Planet Mozilla


Joel Maher: Stockwell: flowchart for triage

Mon, 23 Oct 2017 19:50:29 +0000

I gave an update 2 weeks ago on the current state of Stockwell (intermittent failures).  I mentioned additional posts were coming and this is a second post in the series.

First off, the tree sheriffs, who maintain merges between branches, tree closures, backouts, hot fixes, and many other actions that keep us releasing code, do one important task, and that is star failures to a corresponding bug.


These annotations are saved in Treeherder and Orange Factor.  Inside of Orange Factor, we have a robot that comments on bugs– this has been changing a bit more frequently this year to help meet our new triage needs.

Once we get bugs annotated, now we work on triaging them.  Our primary tool is Neglected Oranges, which gives us a view of all failures that meet our threshold and don’t have a human comment in the last 7 days.  Here is the next stage of the process:


As you can see this is very simple, and it should be simple.  The ideal state is adding more information to the bug which helps make it easier for the person we NI? to prioritize the bug and make a decision:


While there is a lot more we can do, and much more that we have done, this seems to be the most effective use when looking across 1000+ bugs that we have triaged so far this year.

In some cases a bug fails very frequently and there are no development resources to spend fixing the bug- these will sometimes cross our 200 failures in 30 days policy and will get a [stockwell disabled-recommended] whiteboard tag, we monitor this and work to disable bugs on a regular basis:


This isn’t as cut and dry as disable every bug, but we do disable as quickly as possible and push hard on the bugs that are not as trivial to disable.

There are many new people working on Intermittent Triage and having a clear understanding of what they are doing will help you know how a random bug ended up with a ni? to you!


Hacks.Mozilla.Org: Add Progressive Web Apps to your Home screen in Firefox for Android

Mon, 23 Oct 2017 18:56:31 +0000

In 2010, the concept of “responsive web design” (RWD) started resonating in web development circles. Over time, it became a recommended best practice, which was strengthened by the emergence of a number of RWD-enhancing web technologies, such as responsive images, @supports, flexbox, grid, and so much more. Today, practically all websites are built with RWD principles at their core: truly a dramatic improvement over yesteryear’s desktop-focused web.

Over the last two years, a similar and complementary evolution has been happening: Progressive Web Apps (PWA), an umbrella term for a new set of standardized browser technologies that combine the low-friction nature of the web with the reliability and capabilities we typically associate with native apps, are gaining ground, with more and more top online services sharing their success stories, and with browser support increasing.

While the Chrome team has been spearheading the PWA effort, other browsers have been landing supporting implementations, and Mozilla has been heavily involved as well: Service Workers and Push, two of the technologies powering PWAs shipped last year in Firefox 44, and Mozillian Marcos Caceres has been heading up the Web App Manifest spec work.

So, continuing our commitment to making PWAs a top experience on mobile, we’re pleased to announce that Firefox 58 for Android will ship with Web App Manifest support, in the form of “Add to Home screen” functionality.

When a Firefox 58 user arrives on a website that is served over HTTPS and has a valid manifest, a subtle badge will appear in the address bar: when tapped, an “Add to Home screen” confirmation dialog will slide in, through which the web app can be added to the Android home screen. When launched from there, the web app will be shown in the configured view mode and orientation, and it will appear as a separate entry in the app switcher.

Note that at present, beforeinstallprompt is not supported, but it might yet be added in a future release: we’re investigating how to proceed.

It’s also worth pointing out that there is now also a new “Add Page Shortcut” option in the Page section of the three-dot overflow menu, which allows users to place a simple shortcut to any URL on their home screen — super handy when you want to keep a quick link to a bus schedule, sports section, or other specific page right at your fingertips. When the shortcut icon is tapped, the web page in question is opened in the full browser UI, just like a bookmark.

Another neat feature is how external links are handled: when a user is browsing an installed progressive web app and taps an external link, the page in question is opened in a Custom Tab. This keeps the user secure as the URL and safety information are visible, speeds up page load time (a Custom Tab loads faster than the full browser), preserves the progressive web app’s color branding, and is in line with native app behavior.

In upcoming releases, we plan to add more support for other PWA-related APIs: our Background Sync implementation is well underway (currently targeting Firefox 59), and we’re quite excited about the Payment Request and Web Share APIs as well.

So, try out the “Add to Home screen” implementation in Firefox Nightly for Android. (Note: for the time being, you need to enable PWA support under Settings > Advanced > Experimental features.) Stay tuned for more goodies to come in future releases![...]

Air Mozilla: Mozilla Weekly Project Meeting, 23 Oct 2017

Mon, 23 Oct 2017 18:00:00 +0000

The Monday Project Meeting

Mozilla Open Policy & Advocacy Blog: Mozilla’s comments to the UK Algorithms Inquiry

Mon, 23 Oct 2017 17:25:03 +0000

Algorithms, machine learning, artificial intelligence, and other code-driven decisionmaking are increasingly hot topics for policymakers across the globe. The latest request for information came from the House of Commons Science and Technology Select Committee of the UK Parliament – a cross party body holding an inquiry into the use of algorithms in public and business decision making. Last week, Mozilla submitted comments on how we think about the intersection of algorithms and policy.

Our submission to the inquiry has a few main points:

  • This is a new and evolving area in which even the terms we use to discuss the topic are not fixed. The committee should spend time working out how to frame good questions, as well as looking for answers.
  • “Algorithm” is too general a concept to reason about. As well as having different uses, algorithms can be of several different types (outlined in our submission), and operated by either government or private sector organizations; those factors should have a significant effect on how we view them. Furthermore, the context of the decision-making is, in many cases, at least as important as the algorithm itself.
  • Algorithms and data are inherently intertwined when there is machine learning; the data shapes the decision-making process. Just talking about one without the other will give an incomplete picture, and yet ideas of “data transparency” and “algorithm transparency” have very different issues and challenges.
  • We believe that “accountability” rather than “transparency” is the best frame in which to consider algorithmic decision-making. While asking to “show me how it’s done” is an appealing idea in principle, in practice it is often very difficult, and ultimately not as helpful as may seem in understanding and addressing problems that arise.

Going forward, we’ll keep iterating on these points. There’s a broad set of policy questions that no one really has answers for yet – from the responsibility of a company to the changing cultural norms, what fairness means, and around delegating decisions to automation. A growing community of academics, policymakers, and technologists are thinking about how to make algorithmic decisionmaking better – and we’re going to be a part of that discussion.

The post Mozilla’s comments to the UK Algorithms Inquiry appeared first on Open Policy & Advocacy.

QMO: Firefox Developer Edition 57 Beta 12, October 27th

Mon, 23 Oct 2017 13:02:49 +0000

Hello Mozillians!

We are happy to let you know that Friday, October 27th, we are organizing Firefox Developer Edition 57 Beta 12 Testday. We’ll be focusing our testing on the following new features: Photon Onboarding Tour Notifications & Tour, Photon Structure and Date Time Input Types. 

Check out the detailed instructions via this etherpad.

No previous testing experience is required, so feel free to join us on #qa IRC channel where our moderators will offer you guidance and answer your questions.

Join us and help us make Firefox better!

See you on Friday!

Cameron Kaiser: TenFourFox FPR4b1 available

Mon, 23 Oct 2017 05:09:09 +0000

TenFourFox Feature Parity Release 4 beta 1 is now available (downloads, hashes, release notes). I didn't get everything into this release that I was hoping to; CSS Grid and some additional DOM features are going to have to wait until FPR5. Still, there's quite a bit in FPR4, including more AltiVec conversions (this time the library function we're making over is strchr()), layout speed enhancements and hopefully a final fix for issue 72. That was a particularly interesting fix because it turns out there are actually two OS bugs in 10.5 that not only caused the issue but made it a little more involved to mitigate; read the issue if you're interested in the gory technical details, but basically we can overwhelm Leopard with our popup window events, and on top of that we can't even detect the misplaced clicks that result because the NSEvent's underlying CGEvent has incorrectly displaced coordinates. Since it does much the same work to patch around the OS as the fix for issue 248 (which also affects 10.4), even though the two issues have completely different root causes, I mostly combined the code for the two fixes to simplify the situation. It's not well tested, however, so I haven't uploaded it to the tree yet in case I have to back it out like I did the last time. Once we've determined it fixes the problem and it doesn't regress anything, I'll commit and push it. The two major user-facing changes relate to fonts and HTML5 video. On the font side, we now have the same versions of the Brotli, OTS, WOFF2 and Harfbuzz libraries as Firefox 57, meaning we now support the latest iteration of WOFF2 webfonts as well and pick up all the rendering and performance improvements along the way. (This also upgrades Brotli decompression for the websites that support it, and I added some PowerPC-specific enhancements to the in-tree Brotli to use our native assembly byteswapping instructions for endian conversion. I should try to push this upstream when I get a round tuit.) 
This version of TenFourFox also fixes a longstanding issue where we couldn't display Graphite fonts for minority writing systems; they just wouldn't load due to a compiler issue where one of the key structs was computed with the wrong size, causing the browser to bail out. Before you upgrade, look at that link in FPR3 and note that because of this fallback the Burmese Padauk font has the wrong washwes and the Nastaʿlīq font at the bottom is missing all the ligatures and glyph substitutions shown in the comparison screenshot. In FPR4, this is all corrected and everything appears perfectly. As a formally trained linguist (BA, University of California) and a Christian, I find the work SIL International is doing with writing systems to be fascinating and hopefully this will make TenFourFox more useful to our users in foreign climes. On the video side, the YouTube redesign has been an unmitigated dumpster fire for performance on older machines. Not only does it require a lot more system resources, it also ruined a lot of older addons to download videos that depended on the prior layout (on purpose?). It's not entirely misguided, though: while the lazy loader they appear to be using makes it very hard to deterministically reason about what loads when, after the first video finally grinds through subsequent ones do require much less work. (This is part of Google's attempt to get you to just "leave YouTube on" like your TV, I suspect.) I tried to retune the media decoder state machine to deal with these changes, and the baseline I hit on makes the browser pre-render a lot more frames (not just buffer, but actually pre-decode prior to playback) and pushes much smaller sets to the compositor instead of drowning it in frames that arrive too late and then have to be taken back out. With this change my Quad G5 is able to play most videos in Reduced mode nearly as well as before -- it does not completely erase the loss in performance, but it does im[...]

Frédéric Wang: Recent Browser Events

Sun, 22 Oct 2017 22:00:00 +0000

TL;DR

At Igalia, we attend many browser events. This is a quick summary of some recent conferences I participated in… or that gave me the opportunity to meet Igalians in Paris 😉.

Week 31: Paris - CSS WG F2F - W3C

My teammate Sergio attended the CSS WG F2F meeting as an observer. On Tuesday morning, I also made an appearance (but it was so brief that ceux que j’ai rencontrés ne m’ont peut-être pas vu). Together with other browser vendors and WG members, Sergio gave an interview regarding the successful story of CSS Grid Layout. By the way, given our implementation work in WebKit and Blink, Igalia finally decided to join the CSS Working Group 😊. Of course, during that week I had dinner with Sergio and it was nice to chat with my colleague in a French restaurant of Montmartre.

Week 38: Tokyo - BlinkOn 8 - Google

Jacobo, Gyuyoung and I attended BlinkOn 8. I had nice discussions and listened to interesting talks about a wide range of topics (Layout NG, Accessibility, CSS, Fonts, Web Predictability & Standards, etc). It was a pleasure to finally meet in person some developers I had been in touch with during my projects on Ozone/Wayland and WebKit/iOS. For the lightning talks, we presented our activities on embedded linux platforms and the Web Platform. Incidentally, it was great to see Igalia’s work mentioned during the Next Generation Rendering Engine session. Obviously, I had the opportunity to visit places and taste Japanese food in Asakusa, Ueno and Roppongi 😋.

Week 40: A Coruña - Web Engines Hackfest - Igalia

I attended one of my favorite events, that gathers the whole browser community during three days for technical presentations, breakout sessions, hacking and galician food. This year, we had many sponsors and attendees. It is good to see that the event is becoming more and more popular! It was long overdue, but I was finally able to make Brotli and WOFF2 installable as system libraries on Linux and usable by WebKitGTK+ 😊. I opened similar bugs in Gecko and the same could be done in Chromium. Among the things I enjoyed, I met Jonathan Kew in person and heard more about Antonio and Maksim’s progress on Ozone/Wayland. As usual, it was nice to share time with colleagues, attend the assembly meeting, play football matches, have meals, visit Asturias… and tell one’s story 😉.

Week 41: San Jose - WebKit Contributors Meeting - Apple

In the past months, I have mostly been working on WebKit at Igalia and I would have been happy to see my fellow WebKit developers. However, given the events in Japan and Spain, I was not willing to make another trip to the USA just after. Hence I had to miss the WebKit Contributors Meeting again this year 😞. Fortunately, my colleagues Alex, Michael and Žan were present. Igalia is an important contributor to WebKit and we will continue to send people and propose some talks next year.

Week 42: Paris - Monthly Speaker Series - Mozilla

This Wednesday, I attended a conference on Privacy as a Competitive Advantage in Mozilla’s office. It was nice to hear about the increasing interest on privacy and to see the regulation made by the European Union in that direction. My colleague Philippe was visiting the office to work with some Mozilla developers on one of our projects, so I was also able to meet him in the conference room. Actually, Mozilla employees were kind enough to let me stay at the office after the conference… Hence I was able to work on Apple’s Web Engine on a project sponsored by Google at the Mozilla office… probably something you can only do at Igalia 😉. Last but not least, Guillaume was also on holiday in Paris this week, so I let you imagine what happens when three French guys meet (hint: it involves food 😋).[...]

Niko Matsakis: Chalk meets SLG

Sat, 21 Oct 2017 04:00:00 +0000

For the last month or so, I’ve gotten kind of obsessed with exploring a new evaluation model for Chalk. Specifically, I’ve been looking at adapting the SLG algorithm, which is used in the XSB Prolog engine. I recently opened a PR that adds this SLG-based solver as an alternative, and this blog post is an effort to describe how that PR works, and explore some of the advantages and disadvantages I see in this approach relative to the current solver that I described in my previous post.

TL;DR

For those who don’t want to read all the details, let me highlight the things that excite me most about the new solver:

  • There is a very strong caching story based on tabling.
  • It handles negative reasoning very well, which is important for coherence.
  • It guarantees termination without relying on overflow, but rather a notion of maximum size.
  • There is a lot of work on how to execute SLG-based designs very efficiently (including virtual machine designs).

However, I also have some concerns. For one thing, we have to figure out how to include coinductive reasoning for auto traits and a few other extensions. Secondly, the solver as designed always enumerates all possible answers up to a maximum size, and I am concerned that in practice this will be very wasteful. I suspect both of these problems can be solved with some tweaks.

What is this SLG algorithm anyway?

There is a lot of excellent work exploring the SLG algorithm and extensions to it. In this blog post I will just focus on the particular variant that I implemented for Chalk, which was heavily based on this paper “Efficient Top-Down Computation of Queries Under the Well-formed Semantics” by Chen, Swift, and Warren (JLP ‘95), though with some extensions from other work (and some of my own).

Like a traditional Prolog solver, this new solver explores all possibilities in a depth-first, tuple-at-a-time fashion, though with some extensions to guarantee termination[1]. Unlike a traditional Prolog solver, however, it natively incorporates tabling and has a strong story for negative reasoning. In the rest of the post, I will go into each of those bolded terms in more detail (or you can click on one of them to jump directly to the corresponding section).

All possibilities, depth-first, tuple-at-a-time

One important property of the new SLG-based solver is that it, like traditional Prolog solvers, is complete, meaning that it will find all possible answers to any query[2]. Moreover, like Prolog solvers, it searches for those answers in a so-called depth-first, tuple-at-a-time fashion. What this means is that, when we have two subgoals to solve, we will fully explore the implications of one answer through multiple subgoals before we turn to the next answer. This stands in contrast to our current solver, which rather breaks down goals into subgoals and processes each of them entirely before turning to the next. As I’ll show you now, our current solver can sometimes fail to find solutions as a result (but, as I’ll also discuss, our current solver’s approach has advantages too).

Let me give you an example to make it more concrete. Imagine this program:

    // sour-sweet.chalk
    trait Sour { }
    trait Sweet { }

    struct Vinegar { }
    struct Lemon { }
    struct Sugar { }

    impl Sour for Vinegar { }
    impl Sour for Lemon { }

    impl Sweet for Lemon { }
    impl Sweet for Sugar { }

Now imagine that we had a query like:

    exists<T> { T: Sweet, T: Sour }

That is, find me some type T that is both sweet and sour. If we plug this into Chalk’s current solver, it gives back an “ambiguous” result (this is running on my PR):

    > cargo run -- --program=sour-sweet.chalk
    ?- exists<T> { T: Sour, T: Sweet }
    Ambiguous; no inference guidance

This is because of the way that our solver handles such compound queries; specifically, the way it breaks them down into individual queries and performs e[...]

William Lachance: Mission Control: Ready for contributions

Fri, 20 Oct 2017 18:33:19 +0000

One of the great design decisions that was made for Treeherder was a strict separation of the client and server portions of the codebase. While its backend was moderately complicated to get up and running (especially into a state that looked at all like what we were running in production), you could get its web frontend running (pointed against the production data) just by starting up a simple node server. This dramatically lowered the barrier to entry, for Mozilla employees and casual contributors alike.

I knew right from the beginning that I wanted to take the same approach with Mission Control. While the full source of the project is available, unfortunately it isn’t presently possible to bring up the full stack with real data, as that requires privileged access to the athena/parquet error aggregates table. But since the UI is self-contained, it’s quite easy to bring up a development environment that allows you to freely browse the cached data which is stored server-side (essentially: git clone && yarn install && yarn start).

In my experience, the most interesting problems when it comes to projects like these center around the question of how to present extremely complex data in a way that is intuitive but not misleading. Probably 90% of that work happens in the frontend. In the past, I’ve had pretty good luck finding contributors for my projects (especially Perfherder) by doing call-outs on this blog. So let it be known: If Mission Control sounds like an interesting project and you know React/Redux/D3/MetricsGraphics (or want to learn), let’s work together!

I’ve created some good first bugs to tackle in the github issue tracker. From there, I have a galaxy of other work in mind to improve and enhance the usefulness of this project. Please get in touch with me (wlach) on #missioncontrol if you want to discuss further.

The Mozilla Blog: Bringing Mixed Reality to the Web

Fri, 20 Oct 2017 17:25:44 +0000

Today, Mozilla is announcing a new development program for Mixed Reality that will significantly expand its work in Virtual Reality (VR) and Augmented Reality (AR) for the web. Our initial focus will be on how to get devices, headsets, frameworks and toolsets to work together, so web developers can choose from a variety of tools and publishing methods to bring new immersive experiences online – and have them work together in a fully functional way.

In 2017, we saw an explosion of ways to create and experience Virtual Reality (VR) content on the web. Notable events included:

  • Mozilla shipped the WebVR API in Firefox
  • Oculus browser and Samsung Internet shipped WebVR for Gear VR
  • Microsoft is shipping WebVR in Edge
  • VR frameworks A-Frame and ReactVR gained massive popularity
  • A wide variety of tools such as PlayCanvas, Vizor, WebVR Studio, and Sketchfab launched to address the growing AR/VR development community

So the VR space is coalescing nicely, bringing VR models, games, and experiences online for anyone to enjoy and reuse. Unfortunately, the same is not yet true for AR. For instance, there is no way today to create a single web page that can be viewed by all these device types:

  • VR devices
  • Desktop AR devices like the Meta 2
  • Mobile devices that use iOS ARKit or Android ARCore
  • Standalone AR headsets like Microsoft Hololens and ODG R9 smartglasses

The Mixed Reality program aims to change that. We plan to work on the full continuum of specifications, browser implementations, and services required to create open VR and AR web experiences.

Proposing a WebXR API

We have created a draft WebXR API proposal for providing access to both augmented and virtual reality devices. The WebXR API formalizes the different ways these technologies expose views of reality around the user, and it exposes concepts common in AR platforms such as the Anchors found in Hololens, ARKit, and ARCore. You can take a look at an early implementation of this proposal, complete with examples that run on a range of AR- and VR-capable browsers.

WebXR is designed to make it easy for web developers to create web applications that adapt to the capabilities of each platform. These examples run in WebVR- and AR-enabled browsers, including desktop Firefox and experimental browsers such as one supporting ARCore on Android (although each small example is targeted at AR or VR for simplicity). We have developed an open-source WebXR Viewer iOS application that uses ARKit to implement AR support for these WebXR examples; it will be available in iTunes soon, but you can compile it yourself now if you have an iOS Developer account. We will be offering support for more browsers in the future, and welcome others to contribute to this effort and provide feedback on the proposal on GitHub.

Growing support for 3D Browsers

We are also expanding our browser support for Mixed Reality on the web. On desktop, we continue to evolve Firefox with broader 3D support, including recently announcing see-through AR support for Meta’s AR headset.

We are also developing a 3D mobile browser platform, based on our Servo project, that enables a new class of Mixed Reality headworn displays, expected to come to market in the near term. We will share more on this work soon, but some early teases include Servo DOM-to-Texture support and integrated support for Qualcomm’s Snapdragon 835 standalone VR hardware.

Ways to Contribute

We look forward to your feedback on WebXR, as well as engaging with hardware and software developers who might wish to collaborate with us in this space or Servo.

Stay tuned for upcoming updates from us on more ways to produce WebVR content from popular authoring tools, experimental browser features for better access to the GPU, in-headset content discovery, and open, cross-platform social services.

We welcome Mixed Reality har[...]

Chris H-C: An Unofficial Guide to Unofficial Swag: Stickers

Fri, 20 Oct 2017 14:04:57 +0000

Mozillians like stickers. However! Mozilla doesn’t print as many stickers as you might think it does. Firefox iconography, moz://a wordmarks, All Hands-specific rounds, and Mozilla office designs are the limit of official stickers I’ve seen come from official sources. The vast majority of sticker designs are unofficial, made by humans like you! This guide contains tips that should help you create and share your own unofficial stickers.
(original poster by Tom Jung, modifications by :Yoric and myself. Use under CC-BY-SA 3.0)
Design

I’m not a designer. Luckily for my most recent printing project I was simply updating the existing design you see above. If you are adapting someone else’s design, ensure you either have permission or are staying within the terms of the design’s license. Basic Firefox product identity assets are released under generous terms for remixing, for instance.

Size

The bigger they are, the harder they are to fit in a pocket or on the back of a laptop screen. Or in carry-on. The most successful stickers I’ve encountered have been at most 7cm on the longest side (or in diameter, for rounds), and many have been much smaller. With regards to size, less may in fact be more, but you have to balance this with any included text which must be legible. The design I used wouldn’t work much smaller than 7cm in height, and the text is already a little hard to read.

Distribution

How will you distribute these? If your design is team-specific, a work week is a good chance to hand them out individually. If the design is for a location, then pick a good gathering point in that location (lunchrooms are a traditional and effective choice), fan out some dozen or two stickers, and distribution should take care of itself. All Hands are another excellent opportunity for individual and bulk distribution. If the timing doesn’t work out well to align with a work week or an All Hands, you may have to resort to mailing them over the globe yourself. In this case, foster contacts in Mozilla spaces around the world to help your stickers make it the last mile into the hands and onto the laptops of your appreciative audience.

Volume

50 is a bare minimum both in what you’ll be permitted to purchase by the printer and in how many you’ll want to have on hand to give away. If your design is timeless (i.e. doesn’t have a year on it, doesn’t refer to a current event), consider making enough leftovers for the future. If your design is generic enough that there will be interest outside of your team, consider increasing supply for this demand. Generally the second 50 stickers cost a pittance compared to the first 50, so don’t be afraid to go for a few extra.

Funding

You’ll be paying for this yourself. If your design is team-specific and you have an amenable expense approver you might be able to gain reimbursement under team-building expenses… But don’t depend on this. Don’t spend any money you can’t afford. You’re looking at between 50 to 100 USD for just about any number of any kind of sticker, at current prices.

Location

I’m in Canada. The sticker printer I chose most recently (stickermule) was in the US. Unsurprisingly, it was cheaper and faster to deliver the stickers to the US. Luckily, :kparlante was willing to mule the result to me at the San Francisco All Hands, so I was able to save both time and money. Consider these logistical challenges when planning your swag.

Timing

Two weeks before an All Hands is probably too late to start the process of generating stickers. I’ve made it happen, but I was lucky. Be more prepared than I was and start at least a month ahead. (As of publication time you ought to have time to take care of it all before Austin).

Printing

After pu[...]

Daniel Stenberg: My night at the museum

Fri, 20 Oct 2017 11:30:38 +0000

Thursday October 19, 2017, I arrived at the Technical Museum in Stockholm together with my two kids just a short while before 17:30. A fresh, cool and clear autumn evening. For this occasion I had purchased myself a brand new suit as I hadn’t gotten one since almost twenty years before this and it had been almost that long since I last wore it. I went for a slightly less conservative purple colored shirt with the dark suit.

Apart from my kids, my wife was of course also present and so was my brother Björn and my parents in law. Plus a few hundred other visitors, most of them of course unknown to me.

My eleven year old son truly appreciates this museum so we took the opportunity to quickly check out parts of the exhibitions while the pre-event mingling went on and drinks were served. Not too long though as we were soon asked to proceed to the restaurant part and take our assigned seats. I was seated at table #6.

The whole evening was not entirely “mine”, but as I am the winner of this year’s Polhem Prize it was set up to eventually lead to the hand over of the award to me. An evening for me. Lots of attention on me and references to my work throughout the evening, that otherwise had the theme of traffic safety (my guess is that’s partly due to last year’s Prize winner who was a lead person in the invention of seat belts in cars).

A three-course dinner, with some entertainment intermixed. At my table I sat next to some brilliant and interesting people and I had a great time and good conversations. Sitting across the table from His Majesty the king of Sweden was an unexpected and awesome honor.

Somewhere mid-through the evening, a short movie was presented on the big screens. A (Swedish-speaking) movie with me trying to explain what curl is, what it does and why I’ve made it. I think the movie was really great and I think it helps explaining curl to non-techies (including my own family). The movie is the result of a perhaps 40 minutes interview/talk we did on camera and then a fair amount of skilled editing by the production company. (Available here.)

At around 21:30 I was called on stage. I received a gold medal from the king and shook his hand. I also received a diploma and a paper with the award committee’s motivation for me getting the prize. And a huge bouquet of lovely flowers. A bit more than what I could hold in my arms really.

(me, and Carl XVI Gustaf, king of Sweden)

As the king graciously offered to hold my diploma and medal, I took the microphone and expressed a few words of thanks. I was and I still am genuinely and deeply moved by receiving this prize. I’m happy and proud. I said my piece in which I explicitly mentioned my family members by name: Anja, Agnes and Rex for bearing with me.

(me, H.M the king and Cecilia Schelin Seidegård)

Afterwards I received several appraisals for my short speech which made me even happier. Who would’ve thought that was even possible?

I posed for pictures, shook many hands, received many congratulations and I even participated in a few selfies until the time came when it was time for me and my family to escape into a taxi and go home.

What a night. In the cab home we scanned social media and awed over pictures and mentions. I hadn’t checked my phone even once during the event so it had piled up a bit. It’s great to have so many friends and acquaintances who shared this award and moment with us!

I also experienced a strong “post award emptiness” sort of feeling. Okay, that was it. That was great. Now it’s over. Back to reality again. Back to fixing bugs and responding to emails.

Thank you everyone who contributed to this! In whatever capacity.

The Swedish motivation (shown in a picture above) goes like this, translated to English with goog[...]

JavaScript at Mozilla: HolyJit: A New Hope

Fri, 20 Oct 2017 11:07:28 +0000

tl;dr: We believe there is a safer and easier way of writing a Jit.

Current State

Today, all browsers’ Jits share a similar design. This design makes extending the language or improving its performance time-consuming and complex, especially while avoiding security issues.

For instance, at the time of this writing, our Jit relies upon ~15000 lines of carefully crafted, hand-written assembly code (~36000 in Chromium’s v8). The Jit directory represents 5% of all the C++ code of Firefox, and contains 3 of the top 20 largest files of Firefox, all written by hand.

Interestingly, these files all contain code that is derived by hand from the Interpreter and a limited set of built-in functions of the JavaScript engine. But why do it by hand, when we could automatize the process, saving time and risk? HolyJit is exploring this possibility.

Introducing HolyJit (prototype)

This week, during the JS Team meetup, we have demonstrated the first prototype of a Rust meta-Jit compiler, named HolyJit. If our experiment proves successful, we believe that employing a strategy based on HolyJit will let us avoid many potential bugs and let us concentrate on strategic issues. This means more time to implement JavaScript features quickly and further improve the speed of our Jit.


For instance, in a recent change, we extended the support of optimizations to Array.prototype.push. What should have been a trivial modification required diving into safety-critical code and adding 135 lines of code, and reading even more code to check that we were not accidentally breaking invariants.

With HolyJit, what should have been a trivial change would effectively have been a trivial change. The following change to a hypothetical JS Jit built with HolyJit does exactly the same thing as the previous patch, i.e. allowing the Jit to inline the Array.prototype.push function when it is being called with more than one argument.

 fn array_push(args: &CallArgs) -> Result {
-    jit_inline_if!(args.len() == 1);
+    jit_inline_if!(args.len() >= 1);
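Review bot: the relaxed condition on the `+` line, `args.len() >= 1`, has no upper bound, so the inlined path is now taken for any number of arguments, and nothing in the hunk documents that the inlined body is valid for an arbitrary count. Suggest a short comment next to `jit_inline_if!` stating that invariant, plus a test that calls push with zero, one and several arguments so the `args.len() == 0` fallback stays covered.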

By making changes self-contained and simple, we hope that HolyJit will improve the safety of our Jit engine, and let us focus on optimizations.

HolyJit Repository:

Thanks to David Teller, Jason Orendorff, Sean Stangl, Jon Coppeard for proof reading this blog post.

Air Mozilla: [Rescheduled event]

Fri, 20 Oct 2017 02:00:00 +0000

[Rescheduled]

Mozilla GFX: WebRender newsletter #8

Thu, 19 Oct 2017 17:26:11 +0000

Better late than never for the 8th newsletter. On the WebRender side, things keep getting faster and look smoother which is always nice. On Gecko’s side the work is, as always, hard to summarize but there are some self contained bits worth getting excited about like the great progress on reducing the overhead of building and transferring the display list to the parent process.

Lin Clark wrote an excellent blog post about WebRender. Now that the post is out I’ll resume working on the series I started about WebRender on this blog, focusing on areas that were not included in Lin’s post and delving into some of the gory details of 2D rendering. Hopefully I’ll have time to work on this soon.

Notable WebRender changes

  • A large improvement in deserialization performance. This improved GMail drawing from 150 fps to 200 fps.
  • Nical improved (and fixed bugs in) the anti-aliasing of all rendering primitives.
  • Jerry added fallback paths to avoid crashing when some very large texture allocations fail.
  • Glenn made semi transparent text support sub-pixel anti-aliasing.
  • Glenn fixed text clipping.
  • Morris fixed a floating point precision issue in plane splitting (a method used to render 3d transforms with preserve-3d).
  • Gankro fixed several shadow rendering issues.
  • Martin fixed a bug with nested clips in position-sticky frames.

Notable Gecko changes

  • Further WebRender display list building time improvements
    • We now build the WebRender text display items directly during text paint instead of a two pass approach where we’d gather the information and then in a second pass construct the WebRender display items.
    • Inlining ToRelativeLayoutPoint to further speed up WebRender text display item construction.
  • Gankro made us stop hitting the fallback path for most elements in nsFieldSetFrame (in particular those used on GMail).
  • Sotaro ensured canvas updates are sent to the compositor on empty transactions.

Will Kahn-Greene: rob-bugson 1.0: or how I wrote a webextension

Thu, 19 Oct 2017 16:00:00 +0000

I work on Socorro and other projects which use GitHub for version control and code review and use Mozilla's Bugzilla for bug tracking.

After creating a pull request in GitHub, I attach it to the related Bugzilla bug which is a contra-dance of clicking and copy-and-paste. Github tweaks for Bugzilla simplified that by adding a link to the GitHub pull request page that I could click on, edit, and then submit the resulting form. However, that's a legacy addon and I use Firefox Nightly and it doesn't look like anyone wrote a webextension version of it, so I was out-of-luck.

Today, I had to bring in my car for service and was sitting around at the dealership for a few hours. I figured instead of working on Socorro things, I'd take a break and implement an attach-pr-to-bug webextension.

I've never written a webextension before. I had written a couple of addons years ago using the SDK and then Jetpack (or something like that). My JavaScript is a bit rusty, especially ES6 stuff. I figured this would be a good way to learn about webextensions.

It took me about 4 hours of puzzling through docs, writing code, and debugging and then I had something that worked. Along the way, I discovered exciting things like:

  • host permissions let you run content scripts in web pages
  • content scripts can't access browser.tabs--you need a background script for that
  • you can pass messages from content scripts to background scripts
  • seems like everything returns a promise, but async/await make that a lot easier to work with
  • the attachment page on Bugzilla isn't like the create-bug page and ignores querystring params

The MDN docs for writing webextensions and the APIs involved are fantastic. The webextension samples are also great--I started with them when I was getting my bearings.

I created a new GitHub repository. I threw the code into a pull request making it easier for someone else to review it. Mike Cooper kindly skimmed it and provided insightful comments. I fixed the issues he brought up.

TheOne helped me resurrect my AMO account which I created in 2012 back when Gaia apps were the thing.

I read through Publishing your webextension, generated a .zip, and submitted a new addon.

About 10 minutes later, the addon had been reviewed and approved.

Now it's a thing and you can install rob-bugson.

Air Mozilla: Reps Weekly Meeting Oct. 19, 2017

Thu, 19 Oct 2017 16:00:00 +0000

This is a weekly call with some of the Reps to discuss all matters about/affecting Reps and invite Reps to share their work with everyone.

Hacks.Mozilla.Org: How we rebuilt the website

Thu, 19 Oct 2017 14:41:16 +0000

As a front-end developer at Mozilla, I end up working on big sites that have been around for a long time. There are a lot of interesting challenges when working with legacy code at a large scale, but rebuilding from scratch usually isn’t an option. The View Source Conference website, on the other hand, is a small site. So when we decided to move away from WordPress, we had the chance to start fresh. Here are a few highlights of the architectural decisions we made to make the site faster, more secure, and more reliable.

A Static Site

When a user requests a page from a CMS (content management system) like WordPress the server puts it together from databases and templates. This takes the server a small amount of time. When a site is built on request like this we call it a “dynamic” website. When a user requests a page from a static site the server only has to find and serve one file. It’s faster and takes fewer resources. We used a static site generator to generate our files before transferring them to the server. Static files are also easier to copy than dynamic sites, this means we can copy our static site to different CDNs (content delivery networks) around the world. Getting our content closer to our users is a very effective way to reduce latency which is one of the biggest hurdles to delivering a site fast.

Offline First

A service worker is JavaScript that runs in a browser but not as part of a page. The most common use for service workers is to watch network requests and respond instead of the server. I wanted to be sure the conference attendees would have access to the event schedule, even if they didn’t have wifi. So, when a user arrives on the site, browsers that support service workers automatically cache the conference schedule. If the user returns to the site without a network connection the service worker will reply to the request with the cached schedule. I am very grateful for the documentation published by The Guardian, Jeremy Keith, and others who are already using Service Workers.

Mobile First

When responsive web design first became the norm, the industry standard was to serve the full desktop site to all browsers with a bunch of extra code telling mobile browsers which pieces to remove to make the simplified mobile version. With the spread of mobile came the Mobile First development approach. Mobile first delivers the content and code for the mobile version of a site first and then the larger more powerful desktop computers do the work of creating a better large screen experience. The View Source Conf site starts as a minimal mobile-friendly version. Then media queries in CSS and media queries in JavaScript add more complicated layout instructions for larger screens.

SVG

I used inline SVGs for the logo and icons. They look crisper on retina screens and, because they’re inline, don’t require any extra assets to download. Inlining also meant that I could change the logo’s colour in our print styles. It was my first time creating accessible SVGs.

No Script

All the content and functionality on the View Source site works with JavaScript disabled. Instead of sending shims and polyfills to older browsers to make them handle newer JavaScript features, we support those browsers by telling them not to load the JavaScript at all. This meant we could write modern JavaScript! It also simplified testing. Less capable browsers just get functional, readable content, with no chance for odd JavaScript errors. This isn’t a new idea, it’s progressive enhancement combined with the BBC News’ “Cut the Mustard” test.

HTTPS

HTTPS protects the pr[...]

Chris H-C: Two-Year Moziversary

Thu, 19 Oct 2017 13:35:02 +0000

Today marks two years since I became a Mozillian and MoCo Staff.

What did I do this year… well, my team was switched out from under me again. This time it was during the large Firefox + Platform reorg, and basically means my team (Telemetry Client Engineering) now has a name that more closely matches what I do: writing client-side Telemetry code, performing ad hoc data analysis, and reading a lot of email. I still lurk on #fce and answer questions for :ddurst about data matters from time to time, so it’s not a clean break by any means.

This means my work has been a little more client-focused. I completed my annual summer Big Refactor or Design Thing That Takes The Whole Summer For Some Reason. Last year it was bug 1218576 (whose bug number is lodged in my long-term memory and just won’t leave). This year it was bug 1366294 and its friends where, in support of Quantum, we reduced our storage overhead per-process by quite a fair margin. At the same time we removed excessive string hashes, fast-pathing most operations.

Ah, yes: Quantum. Every aspect of Firefox was under scrutiny… and from a data perspective. I’ve lost count of the number of times I’ve been called in to consult on data matters in support of the quickening of the new Firefox Quantum (coming this November to an Internet Near You!). I even spent a couple days in Toronto as part of a Quantum work week to nail down exactly what we could and should measure before and after shipping each build. A pity I didn’t leave myself more time to just hang out with the MoCoTo folks.

In All Hands news we hit Hawai’i last December. Well, some of us did. With the unrest in the United States and the remoteness of the location this was a bit more of a Most Hands. Regardless, it was a productive time. Not sure how we managed to find so much rain and snow in a tropical desert, but we’re a special bunch I guess?

In June we were in San Francisco. There I ate some very spicy lunch and helped nail down some Telemetry Health metrics I’ve done some work on this autumn. Hopefully we’ll be able to get those metrics into Mission Control next year with proper thresholds for alerting if things go wrong.

This summer I mentored :flyingrub for Google Summer of Code. That was an interesting experience that ended up taking up quite a lot more time than I imagined it would when I started. I mean, sure, you can write it down on paper how many hours a week you’ll spend mentoring an intern through a project, and how many hours beforehand you’ll spend setting it up… but it’s another thing to actually put in the work. It was well worth it, and :flyingrub was an excellent contributor.

In last year’s Moziversary post I resolved to blog more, think more, and mentor more. I’ve certainly mentored more, with handfuls of mentored bugs contributed by first-time community members and that whole GSoC thing. I haven’t blogged more, though, as though I’ve written 23 posts with only April and July going without a single writing on this here blog, last year I posted 27. I also am not sure I have thought more, as simple and stupid mistakes still cast long shadows in my mind when I let them.

So I guess that makes two New MozYear Resolutions (New Year Mozolutions?) easy:

  • actually blog more, even if they are self-indulgent vanity posts. (Let’s be honest, though: they’re all self-indulgent vanity posts).
  • actually think more. Make fewer stupid mistakes, or if that’s not feasible at least reduce the size of their influence on the world and my mind after I make them.

That might be enough to think a[...]

Daniel Pocock: FOSDEM 2018 Real-Time Communications Call for Participation

Thu, 19 Oct 2017 08:33:31 +0000

FOSDEM is one of the world's premier meetings of free software developers, with over five thousand people attending each year. FOSDEM 2018 takes place 3-4 February 2018 in Brussels, Belgium.

This email contains information about:

  • Real-Time communications dev-room and lounge,
  • speaking opportunities,
  • volunteering in the dev-room and lounge,
  • related events around FOSDEM, including the XMPP summit,
  • social events (the legendary FOSDEM Beer Night and Saturday night dinners provide endless networking opportunities),
  • the Planet aggregation sites for RTC blogs

Call for participation - Real Time Communications (RTC)

The Real-Time dev-room and Real-Time lounge is about all things involving real-time communication, including: XMPP, SIP, WebRTC, telephony, mobile VoIP, codecs, peer-to-peer, privacy and encryption. The dev-room is a successor to the previous XMPP and telephony dev-rooms. We are looking for speakers for the dev-room and volunteers and participants for the tables in the Real-Time lounge.

The dev-room is only on Sunday, 4 February 2018. The lounge will be present for both days.

To discuss the dev-room and lounge, please join the FSFE-sponsored Free RTC mailing list.

To be kept aware of major developments in Free RTC, without being on the discussion list, please join the Free-RTC Announce list.

Speaking opportunities

Note: if you used FOSDEM Pentabarf before, please use the same account/username

Real-Time Communications dev-room: deadline 23:59 UTC on 30 November. Please use the Pentabarf system to submit a talk proposal for the dev-room. On the "General" tab, please look for the "Track" option and choose "Real Time Communications devroom". Link to talk submission.

Other dev-rooms and lightning talks: some speakers may find their topic is in the scope of more than one dev-room. It is encouraged to apply to more than one dev-room and also consider proposing a lightning talk, but please be kind enough to tell us if you do this by filling out the notes in the form. You can find the full list of dev-rooms on this page and apply for a lightning talk at

Main track: the deadline for main track presentations is 23:59 UTC 3 November. Leading developers in the Real-Time Communications field are encouraged to consider submitting a presentation to the main track.

First-time speaking?

FOSDEM dev-rooms are a welcoming environment for people who have never given a talk before. Please feel free to contact the dev-room administrators personally if you would like to ask any questions about it.

Submission guidelines

The Pentabarf system will ask for many of the essential details. Please remember to re-use your account from previous years if you have one.

In the "Submission notes", please tell us about:

  • the purpose of your talk
  • any other talk applications (dev-rooms, lightning talks, main track)
  • availability constraints and special needs

You can use HTML and links in your bio, abstract and description.

If you maintain a blog, please consider providing us with the URL of a feed with posts tagged for your RTC-related work.

We will be looking for relevance to the conference and dev-room themes, presentations aimed at developers of free and open source software about RTC-related topics.

Please feel free to suggest a duration between 20 minutes and 55 minutes but note that the final decision on talk durations will be made by the dev-room administrators based on the received proposals. As the two previous dev-rooms have been combined into one, we may decide to give shorter slots than in previous years[...]

Robert O'Callahan: Microsoft's Chrome Exploitation And The Limitations Of Control Flow Integrity

Thu, 19 Oct 2017 01:37:31 +0000

Microsoft published an interesting blog post about exploiting a V8 bug to achieve arbitrary code execution in a Chrome content sandbox. They rightly point out that even if you don't escape the sandbox, you can break important Web security properties (e.g., assuming the process is allowed to host content from more than one origin, you can break same-origin restrictions). However, the message we're supposed to take away from this article is that Microsoft's CFI would prevent similar bugs in Edge from having the same impact. I think that message is basically wrong.

The problem is, once you've achieved arbitrary memory read/write from Javascript, it's very likely you can break those Web security properties without running arbitrary machine code, without using ROP, and without violating CFI at all. For example if you want to violate same-origin restrictions, your JS code could find the location in memory where the origin of the current document is stored and rewrite it to be a different origin. In practice it would be quite a lot more complicated than that, but the basic idea should work, and once you've implemented the technique it could be used to exploit any arbitrary read/write bug. It might even be easier to write some exploits this way than using traditional arbitrary code execution; JS is a more convenient programming language than ROP gadgets.

The underlying technical problem is that once you've achieved arbitrary read/write you can almost completely violate data-flow integrity within the process. As I recently wrote, DFI is extremely important and (unlike CFI) it's probably impossible to dynamically enforce with low overhead in the presence of arbitrary read/write, with any reasonable granularity.

I think there's also an underlying cultural problem here, which is that traditionally "Remote Code Execution" — of unconstrained machine code — has been the gold standard for a working exploit, which is why techniques to prevent that, like CFI, have attracted so much attention. But Javascript (or some other interpreter, or even some Turing-complete interpreter-like behavior) armed with an arbitrary memory read/write primitive is just as bad in a lot of cases.
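The distinction drawn in the post above, as an added toy model in C (not code from the original post or from any browser): a write that touches only the stored origin flips the same-origin decision while every indirect call still passes a modelled CFI check, whereas a function-pointer overwrite is caught. The `document` struct, the two origins, the write helper and the single-target CFI check are all constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration: one document's state inside a
 * content process. Every name and origin below is hypothetical. */
#define DOC_ORIGIN   "https://a.example"
#define OTHER_ORIGIN "https://b.example"

typedef int (*policy_fn)(const char *doc_origin, const char *target_origin);

struct document {
    char      origin[32]; /* security-critical data */
    policy_fn check;      /* indirect-call target, guarded by CFI */
};

struct outcome {
    int allowed;        /* 1 if the cross-origin read was permitted */
    int cfi_violations; /* indirect calls the modelled CFI rejected */
};

static int same_origin_policy(const char *doc_origin, const char *target) {
    return strcmp(doc_origin, target) == 0;
}

/* Present in the binary, but not a legitimate target for the policy call. */
static int allow_all(const char *doc_origin, const char *target) {
    (void)doc_origin; (void)target;
    return 1;
}

/* Modelled CFI: make the indirect call only if the pointer still holds the
 * target expected at this call site; otherwise count a violation and deny. */
static int cfi_checked_call(const struct document *d, const char *target,
                            int *violations) {
    if (d->check != same_origin_policy) {
        (*violations)++;
        return 0;
    }
    return d->check(d->origin, target);
}

/* Modelled memory-safety bug: a write anywhere inside the document object.
 * Bounded to the object so the demo itself has no undefined behaviour. */
static int model_write(struct document *d, size_t off, const void *src,
                       size_t len) {
    if (off > sizeof *d || len > sizeof *d - off)
        return -1;
    memcpy((unsigned char *)d + off, src, len);
    return 0;
}

static void init_doc(struct document *d) {
    memset(d, 0, sizeof *d);
    strcpy(d->origin, DOC_ORIGIN);
    d->check = same_origin_policy;
}

static struct outcome request_other_origin(const struct document *d) {
    struct outcome o = {0, 0};
    o.allowed = cfi_checked_call(d, OTHER_ORIGIN, &o.cfi_violations);
    return o;
}

/* No corruption: a.example asks for b.example data and is refused. */
struct outcome run_baseline(void) {
    struct document d;
    init_doc(&d);
    return request_other_origin(&d);
}

/* Data-only corruption: only the origin bytes change. The indirect call
 * still reaches its legitimate target, so the CFI check has no objection. */
struct outcome run_data_only(void) {
    struct document d;
    init_doc(&d);
    model_write(&d, offsetof(struct document, origin),
                OTHER_ORIGIN, sizeof OTHER_ORIGIN);
    return request_other_origin(&d);
}

/* Control-flow corruption: the function pointer changes. This is the case
 * CFI targets, and the modelled check rejects the call. */
struct outcome run_pointer_overwrite(void) {
    struct document d;
    policy_fn bad = allow_all;
    init_doc(&d);
    model_write(&d, offsetof(struct document, check), &bad, sizeof bad);
    return request_other_origin(&d);
}

int main(void) {
    struct outcome b = run_baseline(), v = run_data_only();
    struct outcome p = run_pointer_overwrite();
    printf("baseline:  allowed=%d cfi=%d\n", b.allowed, b.cfi_violations);
    printf("data-only: allowed=%d cfi=%d\n", v.allowed, v.cfi_violations);
    printf("pointer:   allowed=%d cfi=%d\n", p.allowed, p.cfi_violations);
    return 0;
}
```

For a defender, the data-only row is the one to note: the policy decision was changed and the control-flow monitor recorded nothing, so CFI telemetry alone cannot show that this class of corruption has not happened.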

Firefox Browser Architecture: Browser Architecture Newsletter 4

Thu, 19 Oct 2017 00:00:00 +0000

A newsletter on architecture review, XBL Conversion, Storage and Sync, Workflow Improvements and a developer survey

Florian Quèze: Thunderbird is the next version of Instantbird

Wed, 18 Oct 2017 21:55:00 +0000

Ten years ago, on October 18th 2007, I released Instantbird 0.1. I was soon joined by a team of enthusiastic hackers, and I hoped we could make a better IM client that would replace the painfully broken ones that were dominant at the time.

The Internet has changed a lot since then. Messaging has moved significantly toward mobile apps. The clients we were competing with mostly died themselves. Even the services we were connecting to are closing down (AOL, MSN, ...), or moved away from standard protocols (Facebook).

While we made a pretty good product, we never managed to attract a critical mass of users, and we lost half of them when the Facebook XMPP gateway was closed. Instantbird still has some uses (especially as an IRC client), but its user interface has aged significantly.

I don't think maintaining our infrastructure to support only a few thousand users is a good use of my time, and I've lost motivation to do it. While Instantbird regularly received code contributions from several people and had a nice and friendly community, nobody stood up to replace me and take care of our build infrastructure. This means we haven't been able to produce nightly builds for the last couple months, and are extremely unlikely to be able to ship a new release any time soon. It's time to announce that we are stopping development of Instantbird as a standalone product.

The code base isn't dying though! A large part of it is shared with Thunderbird (since it received chat support in 2012). Thunderbird is actively maintained, and has lots of users.

Instead of working on Instantbird, we'll refocus our energy on improving the chat features in Thunderbird, so that it becomes friendly for users who loved Instantbird and will seek a replacement. This should allow us to focus on features and not worry about infrastructure that was sapping our energy and time. Thunderbird is the spiritual successor to Instantbird![...]

Joel Maher: A formal introduction to Ionut Goldan – Mozilla’s new Performance Sheriff and Tool hacker

Wed, 18 Oct 2017 19:57:53 +0000

About 8 months ago we started looking for a full time performance sheriff to help out with our growing number of alerts and needs for keeping the Talos toolchain relevant.

We got really lucky and ended up finding Ionut (:igoldan on irc, #perf). Over the last 6 months, Ionut has done a fabulous job of learning how to understand Talos alerts, graphs, scheduling, and narrowing down root causes. In fact, he has not only been able to easily handle all of the Talos alerts, Ionut has picked up alerts from Autophone (Android devices), Build Metrics (build times, installer sizes, etc.), AWSY (memory metrics), and Platform Microbenchmarks (tests run inside of gtest written by a few developers on the graphics and stylo teams).

While I could probably write a list of Ionut’s accomplishments and some tricky bugs he has sorted out, I figured your enjoyment of reading this blog is better spent on getting to know Ionut better, so I did a Q&A with him so we can all learn much more about Ionut.

Tell us about where you live?

I live in Iasi. It is a gorgeous and colorful town, somewhere in the North-East of Romania. It is full of great places and enchanting sunsets. I love how a casual walk leads me to new, beautiful and peaceful neighborhoods.

I have many things I very much appreciate about this town: the people here, its continuous growth, its historical resonance, the fact that its streets once echoed the steps of the most important cultural figures of our country. It also resembles ancient Rome, as it is also built on 7 hills.

It’s pretty hard not to act like a poet around here.

What inspired you to be a computer programmer?

I wouldn’t say I was inspired to be a programmer.

During my last years in high school, I occasionally consulted with my close ones. Each time we concluded that IT is just the best domain to specialize in: it will improve continuously, there will be jobs available; things that are evident nowadays.

I found much inspiration in this domain after the first year in college, when I noticed the huge advances and how they’re conducted. I understood we’re living in a whole new era. Digital transformation is now the coined term for what’s going on.

Any interesting projects you have done in the past (school/work/fun)?

I had the great opportunity to work with brilliant teams on a full advertising platform, from almost scratch.

It got almost everything: it was distributed, highly scalable, completely written in Python 3.X, the frontend adopted material design, NoSQL database in conjunction with SQL ones… It used some really cutting-edge libraries and it was a fantastic feeling.

Now it’s Firefox. The sound name speaks for itself and there are just so many cool things I can do here.

What hobbies do you have?

I like reading a lot. History and software technology are my favourite subjects.

I enjoy cooking, when I have the time. My favourite dish definitely is the Hungarian goulash.

Also, I enjoy listening to classical music.

If you could solve any massive problem, what would you solve?

Greed. Laziness. Selfishness. Pride.

We can resolve all problems we can possibly encounter by leveraging technology.

Keeping non-values like those mentioned above would ruin every possible achievement.

Where do you see yourself in 10 years?

In a peaceful home, being a happy and caring father, spending time and energy with my loved ones. Always trying to be the best example for them. I envision becoming a t[...]

Air Mozilla: Mozilla Festival 2017 - Volunteer Training

Wed, 18 Oct 2017 18:30:00 +0000

Training evening for those volunteering as part of Mozilla Festival 2017.

Sam Foster: On finding productivity

Wed, 18 Oct 2017 17:55:35 +0000

Recently, I joined a new-to-me team at Mozilla and started working on Firefox. It’s not been an easy transition - from the stuff I was doing in the Connected Devices group to getting back to fixing bugs and writing code every day. And not just any code: the Firefox codebase is large and spread across a couple of decades. Any change is an exercise in code-sleuthing, to understand what it does today, why it was implemented that way and how to implement a patch that doesn’t fix one thing while breaking a dozen others.

My intuition on how long a task should take has been proven so wildly wrong so many times in the last few months that I’ve had to step back and do some hard thinking. Do I just suck at this? Or am I pushing hard but in the wrong direction? Sometimes I think I’m just getting worse as a developer/software engineer over time, not better.

In truth, I have good days and bad days. On the bad days, the slightest snag, obfuscation of the problem, or ambiguity around how to proceed can freeze me up. I stare at it, futz with it. Procrastinate. Every possible action seems too complicated for my small brain, or to highlight something I haven’t learned well enough to proceed with. On these days, I count any movement forward at all as a success. Some trivial bug fixed, some observation noted down - it’s better than nothing.

Then there are the good days. By their nature they are not as note-worthy or memorable. I work through the tasks in front of me, fixing bugs and getting stuff done. I follow the trail to the end, note the solution and implement it. Maybe I see opportunities for future improvements or help out a colleague. The day ends and I go home feeling satisfied and ready to go at it again the next day.

Checklists and self-hacks

I’ve tried out lots of ways of turning bad days into good days. I have a list of check lists that I sometimes have the presence of mind to consult. One example goes like this:

For extrication from the weeds:

  • Q: What needs to be accomplished? Is there a logical set of steps to get from here to there?
  • Q: Has this been done before? What patterns already exist for solving this kind of problem?
  • Q: How many problems are you trying to solve? (Hint, the answer should be one)
  • Q: Could the next step be simplified and still be useful?

And there are others - for starting a new feature, for code reviews, for wrapping up and landing a patch. Check-lists are great - they are a concise way of distilling hard-won experience into something actionable and repeatable.

I keep notes on each task or bug I’m working on. I find a good first step is to write down all the questions that pertain to the problem, however obvious or simple. This list of questions then forms a task list and I can start filling in answers. Finding an answer to a question like “Q: wtf is this function supposed to do?” is a discrete, achievable task that removes an unknown and builds momentum. (A search of the code repository and bug database can tell me when it was introduced, by who and what problem it solved at the time.) Further questions start to close up the gaps in my knowledge and point to a path forward.

Sometimes, just re-writing out the problem as I understand it is enough to nudge me out of paralysis. It’s a kind of rubber duck debugging. Re-reading my earlier notes might jog something. Other times, the best thing I can do is stand up and walk away for[...]

Air Mozilla: Rust Berlin Meetup October 2017

Wed, 18 Oct 2017 17:15:00 +0000

Talks: Arvid E. Picciani ( Application container deployment for the Internet of Things with Rust Solving containerization on very constrained devices will enable a new...

Air Mozilla: The Joy of Coding - Episode 117

Wed, 18 Oct 2017 17:00:00 +0000

mconley livehacks on real Firefox bugs while thinking aloud.

Air Mozilla: Weekly SUMO Community Meeting October 18, 2017

Wed, 18 Oct 2017 16:00:00 +0000

This is the SUMO weekly call

QMO: Firefox 57 Beta 8 Testday Results

Wed, 18 Oct 2017 14:23:40 +0000

Hello everyone,

As you may already know, last Friday – October 13th – we held a new Testday event, for Firefox 57 Beta 8.

Thank you all for helping us make Mozilla a better place: Surentharan R.A and Suren.
Thank you India community: Surentharan R.A and K. Bhuvana Meenakshi.
Thank you Bangladesh community: Huque Nayeem, Tanvir Rahman, Humayra Khanum, Saheda Reza Antora, Maruf Rahman, Md. Almas Hossain, Syed Nayeem Roman, Ratul Islam Mizanur Rahman, Sontus Chandra Anik, Sajedul Islam, Sahara Samia Sam and Md. Rahimul islam.


– several test cases executed for Activity Stream, Photon Structure and Photon Onboarding Tour Notifications & Tour Overlay 57 features;
– several bugs were verified: 1399963, 1396205, 1404286, 1395332 and 1404651

Thanks for another successful testday!

We hope to see you all in our next events, all the details will be posted on QMO!

Michael Kaply: The Future of Keyword Search

Wed, 18 Oct 2017 13:45:50 +0000

A lot of folks have been asking about the future of my Keyword Search extension with the switch to WebExtensions coming with Firefox 57. Unfortunately, because Keyword Search relies on the internals of browser search as well as access to privileged pages, it can’t be simply ported to a WebExtension.

What I’ve done instead is created a WebExtension that uses the omnibox API. In order to execute a keyword search, you simply type the letter “k” followed by a space and then the search. That search will be sent to the Keyword Search WebExtension.

Because I don’t have access to the list of search engines in the browser, I’ve just created a basic set based on the US version of Firefox. You can also set a custom search URL. If you’d like your favorite search engine added to Keyword Search, please let me know.

I’ve also decided to make this a completely different extension on AMO so that existing users are not migrated. You can get the new extension here.

The Mozilla Blog: Mozilla brings Microsoft, Google, the W3C, Samsung together to create cross-browser documentation on MDN

Wed, 18 Oct 2017 13:00:01 +0000

Today, Mozilla is announcing a plan that grows collaboration with Microsoft, Google, and other industry leaders on MDN Web Docs. The goal is to consolidate information about web development for multiple browsers – not just Firefox. To support this collaboration, we’re forming a Product Advisory Board that will formalize existing relationships and guide our progress in the years to come.

Why are we doing this? To make web development just a little easier.

“One common thread we hear from web developers is that documentation on how to build for the cross-browser web is too fragmented,” said Daniel Appelquist, Director of Developer Advocacy at Samsung Internet and Co-Chair of W3C’s Technical Architecture Group. “I’m excited to be part of the efforts being made with MDN Web Docs to address this issue and to bring better and more comprehensive documentation to developers worldwide.”

More than six million web developers and designers currently visit MDN Web Docs each month – and readership is growing at a spectacular rate of 40 percent, year over year. Popular content includes articles and tutorials on JavaScript, CSS and HTML, as well as detailed, comprehensive documentation of new technologies like Web APIs.

Community contributions are at the core of MDN’s success. Thousands of volunteers have helped build and refine MDN over the past 12 years. In this year alone, 8,021 users made 76,203 edits, greatly increasing the scope and quality of the content. Cross-browser documentation contributions include input from writers at Google and Microsoft; Microsoft writers have made more than 5,000 edits so far in 2017. This cross-browser collaboration adds valuable content on browser compatibility and new features of the web platform. Going forward, Microsoft writers will focus their Web API documentation efforts on MDN and will redirect relevant pages from Microsoft Developer Network to MDN.

A Broader Focus

Now, the new Product Advisory Board for MDN is creating a more formal way to absorb all that’s going on across browsers and standards groups. Initial board members include representatives from Microsoft, Google, Samsung, and the W3C, with additional members possible in the future. By strengthening our relationships with experts across the industry, the Product Advisory Board will ensure MDN documentation stays relevant, is browser-agnostic, and helps developers keep up with the most important aspects of the web platform.

“The reach of the web across devices and platforms is what makes it unique, and Microsoft is committed to helping it continue to thrive,” said Jason Weber, Partner Director of Program Management, Microsoft Edge. “We’re thrilled to team up with Mozilla, Google, and Samsung to create a single, great web standards documentation set on MDN for web developers everywhere.”

Mozilla’s vision for the MDN Product Advisory Board is to build collaboration that helps the MDN community, collectively, maintain MDN as the most comprehensive, complete, and trusted reference documenting the most important aspects of modern browsers and web standards. The board’s charter is to provide advice and feedback on MDN content strategy, strategic direction, and platform/site fe[...]

Air Mozilla: Privacy as a Competitive Advantage with Gry Hasselbalch

Wed, 18 Oct 2017 12:00:00 +0000

Today it's a competitive edge for companies to respect user privacy and their right to control their own data. The organizations who view data ethics...

Cameron Kaiser: KRACK is wack on Power Macs

Wed, 18 Oct 2017 03:49:21 +0000

After WEP fell due to the 2001 Fluhrer-Mantin-Shamir attack, WPA2 became the standard way to secure a WiFi connection. Now, the mighty have fallen due to KRACK (Key Reinstallation AttACK), meaning no WiFi network is safe.

KRACK is particularly wack problematic because there are multiple varieties of attack and virtually every system tested was vulnerable to at least one of them:

The attacks concentrate primarily on the handshakes used to distribute keys, including the 4-way handshake used to bring up a new client ("supplicant"). This last point is particularly relevant because Mavericks and Sierra were both vulnerable to attacks on the 4-way handshake but iOS 10.3.1 is not. We can confidently assume that 10.4 and 10.5 (and 10.6, for that matter) are vulnerable in the same or similar ways that at least 10.9.5 is (I'll dive into this in a moment), but the situation is really bad for Linux. wpa_supplicant 2.6 and prior are vulnerable to all of the variants, including current PPC Linux users and devices running Android 6.0+. These will almost certainly be patched eventually, even considering the shrinking support for 32-bit PowerPC in Linux. OpenBSD is also vulnerable, but patches emerged prior to the embargo, and its close relative NetBSD will likely be repaired in a similar fashion. Microsoft has quietly issued a Patch Tuesday update that covers KRACK. There are reports that the issue is already patched in current betas of macOS and iOS, but it's not clear yet if these patches will be backported to Sierra or El Capitan.

10.5 and earlier exclusively use the private framework Apple80211.framework for WiFi connectivity. Although the public wireless networking framework CoreWLAN was introduced with 10.6, the later private framework CoreWifi is not present and a comparison of symbols shows subsequent upgrades to Apple80211's functionality in Snow Leopard, so it is very likely in use invisibly there as well. Although this framework still exists in 10.12, it does not appear to be used or linked by CoreWLAN, implying it was since internally deprecated.

Apple never documented this framework or made it open source, but there have been attempts to reverse engineer it. However, the necessary changes likely mean inserting more sanity checks during the key handshake, which would require a bit more than just patching the library in place. I've done a little preliminary disassembly of it but I haven't found where this critical section exists yet. However, there is a tool in this framework which will be very helpful to determine your actual risk; read on.

WPA2 has three major encryption protocols, only two of which are supported by PPC Mac OS X, namely TKIP (a legacy encryption protocol from WEP intended as an interim compatibility measure), and AES-CCMP, a more secure protocol which is supported in 10.3.3+ and is sometimes just abbreviated "AES" (incorrectly) or "CCMP." TKIP was deprecated in 2012, but is still often used. The last form is GCMP, which no Power Mac supports in OS X and is part of 802.11ac Gigabit WiFi. This turns out to be a blessing, because KRACK can actually recover the key from GCMP-based connections and forge packets in both directi[...]

Anne van Kesteren: Dara

Tue, 17 Oct 2017 20:29:48 +0000


Joel Maher: Talos tests- summary of recent changes

Tue, 17 Oct 2017 19:15:30 +0000

I have done a poor job of communicating status on our performance tooling, this is something I am trying to rectify this quarter. Over the last 6 months many new talos tests have come online, along with some differences in scheduling or measurement. In this post I will highlight many of the test related changes and leave other changes for a future post.

Here is a list of new tests that we run:

* cpstartup – (content process startup: thanks :gabor)
* sessionrestore many windows – (instead of one window and many tabs, thanks :beekill)
* perf-reftest[-singletons] – (thanks bholley, :heycam)
* speedometer – (thanks :jmaher)
* tp6 (amazon, facebook, google, youtube) – (thanks :rwood, :armenzg)

These are also new tests, but slight variations on existing tests:

* tp5o + webextension, ts_paint + webextension (test web extension perf, thanks :kmag)
* tp6 + heavy profile, ts_paint + heavy profile (thanks :rwood, :tarek)

The next tests have been updated to be more relevant or reliable:

* damp (many subtests added, more upcoming, thanks :ochameau)
* tps – update measurements (thanks :mconley)
* tabpaint – update measurements (thanks :mconley)
* we run all talos tests on coverage builds (thanks :gmierz)

It is probably known to most, but earlier this year we stood up testing on Windows 10 and turned off our talos coverage on Windows 8 (big thanks to Q, for making this happen so fast)

Some changes that might not be so obvious, but worth mentioning:

* Added support for Time to first non blank paint (only tp6)
* Investigated mozAfterPaint on non-empty rects– updated a few tests to measure properly
* Added support for comparing perf measurements between tests (perf-reftests) so we can compare rendering time of A vs B- in this case stylo vs non-stylo
* tp6 requires mitmproxy for record/replay- this allows us to have https and multi host dns resolution which is much more real world than serving pages from http://localhost.
* Added support to wait for idle callback before testing the next page.

Stay tuned for updates on Sheriffing, non Talos tests, and upcoming plans. [...]

Air Mozilla: TechWomen 2017 Emerging Leader Presentations

Tue, 17 Oct 2017 18:30:00 +0000

As part of the TechWomen program, an Initiative of the U.S. Department of State's Bureau of Educational and Cultural Affairs, Mozilla has had the fortunate...

Hacks.Mozilla.Org: An Introduction to CSS Grid Layout: Part 1

Tue, 17 Oct 2017 16:46:18 +0000

This is the first post in a two-part series for getting started with CSS Grid Layout. If you are interested in learning more about CSS Grid and the new CSS Grid Layout feature in Firefox, visit the Firefox DevTools Playground.

CSS Grid Layout is completely changing the game for web design. It allows us to create complex layouts on the web using simple CSS.

“But wait! I can already create layouts with floats/hacks/tables/frameworks.”

This is true, but CSS Grid Layout is a two-dimensional grid system that is native to CSS. It is a web standard, just like HTML, and it works in all modern browsers. With CSS Grid Layout you can create precise layouts for the web. You can build orderly columns and rows, or artful overlapping content areas to create stunning new designs.

Ready? Let’s get started.

Before we dive into CSS Grid concepts, let’s cover some basic terminology.

Terminology

Grid lines: The vertical and horizontal lines that divide the grid and separate the columns and rows.
Grid cell: A single unit of a CSS grid.
Grid area: A rectangular space surrounded by four grid lines. A grid area can contain any number of grid cells.
Grid track: The space between two grid lines. This space can be horizontal or vertical.
Grid row: A horizontal track of a grid.
Grid column: A vertical track of a grid. Note: Rows and columns are switched if you are using a vertical writing mode.
Gutter: The space between rows and columns in a grid.
Grid container: The container that holds the entire CSS grid. It will be the element that has the display: grid or display: inline-grid property on it.
Grid item: Any element that is the direct child of a grid container.

…Got it? Let’s move on now to creating our first grid with CSS Grid Layout.

Create a grid

The first thing we want to do is create a grid container. We can do this by declaring display: grid on the container element. In this example we are using a div with the class of container.

Define rows and columns

There are several ways to define rows and columns. For our first grid, we will use properties grid-template-columns and grid-template-rows. These properties allow us to define the size of the rows and columns for our grid. To create a grid where the first two rows have a fixed-height of 150px and the first three columns have a fixed-width of 150px, simply write:

    grid-template-columns: 150px 150px 150px;
    grid-template-rows: 150px 150px;

To set the fourth column as 70px wide, write:

    grid-template-columns: 150px 150px 150px 70px;

…and so on to add more columns.

Note: In the above example, we defined an explicit grid of 3×2. If we place something outside of that defined grid, then CSS Grid Layout will create those rows and columns in the implicit grid. Implicit grids aren’t covered in this tutorial, but check out this article on MDN to learn more about implicit and explicit grids.

Add a gutter

Adding a gutter to your grid is amazingly easy with CSS Grid Layout. Simply add:

    grid-gap: 1rem;

That simple line of code gives you an equal-sized gutter between all rows and columns. To define t[...]

Hacks.Mozilla.Org: An Introduction to CSS Grid Layout: Part 2

Tue, 17 Oct 2017 16:45:38 +0000

This is the second post in a two-part article for getting started with CSS Grid Layout. If you are interested in learning more about CSS Grid and the new CSS Grid Layout feature in Firefox DevTools, visit the Firefox DevTools Playground.

Understanding grid lines

If you’ve read Part 1, you should now be comfortable creating a grid and defining the row and column sizes. We can now move on to placing items on a grid. There are several ways to place items, but we will start with a basic example. Consider a grid with six items:

Each item within this grid will be placed automatically in the default order. If we wish to have greater control, we can position items on the grid using grid line numbers. Grid lines are numbered left to right and top to bottom (if you are working in a right-to-left language, then grid lines are numbered right to left). The above example would be numbered like so:

Position an item

Here is the HTML we will be using for this example:

Say we want to position our first grid item (with a class of item1) to be in the second row and occupy the second column. This item will need to start at the second row line, and span to the third row line. It will also need to start at the second column line and span to the third column line. We could write our CSS like so:

    .item1 {
      grid-row-start: 2;
      grid-row-end: 3;
      grid-column-start: 2;
      grid-column-end: 3;
    }

Shorthand property

We can also rewrite this with shorthand properties:

    .item1 {
      grid-row: 2 / 3;
      grid-column: 2 / 3;
    }

Here is the result:

See the Pen CSS Grid Layout – Position Items by Mozilla Developers (@mozilladevelopers) on CodePen.

Creating a Basic Layout

Now that we have a basic understanding of how to position items, we can create a basic layout. Let’s create the same layout using three different methods.

Method 1: Position Items

For our first layout method, we won’t be introducing any new concepts. We’ll simply be using the grid-row and grid-column shorthand properties to manually place items such as a header, footer, and so on.

Here is the HTML:

Here is the CSS:

    .container {
      display: grid;
      width: 750px;
      height: 600px;
      grid-template-columns: 200px 1fr 1fr;
      grid-template-rows: 80px 1fr 1fr 100px;
      grid-gap: 1rem;
    }
    .header {
      grid-row: 1 / 2;
      grid-column: 1 / 4;
    }
    .sidebar {
      grid-row: 2 / 4;
      grid-column: 1 / 2;
    }
    .content-1 { grid-row[...]

Mozilla Addons Blog: Join the Featured Add-ons Advisory Board

Tue, 17 Oct 2017 15:05:37 +0000

Do you love add-ons? Have a keen appreciation for great functionality? Interested in making a huge impact on AMO? If so, consider applying to join our Featured Add-ons Community Board!

The board is comprised of a small group of add-ons enthusiasts from the community. During a six-month term, board members help nominate and select new featured extensions for AMO each month. Your participation will make a big difference to millions of users who look to AMO’s featured content to help them find great content!

As the current board wraps up their tour of duty, we are looking to assemble a new board for the months January – June.

Anyone from the add-ons community is welcome to apply: power users, developers, and advocates. Priority will be given to applicants who have not served on the board before, followed by those from previous boards, and finally from the outgoing board. This page provides more information on the duties of a board member.

To be considered, please send us an email at amo-featured [at] mozilla [dot] org with your name and a few sentences about how you’re involved with AMO and why you are interested in joining the board. The deadline is Monday, October 30, 2017 at 23:59 PDT. The new board will be announced shortly thereafter.

The post Join the Featured Add-ons Advisory Board appeared first on Mozilla Add-ons Blog.

Kim Moir: Saying thanks to teammates halfway around the world

Tue, 17 Oct 2017 14:50:47 +0000

Photo by Hanny Naibaho

One of the things I struggle with as a member of a distributed team is that a lot of feedback on my work is in text form. For instance, code reviews generally state what was good and what could be improved, specific to the code you submitted in a patch. There is often a lot of emotion associated with that patch, because you have spent a lot of time working on understanding how the existing code base works, the problem definition, iterating on patches for the best solution and then implementing tests to ensure your code works. So if the code review that your colleague gives you only concentrates on the negative, it can often be difficult to process. Text often lacks nuance and emotion. This is even more difficult if the code reviewer doesn’t work in a timezone that overlaps with your working hours, because it’s difficult to discuss the review in person.

On a recent bug, I noticed a simple statement that my colleague Joel made that explicitly states positive intent on code reviews. “Looking forward to this landing”. With all the back and forth on code reviews, this statement is a way to center that you are happy that this problem will be solved soon. In the case of this bug, it was one I had shifted to another coworker because I had too much on my plate with the 56 release, so I also tried to convey enthusiasm and gratitude in the comments for Alin’s work. Thanks Alin!

The other thing that I would mention with code reviews is that if you have a lot of changes to discuss with the person, or as a reviewer you feel that they should take a different approach, the best path forward is probably to discuss face to face in a video call. Again, you can convey thanks for their work, but it will probably save time if you communicate in a manner that allows any misunderstandings to be cleared up immediately versus back and forth in text.

I recently watched a talk by Mathias Meyer, who is the CEO of Travis CI from the Lead Developer conference. (Side note: All the talks from the Lead Dev conference are fantastic and worth watching) It’s an excellent talk about how the culture of Travis CI has evolved over the years to be more remote friendly, sensitive to the timezones people work in, and incorporate continuous learning. Around the 19 minute mark, he talks about how the entire team has an online all hands every month, where they have shout outs where a person can thank an individual or entire person for their work, celebrate achievements and discuss what they plan to ship over the next couple of months. This is a great idea! I really like the idea of thanking people on a regular basis.

I recently read a post by Cate Huston, Automattic’s mobile lead, about showing appreciation for her distributed team. She asks her engineers to write something they are happy about that they accomplished in the last month, and something that one of their teammates did that they really appreciate. She then [...]

The Mozilla Blog: A Week-Long Festival for Internet Health

Tue, 17 Oct 2017 13:00:17 +0000

MozFest is convening technologists, activists and artists this October to tackle the biggest problems facing the web

The Internet is sick. From ransomware and trolls to misinformation and mass surveillance, the very health of the Internet is at risk.

Says Mark Surman, Mozilla’s Executive Director: “The Internet is layered into our lives like we never could have imagined. Access is no longer a luxury — it’s a fundamental part of 21st century life. A virus is no longer a nuisance consigned to a single terminal — it’s an existential threat that can disrupt hospitals, governments and entire cities.”

But much of the Internet’s best nature is flourishing, too. Each day, new communities form despite members being separated by whole continents. Start-ups and artists have access to a global stage. And open-source projects put innovation and inclusion ahead of profit.

In an effort to heal the bad and uplift the good, Mozilla is reimagining MozFest, our annual London-based festival. We will address these issues head on. This October, our eighth-annual festival will draw nearly 2,000 technologists, hackers and activists from around the world to experience:

A week-long festival

Three days isn’t enough time to heal the Internet. So for the first time ever, we’re making MozFest a week-long festival. Monday, October 23 through Friday, October 27 is “MozFest House” — workshops, talks and film screenings at the Royal Society of Arts (RSA) in London. Programming will include MisinfoCon London, an event exploring solutions to misinformation online; Detox & Defend for Women, an online privacy workshop; and much more. The week culminates with the traditional MozFest weekend at Ravensbourne College from October 27 to October 29.

An interactive exhibit at MozFest 2016

19 big-name keynote speakers

hailing from nine countries. Speakers include Audrey Tang (Digital Minister, Taiwan), Gisela Perez de Acha (journalist and lawyer, Derechos Digitales) and Alan Knott-Craig (founder of Project Isizwe). Speakers will discuss hacking, botnets, digital rights and misinformation. Meet all 19 speakers

320 hands-on sessions

On Saturday, October 28 and Sunday, October 29, sessions will be led by international experts and spread across five tracks: Privacy and Security; Digital Inclusion; Decentralization; Web Literacy; and Openness. Here’s a peek at just five of them:

Privacy in Virtual Reality, unpacking how our most intimate data can be used against us online
Decolonizing the Net, showing how communities across the global Black diaspora wield the internet to counter false narratives and spark change IRL
Make a 3D Body Scanner, empowering participants to build seemingly-complex hardware using just Raspberry Pis
CryptoZombie, an interactive introduction to the fundamentals of encryption
Fighting Fake News in the Library, exploring how librarians can combat misinformation online

The Glass Room, a sister event hosted by[...]

Alex Vincent: Help wanted with HTML user interface for es7-membrane

Tue, 17 Oct 2017 06:39:16 +0000

I’ve continued to work on es7-membrane in my spare time, to the point where I released version 0.8 (“first beta”) without announcing it on my blog… oops. (I also forgot to tag the 0.8.1 release on GitHub.) For those who don’t know what it is about, just read the first few paragraphs of the 0.7 release announcement. I also have a low-traffic Google Groups mailing list for release announcements and general support.

I’m looking for unpaid-intern-level help. Not in the membrane implementation itself, but in crafting the es7-membrane distortions user interface. (“Distortions” is a relatively new term in the Membranes lexicon: it means altering proxies so that they don’t exactly match the original value, such as a whitelist for hiding properties.) The distortions user interface is a subproject for configuring a Membrane instance, and for persisting that configuration for future edits… all with a static GitHub website.

This means JavaScript, HTML, CSS, SVG, modern Web API’s (FileReader, Blob, CSS grids, etc.), build configuration, continuous integration, and more JavaScript (Jasmine, CodeMirror). It means in particular almost no HTTP server code (so no Python, PHP, etc.)

It does not mean including a library like jQuery. Call me biased if you want, but I think libraries like jQuery or YUI are unnecessary with recent advances in web browser technologies, and even less so in the future with Web Components evolving. These libraries were written for older Web API’s, and have to support thousands of websites… I don’t mind reinventing the wheel a little bit, as long as it’s tightly written code.

I’m looking for help because while I could do all of this on my own, I have time constraints in the form of a full-time job and university classes. On the other hand, I am an experienced Mozilla developer and JavaScript expert, so I can definitely mentor people… and this is cutting-edge JavaScript we’re dealing with here. Already, I have two interested customers for this open-source project (besides myself, of course), and one fellow student who took over a small widget (a “multistate” HTML button).

What I’m looking for are people who don’t have a lot of experience, but do have the time, an open mind and the willingness to do some of the grunt work in exchange for mentorship and letters of recommendation and/or equivalent written credit good for a résumé. I just recently added a few “good-first-bug” labels to the 0.9 milestone list of tickets.

If this fits your bill, please reach out through the Google Groups link above, or through my GitHub user page… and thank you.[...]

François Marier: Checking Your Passwords Against the Have I Been Pwned List

Tue, 17 Oct 2017 05:10:20 +0000

Two months ago, Troy Hunt, the security professional behind Have I been pwned?, released an incredibly comprehensive password list in the hope that it would allow web developers to steer their users away from passwords that have been compromised in past breaches.

While the list released by HIBP is hashed, the plaintext passwords are out there and one should assume that password crackers have access to them. So if you use a password on that list, you can be fairly confident that it's very easy to guess or crack your password.

I wanted to check my active passwords against that list to check whether or not any of them are compromised and should be changed immediately. This meant that I needed to download the list and do these lookups locally since it's not a good idea to send your current passwords to this third-party service.

I put my tool up on Launchpad / PyPI and you are more than welcome to give it a go. Install Postgres and Psycopg2 and then follow the README instructions to set up your database.
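
The local lookup described in this post, as an added example that is not François Marier's tool (which uses Postgres and Psycopg2): this sketch swaps the database for a binary search over a local copy of the list. It assumes the list is a text file with one uppercase SHA-1 hex digest per line, sorted ascending; the file name, the class and function names, and the sample passwords are all constructed for illustration.

```python
import hashlib
import os
import tempfile

HEX_LEN = 40  # length of a SHA-1 digest written as hex


def sha1_upper(password):
    """Hash locally; only this digest is compared, and nothing leaves the machine."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class LocalPwnedList:
    """Binary search over a sorted file of fixed-width SHA-1 hex lines.

    Assumption (not stated in the post): one uppercase digest per line,
    sorted ascending, so record i starts at byte i * record_len.
    """

    def __init__(self, path):
        self.path = path
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            first = fh.readline()
        if len(first.rstrip(b"\r\n")) != HEX_LEN:
            raise ValueError("expected one 40-character SHA-1 digest per line")
        # 41 bytes per record with LF line endings, 42 with CRLF.
        self.record_len = max(len(first), HEX_LEN + 1)
        remainder = size % self.record_len
        if remainder not in (0, HEX_LEN):  # HEX_LEN: last line lacks a newline
            raise ValueError("lines are not fixed-width; cannot seek by index")
        self.count = size // self.record_len + (1 if remainder else 0)

    def contains_hash(self, digest_hex):
        target = digest_hex.upper().encode("ascii")
        if len(target) != HEX_LEN:
            raise ValueError("not a SHA-1 hex digest")
        lo, hi = 0, self.count
        with open(self.path, "rb") as fh:
            while lo < hi:
                mid = (lo + hi) // 2
                fh.seek(mid * self.record_len)
                candidate = fh.read(HEX_LEN)
                if candidate == target:
                    return True
                if candidate < target:  # uppercase hex sorts the same as bytes
                    lo = mid + 1
                else:
                    hi = mid
        return False

    def is_compromised(self, password):
        return self.contains_hash(sha1_upper(password))


def audit(pwned, passwords_by_label):
    """Return the labels (never the passwords) whose password is on the list."""
    return sorted(label for label, pw in passwords_by_label.items()
                  if pwned.is_compromised(pw))


def build_sample_list(path, newline=b"\n"):
    """Write a tiny constructed stand-in for the real, much larger list."""
    sample = ("password", "123456", "qwerty", "letmein")  # constructed sample
    with open(path, "wb") as fh:
        for digest in sorted(sha1_upper(p) for p in sample):
            fh.write(digest.encode("ascii") + newline)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        pwned = LocalPwnedList(
            build_sample_list(os.path.join(tmp, "pwned-sha1.txt")))
        # In real use, read each password with getpass.getpass() so it does
        # not end up in shell history or in process arguments.
        flagged = audit(pwned, {"mail": "qwerty",
                                "bank": "constructed-unlisted-Xq7"})
        print("change these:", flagged)
```

The search reads about log2(N) records of 40 bytes each, so it works on a multi-gigabyte list without loading it into memory, but it gives wrong answers if the file is not sorted.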

Mike Taylor: FastClick (more like Thing-of-the-Past-Click)

Tue, 17 Oct 2017 05:00:00 +0000

-level awkward to middle-school-dance-party-level awkward. (In that the , because there's never really been a web standards way to programmatically open them via JS. Per DOM level 3(000), untrusted events (think event.isTrusted == false...except for click) shouldn't trigger the default action. And the default action for elements, or never worked properly in Chrome Mobile, but developers (being developers) found a workaround with mousedown events for Chrome Mobile (in a stackoverflow thread, naturally), put it into FastClick. This unintentionally broke it for other browsers, and later on some fixes were introduced to unbreak that for Firefox and Blackberry. But... that's only some of the select-related bugs. Fast forward a few years and Chrome fixed their untrusted events default action bug, and as a result broke