Language Selection

English French German Italian Portuguese Spanish

Mozilla: Firefox 71 Is Now Available, TenFourFox FPR17 Also Available, Firefox Turns 15 and More

Filed under
Moz/FF
  • Mozilla Firefox 71 Is Now Available to Download for Linux, Windows, and macOS

    The upcoming Firefox 71 web browser is now available to download for all supported platforms, including Linux, Windows, and macOS, ahead of tomorrow's official launch.
    Firefox 71 has entered development in late October and it promises to introduce a new "--kiosk" command-line parameter that opens the web browser in full-screen mode (a.k.a. kiosk mode), a redesigned about:config internal configuration page, as well as Picture-in-Picture (PiP) support on Windows.

    "Windows users now have the ability to pop out videos on the web into an always-on-top video player using the Picture-in-Picture feature! For most videos, this can be accomplished by hovering the video with the mouse, and clicking on the Picture-in-Picture toggle," explained Mozilla in the preliminary release notes.

  • TenFourFox FPR17 available

    TenFourFox Feature Parity Release 17 final is now available for testing (downloads, hashes, release notes). Apologies for the delay, but I was visiting family and didn't return until a few hours ago so I could validate and perform the confidence testing on the builds. There are no other changes in this release other than a minor tweak to the ATSUI font blacklist and outstanding security patches. Assuming all is well, it will go live tomorrow evening Pacific time.

    The FPR18 cycle is the first of the 4-week Mozilla development cycles. It isn't feasible for me to run multiple branches, so we'll see how much time this actually gives me for new work. As previously mentioned, FPR18 will be primarily about parity updates to Reader mode, which helps to shore up the browser's layout deficiencies and is faster to render as well. There will also be some other minor miscellaneous fixes.

  • [Older] Firefox at 15: its rise, fall, and privacy-first renaissance

    There’s a good chance you are reading this in Google’s Chrome web browser, which commands 65% of the global market (and about 50% in the U.S.), according to Statcounter. Only about 4% to 5% of web surfers now go online through Firefox, the open-source browser from the California-based Mozilla foundation. But the web was much different when Firefox launched 15 years ago on November 9, 2004, and the browser began a fast rise to prominence.

    When Firefox hit the scene, Internet Explorer had more than 90% market share, having felled Netscape Navigator. Given that it was the default browser on Windows, which commanded a similar share of the operating system market, its monopoly seemed like it could be permanent. But Firefox quickly caught on, and eventually grew to command about a third of the market at its height in 2009. While it’s unlikely to recapture such former glory, Firefox has been experiencing something of a renaissance, not just by improving speed and features, but by putting user control over privacy front and center.

    Fifteen years on, it’s hard to imagine how radical Firefox was at the time of its debut. Instead of coming from a megacorporation like Microsoft (or today, Google), Firefox was built by volunteers around the world who gave their code away for free. “Open source was well known for developers,” says Mitchell Baker, who cofounded the Mozilla Project back in 1998 and is today the chairwoman of the Mozilla Corporation and Mozilla Foundation. “But the common wisdom of the time was that open source was only for the geeks. You could build [tools] for developers but not consumer products out of it.”

  • Help Test Firefox’s built-in HTML Sanitizer to protect against UXSS bugs

    I recently gave a talk at OWASP Global AppSec in Amsterdam and summarized the presentation in a blog post about how to achieve “critical”-rated code execution vulnerabilities in Firefox with user-interface XSS. The end of that blog posts encourages the reader to participate the bug bounty program, but did not come with proper instructions. This blog post will describe the mitigations Firefox has in place to protect against XSS bugs and how to test them.

    Our about: pages are privileged pages that control the browser (e.g., about:preferences, which contains Firefox settings). A successful XSS exploit has to bypass the Content Security Policy (CSP), which we have recently added but also our built-in XSS sanitizer to gain arbitrary code execution. A bypass of the sanitizer without a CSP bypass is in itself a severe-enough security bug and warrants a bounty, subject to the discretion of the Bounty Committee. See the bounty pages for more information, including how to submit findings.

  • Botond Ballo: Developing Mozilla C++ code with clangd and VSCode

    I’ve long been a fan of smart editors which have a semantic understanding of the code you’re editing, and leverage it to provide semantics-aware features such as accurate code completion (only offering completions for names that are actually in scope), go-to-definition, find references, semantic highlighting, and others.

    When I joined Mozilla six years ago, my choice of editor for C++ code was Eclipse CDT, because based on experience and research, this was the most fully-featured option that was cross-platform and open-source. (Depending on who you ask, Visual Studio, XCode, and CLion have, at various times, been described as matching or exceeding Eclipse CDT in terms of editor capabilities, but the first two of these are single-platform tools, and are three all proprietary.)

    This assessment was probably accurate at that time, and probably even for much of the intervening time, but in recent years Eclipse CDT has not aged well. The main reason for this is that Eclipse CDT has its own C++ parser. (For brevity, I’m using “parsing” here as an umbrella term for lexing, preprocessing, parsing, semantic analysis, and all other tasks that need to be performed to build a semantic model of code from source.) C++ is a very complex language to parse, and thus a C++ parser requires a lot of effort to write and maintain. In the early days of CDT, there was a lot of investment, mostly from commercial vendors that packaged CDT-based IDEs, in building and maintaining CDT’s parser, but over time, the level of investment has faded. Meanwhile, the C++ language has been gaining new features at an increasing rate (and the Mozilla codebase adopting them — we’re on the verge of switching to C++17), and CDT’s parser just hasn’t been able to keep up.

Now official, and Avast extensions banned

  • 71.0 Firefox Release

    Version 71.0, first offered to Release channel users on December 3, 2019

  • Firefox 71 Available With New Kiosk Mode, New Certificate Viewer

    Today marks the last Mozilla Firefox feature update of 2019 with the release of Firefox 71.0.

    Firefox 71.0 introduces a --kiosk CLI switch for launching Firefox in a full-screen kiosk mode, a redesigned about:config area, a new certificate viewer, new server timing information is exposed via Firefox's Developer Tools, partial support for the Media Session API, native MP3 encoding is enabled for all desktop platforms, and various other developer enhancements.

  • Mozilla and Google remove Avast extensions from add-on stores

    A month ago I wrote about Avast browser extensions being essentially spyware. While this article only names Avast Online Security and AVG Online Security extensions, the browser extensions Avast SafePrice and AVG SafePrice show the same behavior: they upload detailed browsing profiles of their users to uib.ff.avast.com. The amount of data collected here exceeds by far what would be considered necessary or appropriate even for the security extensions, for the shopping helpers this functionality isn’t justifiable at all.

    [...]

    Spying on your users is clearly a violation of the terms that both Google and Mozilla make extension developers sign. So yesterday I reported these four extensions to Mozilla and Google. Quite surprisingly, as of today all of these extensions are no longer listed on either Mozilla Add-ons website or Chrome Web Store. That was a rather swift action!

    It remains to be seen how this will affect millions of existing extension users. At least Mozilla didn’t add Avast extensions to the blocklist yet, stating that they are still talking to Avast. So the extensions will remain active and keep spying on the users for now. As to Google, I don’t really know where I can see their blocklist, any hints?

Multilingual Gecko Status Update 2019

  • Multilingual Gecko Status Update 2019

    Welcome to the fourth edition of Multilingual Gecko Status Update!

    In the previous update we covered the work which landed in Firefox 61-64.

    At the time, we were landing Fluent DOM Localization APIs, still adding mozIntl features, and we had close to 800 strings migrated to Fluent.

    I indicated that 2019 should be quieter, and in result I reduced the update frequency to just one this year.

Coverage by Thomas Claburn in San Francisco

  • Newly born Firefox 71 emerges from its den – with its own VPN and some privacy tricks

    Patting itself on the back for blocking more than one trillion web tracking requests through its Enhanced Tracking Protection tech, Mozilla on Tuesday continued its privacy push with a further test of its Firefox Private Network service, an update to Firefox Preview Beta for Android, and the debut of its latest desktop browser, Firefox 71.

    Back in September, Mozilla began testing its Firefox Private Network (FPN), a virtual private network (VPN) service for browser traffic, enabled through a Firefox extension (add-on), and soon for protecting all applications on devices at the operating system level.

    That FPN beta test has now reached its next stage. Mozilla is inviting US users of the Firefox desktop browser with Firefox Accounts to try FPN out, for free, for up to 12 hours per month.

    "With the holidays around the corner, the FPN couldn’t come at a more convenient time," said Marissa Wood, VP of product at Mozilla, in a blog post. "We know people are traveling and might have to rely on an unsecured public Wi-Fi network, like the one at the airport, at your local coffee shop, or even at your doctor’s office."

    FPN creates a secure tunnel from the user's browser or device to the internet, protecting any data passing through a Wi-Fi hotspot – if you must log into a public WiFi hotspot, you should use a VPN. Instead of providing the user's IP address, it presents its own IP address, which makes tracking more difficult.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

GNU: GDB (Debugger), Project's History, and GCC (Compiler)

  • GDB Debugger Adds Support For Debuginfod Web Server

    Debuginfod is the Red Hat led debug information HTTP web server distributed as part of elfutils and able to supply on-demand source code and ELF/DWARF debug files to debuggers / IDEs / other compiler tooling. The GDB debugger can now tap debuginfod for on-demand source files and debug information that isn't present on the local system. The motivation with debuginfod is to carry less developer "baggage" on local systems when it comes to debug files and potentially even source files. Particularly for organizations or cases like Linux distributions, a centralized debuginfod server could in turn supply the needed files to clients based upon the requested build ID. Red Hat has been working to expand the debuginfod support both for the GNU toolchain and also LLVM, among other possible users.

  • When is GOTS not in the national interest?

    The modern open-source software (OSS) movement can be traced back to the early 1980s with the birth of Richard Stallman’s GNU Project and the Free Software Foundation. [...] However, cost is a red herring for the real challenge presented by GOTS software solutions. On the surface, GOTS seems very similar to OSS which implies that it has the larger structural advantages of OSS. If handled cautiously, it can have those advantages, but care needs to be taken about what sort of existing software is being commoditized. The U.S. has a national interest in maintaining a strong software development capability. We are fortunate to be the dominant software-building country in the world. According to the Forbes 2000 list, the total market capitalization of U.S. internet, software, and computer services companies is close to $4.7 trillion — more than twice the rest of the world combined. Software tech is an enormous comparative advantage for the U.S. As a result, it is clearly in the national interest to have the government avoid directly competing against and potentially weakening the U.S. private sector.

  • New compiler added to popular studio for ARM and Cortex-M IDE

    The studio for ARM/Cortex-M is now supplied with three different compilers: GCC, Clang and the company's own compiler. The new compiler outperforms GCC and regular Clang on most benchmarks, decreasing both size of generated code as well as its execution speed.

Kernel: LWN and Phoronix Articles About Latest Discussions and Linux Developments

  • Filesystem UID mapping for user namespaces: yet another shiftfs

    The idea of an ID-shifting virtual filesystem that would remap user and group IDs before passing requests through to an underlying real filesystem has been around for a few years but has never made it into the mainline. Implementations have taken the form of shiftfs and shifting bind mounts. Now there is yet another approach to the problem under consideration; this one involves a theoretically simpler approach that makes almost no changes to the kernel's filesystem layer at all. ID-shifting filesystems are meant to be used with user namespaces, which have a number of interesting characteristics; one of those is that there is a mapping between user IDs within the namespace and those outside of it. Normally this mapping is set up so that processes can run as root within the namespace without giving them root access on the system as a whole. A user namespace could be configured so that ID zero inside maps to ID 10000 outside, for example; ranges of IDs can be set up in this way, so that ID 20 inside would be 10020 outside. User namespaces thus perform a type of ID shifting now. In systems where user namespaces are in use, it is common to set them up to use non-overlapping ranges of IDs as a way of providing isolation between containers. But often complete isolation is not desired. James Bottomley's motivation for creating shiftfs was to allow processes within a user namespace to have root access to a specific filesystem. With the current patch set, instead, author Christian Brauner describes a use case where multiple containers have access to a shared filesystem and need to be able to access that filesystem with the same user and group IDs. Either way, the point is to be able to set up a mapping for user and group IDs that differs from the mapping established in the namespace itself.

  • Keeping secrets in memfd areas

    Back in November 2019, Mike Rapoport made the case that there is too much address-space sharing in Linux systems. This sharing can be convenient and good for performance, but in an era of advanced attacks and hardware vulnerabilities it also facilitates security problems. At that time, he proposed a number of possible changes in general terms; he has now come back with a patch implementing a couple of address-space isolation options for the memfd mechanism. This work demonstrates the sort of features we may be seeing, but some of the hard work has been left for the future. Sharing of address spaces comes about in a number of ways. Linux has traditionally mapped the kernel's address space into every user-space process; doing so improves performance in a number of ways. This sharing was thought to be secure for years, since the mapping doesn't allow user space to actually access that memory. The Meltdown and Spectre hardware bugs, though, rendered this sharing insecure; thus kernel page-table isolation was merged to break that sharing. Another form of sharing takes place in the processor's memory caches; once again, hardware vulnerabilities can expose data cached in this shared area. Then there is the matter of the kernel's direct map: a large mapping (in kernel space) that contains all of physical memory. This mapping makes life easy for the kernel, but it also means that all user-space memory is shared with the kernel. In other words, an attacker with even a limited ability to run code in the kernel context may have easy access to all memory in the system. Once again, in an era of speculative-execution bugs, that is not necessarily a good thing.

  • Revisiting stable-kernel regressions

    Stable-kernel updates are, unsurprisingly, supposed to be stable; that is why the first of the rules for stable-kernel patches requires them to be "obviously correct and tested". Even so, for nearly as long as the kernel community has been producing stable update releases, said community has also been complaining about regressions that make their way into those releases. Back in 2016, LWN did some analysis that showed the presence of regressions in stable releases, though at a rate that many saw as being low enough. Since then, the volume of patches showing up in stable releases has grown considerably, so perhaps the time has come to see what the situation with regressions is with current stable kernels. As an example of the number of patches going into the stable kernel updates, consider that, as of 4.9.213, 15,648 patches have been added to the original 4.9 release — that is an entire development cycle worth of patches added to a "stable" kernel. Reviewing all of those to see whether each contains a regression is not practical, even for the maintainers of the stable updates. But there is an automated way to get a sense for how many of those stable-update patches bring regressions with them. The convention in the kernel community is to add a Fixes tag to any patch fixing a bug introduced by another patch; that tag includes the commit ID for the original, buggy patch. Since stable kernel releases are supposed to be limited to fixes, one would expect that almost every patch would carry such a tag. In the real world, about 40-60% of the commits to a stable series carry Fixes tags; the proportion appears to be increasing over time as the discipline of adding those tags improves.

  • Finer-grained kernel address-space layout randomization

    The idea behind kernel address-space layout randomization (KASLR) is to make it harder for attackers to find code and data of interest to use in their attacks by loading the kernel at a random location. But a single random offset is used for the placement of the kernel text, which presents a weakness: if the offset can be determined for anything within the kernel, the addresses of other parts of the kernel are readily calculable. A new "finer-grained" KASLR patch set seeks to remedy that weakness for the text section of the kernel by randomly reordering the functions within the kernel code at boot time.

  • Debian discusses how to handle 2038

    At this point, most of the kernel work to avoid the year-2038 apocalypse has been completed. Said apocalypse could occur when time counted in seconds since 1970 overflows a 32-bit signed value (i.e. time_t). Work in the GNU C Library (glibc) and other C libraries is well underway as well. But the "fun" is just beginning for distributions, especially those that support 32-bit architectures, as a recent Debian discussion reveals. One of the questions is: how much effort should be made to support 32-bit architectures as they fade from use and 2038 draws nearer? Steve McIntyre started the conversation with a post to the debian-devel mailing list. In it, he noted that Arnd Bergmann, who was copied on the email, had been doing a lot of the work on the kernel side of the problem, but that it is mostly a solved problem for the kernel at this point. McIntyre and Bergmann (not to mention Debian as a whole) are now interested in what is needed to update a complete Linux system, such as Debian, to work with a 64-bit time_t. McIntyre said that glibc has been working on an approach that splits the problem up based on the architecture targeted. Those that already have a 64-bit time_t will simply have a glibc that works with that ABI. Others that are transitioning from a 32-bit time_t to the new ABI will continue to use the 32-bit version by default in glibc. Applications on the latter architectures can request the 64-bit time_t support from glibc, but then they (and any other libraries they use) will only get the 64-bit versions of the ABI. One thing that glibc will not be doing is bumping its SONAME (major version, essentially); doing so would make it easier to distinguish versions with and without the 64-bit support for 32-bit architectures. The glibc developers do not consider the change to be an ABI break, because applications have to opt into the change. It would be difficult and messy for Debian to change the SONAME for glibc on its own.

  • UEFI Boot Support Published For RISC-V On Linux

    As we've been expecting to happen with the Linux EFI code being cleaned up before the introduction of a new architecture, the RISC-V patches have been posted for bringing up UEFI boot support. Western Digital's Atish Patra sent out the patch series on Tuesday for adding UEFI support for the RISC-V architecture. This initial UEFI Linux bring-up is for supporting boot time services while the UEFI runtime service support is still being worked on. This RISC-V UEFI support can work in conjunction with the U-Boot bootloader and depends upon other recent Linux kernel work around RISC-V's Supervisor Binary Interface (SBI).

  • Linux Kernel Seeing Patches For NVIDIA's Proprietary Tegra Partition Table

    As an obstacle for upstreaming some particularly older NVIDIA Tegra devices (namely those running Android) is that they have GPT entry at the wrong location or lacking at all for boot support. That missing or botched GPT support is because those older devices make use of a NVIDIA proprietary/closed-source table format. As such, support for this proprietary NVIDIA Tegra Partition Table is being worked on for the Linux kernel to provide better upstream kernel support on these consumer devices. NVIDIA Tegra devices primarily rely on a special partition table format for their internal storage while some also support traditional GPT partitions. Those devices with non-flakey GPT support can boot fine but TegraPT support is being worked on for handling the upstream Linux kernel with the other devices lacking GPT support or where it's at the wrong sector. This issue primarily plagues Tegra 2 and Tegra 3 era hardware like some Google Nexus products (e.g. Nexus 7) while fortunately newer Tegra devices properly support GPT.

  • Intel Continues Bring-Up Of New Gateway SoC Architecture On Linux, ComboPHY Driver

    Besides all the usual hardware enablement activities with the usual names by Intel's massive open-source team working on the Linux kernel, one of the more peculiar bring-ups recently has been around the "Intel Gateway SoC" with more work abound for Linux 5.7. The Intel Gateway SoC is a seemingly yet-to-be-released product for high-speed network packet processing. The Gateway SoC supports the Intel Gateway Datapath Architecture (GWDPA) and is designed for very fast and efficient network processing. Outside of Linux kernel patches we haven't seen many Intel "Gateway" references to date. Gateway appears to be (or based on) the Intel "Lightning Mountain" SoC we were first to notice and bring attention to last summer when patches began appearing for that previously unknown codename.

Security: Updates, DNS Features in IPFire, Shodan and Canonical's Role in Robot Operating System (ROS 2)

  • Security updates for Wednesday

    Security updates have been issued by Debian (python-pysaml2), Mageia (clamav, graphicsmagick, opencontainers-runc, squid, and xmlsec1), Oracle (kernel, ksh, python-pillow, systemd, and thunderbird), Red Hat (rh-nodejs12-nodejs), Scientific Linux (ksh, python-pillow, and thunderbird), and SUSE (nodejs6, openssl, ppp, and squid).

  • What you can do with the new DNS features in IPFire

    Every time you try to access a website - for example ipfire.org - you will ask a DNS server for the IP address to connect to. They won't see anything past "the slash" in the URL, but that is not necessary to know what you probably have in mind to do. That DNS server now knows which bank you are with, where you work, where you do your online shopping, who is hosting your emails and many things more... Although this data is not too interesting about one individual, it becomes very relevant when you are looking at many profiles. People who shop at a certain place or are with a certain bank might be high earners. People who shop at another place might have trouble to stay afloat financially. Now I know what advertisements I need to show to which group so that they will become my customers. In short, your whole browser history tells a lot about you and you might be giving it away for free to the advertising industry or other parties who will use your data against you.

  • How Shodan Has Been Improved to Help Protect Energy Utilities

    Shodan is a well-known security hacking tool that has even been showcased on the popular Mr. Robot TV show. While Shodan can potentially be used by hackers, it can also be used for good to help protect critical infrastructure, including energy utilities. At the RSA Conference in San Francisco, Michael Mylrea, Director of Cybersecurity R&D (ICS, IoT, IIoT) at GE Global Research, led a session titled "Shodan 2.0: The World’s Most Dangerous Search Engine Goes on the Defensive," where he outlined how Shodan has been enabled to help utilities identify risks in critical energy infrastructure. Shodan, to the uninitiated, is a publicly available search engine tool that crawls the internet looking for publicly exposed devices. Mylrea explained that utilities are often resource constrained when it comes to cybersecurity and are typically unaware of their risk. In recent years, there have been a number of publicly disclosed incidents involving utilities. To help solve that challenge, Mylrea proposed a project to the US Department of Energy (DoE) to enhance Shodan for utilities so they could use the tool to find risks quickly.

  • Canonical takes leadership role in security for ROS

    Canonical is committed to the future of robotics, as proven a short time ago when we joined the Technical Steering Committee of the second version of the Robot Operating System (ROS 2). We’re also dedicated to building a foundation of enterprise-grade, industry leading security practices within Ubuntu, so we’re excited to join both of these strengths with our own Joe McManus taking the helm of the ROS 2 Security Working Group. We believe robots based on Linux are cheaper to develop, more flexible, faster to market, easier to manage, and more secure. While ROS began as an academic project over a decade ago, it has grown to become the most popular middleware for creating Linux-powered robots. It has harnessed the power of open source, allowing for many of the complex problems faced by robotics to be solved through collaboration. The ROS developer community has continued to grow, and ROS now enjoys an increasing amount of commercial use and supported robots. In response, the ROS community has completely overhauled the ROS codebase and started distributing ROS 2.

Audiocasts/Shows/Screencasts: The Linux Link Tech Show, FLOSS Weekly, Linux Headlines and Arch/Manjaro

  • The Linux Link Tech Show Episode 846

    nodejs 12, raspberry pi, 3d printing, air frying

  • FLOSS Weekly 567: DeepCode

    DeepCode alerts you about critical vulnerabilities you need to solve in your code. DeepCode finds critical vulnerabilities that other automated code reviews don't, such as Cross-Site Scripting, Path Traversal or SQL injection. DeepCode finds critical vulnerabilities that other automated code reviews don't, such as Cross-Site Scripting, Path Traversal or SQL injection with 90% precision.

  • 2020-02-26 | Linux Headlines

    Brave joins forces with the Wayback Machine, the Linux Foundation teams up with IBM to fight climate change, and The Document Foundation puts out a call to the community.

  • Linux Apps I Use At Work

    Linux Apps I Use At Work This video will go over all the applications I use on my Work PC. I go over my email, file browser, and many other features. As a life long Windows user, I was able to optimize my workflow once I moved to Linux and pick up a lot of productivity.

  • Manjaro 19.0 KDE Plasma Edition overview | #FREE OPERATING SYSTEM.

    In this video, I am going to show an overview of Manjaro Linux 19.0 KDE Plasma Edition and some of the applications pre-installed.

  • Manjaro 19.0 XFCE Run Through

    In this video, we are looking at Manjaro 19.0 XFCE.