Mozilla: Thunderbird Rebuts EFF, Debugging Modern Web Applications, Firefox Performance, Rust Turning 3

Filed under
Moz/FF
  • Mozilla Thunderbird: EFail and Thunderbird, What You Need To Know

    DO NOT DISABLE ENCRYPTION. We’ve seen recommendations from some outlets to stop using encrypted Email altogether. If you are sending sensitive data via Email, Thunderbird still recommends using encryption to keep those messages safe. You should, however, check the configuration of the applications you use to view encrypted EMail. For Thunderbird, follow our guidelines below to protect yourself.

  • Debugging Modern Web Applications

    Building and debugging modern JavaScript applications in Firefox DevTools just took a quantum leap forward. In collaboration with Logan Smyth, Tech Lead for Babel, we leveled up the debugger’s source map support to let you inspect the code that you actually wrote. Combined with the ongoing initiative to offer first-class JS framework support across all our devtools, this will boost productivity for modern web app developers.

    Modern JS frameworks and build tools play a critical role today. Frameworks like React, Angular, and Ember let developers build declarative user interfaces with JSX, directives, and templates. Tools like Webpack, Babel, and PostCSS let developers use new JS and CSS features before they are supported by browser vendors. These tools help developers write simpler code, but generate more complicated code to debug.

  • Firefox Performance Update #8

    Talos is a framework that we use to measure various aspects of Firefox performance as part of our continuous integration pipeline.

    There are a number of Talos “suites”, where each suite contains some number of tests. These tests, in turn, report some set of numbers that are then stored and graphable via our graph viewer here.

    Here’s a full list of the Talos tests, including their purpose, the sorts of measurements they take, and who’s currently a good person to ask about them if you have questions.

    A lot of work has been done to reduce the amount of noise in our Talos tests, but they’re still quite sensitive and noisy. This is why it’s often necessary to do 5-10 retriggers of Talos test runs in order to do meaningful comparisons.

    Sometimes Talos detects regressions that aren’t actually real regressions, and that can be a pain. However, for the times where real regressions are caught, Talos usually lets us know much faster than Telemetry or user reports.

    Did you know that you can get profiles from Try for Talos runs? This makes it much simpler to diagnose Talos regressions. Also, we now have Talos profiles being generated on our Nightly builds for added convenience!

  • This Week in Rust 234
  • Thoughts on retiring from a team

    The Rust Community Team has recently been having a conversation about what a team member’s “retirement” can or should look like. I used to be quite active on the team but now find myself without the time to contribute much, so I’m helping pioneer the “retirement” process. I’ve been talking with our subteam lead extensively about how to best do this, in a way that sets the right expectations and keeps the team membership experience great for everyone.

  • Rust turns three

    Three years ago today, the Rust community released Rust 1.0 to the world, with our initial vision of fearless systems programming. As per tradition, we’ll celebrate Rust’s birthday by taking stock of the people and the product, and especially of what’s happened in the last year.

    [...]

    Finally, the Rust community continues to work on inclusivity, through outreach programs like Rust Reach and RustBridge, as well as structured mentoring and investments in documentation to ease contribution. For 2018, a major goal is to connect and empower Rust’s global community, which we’re doing both through conference launches in multiple new continents, as well as work toward internationalization throughout the project.

More in Tux Machines

Servers: Red Hat, Kubernetes, OpenShift, WriteFreely and WordPress

  • Taking System Monitoring to the Next Level: an Interview with Scalyr CEO Steve Newman [Ed: Linux Journal back to the pre-PIA days of promoting proprietary software?]
  • Time zone data (tzdata): 2018 data format changes and Red Hat Enterprise Linux
    Red Hat Enterprise Linux (RHEL) needs time zone information in order for all applications in the operating system to correctly print local time. The GNU C Library (glibc) makes use of the tzdata package in order to make APIs such as strftime() work correctly, while applications such as /usr/bin/date make use of this information to print the local date. The tzdata package contains the data files documenting both current and historic transitions for various time zones around the world. This data represents changes required by local government bodies or by time zone boundary changes, as well as changes to UTC offsets and daylight saving time (DST).
  • Upcoming Silicon Valley OpenShift Commons Gathering, March 11 on Operating at Scale with Speakers Google, Facebook, Uber, Red Hat and Rook
    The OpenShift Commons Gathering brings together experts from all over the world to discuss the container technologies, operators, the operator framework, best practices for cloud-native application developers and the open source software projects that underpin the OpenShift ecosystem to help take us all to the next level in cloud-native computing. This next gathering will feature 400+ developers, project leads, cloud architects, DevOps professionals, sysadmins, and cloud-native practitioners coming together to explore the next steps in making container technologies successful and secure at scale.
  • 7 Key Considerations for Kubernetes in Production
    Today Enterprise IT does not question the value of containerized applications anymore. Given the move to adopting DevOps and cloud native architectures, it is critical to leverage container capabilities in order to enable digital transformation. Google’s Kubernetes (K8s), an open source container orchestration system, has become the de facto standard — and the key enabler — for cloud native applications, and the way they are architected, composed, deployed, and managed. Enterprises are using Kubernetes to create modern architectures composed of microservices and serverless functions which scale seamlessly. However, two years of working with Kubernetes for enterprise applications, and large-scale production deployments have taught us valuable real-world lessons about the challenges of Kubernetes in the enterprise, and what it REALLY takes in order to make it ready for prime time and enable organizations to safely bet on Kubernetes to power mission-critical enterprise application. Large and complex enterprises that have invested in container-based applications often struggle to realize the value of Kubernetes and container technology, due to operational or Day-two management challenges. In this post, we share seven fundamental capabilities large enterprises need to instrument around their Kubernetes investments in order to be able to effectively implement it and utilize it to drive their business.
  • Kubernetes job interview questions: How to prepare
    As Kubernetes adoption grows, so does the need for IT pros with the skills and experience needed to run it in production. “There’s a strong correlation between the popularity of Kubernetes and the demand for engineers who have in-depth knowledge of the system,” says Leo Shemesh, CTO at Jackpocket. Signs suggest that demand for Kubernetes skills is pointing skyward. That creates a tricky proposition for IT executives and hiring managers. Don’t worry, we’re not here to moan and groan about another skills shortage. Actually, Shemesh notes that it’s relatively easy for IT pros to begin learning about Kubernetes, thanks to a wealth of articles and other resources available online, a vibrant open source community, and the commercial platforms and services that sit on top of the Kubernetes project. It’s also relatively simple to start running a single-node cluster on a local machine with Minikube, a good option for getting your hands messy.
  • OpenShift platform seen as biggest IBM gain from Red Hat acquisition

    IBM's acquisition of open source company Red Hat means that Big Blue is betting that the future of cloud computing is hybrid and it has made the purchase to cover its flanks in this area, the technology analyst firm Gartner says.

  • Four Startup Engineering Killers

    Startup engineering is different from any other type of software engineering. It demands short- and medium-term productivity, relative to the “right way” of building systems. It values people who are able to iterate quickly and are comfortable with hacky code. It rewards pragmatism in technology choices versus picking the most hyped — or most stable — technology.

  • Phoronix Test Suite 8.6.1 Released For Open-Source, Cross-Platform Benchmarking
    Phoronix Test Suite 8.6.1 is now available as a minor update over Phoronix Test Suite 8.6-Spydeberg that shipped at the start of February.
  • WriteFreely: Start a blog, build a community
    As more of our lives move online, we become dependent on large services with millions (or billions) of users to communicate with each other. Although we tend to notice problems only when these platforms change a policy, erect a paywall, or suffer a data breach, we can often feel how these mass-broadcast platforms don't always have our best interests in mind and often don't "connect" us in the ways they purport to. However, over the past few years, we've also seen a renaissance of small, close-knit online communities. New protocols for building federated social networks, like ActivityPub, are seeing more use, popularized by open source platforms like Mastodon. People still gather on forums to discuss their interests with like-minded people. And even on the large, centralized services, many people use "group" features to have more intimate conversations than they would by sending their latest status update to a wide swath of unrelated people. In the blogging world, we've also seen platforms like Medium and Tumblr become more popular, partially because of the networks they offer. With these large platforms, each blog is no longer an "island," but part of a huge community. Yet, like any other closed-source, centralized service, if they make a change that doesn't benefit their users, we're forced to find another platform. That's why I built WriteFreely.
  • WordPress 5.1 Improves Security With Site Health Mechanism
    WordPress 5.1 became generally available on Feb. 21, providing users of the popular open-source blogging and content management system (CMS) with updates to improve site operations and site health. WordPress is one of the most widely deployed CMS technologies, powering over 30 percent of all websites on the internet. The new WordPress release follows the open-source project's tradition of naming releases after famous Jazz musicians by code-naming the 5.1 release Betty, after jazz vocalist Betty Carter. Among the key new features in the release is a check to warn users if they are running older, unsupported versions of the PHP programming language that is needed to operate WordPress. "Following WordPress 5.0 — a major release which introduced the new block editor — 5.1 focuses on polish, in particular by improving the overall performance of the editor," WordPress founder Matt Mullenweg wrote in a blog post. "In addition, this release paves the way for a better, faster, and more secure WordPress with some essential tools for site administrators and developers."

Linus Torvalds on World Domination (x86 Servers)

  • Linus Torvalds pulls pin, tosses in grenade: x86 won, forget about Arm in server CPUs, says Linux kernel supremo
    Linux kernel king Linus Torvalds this week dismissed cross-platform efforts to support his contention that Arm-compatible processors will never dominate the server market. Responding to interest in Arm's announcement of its data center-oriented Neoverse N1 and E1 CPU cores on Wednesday, and a jibe about his affinity for native x86 development, Torvalds almost abandoned his commitment to civil discourse while doing his best to dampen enthusiasm for a world of heterogeneous hardware harmony. "Some people think that 'the cloud' means that the instruction set doesn't matter," Torvalds said in a forum post. "Develop at home, deploy in the cloud. That's bullshit. If you develop on x86, then you're going to want to deploy on x86, because you'll be able to run what you test 'at home' (and by 'at home' I don't mean literally in your home, but in your work environment)."
  • Linus on why x86 won for servers
    Responding to a forum post on upcoming ARM server offerings, Linus Torvalds makes a compelling case for why Linux and x86 completely overwhelmed commercial Unix and RISC...
  • ARM announces Ares
    I can pretty much guarantee that as long as everybody does cross-development, the platform won't be all that stable. Or successful. Some people think that "the cloud" means that the instruction set doesn't matter. Develop at home, deploy in the cloud. That's bullshit. If you develop on x86, then you're going to want to deploy on x86, because you'll be able to run what you test "at home" (and by "at home" I don't mean literally in your home, but in your work environment). Which means that you'll happily pay a bit more for x86 cloud hosting, simply because it matches what you can test on your own local setup, and the errors you get will translate better. This is true even if what you mostly do is something ostensibly cross-platform like just run perl scripts or whatever. Simply because you'll want to have as similar an environment as possible. Which in turn means that cloud providers will end up making more money from their x86 side, which means that they'll prioritize it, and any ARM offerings will be secondary and probably relegated to the mindless dregs (maybe front-end, maybe just static html, that kind of stuff). Guys, do you really not understand why x86 took over the server market?

Redis Licence/Licensing Getting Weirder, Swim Openwashing

  • Redis Labs drops Commons Clause for a new license
    Redis Labs is dropping its Commons Clause license in favor of its new "available-source" license: Redis Source Available License (RSAL). This is not an open-source license. Redis Labs had used Commons Clause on top of the open-source Apache License to protect its rights to modules added to its 3-Clause-BSD-licensed Redis, the popular open-source in-memory data structure store. But, as Manish Gupta, Redis Labs' CMO, explained, "It didn't work. Confusion reigned over whether or not the modules were open source. They're not open-source." So, although it hadn't wanted to create a new license, that's what Redis Labs ended up doing. RSAL covers some Redis Modules, which run on top of open-source Redis. The current modules covered by RSAL are: RedisSearch, RedisGraph, RedisJSON, RedisML, and RedisBloom. Redis remains under the BSD license.
  • Redis Labs changes its open-source license — again
    Redis Labs, fresh off its latest funding round, today announced a change to how it licenses its Redis Modules. This may not sound like a big deal, but in the world of open-source projects, licensing is currently a big issue. That’s because organizations like Redis, MongoDB, Confluent and others have recently introduced new licenses that make it harder for their competitors to take their products and sell them as rebranded services without contributing back to the community (and most of these companies point directly at AWS as the main offender here). “Some cloud providers have repeatedly taken advantage of successful opensource projects, without significant contributions to their communities,” the Redis Labs team writes today. “They repackage software that was not developed by them into competitive, proprietary service offerings and use their business leverage to reap substantial revenues from these open source projects.”
  • Redis Labs Changing Its Licensing for Redis Modules Again, Raspberry Pi Rolling Out the Linux 4.19 Kernel, Windows Subsystem for Linux Updates Coming, Facebook Removing Its Spyware Onavo VPN from the Google Store and openSUSE Leap 15.1 Beta Pizza Party
    Redis Labs has changed its licensing for Redis Modules again. According to TechCrunch, the new license is called the Redis Source Available license, and as with the previous Commons Clause license, applies only to certain Redis Modules created by Redis Labs. With this license, "Users can still get the code, modify it and integrate it into their applications—but that application can't be a database product, caching engine, stream processing engine, search engine, indexing engine or ML/DL/AI serving engine." The TechCrunch post notes that by definition, an open-source license can't enforce limitations, so this new license technically isn't open source. It is, however, similar to other "permissive open-source licenses", which "shouldn't really affect most developers who use the company's modules".
  • Swim Open Sources Its Machine Learning Platform for Edge Computing [Ed: "Taking the "open core" route" means proprietary software or 'free' bait, so this headline is a tad misleading to say the least]
    Taking the "open core" route, the startup wants the open source community to take its platform in more directions than it's been able to so far.

GNU/Linux Security Leftovers

  • Major 9.8 vulnerability affects multiple Linux kernels— CVE-2019-8912 (af_alg_release())
    Our assessment is that the cause is this commit, the introduction of a "sockfs_setattr()" function. This function neglects to null-out values in a structure, making their values usable after exiting from the function (a so-called ‘use-after-free’ error).
  • Linux use-after-free vulnerability found in Linux 2.6 through 4.20.11
    Last week, a Huawei engineer reported a vulnerability present in the early Linux 2.6 kernels through version 4.20.11. The Kernel Address Sanitizer (KASAN) that detects dynamic memory errors within the Linux kernel code was used to uncover the use-after-free vulnerability which was present since early Linux versions. The use-after-free issue was found in the networking subsystem’s sockfs code and could lead to arbitrary code execution as a result.
  • Taking Care of Your Personal Online Security (For Paranoids)
    So, use Linux, and preferably coreboot or Libreboot (open source BIOS). You can buy hardware based on the recommendations of well-known and respected (still a bit paranoid) cypherpunk Richard Stallman.
  • Why do PAM projects fail? Tales from the trenches
    Privileged accounts hold the keys to highly sensitive company information and once these credentials are targeted, they can easily lead to a breach of a company’s most valuable assets; from databases to social media and unstructured data. Most enterprises have implemented some form of Privileged Access Management (PAM), but many find these initiatives fail to live up to expectations. Below are some common reasons why a PAM project might fail to meet the initial expectations; coupled with practical insights on how to prevent it from becoming a dud.
  • Sailfish OS: Security and Data Privacy
    Mobile World Congress is back again! Like every single year during the Jolla journey, we are excited to take part in this event. We have had great experiences in the past MWC’s, our main drivers for attending are the current and relevant topics discussed during the congress. One of this year’s core themes is Digital Trust; “Digital trust analyses the growing responsibilities required to create the right balance with consumers, governments and regulators.” It makes us happy that these topics are being discussed, especially since several scandals have recently affected trust in digital solutions. At Jolla we work constantly towards providing a secure and transparent solution. Our value towards our customer’s privacy is reflected in our values and actions. Back in May of 2018 our CEO Sami Pienimäki wrote a blog post on the GDPR laws passed within the European Union and stated the cornerstones on how Jolla views data privacy. This stand on privacy is not rocket science – the core idea is to respect our customers’ privacy and allow them to be in control of their data.
  • Security updates for Friday
  • Which is More Secure: Windows, Linux, or macOS? [Ed: security is not an OS feature but a separate product, insists company that sells "security" as a proprietary software product]