Moz/FF

Mozilla: Rust, Socorro, and 'Healthier' Internet (Openwashing)

  • Another Rust-y OS: Theseus joins Redox in pursuit of safer, more resilient systems

    Rust, a modern system programming language focused on performance, safety and concurrency, seems an ideal choice for creating a new operating system, and several such projects already exist. Now there is a new one, Theseus, described by creator Kevin Boos as "an Experiment in Operating System Structure and State Management."

    The key thinking behind Theseus is to avoid what Boos and three other contributors from Rice and Yale universities call "state spill".

  • This Week In Rust: This Week in Rust 373
  • Socorro Engineering: Half in Review 2020 h2 and 2020 retrospective

    2020h1 was rough. 2020h2 was also rough: more layoffs, 2 re-orgs, Covid-19.

    I (and Socorro and Tecken) got re-orged into the Data Org. Data Org manages the Telemetry ingestion pipeline as well as all the things related to it. There's a lot of overlap between Socorro and Telemetry and being in the Data Org might help reduce that overlap and ease maintenance.

    [...]

    2020 sucked. At the end, I was feeling completely demoralized and deflated.

  • Reimagine Open: Building a Healthier Internet

    Does the “openness” that made the [Internet] so successful also inevitably lead to harms online? Is an open [Internet] inherently a haven for illegal speech, for eroding privacy and security, or for inequitable access? Is “open” still a useful concept as we chart a future path for the [Internet]?

    A new paper from Mozilla seeks to answer these questions. Reimagine Open: Building Better Internet Experiences explores the evolution of the open [Internet] and the challenges it faces today. The report catalogs findings from a year-long project of outreach led by Mozilla’s Chairwoman and CEO, Mitchell Baker. Its conclusion: We need not break faith with the values embedded in the open [Internet]. But we do need to return to the original conceptions of openness, now eroded online. And we do need to reimagine the open [Internet], to address today’s need for accountability and online health.

Mozilla: Firefox Nightly, Thunderbird, and VPN

  • Improving Cross-Browser Testing, Part 2: New Automation Features in Firefox Nightly - Mozilla Hacks - the Web developer blog

    In our previous blog post about the web testing ecosystem, we described the tradeoffs involved in automating the browser via the HTTP-based WebDriver standard versus DevTools protocols such as Chrome DevTools Protocol (CDP). Although there are benefits to WebDriver’s HTTP-based approach, we know there are many developers who find the additional functionality and ergonomics of CDP-based test tools compelling.

    It’s clear that WebDriver needs to grow to meet the capabilities of DevTools-based automation. However, that process will take time, and we want more developers to be able to run their automated tests in Firefox today.

    To that end, we have shipped an experimental implementation of parts of CDP in Firefox Nightly, specifically targeting the use cases of end-to-end testing using Google’s Puppeteer, and the CDP-based features of Selenium 4.

    For users looking to use CDP tooling with stable releases of Firefox, we are currently going through the process to enable the feature on release channels and we hope to make this available as soon as possible.

    The remainder of this post will look at the details of how to use Firefox with CDP-based tools.

  • New in Thunderbird 78.0

    I use Evolution for work mail, for psychological separation, but also for Exchange support, and I have to say: Thunderbird is just much easier to use, in that you can customize it into whatever you want from a client. I’m genuinely shocked people prefer web mail interfaces to something more robust, like Thunderbird.

  • Think you don’t need a VPN? Here are five times you just might.

    Have you ever connected to a hotspot called something like C0MCAST-WiFi-77th-St or Verizon3-Hotspot-Baltimore? Looks legit, right? Not so fast. In reality, anyone can set up a phony public WiFi with a legitimate sounding name to lure people to use it. Connecting to any unknown WiFi makes you an easy target for creeps and criminals who want to access your device to steal private information, install malware or worse. Mozilla VPN can boost your security any time you’re connected to a public WiFi by blocking unknown entities from seeing private data that travels from your phone or laptop. This goes for connecting to WiFi networks at coffee shops, stores, doctor’s offices and so on.

  • Mozilla VPN is Now Available to Mac & Linux Users - OMG! Ubuntu!

    Mozilla VPN now supports Mac and Linux. The subscription-based privacy service launched in 2020 but only for Windows, Android and iOS.

  • Mozilla brings its VPN to Mac and Linux

Firefox – we’re finally getting HW acceleration on Linux


Firefox 84.0 is a big milestone for Firefox Linux development as it comes with HW acceleration by default for some Linux users. Stock Mozilla Firefox 84.0 enables WebRender (HW accelerated backend) for Gnome/X.org and Gnome/Wayland will be supported in Firefox 85.0. Fedora is a bit ahead and enables WebRender for Gnome/Wayland in Firefox 84.0 too.

WebRender by default is restricted to AMD/Linux graphics cards as NVIDIA is known for various issues – both proprietary and Nouveau drivers.

And why is it enabled in Gnome only for now? For instance, KDE is also a popular desktop environment. I think it’s because Gnome utilizes HW acceleration, so when Gnome works on your box there’s an assumption that Firefox will work too. KDE provides choices for how to disable/restrict the HW acceleration setup (for instance it supports disabled screen compositing) and it’s more difficult to cover various scenarios.


Also: Mozilla No Longer Supports A Free Internet

Firefox 86 Will Support Next-Gen Image Format by Default


A bug report shows Mozilla devs plan to ship Firefox 86, due in February 2020, with AVIF image support by default. AVIF images used on websites and web services will load in-page just like other supported image formats.

But what is AVIF?

AVIF is a free, lightweight, and highly optimised image compression format based on the AV1 video codec. AVIF images are up to 50% smaller in size (so they load faster) but are visually comparable to JPEG and other image compression formats in most instances.


Mozilla Firefox Flips On AVIF Image Decoding By Default


As noted before the holidays, Mozilla Firefox was ready to enable AVIF image decoding by default; now that the holidays have passed and developers are back at their keyboards, Firefox today has re-enabled AVIF by default.

Since Google's Chrome 85 there has been AVIF support enabled by default while the Firefox support has been disabled by default for now. But as of today in their nightly code the functionality is there out-of-the-box.


Also: We need more than deplatforming

The first fully tested Fedora Firefox package


We hit a big milestone in Firefox deployment on Fedora with the firefox-84.0.2 package. It’s the first fully tested Firefox package released to Fedora users. Let’s see what’s so exciting about it.

Mozilla has a large testsuite as a part of its development and release process. When any new patch hits the Firefox repository, it’s built and tested for functional and speed regressions. The testsuite is also a developer’s nightmare as it contains some old and outdated test environments and it may be difficult to pass patches through it.


Security Leftovers

  • Mozilla Security Blog: Encrypted Client Hello: the future of ESNI in Firefox

    Two years ago, we announced experimental support for the privacy-protecting Encrypted Server Name Indication (ESNI) extension in Firefox Nightly. The Server Name Indication (SNI) TLS extension enables server and certificate selection by transmitting a cleartext copy of the server hostname in the TLS Client Hello message. This represents a privacy leak similar to that of DNS, and just as DNS-over-HTTPS prevents DNS queries from exposing the hostname to on-path observers, ESNI attempts to prevent hostname leaks from the TLS handshake itself.

    Since publication of the ESNI draft specification at the IETF, analysis has shown that encrypting only the SNI extension provides incomplete protection. As just one example: during session resumption, the Pre-Shared Key extension could, legally, contain a cleartext copy of exactly the same server name that is encrypted by ESNI. The ESNI approach would require an encrypted variant of every extension with potential privacy implications, and even that exposes the set of extensions advertised. Lastly, real-world use of ESNI has exposed interoperability and deployment challenges that prevented it from being enabled at a wider scale.

  • 33 hardware and firmware vulnerabilities: A guide to the threats | CSO Online

    Meltdown and Spectre raised the alarm over vulnerabilities that attackers can exploit in popular hardware and its firmware. Here's a roundup of the ones that present the most significant threats.

  • 6 Open Source Tools for Your Security Team

    Open source tools are a fact of life in application development. A growing number of open source security tools makes the noncommercial license a realistic option for more security teams.

    Traditionally, open source tools have been viewed as options for academic institutions and smaller companies. But current-generation open source tools, developed with an emphasis on scale and deployment flexibility, have been developed with larger enterprises in mind.

    Dark Reading looked at a range of tools and systems across the open source landscape to find a half-dozen that enterprise security teams will want to know about. Several are at the beginning of their product lives; one is at the end, though it is still useful. In most cases, these tools compete against commercial offerings, though in every case the open source option provides qualities (aside from purchase price) that make them worthy of consideration for specific situations.

Mozilla: Security, HTML, Standardizing Principles and More

  • Why getting voting right is hard, Part III: Optical Scan

    This is the third post in my series on voting systems. For background see part I. As described in part II, hand-counted paper ballots have a number of attractive security and privacy properties but scale badly to large elections. Fortunately, we can count paper ballots efficiently using optical scanners (opscan). This will be familiar to anyone who has taken paper-based standardized tests: instead of just checking a box, next to each choice there is a region (typically an oval) to fill in, as shown in the examples below. These ballots can then be machine read using an optical scanner which reports the result totals.

    [...]

    So far in this series I’ve talked about paper ballots as if they are cast at the polling place, but that doesn’t have to be the case. They can just as easily be sent to voters who return them by mail. Depending on the situation this is referred to as “vote by mail” (VBM) or “absentee ballots”. VBM brings some special challenges which I’ll be covering in my next post.

  • Martin Thompson: RFCs in HTML

    I spend a shocking amount of my time staring at IETF documents, both Internet-Drafts and RFCs. I have spent quite a bit of time looking at GitHub README files and W3C specifications.

    For reading prose, the format I routinely find to be the most accessible is the text versions. This is definitely not based on the quality of the writing, all of these formats produce unreadable documents. What I refer to here is not the substance, but the form. That is, how the text is laid out on my screen[1].

    There is clearly a degree of familiarization and bias involved in this. A little while ago, I worked out that there is just one thing that elevates that clunky text format above the others: line length.

  • Standardizing Principles

    There is a perennial question in standards development about the value of the different artefacts that the process kicks out.

    One subject that remains current is the relative value of specifications against things like compliance testing frameworks. Reasonable people tend to place different weight on tests, with a wide range of attitudes. In the past, more people were willing to reject attempts to invest in any shared test or compliance infrastructure.

    In recent years however, it has become very clear that a common test infrastructure is critical to developing a high quality standard. Developing tests in conjunction with the standardization effort has improved the quality of specifications and implementations a great deal.

    Recently, I encountered an example where a standards group deliberately chose not to document behaviour, relying exclusively on the common test framework. Understanding what is lost when this

  • Aaron Klotz at Mozilla: 2018 Roundup: Q2, Part 2

    One of the things I added to Firefox for Windows was a new process called the “launcher process.” “Bootstrap process” would be a better name, but we already used the term “bootstrap” for our XPCOM initialization code. Instead of overloading that term and adding potential confusion, I opted for using “launcher process” instead.

    The launcher process is intended to be the first process that runs when the user starts Firefox. Its sole purpose is to create the “real” browser process in a suspended state, set various attributes on the browser process, resume the browser process, and then self-terminate.

    In bug 1454745 I implemented an initial skeletal (and opt-in) implementation of the launcher process for starting.

    This seems like pretty straightforward code, right? Naïvely, one could just rip a CreateProcess sample off of MSDN and call it a day. The code is a bit more complicated than that, for various reasons, which I will outline in the following sections.

Rust 1.49.0 Released and Related News

  • Announcing Rust 1.49.0

    The Rust team is happy to announce a new version of Rust, 1.49.0. Rust is a programming language that is empowering everyone to build reliable and efficient software.

  • This Week In Rust: This Week in Rust 371
  • Niko Matsakis: The more things change… [Ed: Rust language is becoming GAFAM surveillance monopolies, hosted on Microsoft servers]

    That said, I’ve talked to a number of people in the Rust community who feel nervous about this change. After all, we’ve worked hard to build an open source organization that values curiosity, broad collaboration, and uplifting others. As more companies form Rust teams, there’s a chance that some of that could be lost, even if everyone has the best of intentions. While we all want to see more people paid to work on Rust, that can also result in “part time” contributors feeling edged out.

    [...]

    I want to zoom out a bit to the broader picture. As I said in the intro, we are entering a new phase for Rust, one where there are multiple active Rust teams at different companies, all working as part of the greater Rust community to build and support Rust. This is something to celebrate. I think it will go a long way towards making Rust development more sustainable for everyone.

    Even as we celebrate, it’s worth recognizing that in many ways this exciting future is already here. Supporting Rust doesn’t require forming a full-time Rust team. The Google Fuchsia team, for example, has always made a point of not only using Rust but actively contributing to the community. Ferrous Microsystems has a number of folks who work within the Rust compiler and embedded teams. In truth, there are a lot of employers who give their employees time to work on Rust – way too many to list, even if I knew all their names. Then we have companies like Embark and others that actively fund work on their dependencies (shout-out to cargo-fund, an awesome tool developed by the equally awesome azfoltzer, who – as it happens – works at Fastly, another company that has been an active supporter of Rust).

Mozilla Leftovers

  • Scammers use Chrome, Firefox extensions in widespread ad fraud campaign

    The scammers are using malicious browser extensions — a tried and tested fraud tactic — to inject bogus advertisements into the results displayed on a search engine page. The more users who visit the fraudulent ad pages, the more money the perpetrators earn via a traffic-driven advertising program. Microsoft did not identify who was responsible for the attacks, or how much money they had netted.

  • Firefox Browser updated to 84.0.1 [in] PCLinuxOS

    The Mozilla Firefox browser has been updated to 84.0.1 and is a minor bug fix update. This update will appear in your Synaptic Package Manager if you are using Firefox.

  • David Humphrey: SnowyOwls.ca

    But as the snow begins to fall each December, my attention turns to another owl: the Snowy Owl. Normally at this time of year I'm seeing Snowy Owls on my long commutes to and from work. With COVID, I'm not out driving anymore, and as such, I'm not having as easy a time finding them.

    I decided that this year's marking-side-project would be a tool to help people find Snowy Owls near where they live. I've long wanted to play with eBird and the eBird API, and hoped that I could get recent sighting data this way. To use the eBird API, you have to create an account and then request an API key. After that you can do all sorts of interesting queries to get current or historical data about sightings by species, region, or location.

    [...]

    As we enter our tenth month of the pandemic, I wanted to make something for the current moment. Christmas won't be the same this year: we won't be able to celebrate or visit our parents, siblings, or their families; I can't get together with any friends for a meal; and many of the usual traditions our family has are off the table. I'm sad at all of it.

    I can't fix any of this, but I wanted to do something to give some small bit of joy over the holidays. While the pandemic forces us to avoid each other, we're still allowed to go outside, to drive in the country, to walk in the park or along the shoreline, and to look for Snowy Owls.

    As I was finishing up the app's code, I noticed that a new owl had been spotted 15 minutes from our house. My wife and I drove off into the falling snow in search of it, creeping along an old fence line stretched across a farmer's field. It was really beautiful to be out, to be hopeful, and to be focused on what is yet to come.


More in Tux Machines

today's leftovers

  • Meetup Will Discuss Survey Results, Project Improvements

    The openSUSE Project welcomes our followers to participate in two planned meetups to discuss results from the End of the Year Community Survey on Jan. 23 and Jan. 30. Both sessions will start at 13:00 UTC on openSUSE’s Jitsi instance and go for 1:30 hours. Members of the “let’s improve the openSUSE learning experience” initiative will share results and analysis from the survey.

  • LF Edge Adds New Members

    LF Edge has announced the addition of four new general members (FII, HCL, OpenNebula, and Robin.io) and one new Associate member (Shanghai Open Source Information Technology Association). Additionally, Home Edge has released its third platform update with new Data Storage and Multi-NAT Edge Device Communications (MNDEC) features.

  • Text Encoding Menu in 2021

    In mid-January 2021, the Text Encoding menu in Firefox looks like this: Automatic; Unicode; Western; Arabic (Windows); Arabic (ISO); Baltic (Windows); Baltic (ISO); Central European (Windows); Central European (ISO); Chinese, Simplified; Chinese, Traditional; Cyrillic (Windows); Cyrillic (KOI8-U); Cyrillic (KOI8-R); Cyrillic (ISO); Cyrillic (DOS); Greek (Windows); Greek (ISO); Hebrew, Visual; Hebrew; Japanese; Korean; Thai; Turkish; Vietnamese

    [...]

    For users who have telemetry enabled, we collect data about whether the item “Automatic” was used at least once in a given Firefox subsession, whether an item other than “Automatic” was used at least once in a given Firefox subsession, and a characterization of how the encoding that is being overridden was determined (from HTTP, from meta, from chardetng running without the user triggering it, from chardetng as triggered by the user by having chosen “Automatic” previously, etc.). If things go well, the telemetry can be analyzed when Firefox 87 is released (i.e. when 86 has spent its time on the release channel). The current expectation for this is 2021-03-23.

  • Wikipedia is twenty. It’s time to start covering it better. - Columbia Journalism Review
  • Jimmy Wales: “Wikipedia is from a different era”

    As the online encyclopedia turns 20 years old, its founder reflects on the internet’s halcyon days.

  • Fact check: As Wikipedia turns 20, how credible is it?

    Wikipedia, which has been referred to as a world treasure, turns 20 on Friday. According to research conducted over the years — including a scientific study published by the journal Nature in 2005 and a report commissioned by the site's Wikimedia Foundation in 2012 — Wikipedia's entries are comparable in quality to those in prestigious encyclopedias such as Britannica. However, it is difficult to measure the consistency of information that can be altered at any time.

  • Odin is finally pleased so the open-world survival game Valheim releases on February 2 | GamingOnLinux

    Odin has finally had enough sacrifices and shall be releasing Valheim; the game from Iron Gate AB will enter Early Access with Linux and Windows support on February 2. What is it? A brutal multiplayer exploration and survival game set in a procedurally-generated purgatory inspired by viking culture. Battle, build, and conquer your way to a saga worthy of Odin’s patronage! With low-poly artwork and a very flexible building system it looks absolutely brilliant. The early builds they had available were seriously promising back in 2018 so I'm personally excited to see how far they've progressed with it in that time.

Programming Leftovers

  • Ravgeet Dhillon: Offline Toast notification in Nuxt/Vue app

    We have often seen apps telling us that “You are offline. Check your network status.”. It is not only convenient to do so but adds to a great UX. In this blog, we will look at how we can display a toast notification in a Nuxt/Vue app whenever the user goes offline or online. This will also help us to understand how to use computed and watch properties together.

    [...]

    Hurray! Our toast notifications are working perfectly fine. So using the combined magic of computed and watch properties, we can create outstanding workflows and take our Nuxt/Vue app to the next level. If you have any doubts or appreciation for our team, let us know in the comments below. We would be happy to assist you.

  • Stephen Michael Kellat: Leveraging LaTeX In This Time

    From time to time I like to bring up fun adventures in LaTeX. In these strange times in the United States it is important to look at somewhat practical applications beyond the normal reports and formal papers most people think of. With a Minimum Working Example we can mostly look at an idea. The Comprehensive TeX Archive Network has a package known as newspaper which is effectively subject to nominative determinism. You can make things with it that look like newspapers out of the 1940s-1960s in terms of layout. The page on CTAN shows nice examples of its use and provides a nice story as to why the package was created. The example source file on CTAN has a bug in it, though. We're going to make a new one based on it. I am also going to add but not yet utilize the markdown package to the example.

  • 2021.03 Course Topped – Rakudo Weekly News

    The course of the Raku Programming Language by Andrew Shitov made it to the top 20 of Hacker News and spurred quite a few comments. The first associated Grant Report was also published.

  • GCC 11 Is On The Final Stage Of Development With 60+ High Priority Regressions - Phoronix

    GCC 11 entered its final stage of development today as it works towards releasing around the end of Q1 / early Q2 if their past cadence holds up. Before GCC 11.1 can debut as the first stable version, there are some 60+ "P1" high priority regressions that need to be resolved or otherwise demoted to lesser priority regressions. GCC 11 release manager Richard Biener this morning announced GCC 11 is now in stage four development meaning only regression fixes and documentation fixes are allowed. As of this morning the code-base is at 62 P1 regressions, another 334 P2 regressions, 35 P3 regressions, and more than 200 regressions of the lower P4/P5 status.

Devices: Xtra-PC, Arduino and Inventor Coding Kit

  • Xtra-PC Reviews – Best Linux USB-Stick? - Product Review by Rick Finn

    The Xtra-PC Linux USB-Stick might be your solution if you have problems with your old and slow PC. It's a small flash drive stick and it's using Linux OS to boost your PC's operations. Check out now.

  • Arduino Blog » Old keyboard turned into a new children’s learning toy

    Peter Turczak’s toddler son loves “technical stuff,” especially things like keyboards and computers that adults use. After discussing this with other likeminded technical parents, the idea of giving new life to an old (PS/2 or AT) keyboard as a teaching tool was hatched.

  • SiFive Helping To Teach Kids Programming With RISC-V HiFive Inventor Coding Kit

    SiFive in cooperation with Tynker and BBC Learning have launched a Doctor Who themed HiFive Inventor Coding Kit. This initial HiFive Inventor Coding Kit is intended to help kids as young as seven years of age get involved with computer programming through a variety of fun exercises and challenges involving the RISC-V powered mini computer and related peripherals like LED lighting and speaker control.

    [...]

    So for those looking to get their kids involved with computer programming and looking for an IoT-type device with some fun sensors and various themed exercises to get them experimenting, the HiFive Inventor Coding Kit is worth looking into further. More details on the programming platform can be found via Tynker.com and on the hardware at HiFiveInventor.com. The HiFive Inventor Kit is available from Amazon.com and other Internet retailers for $75 USD.

Security Leftovers

  • Security updates for Monday

    Security updates have been issued by Arch Linux (atftp, coturn, gitlab, mdbook, mediawiki, nodejs, nodejs-lts-dubnium, nodejs-lts-erbium, nodejs-lts-fermium, nvidia-utils, opensmtpd, php, python-cairosvg, python-pillow, thunderbird, vivaldi, and wavpack), CentOS (firefox and thunderbird), Debian (chromium and snapd), Fedora (chromium, flatpak, glibc, kernel, kernel-headers, nodejs, php, and python-cairosvg), Mageia (bind, caribou, chromium-browser-stable, dom4j, edk2, opensc, p11-kit, policycoreutils, python-lxml, resteasy, sudo, synergy, and unzip), openSUSE (ceph, crmsh, dovecot23, hawk2, kernel, nodejs10, open-iscsi, openldap2, php7, python-jupyter_notebook, slurm_18_08, tcmu-runner, thunderbird, tomcat, viewvc, and vlc), Oracle (dotnet3.1 and thunderbird), Red Hat (postgresql:10, postgresql:12, postgresql:9.6, and xstream), SUSE (ImageMagick, openldap2, slurm, and tcmu-runner), and Ubuntu (icoutils).

  • About CVE-2020-27348

    Well this is a doozy. Made public a while back was a security vulnerability in many Snap Packages and the Snapcraft tool used to create them. Specifically, this is the vulnerability identified as CVE-2020-27348. It unfortunately affects many many snap packages…

    [...]

    The problem arises when the LD_LIBRARY_PATH includes an empty element in its list. When the Dynamic Linker sees an empty element it will look in the current working directory of the process. So if we construct our search paths with an accidental empty element the application inside our Snap Package could be caused to load a shared library from outside the Snap Package’s shipped files. This can lead to an arbitrary code execution. It has been common to put a definition of the LD_LIBRARY_PATH variable into a Snap Package’s snapcraft.yaml that references a predefined $LD_LIBRARY_PATH as if to extend it. Unfortunately, despite this being common, it was poorly understood that SnapD ensures that the $LD_LIBRARY_PATH is unset when starting a Snap Package’s applications. What that means is that where the author tried to extend the variable they have inadvertently inserted the bad empty element. The empty element appears because $LD_LIBRARY_PATH is unset so the shell will expand it to an empty string.

  • Wait, What? Kids Found A Security Flaw in Linux Mint By Mashing Keys!

    Security flaws can be incredibly stupid and dangerous. Of course, I’m not judging anyone, we are humans after all. But this little incident is quite funny.