Randall Munroe of XKCD has written a whole book which explains things using only simple words. It’s called “Thing Explainer”. He’s also written a writing checker for people who want to write more things like that.
I am asking everyone to see if they can write the ten key points of the Mozilla Manifesto in a new way, saying the same things but using only simple words which his checker likes (like this writing that you are reading does).
You are allowed to use “Internet” even though it’s not a simple word, but if you find a way to not use “Internet”, that’s even better. You are also allowed to use “Mozilla” in the heading at the top, which will be “Mozilla Manifesto” but using only simple words.
It’s probably best if you put up your writing somewhere else on the Internet and then add some information here to say where it is. But if that’s a problem for you, you can put your writing here instead.
The person who makes the best writing will get something. I don’t know what yet. But making the best writing should make you happy anyway.
If you think this is a good and fun idea, then please tell everyone you know (in a nice way) so they can try as well.
I hope everything goes very well for you in this.
the following changes have been pushed to bugzilla.mozilla.org:
-  change the suggested fxos 2fa app (again)
-  Backport upstream testsuite changes to test against bug 1202447
-  Feature request: STR and regression-range pulldowns
-  extend 2fa protection beyond login
-  the ‘last seen’ value in the group membership report should use a profile’s last-seen date, not the cookie
discuss these changes on mozilla.tools.bmo.
Cameron Kaiser: Sandboxin' Safari on PowerPC (because plugins can't be trusted, and neither can you)
When I started getting alarms that oslo was unresponsive from the systems that couldn't dump backups on it anymore, I tried to bring it back up after work and noticed I was missing the array's core HFS+ volume (the array is partitioned into three). While the array's UFS volume seemed intact, none of the files verified; worse, not only was the HFS+ volume on it completely hosed, DiskWarrior actually crashed trying to repair it after throwing an error I'd never seen before (2351, -36 in case anyone is searching in the future).
Now, this is a backup array, so it could be dispensed with, but I wanted to understand what was going on first before wiping it. In the interest of ruling out the controller, I first decided to see if it was a problem with the array hardware and connected the RAID over FireWire to the iBook instead. To my surprise and delight, the files on the UFS volume checked out! I quickly booted DiskWarrior on the iBook and managed to get the HFS+ volume repaired -- it was pretty hideously mangled but spot checks on the files seemed to validate. So that ruled out the array.
At this point I concluded it must have been something wrong with the FW800 card. I'm notorious for keeping large amounts of spares on hand, so I got a spare FW800 card out that I'd bought as a Fry's special six years ago, pulled the old one from the bottom slot and installed the new one in the same place, and connected the array. This time, no volumes mounted, and System Profiler actually crashed when I asked it to enumerate FireWire devices. I powered off the system and said something intemperate, then started to wonder if it was something about the slot or (grr) the logic board. Fortunately, I could dispense with the Grappler+ since it was just occupying space, so I pulled that and put the new card in its slot instead. Everything mounted. Whew! Conclusion: bad PCI slot, possibly bad card as well, not clear if or which one caused the other, but I'm not going to take chances -- that card's going in the eWaste bin. Either way, the moral of this story is to not only keep backups, but keep spare parts on hand, because you never know when you'll need them. And oslo has a complete body double in the stock closet for the day it might blow its logic board entirely. Still, not bad for a machine that was built 15 years ago.
Now to the main event. I mentioned a while back a couple of secret projects I've been working on, and while one of them is probably going to get invalidated by Google again in the very near future, this second one has bigger import: no less than a safer, sandboxed way to run Flash and other plugins on Tiger. Let me introduce you to SandboxSafari.
First, let's be painfully clear about two important points: both Flash and Java remain unsafe to run on Power Macs, and TenFourFox's no-plugins policy remains inviolate. That's not ever going to change. But there are still sites people want to visit that insist on requiring a plugin and some of the sites either still work or can be coerced to work with the older version of Flash Player available for PowerPC. While not all the problems can be mitigated, it seemed to me that there could be a safer way of doing so that would reduce a potential attack profile.
Because our primary operating system of interest is Tiger (Leopard is supported, but I've always been frank that the best reason to still own a Power Mac is to run Classic apps, and that means 10.4), we can't use the Leopard sandbox, and the Leopard sandbox has at least one sandbox escape that was never fixed (though I suppose in the future it could be part of a blended implementation). So SandboxSafari takes a different approach: it runs a very limited WebKit instance in a separate process as nobody so that it doesn't run within TenFourFox or even run as you. By limiting the functionality it exposes and the privileges it can wield, it reduces the chance of an unsafe operation because it can't do many such operations.
In fact, SandboxSafari is so limited you can't even use it as a regular browser; there's no tabs, no downloads, only a single window and almost no chrome except for a right-click context menu for navigation. You feed it URLs through Launch Services, not through a typical address bar -- because there isn't one! It can't even save its own settings, nor can any plugin it instantiates, let alone anything else. The overriding idea is "as little as possible to go wrong."
So how do you use it? TenFourFox integrates with SandboxSafari through an enabler add-on included in the package. Let's say you're on one of those troublesome sites and you need Flash to operate on it. Just right-click on an open area of the page and from the context menu select the option to pass the URL to SandboxSafari (or pass it and close the tab simultaneously, such as a video site you don't need to keep open in TenFourFox). SandboxSafari will open to that URL; when you're done, just close the window and it will return to the previous app (invariably TenFourFox). You can drive SandboxSafari from your own application with AppleEvents, btw; see the openurl tool in the source code bundle.
SandboxSafari is not at all complete protection. Even though crashes are limited to the SandboxSafari process, it may still be possible for a malicious or misbehaving site to trigger other OS bugs, and while it's designed to resist modifying old files as well as creating new files, it may still be able to read other files and possibly be manipulated to upload them. A subverted plugin may also be able to activate input contexts that capture all keyboard events or draw things that look like password dialogues, and while these would disappear when SandboxSafari quits, they could potentially grab data anyway if you type in sensitive information while SandboxSafari is running. These kinds of operations are not generally dependent on the user ID in use or cannot otherwise be blocked with this method of sequestration. There are other limitations with what it can access and you should read the documentation thoroughly beforehand so you understand why.
SandboxSafari is also provided to you "best effort" and strictly "as-is." It's a means to get obsolete, insecure software to run a little more safely, but the software in question is unmaintained and known to have problems, and that means you should expect to have problems with it too. Because I don't want to turn my life into a living hell with people who can't read and don't care sending me complaints I don't want, the policy is explicit: bug reports that do not include fixes will be ignored (unless it's an obvious security issue over and above the security issues I already know it has). Don't write it here, don't post it to Tenderapp, don't E-mail me. If you're having trouble with it and you don't know why or don't care to find out how to fix it, then don't use it. I'm serious. I have enough to worry about with TenFourFox without regretting anything else I maintain. :P
Download SandboxSafari here, after reading the page thoroughly, and God have mercy on your souls.
Yunier José Sosa Vázquez: Firefox adds new developer features and improvements to Hello
Following the rapid release cycle, Mozilla released a new version of Firefox a few hours ago. In this release we can enjoy new features, mainly related to security and aimed at web developers. In addition, image decoding is up to 2 times faster on some devices, especially when scrolling.
Firefox Hello, the free public video calling service, has been updated and now includes instant messaging (chat) to improve conversations or for cases where we do not have a webcam.
We can now add a profile photo to the Firefox Account (used by Sync to synchronize our devices), and IME support on Windows (Vista or later) has been improved through TSF (Text Services Framework).
- From the search panel you can easily search with different providers (Google, Yahoo, DuckDuckGo, etc.).
- Improved bookmark management and detection of duplicate bookmarks.
- You can now swipe to close tabs on tablets.
- Added the Croatian (hr) language.
- Android applications can be opened from a web page using Intent URIs.
- SVG images can be used as favicons.
- Network requests can be exported in HAR format.
- The HTML source of a web page now opens in a new tab.
- WebRTC requires perfect forward secrecy.
- From the markup view, screenshots of nodes can be taken.
- The CSS Font Loading API has been enabled by default.
- Added support for the transform-origin property on SVG elements.
- You can add new CSS rules with the new "New Rule" button in the Inspector.
- Removed support for XPCOM components in extensions; use the “system/child_process” module of the Add-on SDK instead.
- The MessageChannel and MessagePort APIs have been enabled by default.
- Other security and performance improvements.
If you wish, you can read the release notes to learn about more new features.
You can get this version from our Downloads area in Spanish and English for Linux, Mac and Windows. We do not have the Android version, but we will let you know as soon as it is available.
The latest Firefox update is now available. This release includes minor updates to personalize your Firefox Account and adds a new functionality to Firefox Hello Beta.
Firefox Accounts provides access to services like Firefox Sync to let you take browsing data such as passwords, bookmarks, history and open tabs across your desktop and mobile devices. The latest update to Firefox Accounts allows you to personalize your Firefox Account profile in Firefox for Windows, Mac, Linux and Android by adding a photo.
Firefox Hello Beta, developed with our partner Telefónica, is the global communications system built directly into a browser and it will now let you send and receive instant messages when you’re in a video call in Firefox for Windows, Mac and Linux.
Sometimes that is done via over the top gzip of text resources (html, js, css), but other times it is accomplished via the compression inherent in the file format of media elements. Modern sites apply gzip to all of their text as a best practice.
Time marches on, and it turns out we can often do a better job than the venerable gzip. Until recently, new formats struggled with matching the decoding rates of gzip, but lately a new contender named brotli has shown impressive results. It has been able to improve on gzip anywhere from 20% to 40% in terms of compression ratios while keeping up on the decoding rate. Have a look at the author's recent comparative results.
The deployed WOFF2 font file format already uses brotli internally.
If all goes well in testing, Firefox 44 (ETA January 2016) will negotiate brotli as a content-encoding for https resources. The negotiation will be done in the usual way via the Accept-Encoding request header and the token "brotli". Servers that wish to encode a response with brotli can do so by adding "brotli" to the Content-Encoding response header. Firefox won't decode brotli outside of https - so make sure to use the HTTP content negotiation framework instead of doing user agent sniffing.
We expect Chrome will deploy something compatible in the near future.
The brotli format is defined by this document working its way through the IETF process. We will work with the authors to make sure the IANA registry for content codings is updated to reference it.
You can get tools to create brotli compressed content here, and there is a Windows executable I can't vouch for linked here.
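The negotiation rules in the post above (offer brotli only when the request carries the token and arrived over https, otherwise fall back) can be written down as a small server-side chooser. This is an added example, not code from the post or from Firefox; the function names, the server preference order and the decision not to treat a `*` wildcard as brotli support are assumptions made here.

```python
# Added example: server-side choice of a content-coding, following the rules
# in the post above. BROTLI_TOKEN is the token exactly as the post gives it.
BROTLI_TOKEN = "brotli"


def parse_accept_encoding(header):
    """Return {coding: q} for an Accept-Encoding header value."""
    offered = {}
    for item in header.split(","):
        name, *params = [part.strip() for part in item.split(";")]
        if not name:
            continue
        q = 1.0
        for param in params:
            key, _, value = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed weight: treat the coding as refused
        offered[name.lower()] = q if 0.0 <= q <= 1.0 else 0.0
    return offered


def choose_encoding(accept_encoding, scheme, available=(BROTLI_TOKEN, "gzip")):
    """Pick a coding from `available` (server preference order) or None.

    brotli is chosen only for https requests that list the token explicitly
    with q > 0; the decision comes from the header, never from User-Agent.
    """
    offered = parse_accept_encoding(accept_encoding or "")
    best, best_q = None, 0.0
    for name in available:
        if name == BROTLI_TOKEN:
            if scheme.lower() != "https":
                continue  # the client will not decode brotli outside https
            q = offered.get(name, 0.0)  # assumption: "*" does not imply brotli
        else:
            q = offered.get(name, offered.get("*", 0.0))
        if q > best_q:  # strict: ties go to the server's preferred coding
            best, best_q = name, q
    return best


def response_headers(accept_encoding, scheme):
    """Headers to add to the response for the negotiated coding."""
    # Vary tells caches that the body depends on the request's Accept-Encoding.
    headers = {"Vary": "Accept-Encoding"}
    coding = choose_encoding(accept_encoding, scheme)
    if coding:
        headers["Content-Encoding"] = coding
    return headers


if __name__ == "__main__":
    # Constructed sample requests: (scheme, Accept-Encoding value).
    for scheme, header in [("https", "gzip, deflate, brotli"),
                           ("http", "gzip, deflate, brotli"),
                           ("https", "brotli;q=0, gzip;q=0.5")]:
        print(scheme, repr(header), "->", response_headers(header, scheme))
```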
Password Store (aka “pass”) is a very handy wrapper for dealing with pgp encrypted secrets. It greatly simplifies securely working with multiple secrets. This is still true even if you happen to keep your encrypted secrets in non-password-store managed repositories, although that setup isn’t covered in the docs. I’ll show my setup here. (See the Password Store page for usage: “pass show -c <spam>” & “pass search <eggs>” are among my favorites.)
- Short version:
  - Have gpg installed on your machine.
  - Set up a local password store. Scroll down in the usage section to “Setting it up” for instructions.
  - Clone your secrets repositories to your normal location. Do not clone inside of ~/.password-store/.
  - Set up symlinks inside of ~/.password-store/ to directories inside your clone of the secrets repository. I did:
        ln -s ~/path/to/secrets-git/passwords rePasswords
        ln -s ~/path/to/secrets-git/keys reKeys
  - Enjoy command line search and retrieval of all your secrets. (Use the regular method for your separate secrets repository to add and update secrets.)
- By using symlinks, pass will not allow me to create or update secrets in the other repositories. That prevents mistakes, as the process is different for each of those alternate stores.
- I prefer to have just one tree of secrets to search, rather than the “multiple configuration” approach documented on the Password Store site.
- By using symlinks, I can control the global namespace, and use names that make sense to me.
- I’ve migrated from using KeePassX to using pass for my personal secret management. That is my “main” password-store setup (backed by a git repo).
- If you’d prefer a GUI, there’s qtpass which also works with the above setup.
This summer went by fast. Back in May we announced the opportunity to participate in the DX project. In June we announced the team. August ended and the project officially came to a halt. First off, I would really like to thank all the participants who took interest in this program. With 5 eager hackers, there is a lot to do! As the summer wore on, some folks got side tracked, others worked when they could and some kept moving forward. No matter what the outcome, I do applaud the 5 great contributors who spent their free time getting setup and started on a project.
Now that we are at the end, I would like to outline some of the work that was done and things that were learned.
A few great things got started like mach usage statistics, and Marionette harness cleanup. These are not easy to get started on and figure out all the quirks with our full scale ecosystem. It is wonderful to see ideas and progress being made. Thanks BYK and sehgalvibhor.
Two other projects didn’t get much traction. While I like to blame myself as a mentor (yes, I could have done a bit more or scoped the projects differently), we ended up not making progress on a few projects. This is OK, and there is always stuff to learn. On the projects that didn’t get going, I saw gma_fav struggle a bit, but persist. I know the right project is out there and she will succeed next time, ideally at Mozilla! I enjoyed learning about wunderlist from stanley, and will look forward to more of his enthusiasm.
The last project is run-by-dir. kaustabh93 really worked consistently on this and learned a lot about working in the mozilla-central tree, using try, and understanding our infrastructure. A lot of work was done for mochitest-plain and mochitest-chrome. He is still hacking away and making fast progress. As Kaustabh was the only contributor who was consistent throughout the entire program, I wanted to hear his perspective on the program:
How did you hear about the program, why were you interested?
I had been a contributor at Mozilla for quite some time working mainly on AlertManager and familiarizing myself with Mochitests by means of solving bugs and reading code. It was at this time, that my curriculum needed me to do an industrial project (internships/training/other programs for which the company would acknowledge my work by means of certificates or letters or both). I brought this up with my mentor and a few days later, he informed me about this program. It had been an awesome experience coding for Mozilla so far & hence I got interested instantly.
What did you find challenging? How did you overcome these challenges?
The existing volume of codes were huge and getting to know what is what was challenging. I overcame this by solving smaller bugs first and reading codes and of course a lot of help, advice & explanation from my mentor, jmaher. He is an awesome person and one of the best mentors, I’ve known.
What advice would you give for anybody looking to contribute in this program?
While I appreciate the callout as a great mentor, there are many other great Mozillian mentors, it is my pleasure to work with folks who contribute their free time to the project.
Without making this too long, I did learn a lot from this great group of participants. A few tips for becoming a better mentor (you get better with experience and learn from mistakes) is to communicate regularly with whom you are mentoring, this should be at least twice a week. While mentoring involves a lot of encouragement and gentle guidance, it is important to listen more to what roadblocks are in place (schedules, technical, etc.) and sometimes we need to move to a smaller or simpler project until the timing is right for the big project. One other big callout was that gma_fav was helpful in making me really understand how our use of master/slave is offensive to many, I am glad I listened to her and worked with her for a couple months! I look forward to watching these contributors grow outside of this program and meeting more great folks!
With the release of Firefox 41, we are pleased to welcome the 62 developers who contributed their first code change to Firefox in this release, 51 of whom were brand new volunteers! Please join us in thanking each of these diligent and enthusiastic individuals, and take a look at their contributions:
- dvedvick: 1163416
- kdavis: 1167538
- mathieu: 1157664
- mchenryc: 1163447
- mootoh: 1167503
- parthbakshi: 1139873
- rshenthar: 1167922
- sd001dev: 1154059
- shubham_sinha: 1142817
- yanisellami: 967031, 1118372
- Aditya Srivastava: 1138481
- Akshit Khurana: 1171520
- Alex: 1155969
- Alexander Ploner: 1148549
- Amanda Sambath: 1157669, 1158120
- AmilaAmunugama: 1161495
- Amin Bandali: 1167360, 1168618
- Andrew Martin McDonough: 1168556
- Anthony Zhang: 1167689
- Atul Kumar: 1136301
- Baptiste Emmanuel: 1157663, 1166596
- Christos Alewa: 1114333
- Clayton Bodendein: 1159904
- Edoardo Putti: 1121896
- Evan Tseng: 1165134
- Franziskus Kiefer: 1145199, 1161221, 1163743, 1165501, 1168538
- Gary Chen: 1115480
- Hieu Le: 1142272
- Jarda Snajdr: 1034724, 1159922, 1162677, 1169667
- Jessie Hildebrandt: 972567
- John Pavlicek: 1164210, 1164906
- Jonathan Almeida: 1161820
- Kapil Bakshi: 1131274
- Karim Benhmida: 602818, 1138635, 1153904, 1159978, 1164301
- Kyle Fung: 1164970, 1166585, 1169039
- Kyle Zentner: 1164918, 1164953, 1169837, 1170173
- Lorien Hu: 1109891, 1168932, 1169408, 1169701, 1172577, 1173418, 1174204
- Martin Heller: 1122280
- Matt Wobensmith: 1169823, 1170619
- Maxim Philippov: 1145230
- Mayank Jethva: 1168103
- Michael Layzell: 309731, 1012662, 1027560, 1159490, 1161721, 1162952, 1167375, 1167378, 1167380, 1167385, 1167402, 1167403, 1167588, 1167589, 1167590, 1167603, 1167663, 1167665, 1167697, 1168115, 1168154, 1168156, 1168158, 1168167, 1168170, 1168172, 1168176, 1168179, 1168180, 1168219, 1169337, 1173503
- Michael LoPiccolo: 1168808
- Miles Richardson: 1160771
- Muhsin A. Steiman: 1146331, 1149279, 1167229, 1170799, 1172012
- Nate Weiner: 1163411, 1163576, 1164161, 1164419, 1164698, 1165416
- Nicolas Belleville: 948466
- Nihanth Subramanya: 1108648, 1118285, 1129529, 1163559, 1166465
- Oliver Henshaw: 1164886
- Piervincenzo Parisi: 1164616
- Riley Baldin: 1172011
- Rudy Lu: 1162680
- Sanchit Kumar: 1171016
- Sandeep Murthy: 1145112
- Sergej Kravcenko: 1175563, 1175566
- Thomas Escalon: 1132189, 1157677
- Tom Klein: 853889, 1063486
- Ursula Sarracini: 1145303, 1167594, 1168589, 1175657, 1176517
- Vijendra Singh: 1150688
- Wander Lairson Costa: 1144994
- Youngsun Suh: 1170852
- juan becerra: 1087629
- shivang nagaria: 1077339