Mozilla VR, Security, Surveillance and More

  • Virtual Tours of the Museum of the Fossilized Internet

    In March 2020, Michelle Thorne and I announced office tours of the Museum of the Fossilized Internet as part of our new Sustainability programme. Then the pandemic hit, and we teamed up with the Mozilla Mixed Reality team to make it more accessible while also demonstrating the capabilities of social VR with Hubs.

    We now welcome visitors to explore the museum at home through their browsers.

  • Review of the year so far, and looking forward to the next 6 months.

    In 2019 we started looking into our experiences and 2020 saw us release the new responsive redesign, a new AAQ flow, a finalized Firefox Accounts migration, and a few other minor tweaks. We have also performed a Python and Django upgrade carrying on with the foundational work that will allow us to grow and expand our support platform. This was a huge win for our team and the first time we have improved our experience in years! The team is working on tracking the impact and improvement to our overall user experience.

    We also know that contributors in Support have had to deal with an old, sometimes very broken, toolset, and so we wanted to work on that this year. You may have already heard the updates from Kiki and Giulia through their monthly strategy updates. The research and opportunity identification the team did was hugely valuable, and the team identified onboarding as an immediate area for improvement. We are currently working through an improved onboarding process and look forward to implementing and launching ongoing work.

  • What's new in ECSY 0.4 and ECSY-THREE v0.1

    Since the initial release of ECSY we have been focusing on API stability and bug fixing as well as providing some features (such as components’ schemas) to improve the developer experience and provide better validation and descriptive errors when working in development mode.

  • Understanding Web Security Checks in Firefox (Part 2)

    This is the second and final part of a blog post series that explains how Firefox implements Web Security fundamentals, like the Same-Origin Policy and Content-Security-Policy. While the first post explained Firefox security terminology and theoretical foundations, this second post covers how to log internal security information to the console in a human readable format. Ultimately, we hope to inspire new security research in the area of web security checks and to empower participants in our bug bounty program to do better, deeper work.

    Generally, we encourage everyone to do their security testing in Firefox Nightly. That being said, the logging mechanisms described in this post work in all versions of Firefox – from self-build, to versions of Nightly, Beta, Developer Edition, Release and ESR you may have installed locally already.

    [...]

    An attacker could use a CSP bypass like this and target users on web pages that are susceptible to XSS or content injections. However, this bug was identified in a previous version of Firefox and has been fixed for all of our users since.

    To summarize, using the provided logging mechanism allows us to effectively detect security problems by visual inspection. One could take it even further and generate graph structures for nested page loads. Using these graphs to observe where the security context (e.g., the CSP) changes can be a very powerful tool for runtime security analysis.

    Going Forward

    We have explained how to enable logging mechanisms within Firefox which allows for visual inspection of every web security check performed. We would like to point out that finding security flaws might be eligible for a bug bounty. Finally, we hope the provided instructions foster security research and in turn allow researchers, bug bounty hunters and generally everyone interested in web security to contribute to Mozilla and the Security of the Open Web.

  • What’s new in Perfherder?

    Perfherder is one of the primary tools used by our performance sheriffs to triage and investigate regression (and improvement) alerts. It’s also a key part of the workflow any Firefox engineer may experience when working on performance, either responding to a regression, or proactively measuring the impact of their changes. This post will cover the various improvements that have been made to Perfherder so far in 2020.

  • Mozilla Performance Blog: Improving Firefox Startup Time With The about:home Startup Cache

    For the past year or so, the Firefox Desktop Front-End Performance team has been concentrating on making improvements to browser startup performance.

    The launching of an application like Firefox is quite complex. Meticulous profiling of Firefox startup in various conditions has, thankfully, helped reveal a number of opportunities where we can make improvements. We’ve been evaluating and addressing these opportunities, and several have made it into the past few Firefox releases.

    This blog post is about one of those improvements that is currently in the later stages of development. I’m going to describe the improvement, and how we went about integrating it.

    In a default installation of Firefox, the first (and only) tab that loads is about:home. (Note: this is only true if the user hasn’t just restarted after applying an update, and if they haven’t set a custom home page or configured Firefox to restore their previous session on start.)

  • How to use git branch aliases with Mozilla Central

    I just set up Mozilla Central with a git wrapper so I can contribute to the main Gecko codebase using Git. It works great, but the default branch has an unusual name compared to what I’m used to.

  • Automated end-to-end tests for Glean

    Last year at the Mozilla All-Hands in Whistler, Canada I went for a walk with my colleague Mark Reid who manages our Data Platform team. We caught up on personal stuff and discussed ongoing projects as well as shared objectives for the next half-year. These in-person conversations with colleagues are my favorite activity at our semi-annual gatherings and are helpful in ensuring that my team is working on the most impactful projects and that our tests create value for the teams we support. 

    [...]

    For Mozilla, getting reliable data from our products is critical to inform our decision making. Glean is a new product analytics and telemetry solution that provides a consistent experience and behavior across all of our products. Mark and I agreed that it would be fantastic if we had automated end-to-end tests to complement existing test suites and alert us of potential issues with the system as quickly as possible.

  • Data@Mozilla: Experimental integration Glean with Unity applications [Ed: Mozilla fusing together its Microsoft-hosted surveillance project with Microsoft Mono]

    As we know, Glean SDK has provided language bindings for different programming language requirements that include Kotlin, Swift, and Python. However, when we are talking about supporting applications that use Unity as their development toolkit, there are no existing bindings available to help us achieve it. Unity allows users using a Python interpreter to embed Python scripts in a Unity project; however, due to Unity’s technology being based on the Mono framework, that is not the same as our familiar Python runtime for running Python scripts. So, the alternative way we need to find out is how to run Python on .Net Framework or exactly on Mono framework. If we are discussing possible approaches to run Python script in the main process, using IronPython is the only solution. However, it is only available for Python 2.7, and the Glean SDK Python language binding needs Python 3.6. Hence, we start our plans to develop a new Glean binding for C#.

  • Google, nobody asked for a new Blogger interface

    I'm writing this post in what Google is euphemistically referring to as an improvement. I don't understand this. I managed to ignore New Blogger for a few weeks but Google's ability to fark stuff up has the same air of inevitability as rotting corpses. Perhaps on mobile devices it's better, and even that is a matter of preference, but it's space-inefficient on desktop due to larger buttons and fonts, it's noticeably slower, it's buggy, and very soon it's going to be your only choice.

    My biggest objection, however, is what they've done to the HTML editor. I'm probably the last person on earth to do so, but I write my posts in raw HTML. This was fine in the old Blogger interface which was basically a big freeform textbox you typed tags into manually. There was some means to intercept tags you didn't close, which was handy, and when you added elements from the toolbar you saw the HTML as it went in. Otherwise, WYTIWYG (what you typed is what you got). Since I personally use fairly limited markup and rely on the stylesheet for most everything, this worked well.

More in Tux Machines

Compute module and dev kit aim Snapdragon 865 at AR/VR

Lantronix has launched 50 x 29mm “Open-Q 865XR SOM” and $995 dev kit that runs Android 10 on a 15-TOPS NPU equipped Snapdragon 865 with 6GB LPDDR5, 802.11ax, and triple MIPI-CSI interfaces. Intrinsyc, a subsidiary of Lantronix, has introduced an IoT-oriented compute module and development kit based on Qualcomm’s Snapdragon 865 (SXR2130P) SoC. The $445 Open-Q 865XR SOM and $995 Open-Q 865XR SOM Development Kit follow Intrinsyc’s more smartphone-oriented Snapdragon 865 Mobile HDK. The Open-Q 865XR targets imaging intensive embedded applications including Augmented Reality/Virtual Reality (AR/VR) applications in AI machine learning, medical, gaming, logistics and retail sectors.

Programming: Git and Qt

  • Understand the new GitLab Kubernetes Agent

    GitLab's current Kubernetes integrations were introduced more than three years ago. Their primary goal was to allow a simple setup of clusters and provide a smooth deployment experience to our users. These integrations served us well in the past years but at the same time its weaknesses were limiting for some important and crucial use cases.

  • GitLab Introduces the GitLab Kubernetes Agent

    The GitLab Kubernetes Agent (GKA), released in GitLab 13.4, provides a permanent communication channel between GitLab and the cluster. According to the GitLab blog, it is designed to provide a secure solution that allows cluster operators to restrict GitLab's rights in the cluster and does not require opening up the cluster to the Internet.

  • Git Protocol v2 Available at Launchpad

    After a few weeks of development and testing, we are proud to finally announce that Git protocol v2 is available at Launchpad! But what are the improvements in the protocol itself, and how can you benefit from that? The git v2 protocol was released a while ago, in May 2018, with the intent of simplifying git over HTTP transfer protocol, allowing extensibility of git capabilities, and reducing the network usage in some operations. For the end user, the main clear benefit is the bandwidth reduction: in the previous version of the protocol, when one does a “git pull origin master”, for example, even if you have no new commits to fetch from the remote origin, git server would first “advertise” to the client all refs (branches and tags) available. In big repositories with hundreds or thousands of refs, this simple handshake operation could consume a lot of bandwidth and time to communicate a bunch of data that would potentially be discarded by the client after. In the v2 protocol, this waste is no longer present: the client now has the ability to filter which refs it wants to know about before the server starts advertising it.

  • Qt Desktop Days 7-11 September

    We are happy to let you know that the very first edition of Qt Desktop Days 2020 was a great success! Having pulled together the event at very short notice, we were delighted at the enthusiastic response from contributors and attendees alike.

  • Full Stack Tracing Part 1

    Full stack tracing is a tool that should be part of every software engineer’s toolkit. It’s the best way to investigate and solve certain classes of hard problems in optimization and debugging. Because of the power and capability it gives the developer, we’ll be writing a series of blogs about it: when to use it, how to get it set up, how to create traces, and how to interpret results. Our goal is to get you capable enough to use full stack tracing to solve your tough problems too. Firstly, what is it? Full stack tracing is tracing on the full software stack, from the operating system to the application. By collecting profiling information (timing, process, caller, API, and other info) from the kernel, drivers, software frameworks, application, and JavaScript environments, you’re able to see exactly how the individual components of a system are interacting. That opens up areas of investigation that are impossible to achieve with standard application profilers, kernel debug messages, or even strategically inserted printf() commands. One way to think of full stack tracing is like a developer’s MRI machine that allows you to look into a running system without disturbing it to determine what is happening inside. (And unlike other low-level traces that we’ve written about before, full stack tracing provides a simpler way to view activity up and down the entire software stack.)

Dell XPS 13 Developer Edition Gets 11th-Gen Intel Refresh, Ubuntu 20.04 LTS

The revised model doesn’t buck any conventions. It’s a refreshed version of the XPS 13 model released earlier this year, albeit offering the latest 11th generation Intel processors, Intel Iris Xe graphics, Thunderbolt 4 ports, and up to 32GB 4267MHz LPDDR4x RAM. These are also the first Dell portables to carry Intel “Evo” certification. What’s Intel Evo? Think of it as an assurance. Evo certified notebooks have 11th gen Intel chips, can wake from sleep in under 1s, offer at least 9 hours battery life (with a Full HD screen), and support fast charging (with up to 4 hours from a single 30 min charge) — if they can’t meet any of those criteria they don’t get certified.

Vulkan 1.2.155 Released and AMDVLK 2020.Q3.6 Vulkan Driver Brings Several Fixes

  • Vulkan 1.2.155 Released With EXT_shader_image_atomic_int64

    Vulkan 1.2.155 is out this morning as a small weekly update over last week's spec revision that brought the Vulkan Portability Extension 1.0 for easing software-based Vulkan implementations running atop other graphics APIs. Vulkan 1.2.155 is quite a tiny release after that big release last week, but there aren't even any documentation corrections/clarifications and just a sole new extension.

  • AMDVLK 2020.Q3.6 Vulkan Driver Brings Several Fixes

    AMD driver developers today released AMDVLK 2020.Q3.6 as their latest open-source snapshot of their official Vulkan graphics driver. The primary new feature of this AMDVLK driver update is VK_EXT_robustness2, which mandates stricter requirements around dealing with out-of-bounds reads/writes. Robustness2 requires greater bounds checking, discarding out-of-bounds writes, and out-of-bounds reads must return zero. This extension debuted back in April as part of Vulkan 1.2.139.