examine these choices costs money in engineering time, and frankly when the automated systems are misjudging something that will probably cost Google's ad business money as well, there's just no incentive to do anything about it. But it's a bad look, especially with how two-faced the policy on Manifest V3 has turned out to be and its effect on ad-blocker options for Chrome.

UPDATE: I hate always being right. Peter Kasting, a big wheel and original member of the Chrome team, escalated the issue and the extension is back, but for how long? And will it happen again? And what if you're not a squeaky enough wheel to gain enough attention to your plight?

It is important to note that this block is for Chrome rather than Chromium-based browsers (like Edge, Opera, Brave, etc.). That said, Chrome is clearly the one-ton gorilla, and Google doesn't like you sideloading extensions either. While Mozilla reviews extensions too, and there have been controversial rejections on their part, speaking as an add-on author of over a decade there is at least a human on the other end even if once in a while the human is a butthead. (A volunteer butthead, to be sure, but still a butthead.) So far I think they've reached a reasonable compromise between safety and user choice even if sometimes the efforts don't scale. On the other hand, Google clearly hasn't by any metric.

This is a good time to remind people who may not know that TenFourFox has built-in basic adblock, targeted at the JavaScript-based nuisances that are most pernicious on our older systems. It's not only an integral part of the browser but it's also actually written in C++, so it's faster than a JavaScript-based add-on and works at a much lower level. It can also be combined with Private Browsing and other adblocker add-ons for even more comprehensive protection.

You may have suspected by the relative lack of activity on this blog and at Github that there aren't going to be any new features in the next TenFourFox release, and you'd be right. Between my wife and I actually being in the same hemisphere for a couple weeks, an incredible amount of work at the dayjob and work on the POWER9 side for mainline Firefox I've just been too short-handed to do much development this cycle. It will instead be numbered FPR16 SPR1 with security patches only and I'll use the opportunity to change our upstream certificate source to 68ESR. Watch for it sometime next week.
