1. 8

    Turn off JS then? Isn’t this what a modern browser is by definition? A tool that executes arbitrary code from URLs I throw at it?

    1. 7

      I am one of those developers who surfs the web with “javascript.options.wasm = false” and NoScript to block just about 99% of all websites from running any Javascript on my home-machine unless I explicitly turn it on. I’ve also worked on various networks where Javascript is just plain turned off and can’t be turned on by regular users. I’ve heard some, sadly confidential, war-stories that have led to these policies. They are similar in nature to what the author states in his Medium-post.

      If you want to run something, run it on your servers and get off my laptop, phone, tv or even production-machines. Those are mine and if your website can’t handle it, then your website is simply terrible from a user experience viewpoint, dreadfully inefficient and doomed to come back hunting you when you are already in a bind because of an entirely different customer or issue. As a consequence of this way of thinking, a few web-driven systems I wrote more than a decade ago are still live and going strong without a single security incident and without any performance issues while at the same time reaping the benefits of the better hardware they’ve been migrated to over the years.

      Therefore it is still my firm belief that a browser is primarily a tool to display content from random URLs I throw at it and not an application platform which executes code from the URLs thrown at it.

      1. 3

        That’s a fine and valid viewpoint to have, and you are more than welcome to disable JS. But as a person who wants to use the web as an application platform, are you suggesting that browsers should neglect people like myself? I don’t really understand what your complaint is.

        1. 2

          But as a person who wants to use the web as an application platform, are you suggesting that browsers should neglect people like myself?

          I don’t think so. But using Web Applications should be opt-in, not opt-out.

          1. 3

            Exactly.

            There are just too many issues with JavaScript-based web-applications. For example: Performance (technical and non-technical). Accessibility (blind people perceive your site through a 1x40 or 2x80 Braille-character-display matrix, so essentially 1/2 or 2 lines on a terminal). Usability (see gmail’s pop-out feature which is missing from by far most modern web-applications and you get it almost for free if you just see the web as a fancy document-delivery/viewing system). Our social status as developers as perceived by the masses: They think that everything is broken, slow and unstable, not because they can make a logical argument, but because they “feel” (in multiple ways) that it is so. And many more.

            However the author’s focus is on security. I totally get where the author is coming from with his “The web is still a weapon”-posts. If I put off my developer-goggles and look through a user’s eyes it sure feels like it is all designed to be used as one. He can definitely state his case in a better way, although I think that showing that you can interact with an intranet through a third-party javascript makes the underlying problems, and therefore the message too, very clear.

            It also aligns with the CIA’s Timeless tips for sabotage which you can read on that link.

            We should think about this very carefully, despite the emotionally inflammatory speech which often accompanies these types of discussions.

            1. 1

              He can definitely state his case in a better way

              I sincerely welcome suggestions.

        2. 1

          by the same stretch of logic you could claim any limited subset of functionality is the only things computers should do in the name of varying forms of “security.”

          perhaps something like: “The computer is a tool for doing computation not displaying things to me and potentially warping my view of reality with incorrect information or emotionally inflammatory speech. This is why I have removed any form of internet connectivity.”

        3. 7

          This is not a bug and it’s not RCE. JavaScript and headers are red herrings here. If you request some URL from a server, you’re going to receive what that server chooses to send you, with or without a browser. There’s a risk in that to be sure, but it’s true by design.

          1. 3

            Turn off your network and you should eliminate the threat. Turn your computer off completely for a safer mitigation.

          1. 3

            We use Taskcluster, a home-developed CI system. It supports both per-checkin and cron-like tasks. We use it because it was becoming increasingly clear that our previous buildbot based CI was a major productivity bottleneck, and other off the shelf solutions couldn’t handle the scale and complexity we needed.

            While possibly a case of not-invented-here syndrome, I’d argue the decision to build from scratch was the right one. We are now in a very good spot where developers can self-serve their own tasks simply by adding some in-tree configuration. The tasks can run on a wide variety of platforms including AWS, Azure, physical machines in our data centre and more.

            The taskcluster team has been working to make it easier for other organizations to run their own instances.

            1. 2

              Does anyone here use Bitwarden? I didn’t know about it, but it looks really attractive.

              1. 3

                Yes, it’s awesome. It’s also the only password manager that has a Firefox for Android extension (to my knowledge).

                1. 3

                  Yes. It has some rough edges – I wish syncing was better – but it’s working great.

                  My syncing issue has to do with the fact that everything has its own copy of the data: desktop app, mobile app, browser plugins, etc. When you make a change they do not sync between them all immediately. You can have a Bitwarden app or plugin that is days behind so you have to go to settings and do a manual sync. Very annoying, but not a deal breaker.

                  1. 2

                    I use the venerable pass. It has none of this mobile mumbojumbo or autosync frills the kids today are talking about.

                    It’s so simple and lean, I never thought pass git pull would be annoying.

                    I would appreciate a mobile UI sometimes, though. A Sailfish client. But that’s not a dealbreaker either.

                    Maybe I could hook the missus up with Rubywarden, though. Pass would be too much for her.

                    Addendum: There appears to be a QML frontend on OpenRepos. Found through storeman. Not a complete client but have to give it a spin :)

                    1. 1

                      There is definitely a pass app for android. I’m not sure about iOS.

                      1. 1

                        As someone who uses a mobile and two desktops, having passwords being synced across devices is a must-have. It’s just too much of a pain to remember to copy new passwords from my phone to machine A, then B, and vice-versa.

                        1. 1

                          Home desktop, work desktop, work laptop, work macOS laptop and hopefully soon two Sailfish mobiles running pass.

                          Made git pull a habit, not a chore, but ymmv.

                    2. 2

                      yeah, it’s open source and possible to run self-hosted as well.

                      check out the discussion from a topic from a few days ago, I’d just be copying from there:

                    1. 2

                      I can’t decide if Let’s Encrypt is a godsend or a threat.

                      On one hand, it lets you support HTTPS for free.
                      On the other, they collect an enormous power worldwide.

                      1. 8

                        Agreed, they are quickly becoming the only game in town worth playing with when it comes to TLS certs. Luckily they are a non-profit, so they have more transparency than say Google, who took over our email.

                        It’s awesome that we have easy, free TLS certs, but there shouldn’t be a single provider for such things.

                        1. 3

                          Is there anything preventing another (or another ten) free CAs from existing? Let’s Encrypt just showed everyone how, and their protocol isn’t a secret.

                          1. 6

                            OpenCA tried for a long time, and I think now has pretty much given up: https://www.openca.org/ and just exists in their own little bubble now.

                            Basically nobody wants to certify you unless you are willing to pay out the nose and are considered friendly to the way of doing things. LE bought their way in I’m sure, to get their cert cross-signed, which is how they managed so “quickly” and it still took YEARS.

                            1. 1

                              Have you ever tried to create a CA?

                              1. 3

                                I’ve created lots of CAs, trusted by at most 250 people. :)

                                Of course it’s not easy to make a new generally-trusted CA — nor would I want it to be. It’s a big complicated expensive thing to do properly. But if you’re willing to do the work, and can arrange the funding, is anything stopping you? I don’t know that browser vendors are against the idea of multiple free CAs.

                                1. 3

                                  Obviously I was not talking about the technical stuff.

                                  One of my previous bosses explored the matter. He had the technical staff already but he wanted to become an official authority. It was more or less 2005.

                                  After some time (and a lot of money spent in legal consulting) he gave up.

                                  He said: “it’s easier to open a bank”.

                                  In a sense, it’s reasonable, as the European laws want to protect citizens from unsafe organisations.

                                  But, it’s definitely not a technical problem.

                            2. 1

                              Luckily they are a non-profit

                              Linux Foundation is a 501(c)(6) organization, a business league that is not organized for profit and no part of the net earnings goes to the benefit of any private shareholder or individual.
                              The fact all shareholders benefit from its work without a direct economical gain doesn’t mean it has the public good at heart. Even less the public good of the whole world.

                              It sounds a lot like another attempt to centralize the Internet, always around the same center.

                              It’s awesome that we have easy, free TLS certs, but there shouldn’t be a single provider for such things.

                              And such certificates protect people from a lot of relatively cheap attacks. That’s why I’m in doubt.

                              Probably, issuing TLS certificates should be a public service free for each citizen of a state.

                              1. 3

                                Oh Jeez. Thanks, I didn’t realize it was not a 501(c)(3). When LE was first coming around they talked about being a non-profit and I just assumed. That’s what happens when I assume.

                                Proof, so we aren’t just taking @Shamar’s word for it:

                                Linux Foundation Bylaws: https://www.linuxfoundation.org/bylaws/

                                Section 2.1 states the 501(c)(6) designation with the IRS.

                                My point stands, that we do get more transparency this way than we would if they were a private for-profit company, but I agree it’s definitely not ideal.

                                So you think local cities, counties, states and countries should get in the TLS cert business? That would be interesting.

                                1. 5

                                  It’s true the Linux Foundation isn’t a 501(c)(3) but the Linux Foundation doesn’t control Let’s Encrypt, the Internet Security Research Group does. And the ISRG is a 501(c)(3).

                                  So your initial post is correct and Shamar is mistaken.

                                  1. 1

                                    The Linux Foundation will provide general and administrative support services, as well as services related to fundraising, financial management, contract and vendor management, and human resources.

                                    This is from the page linked by @philpennock.

                                    I wonder what is left to do for the Let’s Encrypt staff! :-)

                                    I’m amused by how easily people forget that organisations are composed of people.

                                    What if Linux Foundation decides to drop its support?
                                    No funds. No finance. No contracts. No human resources.
                                    Oh and no hosting, too.

                                    But hey! I’m mistaken! ;-)

                                    1. 2

                                      Unless you have inside information on the contract, saying LE depends on the Linux Foundation is pure speculation.

                                      I can speculate too. Should the Linux Foundation withdraw support there are plenty of companies and organisations that have a vested interest in keeping LetsEncrypt afloat. They’ll be fine.

                                      1. 1

                                        Agreed.

                                        Feel free to think that it’s a philanthropic endeavour!
                                        I will continue to think it’s a political one.

                                        The point (and as I said I cannot answer yet) is if the global risk of a single US organisation being able to break most of HTTPS traffic world wide is worth the benefit of free certificates.

                                        1. 3

                                          Any trusted CA can MITM, though, not just the one that issued the certificate. So the problem is (and always has been) much, much worse than that.

                                          1. 1

                                            Good point! I stand corrected. :-)

                                            Still note how it’s easier for the certificate issuer to go unnoticed.
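The point made two comments up (any CA in the trust store can vouch for any name, not only the CA that issued the site’s real certificate) as an added demonstration. This is not code from the thread, from Let’s Encrypt or from ISRG; it uses only the openssl command line (1.1.1 or later assumed), and the CA names ca-a and ca-b and the hostname shop.example are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: two unrelated, locally generated CAs each
# issue a certificate for the same hostname. A verifier that trusts both roots
# accepts either leaf; nothing binds a name to the CA that "really" issued it.
# ca-a, ca-b and shop.example are constructed names for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=shop.example

# Self-signed root CA $1 with an explicit CA:TRUE basicConstraints
# (EC keys keep key generation fast).
make_ca() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -out "$WORK/$1.crt" -days 1 -extfile "$WORK/$1.ext" >/dev/null 2>&1
}

# Leaf certificate $3.crt for hostname $2, signed by CA $1, with a SAN so the
# hostname check works the way browsers do it.
issue_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" -subj "/CN=$2" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -out "$WORK/$3.crt" -days 1 -extfile "$WORK/$3.ext" >/dev/null 2>&1
}

# Validate leaf $2 for $HOST against trust bundle $1 (a file in $WORK).
# Prints "ok" or "fail" so the result can be checked from a script.
verify_leaf() {
  if openssl verify -CAfile "$WORK/$1" -verify_hostname "$HOST" \
       "$WORK/$2.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_ca ca-a
make_ca ca-b
issue_leaf ca-a "$HOST" leaf-a      # the certificate the site owner obtained
issue_leaf ca-b "$HOST" leaf-b      # same name, minted by an unrelated CA

# A real trust store holds many roots; here it holds both of ours.
cat "$WORK/ca-a.crt" "$WORK/ca-b.crt" > "$WORK/bundle.pem"

echo "only ca-a trusted, real leaf:    $(verify_leaf ca-a.crt leaf-a)"    # ok
echo "only ca-a trusted, rogue leaf:   $(verify_leaf ca-a.crt leaf-b)"    # fail
echo "both roots trusted, rogue leaf:  $(verify_leaf bundle.pem leaf-b)"  # ok
```

The third line is the one that matters: once ca-b is in the bundle, its certificate for shop.example validates exactly like the real one, and the client has no way to tell which issuer the owner actually used. In the public web PKI this is what CAA records (which tell a compliant CA whether it may issue for a name) and Certificate Transparency logs (which let an owner notice a certificate they never requested) are for; neither stops a CA that chooses to ignore them, which is the thread’s point.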

                                2. 4

                                  What’s Linux Foundation got to do with it? Let’s Encrypt is run by ISRG, Internet Security Research Group, an organization from the IAB/IETF family if memory serves.

                                  They’re a 501(c)(3).

                                  1. 2

                                    LF provide hosting and support services, yes. Much as I pay AWS to run some things for me, which doesn’t lead to Amazon being in charge. https://letsencrypt.org/2015/04/09/isrg-lf-collaboration.html explains the connection.

                                    1. 1

                                      Look at the home page, top-right.

                                      1. 2

                                        The Linux Foundation provides hosting, fundraising and other services. LetsEncrypt collaborates with them but is run by the ISRG:

                                        Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

                              1. 35

                                A few months ago I upgraded my Linux system and Firefox stopped using my dark GTK theme and fell back to the default “adwaita” theme. Firefox tries to avoid dark themes, with special settings in about:config and even env vars to control whether it should allow them. I tried enabling all of these to no avail (I later figured out the problem was due to the GTK/XDG directory paths being wrong).

                                When I asked in #firefox in IRC I was advised to install the Stylish extension and pick a dark theme for it. I pointed out that it seemed like overkill, since it would be adding theme engines on top of theme engines, but tried it anyway. When the extension asked for permission to access all of the information from every page I visit, I promptly deleted it, went back to IRC and pointed out that I’d rather have ugly widgets than leak so much info to a purely cosmetic extension. I was told that it’s fine, I should just click “accept” since loads of people use it, etc.

                                I feel vindicated now :)

                                1. 5

                                  Was this the one on freenode? If so I’m pretty sure that’s unaffiliated with Mozilla and you’ll get better advice asking on a topical channel from irc.mozilla.org.

                                  1. 2

                                    Can’t remember, but yeah I was aware it was enthusiastic volunteer users (I’ve often played that role) rather than anything official.

                                1. 1

                                  I get the author’s point about the Z component being broken. If the library behaves incorrectly but the dependent program uses the incorrect behavior to get functionality, once the incorrect behavior is fixed in the library, the program will stop working. But the library will now be working correctly!

                                  I think semver is not able to solve this issue, but it can mitigate against it: thorough testing and quality analysis before a 1.0.0 release is made is necessary, and careful review of anything that comes afterward.

                                  1. 1

                                    If strictly adhering to SemVer, wouldn’t the correct approach be to change the default behaviour, while still providing a fallback for the old incorrect behaviour? You could then provide a deprecation notice and actually remove the old incorrect behaviour with the next major version.

                                    I think the problem is that libraries rarely do this (especially for “trivial” fixes) because it’s a PITA. But that’s not really SemVer’s fault.

                                    1. 1

                                      But that doesn’t solve the problem: dependents upgrade to Z+1 and their stuff breaks, which is expressly not what should happen when doing that under semver. Semver in this case tells you to bump the major version. I don’t mind, it works and it does satisfy the semver specification. I don’t have a problem with stupidly high major versions, since it’s all meaningless anyway, only the differentials are meaningful. Fundamentally going from 98 to 101 is the same as going from major version 3 to 6.

                                      1. 1

                                        Yeah, I think we’re on the same page. Either you figure out a way to fix the bug in a manner that’s backwards compatible, or you bump the major version. In practice people rarely do this for Z level fixes, but that’s more of a problem with how people interpret SemVer than with the philosophy itself.

                                  1. -1

                                    I disagree with Stallman here.

                                    If you surrender your data, then you do not have any right over them. If you upload your photos to facebook, then facebook has them.

                                    For public utility, it is fine to restrict the collection and usage of personal data. But for private corporations, the private individuals should be able to decide for themselves if giving a corporation access to your entire search history for wifi access at the coffee shop is worth it.

                                    1. 25

                                      More and more we are getting forced to use services that spy on us. Cash is being phased out for credit cards and mobile payments. I can’t even pay for parking at my uni without installing their mobile app. We need laws to protect us from these companies because they are impossible to 100% avoid.

                                      1. [Comment removed by author]

                                        1. 40

                                          Governments aren’t there to protect you.

                                          That is literally what governments are for.

                                          1. 3

                                            Not anymore… at least here where I live, Government is composed of people and people will have their own agendas which might not include protecting other people or even obeying the laws they’ve passed. I see government as an instrument of power, some will use this power to help society, others to accumulate wealth at the expense of society.

                                            1. 31

                                              What your particular government does and what the purpose of the government is are two separate topics.

                                              1. 2

                                                That is true but still, you can probably agree with me that when dealing with the real world, the creator’s intention has very little bearing on whatever usage people make of something. For example: the web was a way to share scientific hypertext and now we’re doing crazy stuff with it, or, tide pods were supposed to be used for laundry… governments, much like many other human creations, happened over time, in different places, with different purposes. Monarchy is government but one can argue that historically it was not meant to protect people, dictatorships also work that way. We can say that the “platonic ideal of a pure and honest government” is to protect people but that’s just us reasoning after the fact. There are no “letters of intention” about the creation of government which all governments across time and space need to follow. What we perceive as “purpose” has very little meaning to what actually happens.

                                                Personally, I find it most interesting when things are not used according to the creator’s intention; this creative appropriation of stuff by inventive users is at the same time what spurs a lot of cool stuff and what dooms us all. We here in Brazil have a moniker for it, “Jeitinho Brasileiro”, which could be translated as an affectionate version of “the brazilian way”. Everyone here is basically born in a fractal of stuff whose real world usage does not reflect its ideal purpose, to the point that it is IMHO what makes us creative and cunning.

                                                1. 3

                                                  Monarchy is government but one can argue that historically it was not meant to protect people…

                                                  Well, monarchy was actually a simple protection racket. It enabled a significant growth of the agricultural society through stabilization of violent power — no raids, just taxes.

                                                  We can say that the “platonic ideal of a pure and honest government” is to protect people…

                                                  That’s unreasonable. Establishment of a democratic government is just a consensus seeking strategy of its electorate. A move from a simple racket to a rule of law that is a compromise of various interests.

                                                  In feudalism, people choose other people to follow. In democracy, people choose policies to enact. Both systems are very rough and fail in various ways, but democracy has evolved because it just makes more people a lot less unhappy than an erratic dictator ever can.

                                                  … people will have their own agendas which might not include protecting other people or even obeying the laws they’ve passed…

                                                  You seem to be alienated from the political process and perceive your government as something that is not actually yours to establish and control. That’s a very dangerous position for you to take, since government has a monopoly on violence. Of course others won’t take you automatically into consideration. That’s what you do every time you do virtually anything — you never take the full situation into account.

                                                  But you just can’t quite ditch the government… otherwise your neighbor might try building a nuclear reactor using whatever he got from the Russians, which is something you (and perhaps a few other neighbors) might be against. Then on the other hand, he might convince a few others that the energy will be worth it… so you meet up, decide on some rules that will need to be followed so as to prevent an armed conflict and in the end, some who originally opposed the project might even join it to ensure its safety and everyone will benefit from the produced energy.

                                                  1. 5

                                                    Friend, let’s agree to disagree. What you say does make sense, I am not saying you’re talking bullshit or anything like that, on the contrary, I find your arguments plausible and completely in tune with what I’ve learned at the university buuuuut my own country has been a monarchy, an “empire”, a monarchy again, a republic, a dictatorship, a republic again, and who knows what will happen before 2018 ends.

                                                    Our experience is vastly different than what is explained above. I haven’t said we’re out of the political process, heck, I’ve organized demonstrations, helped parties I was aligned with, entered all the debates I could long ago, I was a manager for a social program, and am married to an investigative journalist. I am no stranger to political processes, but it is a very simplistic approach to say “(…) your government as something that is (…) yours to establish and control”; this sidesteps all the historical process of governments here and how the monopoly of violence is used by the powerful (which might or might not be the actual government) with impunity on anyone who tries to pull government onto a different path. A couple of weeks ago, one of our councilwomen was executed by gunshots to her car (where a friend of mine was as well, as she worked for her), killing our rising star politician and the driver, and forever traumatizing my friend. I have tons of stories about people dying while trying to change things. Talking about the root of feudalism is meaningless to whatever is happening today. Today people die for defending human rights here (and elsewhere).

                                                    Academic and philosophical conversations about the nature and contracts of government are awesome but please, don’t think this shit is doable, lots of people here died trying to improve the lives of others. I don’t know if you’ve ever been to a place like here, those conversations don’t really apply (we still have them though).

                                                  2. 1

                                                    I do think it’s important for people to have the power to keep the government accountable. Without checks and balances the government looks after its own interests as opposed to those of its constituents.

                                                2. 7

                                                  I clicked on your profile absolutely certain that you’d be from Brazil. Now I’m kinda depressed I was right.

                                                  1. 4

                                                    Can spot a Brazilian from miles away right? Don’t know if I laugh or cry that we’re so easy to recognize through our shared problems.

                                                  2. 3

                                                    I can feel your pain (and I admire your courage for talking in a public space about the issues you see in your government).

                                                    But @Yogthos is right: we should not be afraid of our governments, at least not of democratic ones.

                                                    In democracy the government literally exists to serve people. If it doesn’t, it’s not a democracy anymore.

                                                    1. 3

                                                      @soapdog @yogthos @dz This is an interesting discussion for me (though not appropriate for lobste.rs). Any interest in discussing this together, say over email or something else. I’ve always wanted to discuss this topic of government vs individual corporations but it’s a complex subject and hard to keep devolving into a bar-fight.

                                                      1. 0

                                                        Change the name then, not the definition of what it is.

                                                      2. 2

                                                        Shouldn’t governments primarily govern? For whatever reason, but usually something along the lines of “the common good” or “to protect (individual) rights”? But sometimes sadly also in the interests of the more powerful in society…

                                                        1. 0

                                                          Why do you believe that is the purpose of governments? Can you imagine a situation where something recognized as a government doesn’t protect its citizens in some cases?

                                                          Is the government supposed to protect you if you put your hand in a garbage disposal, slip in the shower, or attempt suicide?

                                                        2. 11

                                                          Governments aren’t there to protect you.

                                                          They’re definitely there to protect us. However, they’re also their own separate entity. They’re also a group of ambitious, often-lying people with a variety of goals. They can get really off track. That’s why the folks that made the U.S. government warned its people needed to be vigilant about it to keep it in check. Then, its own agents keep the individuals or businesses in check. Each part does its thing with discrepancies corrected by one of the others hopefully quickly. The only part of this equation failing massively is the people who won’t get the scumbags in Congress under control. They keep allowing them to take bribes for laws or work against their own voters. Fixing that would get a lot of the rest in line.

                                                          We have seen plenty of protection of individuals by laws, regulations, and courts, though. Especially whenever safety is involved. In coding, the segment with highest-quality software on average right now is probably the group certifying to DO-178B for use in airplanes since it mandates lots of activities that reduce defects. They do it or they can’t sell it. The private sector’s solution to the same problem was almost always to lie about safety while reducing liability with EULA’s or good legal teams. They didn’t produce a single, secure product until regulations showed up in the Defense sector. For databases, that wasn’t until the 1990’s with just a few products priced exorbitantly out of greed. Clearly, we need a mix of private and public action to solve some problems in the marketplace.

                                                          1. 0

                                                            Governments shouldn’t impose speed limits, people should just drive at reasonably safe speeds.

                                                            Just because a particular behaviour might be most beneficial to a person, does not mean they will do it. Because consumers’ behaviour has not changed (and will not), this type of surveillance has proliferated to the point it’s nearly impossible to escape, even for the most dedicated privacy advocate.

                                                            1. 2

                                                              Funny you should mention that…the setting of speed limits to drive revenue irrespective of actual engineering and human factors is pretty well documented at this point.

                                                        3. 5

                                                          For public utility, it is fine to restrict the collection and usage of personal data. But for private corporations, the private individuals should be able to decide for themselves if giving a corporation access to your entire search history for wifi access at the coffee shop is worth it.

                                                          But that’s precisely what fails when dealing with Facebook et al, isn’t it?

                                                          No matter how assiduously you or I might refuse to sign up for Facebook and its ilk, block their tracking scripts, refuse to upload our photos, our text messages, our data – other people sign up for these things, and give these services permission to index their photos and text message logs etc, and Facebook builds a comprehensive shadow profile of you and I anyways.

                                                          There is no avoiding or opting out of this short of opting out of all human contact, at this point, and the “simple”-sounding solution of “let every individual decide for themselves!” completely fails to engage with the collective consequences that everyone is losing privacy regardless of what decision they make individually.

                                                          When your solution doesn’t engage with reality, it’s not useful.

                                                          1. 4

                                                            But for private corporations, the private individuals should be able to decide for themselves if giving a corporation access

                                                            This will be true when everybody will be able to program and administrate a networking system.

                                                            That’s the only way people can understand what they are giving and for what.

                                                            Till then, you must protect them from people who use their ignorance against them.

                                                            1. 1

                                                              You can’t protect people from their own ignorance, long-term, except by education.

                                                              1. 3

                                                                You have to. No citizen can foresee the effects of all their actions. The technology we use today is too complicated to understand all of it.

                                                                That’s why generally everything needs to be safe by default.

                                                                1. 3

                                                                  The technology we use today is too complicated to understand all of it.

                                                                  The entire field of engineering is predicated on being able to do things without understanding how they work. Ditto beer brewing, baking, cooking, and so forth.

                                                                  That’s why generally everything needs to be safe by default.

                                                                  Bathtubs are not safe by default. Kitchen knives are not safe by default. Fire is not safe by default. Even childbirth isn’t safe by default, and you’d think that would’ve been solved generations ago by evolution.

                                                                  No citizen can foresee the effects of all their actions.

                                                                  Then why would we trust policies enacted by a handful of citizens deemed able to create laws any more than individual citizens making their own decisions? That’s a far riskier proposition.

                                                                  ~

                                                                  We can’t make the world safe for people that won’t learn how to be safe, and efforts to do so harm and inhibit everybody else.

                                                                  1. 6

                                                                    The entire field of engineering is predicated on being able to do things without understanding how they work. Ditto beer brewing, baking, cooking, and so forth. … You can’t protect people from their own ignorance, long-term, except by education.

                                                                    Try buying an oven that will spontaneously catch fire just by being on. It’s going to be complicated, because there are mandatory standards. And it’s a good thing they are this reliable, right? Leaves us time to concentrate on our work.

                                                                    Then why would we trust policies enacted by a handful of citizens deemed able to create laws any more than individual citizens making their own decisions? That’s a far riskier proposition.

                                                                    Because a lot of shouting from many sides went into the discussions before the laws were enacted. Much like you discuss your network infrastructure policies with your colleagues instead of just rewiring the DC as you see fit every once in a while.

                                                                    1. 3

                                                                      The entire field of engineering is predicated on being able to do things without understanding how they work. Ditto beer brewing, baking, cooking, and so forth.

                                                                      No.

                                                                      Engineering is about finding solutions by using every bit of knowledge available.

                                                                      Ignorance is an enemy to fight or work around, but for sure it’s not something to embrace!

                                                                      That’s why generally everything needs to be safe by default.

                                                                      Bathtubs are not safe by default. Kitchen knives are not safe by default. Fire is not safe by default. Even childbirth isn’t safe by default, and you’d think that would’ve been solved generations ago by evolution.

I agree that we should work to make programming common knowledge, like reading and writing, so that everyone can build their computing environment as they like.

And to those who say it’s impossible, I’m used to objecting that they can read, write and count just because someone else, centuries before, said “no, it’s possible to spread this knowledge and we have the moral duty to spread it”.

But all your examples are wrong.

                                                                      They are ancient technologies and techniques that are way simpler than programming: humans have learnt to master them and teach each generation how to do so.

                                                                      We have to protect people.

                                                                      The states and laws can help, but the first shield of the people against the abusive use of technology are hackers.

                                                                      We must spread our knowledge and ethics, not exploit the ignorance of others for a profit.

                                                              1. 2

                                                                You can edit user.js which has the same format. Modifications to prefs.js will be overwritten.

                                                                1. 1

                                                                  Oh right :)

                                                              1. 7

                                                                One wonders why not just, say, use JSON for this.

                                                                1. 24

                                                                  I believe the prefs format predates JSON (or at least JSON’s popularity), and changing it now is a non-starter as it would break everyone’s user preferences. Even this changeset whose only backwards incompatible changes were fixing some glaringly obvious bugs caused some reports of failing CI around the web.

                                                                  We could try to migrate prefs files to a new format, but that would be a high risk/low reward operation.

                                                                  1. 5

                                                                    We could try to migrate prefs files to a new format, but that would be a high risk/low reward operation.

                                                                    I wish you folks would do that. :(

                                                                    1. 19

                                                                      Would you volunteer to respond to all the breakage reports it might cause?

I may sound bitter now, but when a maintainer says something is too hard/risky, and a random user replies with “yeah, you should do it anyway” disregarding who it is that’s going to deal with the problems, it’s just utterly disrespectful.

                                                                      1. 17

                                                                        Respect doesn’t enter into it–hell, I even agree with the assessment that the work is high-risk/low-reward…then again, I feel the proposed fix has some of the same issues. Like, the parser has worked well-enough that refactoring is maybe not a good use of time.

                                                                        If the decision is made “We must refactor it”, then it makes sense to go one step further and fix the underlying file format anyways. Then again, Mozilla has a history of derping on file formats.

                                                                        As for “all of the breakage reports it might cause”, given that the docs themselves discourage direct editing of files, it would seem that there probably isn’t a huge amount of breakage to be concerned about. Further, if the folks are clever enough to write a neat parser for the existing format, I’m quite sure they’re clever enough to write a tool that can correctly convert legacy config files into a new thing.

(And again, it’s common advice that there are no user-serviceable parts inside good chunks of it, because it’s a derpy file format.)

                                                                        Like, just to hammer this home, here is the format of a prefs.js file:

                                                                        # Mozilla User Preferences
                                                                        
                                                                        /* Do not edit this file.
                                                                         *
                                                                         * If you make changes to this file while the application is running,
                                                                         * the changes will be overwritten when the application exits.
                                                                         *
                                                                         * To make a manual change to preferences, you can visit the URL about:config
                                                                         */
                                                                        
                                                                        user_pref("accessibility.typeaheadfind.flashBar", 0);
                                                                        user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1520626265);
                                                                        user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1520626385);
                                                                        user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1520640065);
                                                                        user_pref("app.update.lastUpdateTime.experiments-update-timer", 1520626145);
                                                                        user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1520626025);
                                                                        user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1520625785);
                                                                        user_pref("app.update.lastUpdateTime.telemetry_modules_ping", 1520625905);
                                                                        user_pref("app.update.lastUpdateTime.xpi-signature-verification", 1520626505);
                                                                        
                                                                        <snip>
                                                                        

                                                                        There is no reason that this shouldn’t be in a sane file format (read: JSON). This could be accomplished with a conversion tool, and gracefully deprecated.

                                                                        Edit:

                                                                        It even already contains JSON!

                                                                        user_pref("browser.onboarding.tour.onboarding-tour-performance.completed", true);
                                                                        user_pref("browser.pageActions.persistedActions", "{\"version\":1,\"ids\":[\"bookmark\",\"bookmarkSeparator\",\"copyURL\",\"emailLink\",\"sendToDevice\",\"pocket\",\"screenshots\"],\"idsInUrlbar\":[\"pocket\",\"bookmark\"]}");
                                                                        user_pref("browser.pagethumbnails.storage_version", 3);
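As an added illustration of the conversion tool mentioned above (this is example code written for this thread, not Mozilla’s parser or any project code), here is a small converter that reads the prefs.js format as quoted in the comment and emits JSON. It assumes the file consists of `#` header lines, `/* ... */` block comments and `user_pref("name", value);` entries whose value is an integer, `true`/`false` or a double-quoted string with JavaScript-style escapes; the sample input is constructed and modelled on the excerpt, not taken from a real profile.

```python
"""Convert a Mozilla prefs.js file into JSON (added example, not Mozilla code)."""
import json
import re

# Constructed sample modelled on the prefs.js excerpt quoted in the thread.
# The last entry is deliberately a duplicate to show that later lines win.
SAMPLE_PREFS_JS = r'''# Mozilla User Preferences

/* Do not edit this file.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 */

user_pref("accessibility.typeaheadfind.flashBar", 0);
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1520626265);
user_pref("browser.onboarding.tour.onboarding-tour-performance.completed", true);
user_pref("browser.pageActions.persistedActions", "{\"version\":1,\"ids\":[\"bookmark\",\"pocket\"]}");
user_pref("example.quoted", "say \"hi\"\tthen \u00e9");
user_pref("example.negative", -5);
user_pref("example.negative", -7);
'''

_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)

# A double-quoted literal: any run of non-quote, non-backslash characters or
# backslash-escaped pairs. Used for both the pref name and string values.
_STRING = r'"(?:[^"\\]|\\.)*"'
_ENTRY_RE = re.compile(
    r'^user_pref\(\s*(' + _STRING + r')\s*,\s*'
    r'(true|false|-?\d+|' + _STRING + r')\s*\)\s*;$'
)

_SIMPLE_ESCAPES = {"\\": "\\", '"': '"', "'": "'", "n": "\n", "r": "\r", "t": "\t"}
_HEX = "0123456789abcdefABCDEF"


def _unescape(literal):
    """Decode a quoted literal, handling simple escapes plus \\xHH and \\uHHHH.
    Unknown escapes raise rather than being passed through silently."""
    body = literal[1:-1]
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling backslash in %r" % literal)
        esc = body[i + 1]
        if esc in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[esc])
            i += 2
        elif esc in ("x", "u"):
            width = 2 if esc == "x" else 4
            digits = body[i + 2:i + 2 + width]
            if len(digits) != width or not all(c in _HEX for c in digits):
                raise ValueError("bad \\%s escape in %r" % (esc, literal))
            out.append(chr(int(digits, 16)))
            i += 2 + width
        else:
            raise ValueError("unknown escape \\%s in %r" % (esc, literal))
    return "".join(out)


def _decode_value(token):
    """Map the matched value token to a Python bool, int or str."""
    if token == "true":
        return True
    if token == "false":
        return False
    if token.startswith('"'):
        return _unescape(token)
    return int(token)


def parse_prefs(text):
    """Return {name: value}. Later entries for the same name override earlier
    ones. Any line that is not blank, a comment or a well-formed entry raises
    ValueError with its line number, so malformed input is never dropped silently."""
    # Replace block comments with the same number of newlines so that the
    # line numbers reported in errors still match the original file.
    stripped = _BLOCK_COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    prefs = {}
    for lineno, raw in enumerate(stripped.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError("line %d: not a user_pref entry: %r" % (lineno, raw))
        prefs[_unescape(m.group(1))] = _decode_value(m.group(2))
    return prefs


def prefs_to_json(text):
    """Convert prefs.js text to an indented JSON document with sorted keys."""
    return json.dumps(parse_prefs(text), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(prefs_to_json(SAMPLE_PREFS_JS))
```

String values that already hold JSON (like `browser.pageActions.persistedActions`) come out as plain strings that `json.loads` can parse again, so nothing is double-decoded.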
                                                                        
                                                                        1. 7

                                                                          No disrespect taken :)

                                                                          For the record, I agree a standard format would be better. Also for the record I’ve never even looked at the prefs code before, so my statement was coming more from experience knowing how much the tiniest changes can blow up on the scale of the web.

                                                                          You never know, maybe we’ll support JSON and the legacy format at some point, but that smells like it might be unnecessary complexity to me.

                                                                          1. 2

You said unnecessary complexity. Normally, I’d either say that’s a good thing or suggest a simple subset if it’s something like JSON. If Firefox already supports JSON, wouldn’t there already be a component included that could be called to handle it? Is that inaccessible? Or does it suck so much it’s worth rolling and including one’s own parser that’s not a cleaned-up subset of JSON? Just curious given Firefox is an older, big project.

                                                                            1. 5

                                                                              The pref parser is a small isolated module, so I don’t think it would be technically difficult to implement (bear in mind I’m not familiar with it at all).

The complexity I’m referring to was more around UX, maintenance, and support that come with providing two different ways of doing the same thing.

                                                                        2. 2

                                                                          ““yeah, you should do it anyway” disregarding who is it that’s going to deal with problems, it’s just utterly disrespectful.”

                                                                          Bringing up respect and morals when a FOSS project uses non-standard formats instead of standard ones that already existed with tooling people could’ve used? And that definitely would need extra work or fixes later? I doubt they were thinking of morality when they did it. More like “Let’s implement this feature the way I feel like doing it with my preferences and constraints right now.” Kind of a similar mindset to many people asking them for changes.

                                                                          A better question would be, “Is replacing non-standard stuff in the browser with well-supported, standardized stuff worth the effort to fix the breakage?” In this case, I’m not sure without knowing more specifics. The general answer for file formats is “Yes wherever possible for interoperability and ecosystem benefits.”

                                                                          1. 6

                                                                            non-standard formats instead of standard ones that already existed with tooling people could’ve used

                                                                            That’s untrue, the grandparent comment mentions this probably predates JSON’s popularity.

Edit: Yeah, the bug itself is 17 years old, and the prefs format is probably older. Wikipedia says “Douglas Crockford originally specified the JSON format in the early 2000s;”, which means that at best the prefs format came around the same time Crockford first specified it, and at worst it probably came into being a couple of years earlier.

                                                                            1. 1

                                                                              Good thinking on the history. I did say “standard formats,” not JSON. Before JSON, the formats I used included LISP-style sexprs for easy parsing, Sun’s XDR, ASN.1, and XML. I also hoped simpler ones gaining popularity would lead to secure or verified implementations. That was effortless for LISP-based syntax with Galois doing a verified ASN.1 later. Most went with the overcomplicated formats or hand-rolled their own each with problems. For XML, I found I could just use a subset of it close to basic HTML tags that made it easier for someone to convert later with standard or customer tooling.

                                                                              So, those were among alternative approaches back in those days that many projects were taking. Except LISP syntax which only LISPers were using. ;)

                                                                    2. 3

                                                                      Or Toml, since that’s Rust’s go-to data markup language.

                                                                      1. 4

                                                                        That’d be just a little too cute.

                                                                    1. 23

                                                                      GitHub URLs are pretty badly designed.

                                                                      For example, /contact is their contact page, and /contactt is a user profile.

Apparently, there’s a hardcoded list of “reserved words” in the code, and when someone adds a new feature, they add the word/path segment there and check that it’s not taken by a user.

                                                                      So it could perhaps be the case that they’re adding some feature related to malware?

                                                                      1. 13

                                                                        That could very well be the case – and I’d be totally fine with that. I understand being coded into a corner, and wanting to fix things for the greater good at the expense of a few users.

                                                                        I just can’t figure out why, for the sake of “privacy and security”, they don’t want to tell me.

                                                                        1. 16

                                                                          I think this is absurd behavior on GitHub’s part, and you’re right to be upset by it.

                                                                          Since you do seem curious, I have a guess why they’re being so evasive, and it’s pretty simple: They’re a large organization. The person you’re talking to would probably need to get approval from both legal and PR teams to tell you about their product plan before it’s launched. I have no information on how busy GitHub’s lawyers and PR people are, but I would expect an approval like that to take a few weeks. Based on what they told you about the timeframe, it sounds like they want to launch their feature sooner than that.

                                                                          What I’d really like to know is whether this is a one-off, or whether they’ve done it to other people before. It seems like their URL scheme will require it pretty frequently…

                                                                          1. 7

                                                                            The person you’re talking to would probably need to get approval from both legal and PR teams to tell you about their product plan before it’s launched.

                                                                            Which is why I didn’t single out the support representative that contacted me; they clearly were not in the decision process for any of this, and I don’t want to cause them any undue grief/trouble past my first email reply asking for clarification.

To be clear: I don’t really care about the malware username, other than it’s a pretty cool name. I’m more interested in the reason behind the forced rename.

                                                                            Lots of people (read: salty News of Hacker commenters) say it’s obvious (wanting to reserve the /malware top level URL) and call me dumb for even asking, but no one has given me any evidence other than theories and suppositions. Which is great! I love thinking and hypothesizing.

                                                                            1. 5

                                                                              I don’t have any documented evidence other than anecdotal, but when I worked at a similar company with an almost identical URL structure this was one of the hardest parts of launching a new top level feature. It turns out recognizable words make for good usernames… so it’s almost impossible to find one that’s still available when working on a new feature. The choice ends up being between picking a horrible URL or displacing one user to make it easier to find.

                                                                              It’s also worth noting that GitHub has a habit of being very secretive about what they’re working on - it’s almost impossible to get information about known bugs which have been reported before, let alone information about a potential new feature.

                                                                              I would be willing to bet that this is being done for something we’ll hear about in the next year or two.

                                                                        2. 11

                                                                          We made a team that was just the unicode pi symbol and GitHub assigned us the url /team/team.

                                                                          1. 4

                                                                            That’s a great unicode hack.

                                                                          2. 11

                                                                            The curse of mounting user paths directly to /. When in doubt, always put a namespace route on it.

                                                                            1. 6

                                                                              That was my thought as well. I would imagine they want it as a landing page for some new feature or product.

                                                                            1. 3

This is such a crucial plugin. I absolutely hate reading through all the cruft just to get the recipe. It’s a shame I don’t use Chrome as my daily driver, but I do appreciate you for making this.

                                                                              1. 3

                                                                                What browser are you using most often to look at recipes? I was thinking about porting to FF if there’s traction on this one.

                                                                                edit: ok fellas, you talked me into it, I’ll work on a FF plugin this weekend

                                                                                1. 4

                                                                                  I’ll add a second request for FF support, it’s easier than ever these days as they both use web extensions: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Porting_a_Google_Chrome_extension

                                                                                  1. 3

                                                                                    Yep, I’m a Firefox user. I think there’s enough of us now to make it worth your while. I would offer a helping hand but I have never made a browser extension so I don’t think I’d be much help.

                                                                                    1. 2

                                                                                      I also use firefox and would be interested in this extension.

                                                                                  1. 11

                                                                                    I think I would have preferred the source code….

                                                                                    1. 3

                                                                                      I could go either way on this. On the one hand, our intellectual property laws are horrible, and the game is 20 yrs old, so who cares?

                                                                                      But, on the other, I’d be pissed if I lost my camera and someone decided to dump the contents on imgur.

                                                                                      I think the reason there is any debate around this is because the owner is a giant, and successful game corporation, which seemingly has nothing to lose from sharing the source. But if that were actually true, why wouldn’t they on their own terms?

                                                                                      1. 9

                                                                                        Many game publishers would rather have their game rot into obscurity and make no profits than share the code. Abandonware is so common these days. I think it’s mostly rooted in a bad theoretical perspective of how the software market works.

                                                                                        1. 2

                                                                                          According to an IP lawyer friend of mine, software companies are often afraid that if their source gets out it will more likely be discovered that they accidentally infringed someone else’s IP in ways they weren’t even aware of.

                                                                                          1. 1

                                                                                            This is the reason for most of the NDA’s in the hardware industry. It’s a patent minefield. Any FOSS hardware might get taken down. I don’t know as much about the software industry except that big players like Microsoft and Oracle patent everything they can. A quick Google looking for video game examples got me this article. Claims included in-game directions, d-pad, and unlocking secrets but I haven’t vetted this article’s claims by reading the patents or anything.

                                                                                          2. 1

                                                                                            Many game publishers would rather have their game rot into obscurity and make no profits than share the code.

I think it comes down to one thing, actually: Do you believe in the betterment of society (sharing), or do you believe in maximizing profits (greed)? In the last 20 years, we’ve seen this go from strictly white and black, to a full color spectrum. Blizzard, even Microsoft, are somewhere in the middle, but neither of them have shared much of their core, profit-producing products.

                                                                                            I think it’s mostly rooted in a bad theoretical perspective of how the software market works.

                                                                                            Can you clarify a bit? I think what you’re saying might be similar to what I’m thinking… that the media industries have not yet adapted from “copies” sold as a metric of success, despite tons of evidence and anecdotes suggesting other ways to success.

                                                                                            1. 1

                                                                                              We’re saying the same thing yes. It’s hard for businesses to realize that price discrimination can go down to $0 and you can still make a hearty profit.

                                                                                          3. 1

                                                                                            I bet there’s a lot of code in there that’s still heavily used in their games today, so probably not accurate to say they have nothing to lose.

                                                                                            1. 1

                                                                                              One would imagine! Though, the engines of 1998 vs. the engines of 2018 have probably changed quite significantly.

                                                                                        1. 25

                                                                                          I think ads are the worst way to support any organization, even one I would rate as highly as Mozilla. People however are reluctant to do so otherwise, so we get to suffer all the negative sides of ads.

                                                                                          I just donated to Mozilla with https://donate.mozilla.org, please consider doing the same if you think ads/sponsored stories are the wrong path for Firefox.

                                                                                          1. 14

                                                                                            Mozilla has more than enough money to accomplish their core task. I think it’s the same problem as with Wikimedia; if you give them more money, they’re just going to find increasingly irrelevant things to spend it on. Both organizations could benefit tremendously from a huge reduction in bureaucracy, not just more money.

                                                                                            1. 9

                                                                                              I’ve definitely seen this with Wikimedia, as someone who was heavily involved with it in the early years (now I still edit, but have pulled back from meta/organizational involvement). The people running it are reasonably good and I can certainly imagine it having had worse stewardship. They have been careful not to break any of the core things that make it work. But they do, yeah, basically have more money than they know what to do with. Yet there is an organizational impulse to always get more money and launch more initiatives, just because they can (it’s a high-traffic “valuable” internet property).

                                                                                              The annual fundraising campaign is even a bit dishonest, strongly implying that they’re raising this money to keep the lights on, when doing that is a small part of the total budget. I think the overall issue is that all these organizations are now run by the same NGO/nonprofit management types who are not that different from the people who work in the C-suites at corporations. Universities are going in this direction too, as faculty senates have been weakened in favor of the same kinds of professional administrators. You can get a better administration or a worse one, but barring some real outliers, like organizations still run by their idiosyncratic founders, you’re getting basically the same class of people in most cases.

                                                                                            2. 21

                                                                                              So Mozilla does something bad, and as a result I am supposed to give it money?? Sorry, that doesn’t make any sense to me. If they need my money, they should convince me to donate willingly. What you are describing is a form of extortion.

                                                                                              I donate every month to various organizations; EFF, ACLU, Wikipedia, OpenBSD, etc. So far Mozilla has never managed to convince me to give them my money. On the contrary, why would I give money to a dysfunctional, bureaucratic organization that doesn’t seem to have a clear and focused agenda?

                                                                                              1. 9

                                                                                                They may be a dysfunctional bureaucratic organisation without a focused agenda (wouldn’t know as I don’t work for it) which would surely make them less effective, but shouldn’t the question instead be how effective they are? Is what they produce a useful, positive change and can you get that same thing elsewhere more cost-effectively?

                                                                                                If I really want to get to a destination, I will take a run-down bus if that is the only transport going there. And if you don’t care about the destination, then transport options don’t matter.

                                                                                                1. 17

                                                                                                  They may be a dysfunctional bureaucratic organisation without a focused agenda (wouldn’t know as I don’t work for it) which would surely make them less effective, but shouldn’t the question instead be how effective they are? Is what they produce a useful, positive change and can you get that same thing elsewhere more cost-effectively?

I am frequently in touch with Mozilla and while I sometimes feel like fighting with windmills, other parts of the org are very quick moving and highly cost effective. For example, they do a lot of very efficient training for community members like the open leadership training and the Mozilla Tech Speakers. They run MDN, a prime resource for web development and documentation. Mozilla Research has a high reputation.

Firefox in itself is in constant rebuild and is developed. MozFest is one of the best conferences you can go to in this world if you want to speak tech and social subjects.

                                                                                                  I still find their developer relationship very lacking, which is probably the most visible part to us, but hey, it’s only one aspect.

                                                                                                  1. 9

                                                                                                    The fact that Mozilla is going to spend money on community activities and conferences is why I don’t donate to them. The only activity I and 99% of people care about is Firefox. All I want is a good web browser. I don’t really care about the other stuff.

                                                                                                    Maybe if they focused on what they’re good at, their hundreds of millions of dollars of revenue would be sufficient and they wouldn’t have to start selling “sponsored stories”.

                                                                                                    1. 18

                                                                                                      The only activity I and 99% of people care about is Firefox.

                                                                                                      This is a very easy statement to throw around. It’s very hard to back up.

Also, what’s the point of having a FOSS organisation if they don’t share their learnings? This whole field is fresh and we have maintainers hurting left and right, but people complain when organisations do more than just code.

                                                                                                      1. 6

To have a competitive web browser we can trust plus exemplary software in a number of categories. Mozilla could’ve been building trustworthy versions of useful products like SpiderOak, VPN services, and so on. Any revenue from business licensing could get them off ad revenue more over time.

Instead, they waste money on lots of BS. Also, they could do what I say plus community work. It’s not either or. I support both.

                                                                                                        1. 8

To have a competitive web browser we can trust plus exemplary software in a number of categories. Mozilla could’ve been building trustworthy versions of useful products like SpiderOak, VPN services, and so on. Any revenue from business licensing could get them off ad revenue more over time.

                                                                                                          In my opinion, the point of FOSS is sharing and I’m pretty radical that this involves approaches and practices. I agree that all you write is important, I don’t agree that it should be the sole focus. Also, Mozilla trainings are incredibly good, I have actually at some point suggested them to sell them :D.

Instead, they waste money on lots of BS. Also, they could do what I say plus community work. It’s not either or. I support both.

                                                                                                          BS is very much in the eye of the beholder. I also haven’t said that they couldn’t do what you describe.

                                                                                                          Also, be aware that they often collaborate with other foundations and bring knowledge and connections into the deal, not everything is funded from the money MozCorp has or from donations.

                                                                                                          1. 1

                                                                                                            “Also, Mozilla trainings are incredibly good, I have actually at some point suggested them to sell them :D.”

                                                                                                            Well, there’s a good idea! :)

                                                                                                        2. 3

                                                                                                          That’s a false dichotomy because there are other ways to make money in the software industry that don’t involve selling users to advertisers.

                                                                                                          It’s unfortunate, but advertisers have so thoroughly ruined their reputation that I simply will not use ad supported services any more.

                                                                                                          I feel like Mozilla is so focused on making money for itself that it’s lost sight of what’s best for their users.

                                                                                                          1. 2

                                                                                                            That’s a false dichotomy because there are other ways to make money in the software industry that don’t involve selling users to advertisers.

Ummm… sorry? The post you are replying to doesn’t speak about money at all, but what people care about?

Yes, advertising and Mozilla is an interesting debate and it’s also not like Mozilla is only doing advertisement. But flat-out criticism of the kind “Mozilla is making X amount of money” or “Mozilla supports things I don’t like” is not it.

                                                                                                          2. 3

                                                                                                            This is a very easy statement to throw around. It’s very hard to back up.

Would you care to back up the opposite, that over 1% of Mozilla’s userbase supports the random crap Mozilla does? That’s over a million people.

                                                                                                            I think my statement is extremely likely a priori.

                                                                                                            1. 1

I’d venture to guess most of them barely know what Firefox is past how they do stuff on the Internet. They want it to load up quickly, let them use their favorite sites, do that quickly, and not toast their computer with malware. If on a mobile tablet, maybe add not using too much battery. Those probably represent most people on Firefox along with most of its revenue. Some chunk of them will also want specific plugins to stay on Firefox but I don’t have data on their ratio.

                                                                                                              If my “probably” is correct, then what you say is probably true too.

                                                                                                          3. 5

                                                                                                            This is a valid point of view, just shedding a bit of light on why Mozilla does all this “other stuff”.

                                                                                                            Mozilla’s mission statement is to “fight for the health of the internet”, notably this is not quite the same mission statement as “make Firefox a kickass browser”. Happily, these two missions are extremely closely aligned (thus the substantial investment that went into making Quantum). Firefox provides revenue, buys Mozilla a seat at the standards table, allows Mozilla to weigh in on policy and legislation and has great brand recognition.

                                                                                                            But while developing Firefox is hugely beneficial to the health of the web, it isn’t enough. Legislation, proprietary technologies, corporations and entities of all shapes and sizes are fighting to push the web in different directions, some more beneficial to users than others. So Mozilla needs to wield the influence granted to it by Firefox to try and steer the direction of the web to a better place for all of us. That means weighing in on policy, outreach, education, experimentation, and yes, developing technology.

                                                                                                            So I get that a lot of people don’t care about Mozilla’s mission statement, and just want a kickass browser. There’s nothing wrong with that. But keep in mind that from Mozilla’s point of view, Firefox is a means to an end, not the end itself.

                                                                                                            1. 1

                                                                                                              I don’t think Mozilla does a good job at any of that other stuff. The only thing they really seem able to do well (until some clueless PR or marketing exec fucks it up) is browser tech. I donate to the EFF because they actually seem able to effect the goals you stated and don’t get distracted with random things they don’t know how to do.

                                                                                                      2. 3

                                                                                                        What if, and bear with me here, what they did ISN’T bad? What if instead they are actually making a choice that will make Firefox more attractive to new users?

                                                                                                      3. 9

The upside is that at least Mozilla is trying to make privacy respecting ads instead of simply opening up the flood gates.

                                                                                                        1. 2

                                                                                                          For now…

                                                                                                      1. 12

                                                                                                        It’s a good story, but the headline (just copied from CBC, not av’s fault!) is entirely wrong. Computer code didn’t put people in jail. An oppressive government put people in jail.

                                                                                                        1. 1

                                                                                                          I think both interpretations could be correct. The laws of the regime are wholly unethical, so I agree blame lies mostly with the government. But the Gülenists who created the link back to bylock did so knowing that innocent (in the eyes of the law) people might be incarcerated under the laws of the regime. The authors are partly culpable.

                                                                                                          Of course, “Oppressive regime throws innocents in jail” isn’t going to get as many clicks.

                                                                                                          1. 1

                                                                                                            This is an excellent point. I’m not a Turk myself, but I hate Erdogan and the Islamist political views he represents. If Turkey were within my sphere of immediate political concern (rather than a country I have no particular connection to), I could easily see myself supporting the coup attempt itself, let alone a communications app connected with it. So seeing people legally exonerated for doing something that I think ought to be completely legitimate brings me no joy.

For an analogy closer to home, imagine that this article was about people trying desperately to prove that they were being falsely accused of using Gab, because their jobs were at stake.

                                                                                                          1. 2

                                                                                                            The only thing I’m undecided about is tagging as a prefix for the title. Examples:

                                                                                                            Refactor: moves foo into bar

                                                                                                            Frontend: handle frobnicator requests

                                                                                                            1. 2

                                                                                                              I like to tag when I have a large(ish) commit series that spans multiple modules. It helps me (and others) identify at a glance which commit is modifying what. Though this approach only makes sense if you have embraced micro-commits.

                                                                                                              That said, I don’t think I would ever tag something as ‘refactor’. To me that’s just something that should be in the message itself.

                                                                                                            1. 6

                                                                                                              One of the biggest differences is design philosophy. Like you noticed, mercurial is much simpler than git by default. This is largely because many of the features are hidden behind extensions (built-in or otherwise) or config options. Mercurial, when configured for it, is every bit as powerful as git.

                                                                                                              Concepts I’d highly recommend familiarizing yourself with are: DAG, phases, revsets, templates, changeset evolution

                                                                                                              Built-in extensions I recommend include: rebase, purge, pager, shelve, show, color, progress, histedit, fsmonitor

                                                                                                              External extensions: evolve (this is an official one, highly recommended), absorb, bookbinder

                                                                                                              I sort of liken hg to vim and git to atom. Tweaking mercurial to your liking takes a lot of time and effort, but is well worth the effort in the long run.

                                                                                                              1. 7

                                                                                                                What hg calls “branches” are entirely different from git branches. They are generally meant to be permanent, and shouldn’t be used if no one else would ever want to pull them in. A good application of hg branches, would be to have a “dev” branch that merges into the “stable” branch from time to time.

                                                                                                                From here on out, when I say “branch” I mean it in the sense of a git branch.

                                                                                                                People often say “bookmarks” are the equivalent of git branches, but this is a bit misleading. Bookmarks are, very simply, a tag that automatically updates when it is activated and you make a new commit. A bookmark only knows the direct commit it is applied to, nothing more.

                                                                                                                So how do you create a “git-like” branch in mercurial? You update to any non-head revision and commit. This creates a new (unnamed) branch on the DAG. You can see it by running hg log -G, or better hg show work (after enabling the show extension in your hgrc). All bookmarks do are add a string label to these unnamed branches which can help you track them a bit better. They are not necessary to do branching however, many of my colleagues just use revision numbers and hg show work to keep track of it all.

                                                                                                                Finally, there is an experimental feature called “topics” being developed. It’s currently packaged in the “evolve” extension, so this needs to be installed separately. I won’t go into much detail on topics here, but they can enable more “git-like” branching workflows than heads + bookmarks can.

                                                                                                                1. 4

                                                                                                                  Bookmarks are, very simply, a tag that automatically updates when it is activated and you make a new commit.

                                                                                                                  Strictly speaking, this is exactly what a git branch is too: just a ref. People use the word “branch” in git loosely, though, to refer to both the ref and the commits reachable from that ref. Actually, most of the time people use it in the latter sense without having a firm grasp that the former is all that is happening.

                                                                                                                  There are some UI ways in which git branch-refs are handled differently than hg-branches, for example, git calls a “merge” what may only be advancing a git branch-ref and has no merge-like qualities at all (i.e. no merging of files, thus no potential to resolve conflicts and certainly no merge commit). It is for this reason that hg merge does not advance bookmarks in hg and instead says that there is no merge to be done. Another UI difference is that git also has additional markers called remote branches that are another ref but one that is only moved by different parts of the UI i.e. push/pull/fetch commands.

                                                                                                                  1. 2

                                                                                                                    I’ve actually switched to describing classic Mercurial branches as “labels” to people coming from Git, and just telling them to use bookmarks and to always make a bookmark called @ when they start. That, combined with Bitbucket natively supporting obsolete markers, usually helps them get used to the Hg workflow more easily (since things like rebase now do what you’d expect and cleanly allow pushing with deprecation).

                                                                                                                  1. 5

Great rundown! The article hints at an important point in the mono vs multi debate without explicitly stating it: complexity of scale can’t be solved by your choice of vcs strategy. In either case, a sufficiently large and complicated architecture is going to require a lot of in-house tooling to ensure everything runs smoothly.

                                                                                                                    1. 34

                                                                                                                      Using the nightlies, holy poop it made me switch back to firefox.

                                                                                                                      1. 6

Same here. I actually switched to the betas when 58 started being the nightlies. Only issue for me was hangouts, but my company recently switched away from hangouts so it’s not a problem anymore.

                                                                                                                        1. 9

My issue is that WebExtensions are not as powerful as older ones. Now it’s all “chromey” in its limitations.

                                                                                                                          1. 27

                                                                                                                            This really is a good thing for privacy and security.

                                                                                                                            1. 20

                                                                                                                              Also performance and compatibility.

                                                                                                                              1. 1

                                                                                                                                I’m curious why it’s a performance win. I would think spinning up an isolated JS virtual machine for each extension would be significantly more expensive and slower than the old compiled extensions.

                                                                                                                                1. 9

Old extensions weren’t compiled. The new ones don’t get their own JS VM. Performance win here is likely by cutting off old, crufty, synchronous APIs (mostly internal, but was hard to remove if used by lots of popular addons). This is easier once you declare them legacy.

                                                                                                                                  1. 7

                                                                                                                                    It was previously the case that a poorly written add-on could slow down all facets of Firefox in general. Now that the only way to hook into Firefox’s internals are via well-defined and optimized APIs, this should happen much less often.

                                                                                                                                    1. 4

                                                                                                                                      It also allows the firefox devs to iterate quickly without worry of breaking extensions as there is a defined interface for extensions that they need to worry about.

                                                                                                                              2. 3

                                                                                                                                I have two questions about that:

                                                                                                                                One, I want the same theme capability as I’ve always had. I want Firefox to look like it does for me now, not like the stock Firefox. Is that possible?

                                                                                                                                Two, I want ad blocking and script blocking and all the other privacy-enhancing add-ons to work as well, not like they do in Chrome where the bad stuff is fundamentally still loaded, it’s just hidden at some point in the rendering cycle. Is that possible?

                                                                                                                                1. 6

                                                                                                                                  You can still manually edit userChrome.css. Complete Themes are not supported in >= 57.

                                                                                                                                  Blocked stuff is not “fundamentally still loaded”, not even in Chrome I think?!? E.g. Privacy Badger here returns {cancel: true} in an onBeforeRequest interception handler. IIRC the “just hidden” stuff is from very early days of Chrome extensions.

                                                                                                                                  1. 1

                                                                                                                                    For addons, the answer is yes. See the Privacy add-on collection or other featured extensions.

                                                                                                                                    Your look and feel question is hard to answer, without knowing what Firefox looks like to you now. :) If you insist that tabs should be round, it’s not going to be easy, but possible.

                                                                                                                                    1. 2

                                                                                                                                      I insist that tabs go below the address bar, like they did in the original Firefox and like they do now with the right add-on: https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/

                                                                                                                            1. 6

                                                                                                                              So, I guess I need to come to terms with the fact that in 2017 everybody writes using by-lines that generate the most splash. I guess I can’t fault them for that.

                                                                                                                              But I get very skeptical whenever I hear someone use the phrases “dead” or even “dying”.

                                                                                                                              I have a different conclusion - the web is one particular medium that’s well adapted to certain kinds of interactions. Big companies are trying to get beyond that and move into areas that aren’t optimized for that kind of interactivity with home assistants and the like.

                                                                                                                              The web isn’t dying at all. Sure, a few big sites are responsible for most of the traffic, and that’s fine. There still exists an incredibly rich, varied web should you care to look past the big three - this site and others like it are proof of that.

                                                                                                                              1. 5

                                                                                                                                It might be more accurate to say “at risk of dying” given the author makes a few assumptions (net neutrality, trinet), but the worst case scenario described in the article doesn’t sound all that far-fetched to me.

                                                                                                                                Sure, there will always be a small niche of people who will continue to use the web. But I think the author defines “dead” as not collectively relevant. Just like how vinyl has no relevance to modern society despite a niche of people who still collect them.

                                                                                                                                1. 3

                                                                                                                                  I started research on making a search engine for this varied web. It would not index sites serving ads and possibly e-commerce. I would like to also penalize JavaScript use, at least as an option. At the beginning I would use Adblock rulesets like EasyList: if there is a match, I do not index the site.

                                                                                                                                  I hope that this would remove most crap out there with some minor collateral damage. Also that the index would be small enough that a little fish like me could do it without massive cost or infrastructure.

                                                                                                                                  1. 1

                                                                                                                                    Do you want to penalize JavaScript use, or do you want to ignore its existence and just index what can be seen with JavaScript totally off? (Of course, some sites can be viewed with JS and CSS off, but not with JS off and CSS on; maybe you do not like that)

                                                                                                                                    1. 2

                                                                                                                                      I’m not sure.

                                                                                                                                      At least penalize: they would have a lower ranking. Maybe give the user an option to not show them. Probably for the first version not including them at all would be the simplest thing to do. Some later version could attempt to classify the JavaScript used.

                                                                                                                                      I would like it to index information first and not care much about web apps. I’m wondering if it would make sense to distribute the whole index via torrent. Then search could be done locally. But for this to make sense it would have to be on the order of, at most, tens of gigabytes. The problem would be to make updates as small as possible and also to not use a prohibitive amount of CPU time.

                                                                                                                                      I’m almost totally green in this area.

                                                                                                                                      1. 1

                                                                                                                                        I think a nice site is one that you can curl | lynx --dump without suffering. Known-bad ad/tracker networks can be grepped in between, but is checking for JS even worth it? The recommended mode of using the index is with JS completely off anyway (and if content is loaded via JS, the site will get classified as garbage with no useful content — a classification that you need even for zero-JS-carrying sites).

                                                                                                                                        In concrete terms: do you consider indexing Lobste.rs discussions a bad idea?
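Two mechanisms come up in this thread: a blocking extension handler that returns {cancel: true} from onBeforeRequest so a request is never fetched (as opposed to being loaded and then hidden), and a crawler that consults an Adblock-style ruleset to decide whether a site is worth indexing at all. The block below is an added example written for this page; it is not Privacy Badger's code, not any real extension, and not the search engine discussed above. It implements a small subset of EasyList syntax (only `||host^` domain rules and plain substring rules, which is an assumption; the real format has many more options) and uses the same matcher both as a blocking webRequest listener and as an indexing gate. All rules, URLs and the per-page resource lists are constructed sample data.

```javascript
// Added example, not from the thread. Tiny EasyList-style matcher used two ways:
//  (a) as a blocking webRequest listener (the {cancel: true} pattern), and
//  (b) as an indexing gate for a crawler that refuses pages pulling ad resources.
// Rules, URLs and page manifests below are constructed sample data.

// Subset of EasyList syntax (assumption: only these two rule kinds):
//   "||host^"  matches host and all of its subdomains
//   anything else is treated as a plain substring of the URL
// Lines starting with "!" are comments.
function parseRule(rule) {
  const r = rule.trim();
  if (!r || r.startsWith("!")) return null;
  if (r.startsWith("||")) {
    const host = r.slice(2).replace(/\^$/, "").toLowerCase();
    return { kind: "domain", host };
  }
  return { kind: "substring", text: r };
}

function compileRules(lines) {
  return lines.map(parseRule).filter(Boolean);
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ""; }
}

// Returns the first rule that matches the URL, or null.
function matchRule(url, rules) {
  const host = hostOf(url);
  for (const rule of rules) {
    if (rule.kind === "domain") {
      if (host === rule.host || host.endsWith("." + rule.host)) return rule;
    } else if (url.includes(rule.text)) {
      return rule;
    }
  }
  return null;
}

// (a) Blocking listener. In a WebExtension, returning {cancel: true} from a
// "blocking" onBeforeRequest listener drops the request before any bytes are
// fetched, which is why blocked resources are not "loaded then hidden".
function makeBlockingListener(rules) {
  return (details) => (matchRule(details.url, rules) ? { cancel: true } : {});
}

// Registers the listener only when running inside an extension; the global
// `browser` does not exist under Node, so this returns false there.
function registerIfExtension(rules) {
  if (typeof browser !== "undefined" && browser.webRequest) {
    browser.webRequest.onBeforeRequest.addListener(
      makeBlockingListener(rules),
      { urls: ["<all_urls>"] },
      ["blocking"]);
    return true;
  }
  return false;
}

// (b) Indexing gate: skip a page when any resource it references matches a
// rule. In a real crawler `page.resources` would come from parsing the fetched
// HTML (script/img/iframe src attributes); here it is constructed.
function indexDecision(page, rules) {
  const hits = page.resources.map((u) => matchRule(u, rules)).filter(Boolean);
  return { url: page.url, index: hits.length === 0, matched: hits.length };
}

const SAMPLE_RULES = compileRules([
  "! constructed sample rules in EasyList style",
  "||ads.example^",
  "||tracker.example^",
  "/banner/",
]);

const SAMPLE_PAGES = [
  { url: "https://blog.example/post",
    resources: ["https://blog.example/style.css", "https://blog.example/img/a.png"] },
  { url: "https://news.example/story",
    resources: ["https://cdn.ads.example/lib.js", "https://news.example/banner/top.jpg"] },
];

// Stand-alone run: print the crawler's verdict for each constructed page.
for (const p of SAMPLE_PAGES) console.log(JSON.stringify(indexDecision(p, SAMPLE_RULES)));
```

The domain rule deliberately matches on the parsed hostname rather than on a raw substring, so `||ads.example^` does not accidentally block `notads.example`; the substring rule is the catch-all for path patterns. For the crawler use, the decision is made from the resources a page references, which is exactly what you get from a plain fetch with JavaScript off, matching the "index what can be seen with JS totally off" approach discussed above.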

                                                                                                                                    2. 1

                                                                                                                                      I know a lot of people who would very much love such a search engine. Let us know if you actually implement this!