Python Community Interview With Brian Peterson

To date, I’ve interviewed people you’ve likely heard of before from the Python community. But this column isn’t just about interviewing the rock stars and core devs. It’s also a means to shine light on the huge contributions to the community that can often go unthanked and overlooked. As such, I present to you Brian Peterson.

Brian is a project manager by day, and by night he’s one of the moderators of the Pythonista Café, a peer-to-peer learning community for Pythonistas. In our interview, we talk about how Python helps him in his role as a project manager, and how moderating a large forum for Python enthusiasts has impacted his coding chops. Let’s dig in!

Building a GraphQL API with Django

Create the pause scene for the game

PyDev of the Week: Steve Dower

How to Fix your Python Code's Style

If your bug bounty program is private, why do you have it?

The big bug bounty platforms are structured like icebergs: the public bug bounty programs that you can see are only a tiny portion of everything that is going on there. As you earn your reputation on these platforms, they will be inviting you to private bug bounty programs. The catch: you generally aren’t allowed to discuss issues reported via private bug bounty programs. In fact, you are not even allowed to discuss the very existence of that bug bounty program.

I’ve been playing along for a while on Bugcrowd and Hackerone and submitted a number of vulnerability reports to private bug bounty programs. As a result, I became convinced that these private bug bounty programs are good for the bottom line of the bug bounty platforms, but otherwise their impact is harmful. I’ll try to explain here.

BBN challenge resolution: Exploiting the Screenshotter.PRO browser extension

The time has come to reveal the answer to my next BugBountyNotes challenge called Try out my Screenshotter.PRO browser extension. This challenge is a browser extension supposedly written by a naive developer for the purpose of taking webpage screenshots. While the extension is functional, the developer discovered that some websites are able to take a peek into their Gmail account. How does that work?

If you haven’t looked at this challenge yet, feel free to stop reading at this point and go try it out. Mind you, this one is hard and only two people managed to solve it so far. Note also that I won’t look at any answers submitted at this point any more. Of course, you can also participate in any of the ongoing challenges as well.

Silently deletes lines containing a specific string in a bunch of files

The Beginner’s Guide to Using Cron to Schedule Tasks in Linux

Deploying an Active/Active NFS Cluster over CephFS

How to install League of Legends on Linux Mint 19.1 with Lutris

A new browser for Magic Leap [Ed: Mozilla VR Blog's Andre Vrignaud published "A new browser for Magic Leap". Then it was removed. Prematurely and accidentally announced?]

Today, we’re making available an early developer preview of a browser for the Magic Leap One device. This browser is built on top of our Servo engine technology and shows off high quality 2D graphics and font rendering through our WebRender web rendering library. And will soon add more features.

While we only support basic 2D pages today and have not yet built the full Firefox Reality browser experience and published this into the Magic Leap store, we look forward to working alongside our partners and community to do that early in 2019! Please try out the builds, provide feedback, and get involved if you’re interested in the future of mixed reality on the web in a cutting-edge standalone headset. And for those looking at Magic Leap for the first time, we also have an article on how the work was done.

encoding_rs: a Web-Compatible Character Encoding Library in Rust

encoding_rs is a high-decode-performance, low-legacy-encode-footprint and high-correctness implementation of the WHATWG Encoding Standard written in Rust. In Firefox 56, encoding_rs replaced uconv as the character encoding library used in Firefox. This wasn’t an addition of a component but an actual replacement: uconv was removed when encoding_rs landed. This writeup covers the motivation and design of encoding_rs, as well as some benchmark results.

Additionally, encoding_rs contains a submodule called encoding_rs::mem that’s meant for efficient encoding-related operations on UTF-16, UTF-8, and Latin1 in-memory strings—i.e., the kind of strings that are used in Gecko C++ code. This module is discussed separately after describing encoding_rs proper.

The C++ integration of encoding_rs is not covered here and is covered in another write-up instead.

wasm-bindgen — how does it work?!

A month or so ago I gave a presentation on the inner workings of wasm-bindgen to the WebAssembly Community Group. A particular focus was the way that wasm-bindgen is forward-compatible with, and acts as a sort of polyfill for, the host bindings proposal. A lot of this material was originally supposed to appear in my SFHTML5 presentation, but time constraints forced me to cut it out.

Unfortunately, the presentation was not recorded, but you can view the slide deck below, or open it in a new window. Navigate between slides with arrow keys or space bar.

More on RLS version numbering

In a few days the 2018 edition is going to roll out, and that will include some new framing around Rust's tooling. We've got a core set of developer tools which are stable and ready for widespread use. We're going to have a blog post all about that, but for now I wanted to address the status of the RLS, since when I last blogged about a 1.0 pre-release there was a significant sentiment that it was not ready (and given the expectations that a lot of people have, we agree).

Using cargo-fuzz to Transfer Code Review of Simple Safe Code to Complex Code that Uses unsafe

encoding_rs::mem is a Rust module for performing conversions between different in-RAM text representations that are relevant to Gecko. Specifically, it converts between potentially invalid UTF-16, Latin1 (in the sense that unsigned byte value equals the Unicode scalar value), potentially invalid UTF-8, and guaranteed-valid UTF-8, and provides some operations on buffers in these encodings, such as checking if a UTF-16 or UTF-8 buffer only has code points in the ASCII range or only has code points in the Latin1 range. (You can read more about encoding_rs::mem in a write-up about encoding_rs as a whole.)

How I Wrote a Modern C++ Library in Rust

Since version 56, Firefox has had a new character encoding conversion library called encoding_rs. It is written in Rust and replaced the old C++ character encoding conversion library called uconv that dated from early 1999. Initially, all the callers of the character encoding conversion library were C++ code, so the new library, despite being written in Rust, needed to feel usable when used from C++ code. In fact, the library appears to C++ callers as a modern C++ library. Here are the patterns that I used to accomplish that.

Firefox & cookies corruption problem

A strange problem befell one of my computers running Windows, with Firefox being the default browser, utilizing a profile that goes back a good decade or more. One blue Monday, I opened the browser, went to one of the sites I frequently visit and use, and noticed that I'd been logged out. Another site, same thing. It would appear all my login sessions were gone.

Since I keep multiple backups of everything, I restored the Firefox cookies database - cookies.sqlite file into the Firefox profile, and I was back to normal. Several days later, the issue happened again. Intrigued, I started exploring this somewhat obscure and not-well-documented problem. I believe I know why, and I have a solution.

Maximizing password manager attack surface: Learning from Kaspersky

I looked at a number of password manager browser extensions already, and most of them have some obvious issues. Kaspersky Password Manager manages to stand out in the crowd however, the approach taken here is rather unique. You know how browser extensions are rather tough to exploit, with all that sandboxed JavaScript and restrictive default content security policy? Clearly, all that is meant for weaklings who don’t know how to write secure code, not the pros working at Kaspersky.

Kaspersky developers don’t like JavaScript, so they hand over control to their beloved C++ code as soon as possible. No stupid sandboxing, code is running with the privileges of the logged in user. No memory safety, dealing with buffer overflows is up to the developers. How they managed to do it? Browser extensions have that escape hatch called native messaging which allows connecting to an executable running on the user’s system. And that executable is what contains most of the logic in case of the Kaspersky Password Manager, with the browser extension being merely a dumb shell.

The Patch that converts a Firefox to a Tor Browser

Have you ever wondered was makes the Tor Browser the Tor Browser? That is, what patch you would have to apply to Firefox in order to end up with a Tor Browser.

Mozilla Addons Blog: December’s Featured Extensions

Mozilla B-Team: happy bmo push day!

WebRender newsletter #32

OMTP, for off-main-thread painting, is a project completely separate from WebRender that was implemented by Ryan. Without WebRender, painting used to happen on the main thread (the thread that runs the JS event loop). Since this thread is often the busiest, moving things out of it, for example painting, is a nice win for multi core processors since the main thread gets to go back to working on JS more quickly while painting is carried out in parallel. This work is pretty much done now and Ryan is working on project Fission.

What about WebRender? WebRender moved all of painting off of the main thread by default. The main thread translates Gecko’s displaylist into a WebRender displaylist which is sent to the GPU process and the latter renders everything. So WebRender and OMTP, while independent projects both fulfill the goal of OMTP which was to remove work from the main thread. OMTP can be seen as a very nice performance win while waiting for WebRender.

Mozilla Open Innovation Team: Prototyping with Intention

At the start of any project our Open Innovation team concepts with the intention that things will change. Whether it be wireframe prototypes or coded experiments, iteration is inevitable. First ideas are often far from perfect… it’s with help from new or returning contributors and collaborating project teams that we’re able to refine initial ideas more readily and efficiently. How? Through feedback loops designed with tools such as Discourse, GitHub, contact forms, on-site surveys and remote testing. Our overall goal being: Release assumptions early and learn from those engaging with the concept. In this way we set our experiences up for incremental, data influenced iteration.

A new look for rust-lang.org

We want Mario to use Rust, the fireflower, and turn into the ever-awesome Fire Mario. But there’s a corollary here: it’s better to say “we will make you into Fire Mario” than it is “we sell fire flowers.”