1. 34

    This is exactly what I thought when I heard the rumour. A lot of people were keen to tell me that “Google already dominates web standard committees”, and while this is true, it is just another symptom of the same illness.

    I understand that for a company, building a browser engine is expensive and might not be worth it, but Microsoft giving up the browser engine game means we only have one alternative to Blink/WebKit left, Mozilla Firefox. And while I am a loyal Firefox user, I can’t help but notice that year after year, our numbers get fewer.

    The web is an open platform only because we have multiple implementations of the standards. If we move to a single engine, the standard doesn’t even matter anymore, only the implementation does.

    And how long before other vendors have only a token handful of developers working on integrating Blink into their branded shells? How long before Google decides that in fact, they are altering the deal (much like they did with Android) and are moving the new parts into proprietary extensions that can only be used with Google’s approval? How long before they make it impractical to use any Blink based engine without phone home circuitry or without logging in to an account linked to their wider ecosystem? Having a single entity control both the user agent and the major services puts the user in a much weaker position to resist such pressures.

    Google has already shown they are changing from the “do no evil” company they at least pretended to be a decade ago. They have also shown they will not shy away from requiring their browser for certain features of their services (for a while, you could not make calls in Hangouts without Chrome).

    But regardless of whether you believe Google will betray the public interest, do we really want to put all our eggs in the same basket, no matter who owns the basket?

    1. 19

      The web standards are baroque, the process byzantine, and the implementations often dumb.

      This is the future we deserve, given the choices we failed to contest and the horses we decided to trade.

      1. 3

        When Google said it’s time to kill IE6 (2010), I was still using a browser without javascript support for my daily browsing. The web was quite usable. That started to change pretty soon after, and the experience got miserable due to the number of sites that would just not work any longer. When I complained, people just told me to fuck off.

        I don’t think I ever had a real chance to contest.

        1. 2

          Similar experiences here, and the state of noscript web is not much to celebrate. Most of my spare time is spent getting rid of as much ‘web’ (!= internet) as possible from the everyday of my life; admittedly thwarted by an increased forced dependence on e-gov here for basic infrastructure.

          The current browser/javascript management setup I have settled on is basically a set of “volatile” nodes on AlpineLinux (config system fits this purpose well) that pre-boots into a ‘one-time use’ / PXE chrome instance. “spawning a tab” means remoting into one of the nodes and when the connection is severed, the node reboots. Suspicious crashes get collected for later study.

        2. 2

          Google is going to forge ahead with technologies that improve their products with or without standards. The result of more stringent standards would be a browser that supports cool new features that no other browser does, resulting in a monoculture anyway.

          1. 5

            Time, then, to disband the w3c, since its job is apparently to describe Chrome’s features.

            1. 4

              To be brutally honest, the W3C has always seemed a little silly as a standards body.

              They started out chasing the browsers, and they’re still chasing the browsers. There was that little period with HTML5/XForms/XHTML where it looked like they were going to create their own thing, but the browsers ignored them, so they went back to standardizing the existing behavior.

        3. 12

          we only have one alternative to Blink/WebKit left

          It doesn’t make any sense to me to lump together Blink and WebKit like this. One may be a fork of the other, but they’re controlled by separate companies that have, at best, wary attitudes toward each other. The fact that they share code is irrelevant when we’re talking about the danger of a web-engine monoculture.

          How long before Google decides that in fact, they are altering the deal (much like they did with Android) and are moving the new parts into proprietary extensions that can only be used with Google’s approval?

          I agree that this is a danger, although it seems like it would be way easier to resist bad Blink changes via the “lazy dev’s fork” of simply continuing to use the older version. If worse came to worst the community could create an actual fork; the code is still a mixture of LGPL- and BSD-licensed, after all. The tricky part is that I don’t know if there is currently a “the community” of people who rely on Blink/Chromium, and it seems like it would be difficult to coalesce one absent some widely-condemned action by Google. I’m not sure what the solution to this is, although as I mentioned elsewhere in the thread, perhaps Mozilla should be looking closely at the “embedding Chromium in other things” market and coming up with a Servo-based alternative.

          1. 6

            “It doesn’t make any sense to me to lump together Blink and WebKit like this.”

            I’m with you on that. Didn’t make sense. I’ll add they’re not only wary: they’re very opinionated with their own OS’s, new languages, and so on. Despite shared code, that should maintain some diversity in the engines.

            1. 3

              However, they still share enough code that what works in one is more likely to work the same way in the other than, say, Gecko.

          1. 36

            Such irony in the title here–“open source” is not about you; it’s a movement to hijack the free software movement and turn it into something a company can profit from, riding on free software goodwill and stripping the political aspects that are hard to reconcile with shameless capitalism.

            I don’t think it’s what Rich meant here, but it does nicely serve to underscore the vast gulf between the oss and free software camps; if you are in software because you want to make the world a better place, move right along.

            1. 25

              it’s a movement to hijack the free software movement

              There’s a problem with this statement, it doesn’t apply to me.

              When I was open-sourcing my project I wasn’t joining any movement. I didn’t sign any contract. I use the words “open source” in a plain sense: this is a source code that someone can get and use according to the posted license. I’m totally fine with any company making profit off of this code. No company ever indoctrinated me into thinking this, and I deliberately chose BSD license over GPL exactly to not have to be associated with Free Software movement (I don’t hate it, I just didn’t want to). Yes, for real. People like me exist.

              What I’m saying is, we already have a term meaning “open source + a particular ideology”. It’s Free Software. Please don’t try to appropriate “open source” to mean anything more than “available source code”. And no, I don’t really care what OSI thinks about this “term”. It’s their idea, not mine. I need some words to describe what I’m doing, too.

              1. 9

                When I was open-sourcing my project I wasn’t joining any movement

                That’s exactly the difference between the “free software” movement and Open Source. You made @technomancy’s point for him.

                1. 1

                  It’s contradicting the framing that he’s somehow been duped out of believing in the fsf’s ideology by an open source movement.

                2. 9

                  P.S. In fact, there was a time when “Free Software” also wasn’t associated with not letting companies profit from it. Here’s a classic Mark Pilgrim on this: https://web.archive.org/web/20091102023737/http://diveintomark.org/archives/2009/10/19/the-point

                  Part of choosing a Free license for your own work is accepting that people may use it in ways you disapprove of.

                  1. 5

                    Check Selling Free Software from 1996.

                    1. 6

                      I came here to share this link. The GPL, and free software, was never about gratis, was never about not paying for software. It has always been about liberty and the freedom to control one’s own software.

                    2. 3

                      2009 is classic? Am I old?

                      1. 1

                        “Classic” in a sense “explains well”, has nothing to do with being old :-)

                    3. 5

                      Just because you use a term doesn’t mean you get to define it. Saying “I don’t care what OSI thinks or why the term was invented” seems pretty strange to me… it’s their term and has a history, like it or not.

                      1. 8

                        What word should I use if I publish source code so people can use it but don’t care about furthering the cultural revolution?

                        1. 5

                          “Open source”.

                          1. 1

                            Billionaire. In a historical interview, that’s what the CEO of Apple believed he’d become if a lot of things lined up, one being getting a whole, networking stack for free from BSD developers. The other thing he envisions is them begging for money at some point so their projects don’t close down. He bragged his main competition would be contributing their fixes back since they got themselves stuck with la licence de la révolution. Attendees were skeptical about such a one-sided deal going down.

                          2. 4

                            No :-) The only way a natural language is defined is through use, and the most common usage becomes a definition. OSI didn’t make this term theirs by simply publishing their definition, they just joined the game and have as much weight in it as every single user of the word.

                            1. 4

                              True, but also like it or not language evolves over time (always to the chagrin of many). This is not unique to technology or English. At the end of the day it doesn’t matter what either OSI or /u/isagalaev thinks, society at large makes the definitions.

                              Having said that, if you step outside of the FOSS filter bubble, it seems pretty clear to me that society leans towards /u/isagalaev’s definition.

                              1. 3

                                Also, as a sensible dictionary would, Merriam-Webster defines both current interpretations of it: https://www.merriam-webster.com/dictionary/open-source

                            2. 4

                              we already have a term meaning “open source + a particular ideology”. It’s Free Software.

                              You can’t remove politics from this question; the act of pretending you can is in itself a political choice to support the status quo.

                              1. 2

                                You can remove “politics” from open source, and that is precisely what open source has done.

                                The term open source can be operationally defined (i.e., descriptive, constructed, and demonstrable). From Wikipedia, citing the book “Understanding Open Source & Free Software Licensing.” (Though feel free to use Merriam Webster or the OED as a substitute): “source code is released under a license in which the copyright holder grants users the rights to study, change, and distribute the software to anyone and for any purpose.”

                                The license terms are selected that most parsimoniously accomplish the stated definition. (i.e., make it possible for the stated definition to become externally correspondent and existentially possible). The fewest number of rules (formula, statements, decisions) possible to accomplish the work–producing a limited number of legal operations (rights, grants, privileges) that can be fully accounted for.

                                It is the deflationary nature of the process that removes “politics.” Making the license commensurable and testable while removing suggestion, loading, framing, or overloading. BSD/MIT are small and shrinking, whereas GPL 2/3 are large and growing. That’s the difference.

                                1. 2

                                  “source code is released under a license in which the copyright holder grants users the rights to study, change, and distribute the software to anyone and for any purpose.”

                                  You can still get patent sued for that due to laws paid for by lobbyists. The effects of politicians on what we can and can’t do with open-source mean it’s inherently political. The people who say they want its benefits with no interest in politics or whose licenses don’t address it are still involved in a political game: they’re just not players in it.

                                  1. 1

                                    I’m not sure why you think I’m trying to “remove politics”. Of course I do have some political view on this, however vague it might be. This is totally beside the point. The point is that I don’t want to proclaim/discuss my political views every time I want to say that the code is available. It’s a completely valid desire.

                                  2. 1

                                    Why BSD license over public domain? The latter makes the source code more “available”, does it not?

                                    (If you wonder how I feel about the GPL, check my repos.)

                                    1. 11

                                      The latter makes the source code more “available”, does it not?

                                      No. In jurisdictions that don’t recognise public domain (e.g. France) and in which authors cannot give up their copyright, giving it to the public domain is meaningless and it’s as if the code has no free license at all. It’s the same as “all rights reserved”.

                                      1. 2

                                        That’s very interesting. Would folks in such jurisdictions be interested in working together with others to reform copyright law? Perhaps among .. other things?

                                        1. 2

                                          Why? It’s a different branch of copyright law and the idea of authorship being something you cannot give up is fundamental to those. You can only perpetually license.

                                          CC0 is a great license to use in those cases, btw.

                                          1. 2

                                            Why?

                                            One reason being that some people think copyright, or perhaps even more generally, intellectual property, is unethical. Another reason could be a desire for a single simple concept of “public domain,” perhaps similar to what we have in the US.

                                      2. 1

                                        I like the idea of retaining an exclusive right to the project’s name, BSD is explicit about it.

                                    2. 10

                                      Companies are profiting massively from both. The License Zero author figured out the reason is the FOSS authors focused on distribution methods instead of results. That’s why Prosperity straight up says commercial use like many non-free licenses mention. The other one says any change has to be submitted back.

                                      The license needs to explicitly mention them making money or sharing all changes to achieve what you’re describing. That plus some patent stuff. The “free” licenses trying to block commercial exploitation are neither believably free nor stopping commercial exploitation after companies like IBM (massive capitalist) bet the farm on them. I mean, the results should prove they don’t work for such goals but people keep pushing old ways to achieve them.

                                      Nope. Just reinforcing existing systems of exploitation by likes of IBM. We need new licenses that send more money and/or code improvements back.

                                      1. 3

                                        It should not be the job of a license enforced by copyright to extract rents. That’s the playbook we are fleeing.

                                        1. 2

                                          ““open source” is not about you; it’s a movement to hijack the free software movement and turn it into something a company can profit from”

                                          The commenter wrote as if they expected whatever license or philosophy was in use to prevent companies from using the software for profit or with exploitation central focus. Several companies are making billions leveraging FOSS software. One even lobbies against software freedom using patent law since suits won’t affect it. So, if the goal is stopping that and spreading software freedom, then the so-called “free” licenses aren’t working. Quite the opposite effect moving billions into the hands of the worst, lobbying companies imaginable.

                                      2. 2

                                        I just don’t see “open-source” being a hijack of “free software” for corporate purposes. Why would corporate care, they can exploit the free labor of free software just as much, the politics are not visible in the final software product. If anything, it seems like the social goals of free software have been diluted by other programmers who like the technical side of it, but neither care nor agree about the politics.

                                        1. 3

                                          Why would corporate care, they can exploit the free labor of free software just as much

                                          Depends on the market. If it’s software they sell directly, the copyleft requirement means they have to give up their changes. Those changes might be generating the customers. They might also be causing lock-in. Better for them to keep their changes secret.

                                          Your point remains if it’s anything that lets them dodge the part about returning changes, esp SaaS.

                                          1. 3

                                            I just don’t see “open-source” being a hijack of “free software” for corporate purposes.

                                            It’s not really a matter of opinion. That hijacking is exactly what happened in 1998. The fact that today you forgot that this is what happened means that it worked: you stopped thinking about free software, as the OSI intended to happen in 1998.

                                            OSI was created to say “open source, open source, open source” until everyone thought it was a natural term, with the goal of attracting corporate interests. They even called it an advertising campaign for free software. Their words, not mine.

                                        1. 1

                                          Nice, this looks pretty useful! I might look into making this available for use at work.

                                          A couple things that would be nice to have:

                                          1. Ability to specify a root directory under which all cache files get saved (e.g. via env)
                                          2. Ability to use either @cache or @cache(args). You can accomplish this by checking whether the first argument is callable or not and if so setting fname manually before returning the inner decorator.

                                          1. 2

                                            I think this is a product of supply and demand.

                                            A lesser known company (or a company with a bad reputation) might get a dozen or so candidates for a posting. Generally it will be pretty easy to find the best candidate after a round or two of chats and simple coding problems.

                                            But a top tier company (in terms of desirability) might get many hundreds of applications. At this point phone screens and coding challenges are needed to weed out the obvious rejections. What you’re left with is still a long list of highly capable candidates who are hard to compare as they all had different interviewers. So you need baselines and more complicated coding challenges and multiple rounds etc.

                                            I’d be curious to know how the author would propose dealing with a very large number of applications.

                                            That’s not to say that there aren’t companies who do this without a large volume of applicants.

                                            1. 13

                                              From a cold, pure systems perspective:

                                              • Human interviews are extremely expensive and have a ton of variance
                                              • Any judge of a person’s abilities will have very wide error bars
                                              • There’s 80,000 ways of biasing the process
                                              • I have no idea if it’s even rigorously possible to rank candidates
                                              • Most people are way under their potential anyway because they haven’t had dedicated practice and training

                                              This all suggests a way to cut the Gordian knot. If you’re a large company, take the pool of highly capable candidates, filter out the assholes, and offer jobs at random.

                                              1. 1

                                                Heh, I actually really like that idea! I wonder if it’s ever been tried.

                                                1. 2

                                                  Idk about offering jobs randomly but random promotion was suggested in academic research as the best way to counter the next problems: biased promotions and Peter Principle.

                                              2. 3

                                                So in short, there is a large volume of developers, and companies can afford to be picky. But companies (think they) cannot afford to cultivate talent, so there’s also a large volume of inexperienced / junior / less-than-average would-be-developers who have difficulty getting a foot in…

                                                You’ll recognize true shortage of labor pool when companies try to outbid each other on an applicant with no degree and no work experience in the field..

                                              1. 2

                                                How did it come to be like this? I don’t imagine this has anything to do with efficiency, judging by the amount of labour (on the employer’s end) exerted to make candidates jump through hoops.

                                                1. 8

                                                  Nobody wants to take a risk and get blamed for a bad hire, so they set up more and more process. It’s like sifting for gold, except you have like twenty pans and you throw away everything that doesn’t make it through any of the sifters without looking.

                                                  1. 3

                                                    That explanation seems plausible, but then I wonder, why is the process so much more heavyweight in tech than just about any other field, including other STEM fields? In sheer number of hours of interviewing that it takes to get a job, counting all the phone screens, take-home assignments, in-person interviews, etc., tech is way out of sync with norms elsewhere. A typical hiring process in any other STEM field is a resume screen, followed by one phone screen (typically an hour), followed by an on-site interview that can last somewhere between a few hours and a full day.

                                                    1. 8

                                                      Survivorship bias could be why. The ones perpetuating this broken process are those who sailed through it.

                                                      There’s also a lot of talent floating around, and the average company won’t be screwed by an average hire. So even if you miss out on that quirky dev with no social skills but the ability to conjure up a regex interpreter solely from memory, it doesn’t really matter to them.

                                                      It should matter to startups, though, because hiring average devs means you’ll fail.

                                                      1. 3

                                                        Depends on the startup; until you have product-market fit, you don’t need amazing engineers so much as you need people who can churn out prototypes fast.

                                                      2. 4

                                                        It might be partly due to the volume of applicants. With tech you have:

                                                        1. Massive concentration of talent (e.g. Silicon Valley)
                                                        2. Remote work

                                                        For those reasons you can often get hundreds of applicants to a posting. Other STEM disciplines don’t support working remotely, and in some cases (think civil engineering) need their engineers to be physically on-site. I’d wager they tend to be much more dispersed around the country and companies can only draw from the local talent pool.

                                                        1. 3

                                                          I applied to a remote London-based, three-person not-a-startup. I did the homework and got among the 50 or so people they interviewed on phone. They told me they got over 2000 applications.

                                                        2. 4

                                                          Particularly in other STEM fields it’s pretty common to have more rigorous formal education requirements as part of the hiring bar (either explicitly or by convention.) Software development has always been somewhat more open to those from other backgrounds, but the flip side to that is that there seems to be a desire to set a higher performance/skills bar (or at least look like you are) as a result. There are potentially pros and cons to both.

                                                          I’d also wonder, particularly around the online tests/challenges/screenings/etc…, whether this is a result of tech people trying to come up with a tech solution to scale hiring the same way you’d approach scaling a technological system, and the resulting expansion in complexity.

                                                      3. 4

                                                        Hiring is hard, and a lot of work, and not something most engineers will willfully dive into. Therefore, at most companies, as much as possible of the hiring process gets farmed out to HR / management. And they do the best job they can, given their lack of domain knowledge. Unsurprisingly, they also favor potential employees that they think will be “good” based on their ability to sit, stay, heel, and jump through hoops. Fetch. Good boy. Who wants a cookie. ;)

                                                        Another take: Mistakes really, really, suck. And if you just add more analysis and testing to a hiring process you’re more likely to spot a problem in a candidate.

                                                        1. 2

                                                          I think mistakes are a big part of it. Software work is highly leveraged: what you write might run hundreds, thousands or millions of times per day. Being a little off can have big downstream consequences.

                                                        2. 4

                                                          I think it’s partly because there’s no training for it in most jobs, it’s very different to expertise in software, it’s very unclear what best practices are (if there are any), and for a lot of people it’s a time suck out of their day, when they’ve already got lots of work to do.

                                                          So you end up with these completely ad-hoc processes, wildly different from company to company (or differing even person to person during the interview), without anyone necessarily responsible for putting a system in place and getting it right.

                                                          Not to mention HR incentives may not align (points / money for getting someone hired) with engineering, and then you’ve got engineers who use the interview as a way to show off their own smarts, or who ask irrelevant questions (because though you all do code review, no-one does interview question review), or who got the interview dumped on their plate at the last minute because someone else is putting out a dumpster fire, and they’ve never heard of you or seen your resume before they walk into the room…

                                                          And decision making is ad-hoc, and the sync-up session after the interview gets put off for a couple of days because there’s a VP who wants to be on the call but they’re tied up in meetings, and in the meantime the candidate has an interview with another company so you’ve just moved forward with booking the onsite anyway…

                                                          So many reasons :)

                                                          1. 2

                                                            It’s all marketing.

                                                            I don’t think I would have taken any of my jobs if the recruiters were like “we’re not going to bother interviewing you because all we have is monkey work, when can you start?”, even though in hindsight that would have been totally adequate.

                                                            So companies play hard to get and pretend 99% of their applicants are too bad to do the jobs on offer, when the reality is closer to the opposite.

                                                            1. 1

                                                              <[apple] insert [google] company [facebook] here [microsoft]> only hires the best.

                                                            1. 8

                                                              This article is great, and it’s painfully true. The business/customer/whoever always wants the highest quality product, immediately, for as cheap as possible. However, this article poses a problem, and leaves out the solution.

                                                              This article doesn’t address how you should deal with these problems professionally. It essentially concludes in the last paragraph with “Don’t deliver squirrel burgers.” Unfortunately, this isn’t going to fly. You can’t tell your boss “no, I’m not going to do xyz in 5 weeks. It’ll take 8, and I need 8.” Sometimes that may work, but for most companies, there’s no way that’s going to work 100% of the time. Even if you’re right about the time assessment, just saying no doesn’t solve the business need.

                                                              So, I’m curious. What do you all think is the right way to solve this? You should still offer your thoughts on how long something will take, and as a paid professional, you should give your opinions / advice if possible. But it seems sometimes you’ll just have to bite the bullet, even though it’ll be worse in the future, and just hope management learns it’s less painful to trust you up front rather than backtrack later to fix problems.

                                                              1. 6

                                                                Under promise, over deliver. Come up with your initial estimate, then double it. If manager isn’t happy with your estimate, you can start negotiating features. If manager doesn’t budge you can “concede” a bit of time, though I’d avoid this if at all possible because we are terrible at making estimates and almost always forget to account for things that add significant length to a project. The doubled estimate is likely much closer to reality than your initial one.

                                                                Using this strategy in the example post, Joe would have said 12 weeks instead of 6. Manager would be much more likely to understand that a 12 week task cannot be fully completed in 5 weeks and would be more willing to concede either time or features.

                                                                1. 1

                                                                  Great point. The only catch is that management may notice your pattern of under promising and over delivering (they’ll notice if you continuously complete your stuff before the deadline). The problem begins when they start to not trust your initial estimate, because you’re always faster than you say.

                                                                  One solution people may argue for is that if you finish before your estimate, don’t tell management, and wait until the deadline. However, the question of “if that’s right” comes into play. But there are a million different directions you could take this…

                                                                  1. 2

                                                                    Also a good point!

                                                                    Though I think one of the reasons this works is that the doubled estimate is closer to reality than the original estimate anyway. On the rare occasions your original estimate was actually accurate, instead of doing nothing you can do things like improve the testing, working on maintainability, adding additional useful features that manager never even thought of, etc.

                                                                    Doing this work will decrease your original estimate the next time manager asks for a change to this code, thus making you look even better. Also I probably should have mentioned that this strategy is probably best used for workplaces where management is unreasonable with their expectations/demands. It’s probably better to be honest if that’s acceptable at your workplace :), e.g. “My gut instinct says 6 weeks, but let’s call it 10 to make up for unforeseen issues”.

                                                                    1. 2

                                                                      This feels like the sort of thing that agile was supposed to fix. Your manager asks how long it’ll take to do XYZ so you say you’ll get the most useful part (we’ll call it X) done first and see what people think of it, then either change it as desired or start on Y next.

                                                                      1. 2

                                                                        Yep, sounds about right. Quickly ship the MVP, and then the iterations towards the final product. Helps eliminate long estimates, and theoretically starts bringing in the money sooner.

                                                                1. 1

                                                                  I’ve been meaning to rewrite this for a while :)

                                                                  Not that it’s inaccurate or anything. It just contains many concepts and ideas without much logical connection between them. It’s also missing many key aspects (e.g. history rewriting), and has sections that should be removed (e.g. MQ).

                                                                  1. 2

                                                                    I have been curious about Mercurial for a while (regular git user) and I think it would be good to have a well-maintained page covering these topics. Especially the plugin/addon ecosystem is totally intransparent to new users. A lot of plugins seem to be outdated or have fallen out of favour, but you cannot tell when googling for “how can I do this or that”.

                                                                  1. 1

                                                                    I don’t understand how this works. This is like Disqus but it stores the comments directly into my git repo, which has a post commit hook to re-render the static site?

                                                                    Can you iframe your own site for security, so that a malicious comment doesn’t attack a user or the site itself?

                                                                    1. 2

                                                                      All staticman does is dump the comments some place of your choosing in your repo. It’s up to you to actually render them however you see fit. Many static site generators will have some sort of built-in way to make rendering them easier (and safer). It would also be up to you to set up a post-commit hook to automatically re-render if desired.

                                                                      Also, the default mode is for staticman to create a pull request with the comment so you can reject spam/malicious comments before they get merged. Pro tip: don’t put a ‘url’ field in your comment schema :)

                                                                    1. 4

                                                                      It’s all easy to tell people to switch from X to Y (browser, OS, antivirus, etc.) but you can’t just go preaching when the alternatives aren’t quite the same. Sure you have Firefox (or any other flavour) and while I’d love to fully switch, it isn’t quite there yet. You can tell people to switch to some Linux distro or to install LineageOS but that comes with losing certain features or apps (try doing gamedev from Linux for example).

                                                                      And Firefox won over IE because it was better, not for the fact IE back in the XP days was crap with its ActiveX madness. And same with the general switch to Chrome, it performed better.

                                                                      The bottom line for me is: make better alternatives to cover the general use case and people WILL switch (because their “techy” friend installs it for them) but they probably won’t just to get away from privacy issues if it gives them less headaches.

                                                                      1. 7

                                                                        > same with the general switch to Chrome, it performed better

                                                                        Most people did not care that it performed “better”.

                                                                        They just saw the ads. On every google page. Including the search front page.

                                                                        1. 6

                                                                          Pretty sure Chrome grew its popularity when Firefox became quite sluggish, together with its strong presence in smartphones.

                                                                          1. 8

                                                                            Yeah, it is easy to forget how amazing Chrome was versus the competition in 2008. Other browsers were covered in garbage and layers of UI, Chrome was minimalist. When other browsers would crash when you went to a bad webpage, Chrome just lost a tab due to the process separation. Even at initial release, Chrome was much faster than the competition. It also had the omnibar which felt like the “right way”.

                                                                          2. 3

                                                                            Watch the Google Chrome announcement video

                                                                            They compare it side-by-side with Internet Explorer. It shows that, for JavaScript, Chrome was around 100 times faster. For rendering it was around 3 times faster. The tab isolation, simpler user experience etc. was also a serious win.

                                                                            These types of improvements did matter to a lot of people.

                                                                            1. 2

                                                                              The ads gave Google an opportunity to win people over, but ads alone don’t convince anyone to commit to a product. IMO by the time Chrome ads started popping up on Google properties, Chrome had already won.

                                                                              When Chrome came out it had superior UX to Firefox on every front. Performance, extensions, sync, transparent auto-updates, omnibar: everything was better and simpler for the 90% use-case. I specifically remember switching my parents and grandparents to Chrome because they kept getting stuck on old versions of Firefox and/or extensions would randomly stop working (namely ABP; about once a quarter I would get a call complaining that “the ads are back”). Chrome solved that problem for me.

                                                                              I’m a big fan of Mozilla but Firefox has always been a funky browser for nerds. It dominated IE because Microsoft had made zero technical investments for years and years. Firefox has made great strides competing with Chrome, but it hasn’t made any huge leaps and it still has rough edges. I think Mozilla as an organization struggles to put out products that are uncompromisingly great for the non-technical user.

                                                                              1. 2

                                                                                > It dominated IE because Microsoft had made zero technical investments for years and years.

                                                                                Uh, when did Firefox “dominate IE”? Even after major EU legal wins, etc, Firefox was second until Chrome came with an even bigger backer that the regulators hadn’t smacked yet and ate everyone’s lunch.

                                                                                1. 1

                                                                                  Uh, maybe it was too strong a word. But the market-share numbers are distorted by the incapability of corporate IT to move off IE at that time. That’s why the lifecycles of IE 6/7/8 were so drawn out.

                                                                                  My recollection of that era is that anyone who understood what a browser was and had the ability to choose whichever one they wanted was using Firefox.

                                                                                2. 2

                                                                                  Wow, I had forgotten auto-update, that might have been the most important feature!

                                                                                  When Chrome was released, it actually lacked both extensions and sync, but the per-tab process and auto-update were killer features – plus general performance.

                                                                                  1. 1

                                                                                    > When Chrome was released, it actually lacked both extensions and sync

                                                                                    It got them in 2010, shortly before the first release for macOS, which is probably what I’m remembering as the initial release. It didn’t surpass Firefox and IE in market share until 2012.

                                                                                3. 2

                                                                                  > Most people did not care that it performed “better”.

                                                                                  I don’t think this is true. At the time, both IE and FF were very slow and frustrating for people. A crash in either would take down the entire browser. “Updating their browser” was something their tech friends would tell them to do, and they wouldn’t do. Chrome was automatically updated, simpler, faster, more stable (re: crashing) and it was less complicated (at least in UI – omnibar, better on smaller screen). I think it won due to fitness for purpose, not ads.

                                                                                4. 6

                                                                                  What about Firefox “isn’t quite there”?

                                                                                  1. 5

                                                                                    Firefox is not “quite there” because developers today mostly create Chrome apps, and consider other browsers as an afterthought. On desktop, and even more on Android, I often need to switch back to Chrome because the app I’m using doesn’t work on Firefox or is way too slow.

                                                                                    Technically it’s very easy to get a website to work on any browser, but we don’t create websites anymore, often even plain text articles are “apps”, with JS all over the place and this is mostly designed to work on Chrome only.

                                                                                    1. 1

                                                                                      Firefox isn’t quite there because developers don’t target it. Developers don’t target Firefox because it isn’t quite there.

                                                                                      I understand and agree with your point, but this isn’t really something Mozilla can do much about (other than actually gaining back market share).

                                                                                    2. 4

                                                                                      I’ve tried to adopt Firefox seriously many times over the years, but every time the support for multi-user didn’t cut it for me.

                                                                                      I maintain two profiles in Chrome, a professional and a personal one. I’ve tried to replicate it with Firefox profiles, then later with containers, but the UX is not fitting my use case.

                                                                                      1. 2

                                                                                        Firefox lacks Chrome’s --app switch for example. That launches a window without the tab bar and the URL bar (essentially, only a webview). It’s super-sweet. Firefox does not support it out of the box, and all solutions I found involved setting up a separate profile. Chrome allows me to have these “apps” in the same profile, so they have access to the same extensions, I can open tabs from them, in my main browser window.

                                                                                        It’s a stupidly powerful feature if you have a few webapps you want to treat as apps instead of tabs.

                                                                                        1. 12

                                                                                          That sounds like a very very specific feature though, that maybe 1% of the people might use.

                                                                                          For the rest, Firefox is a perfectly good browser which (so far) seems to follow better privacy practices than Chrome.

                                                                                          1. 2

                                                                                            > That sounds like a very very specific feature though, that maybe 1% of the people might use.

                                                                                            You’d be surprised how many people use this. Makes it so much easier to use a website as an app, and unlike the common Electron apps, allows one to use extensions with it. But even if only 1% used it, for that 1%, Firefox is not quite there.

                                                                                            Also, Electron. Tons of stuff is built on it, and it uses Chrome under the hood.

                                                                                            > Firefox is a perfectly good browser which (so far) seems to follow better privacy practices than Chrome.

                                                                                            Yeah, like those experiments, or DNS-over-HTTPS which sends all DNS requests to Cloudflare. Or the integrated Pocket. Those might spy on me less, but it’s only marginally better.

                                                                                            1. 2

                                                                                              I hope for your sake that it’s way more than 1% usage. Google has a history of removing features that not many people use [1].

                                                                                              [1] I still prefer using Google Maps over anyone else but over time, I’ve had features I use removed due to lack of utilization. It’s annoying. Second only to the UI constantly changing.

                                                                                              1. 1

                                                                                                I believe a place that Chrome apps are more commonly used is enterprise. It basically gives an easy way to put your internal CRUD webapp on the start menu with an icon and if you use the extended support some additional features. I suspect this is what keeps --app alive more than the at-home users’ use of it.

                                                                                                I have seen orgs with 30+ “chrome apps” in the default image. Actually probably the biggest category of apps on those deploys. Never mind of course Chromebooks.

                                                                                              2. 1

                                                                                                > But even if only 1% used it, for that 1%, Firefox is not quite there.

                                                                                                That’s nonsense. 1% might use it, and that’s probably an overestimate. For how many of them is it a dealbreaker? Even fewer. Probably far fewer. It’s a really insignificant feature.

                                                                                                > Yeah, like those experiments

                                                                                                I don’t know what this means, could you elaborate?

                                                                                                > or DNS-over-HTTPS which sends all DNS requests to Cloudflare.

                                                                                                DNS-over-HTTPS does not send all DNS requests to Cloudflare, and even if it did it would still be more secure than insecure DNS which sends all DNS requests to anyone listening, including Cloudflare if they wanted to.

                                                                                                > Or the integrated Pocket.

                                                                                                Don’t like it? Don’t use it. I fail to see how this is ‘spying’ on you.

                                                                                                1. 0

                                                                                                  > It’s a really insignificant feature.

                                                                                                  For you, yes. For me, it is essential. It doesn’t matter how many use it, for those who do, Firefox is not quite there. For everyone else, it might be, good for them.

                                                                                                  > I don’t know what this means, could you elaborate?

                                                                                                  Look for Firefox studies. Granted, you have to opt in to them right now (like you used to be able to opt in to logging into Chrome), but then you’re opting in to pretty much all studies. This is just a step away from what Chrome’s doing now, and sending your browsing data to third parties, disguised as studies is even less honest.

                                                                                                  > DNS-over-HTTPS does not send all DNS requests to Cloudflare, and even if it did it would still be more secure than insecure DNS which sends all DNS requests to anyone listening, including Cloudflare if they wanted to.

                                                                                                  Err, yes, it does send all DNS requests originating from Firefox through Cloudflare. It does fall back to regular DNS, but if enabled, it first goes through them. Not saying I trust my ISP’s DNS servers, but I do trust my ISP to be far less competent at mining my data than Cloudflare.

                                                                                                  1. 2

                                                                                                    Firefox studies are completely opt-in. They’re in an options window most people apparently never open. To compare this to Google forcing you to send them all your browsing data if you so much as log into GMail through their browser is ridiculous.

                                                                                                    DNS over HTTPS

                                                                                                    Doesn’t even look like this is out of nightly, it’s a feature you have to enable through the about:config page… I mean come on man, you cannot seriously be arguing this is a breach of privacy. They’re both completely opt-in.

                                                                                                    DNS over HTTPS sends your DNS traffic to a DNS-over-HTTPS provider. I’m sure it’s possible to change which provider it is. I wouldn’t be surprised if Google switched DNS in Chrome to go to 8.8.8.8 by default anyway. Certainly they widely encourage people to do so without telling them that this gives Google again all their browsing history, and more besides.

                                                                                                    1. 1
                                                                                                      1. 1

                                                                                                        > Firefox studies are completely opt-in

                                                                                                        So was Chrome’s login until recently. I’m not going to trust a for-profit corporation to respect my privacy forever. Especially when those studies are marketed as harmless things, yet, send a whole lot of data to third parties (not even to Mozilla, but third parties).

                                                                                                        > I’m sure it’s possible to change which provider it is

                                                                                                        It is, but there are currently two public DNS-over-HTTPS providers: Cloudflare and Google. Yay. You can run your own, yes, but not even 0.1% of users will ever do that. Besides you can also disable Chrome’s login thing if you really want to, with a flag: go to chrome://flags/#account-consistency, and set it to disabled.

                                                                                                        It’s an internal flag, and may or may not go away, but for the moment, it gets the job done, and I get to keep --app too.

                                                                                                        1. 1

                                                                                                          > So was Chrome’s login until recently.

                                                                                                          It isn’t now. Now is what matters.

                                                                                                          > I’m not going to trust a for-profit corporation to respect my privacy forever.

                                                                                                          Then why are you trusting Google to respect your privacy, given that they have never done so and Mozilla have nearly always done so? Mozilla has always acted in good faith wrt. privacy. Google has not. Yet you defend Google and attack Mozilla. Why?

                                                                                                          > Especially when those studies are marketed as harmless things, yet, send a whole lot of data to third parties (not even to Mozilla, but third parties).

                                                                                                          So don’t enable them then. They’re completely optional and opt-in. I don’t understand why you think being able to opt into something is anywhere near comparable to being forced to give data.

                                                                                                          > It is, but there are currently two public DNS-over-HTTPS providers: Cloudflare and Google. Yay. You can run your own, yes, but not even 0.1% of users will ever do that.

                                                                                                          So don’t enable it then. How is it Mozilla’s fault there aren’t more DNS-over-HTTPS providers? Get your ISP to provide it.

                                                                                                          > Besides you can also disable Chrome’s login thing if you really want to, with a flag: go to chrome://flags/#account-consistency, and set it to disabled.

                                                                                                          It’s opt-out, in other words. Opt-out = might as well be mandatory for most users. On the other hand, opt-in = might as well not exist for most users. Most users are never ever going to enable anything opt-in and never ever going to disable anything opt-out.

                                                                                                          > It’s an internal flag, and may or may not go away, but for the moment, it gets the job done, and I get to keep --app too.

                                                                                                          I’ve already explained how you can get the same functionality as --app in Firefox: go fullscreen, disable toolbars.

                                                                                                          1. 1

                                                                                                            > Now is what matters.

                                                                                                            Now I can disable the sign-off in Chrome and Chromium. Chromium doesn’t send my data to Google. They both support the feature I want. If now is all that matters, then there is zero argument in favour of Firefox, as Chromium does precisely what I want, and am already using it.

                                                                                                            Thank you.

                                                                                              3. 3

                                                                                                Firefox and Chrome have different sets of features. They overlap significantly but not exactly. It’s easy to cherry-pick features either of them have that the other doesn’t. That doesn’t mean that Firefox isn’t a perfectly acceptable replacement for Chrome.

                                                                                                I have no clue why you’d want to launch a window without a tab bar and URL bar. Oh no, a couple of bars at the top of my screen, that’s far worse than sending all my browsing history to Google.

                                                                                                1. 1

                                                                                                  > That doesn’t mean that Firefox isn’t a perfectly acceptable replacement for Chrome.

                                                                                                  It is, if you don’t need the features it does not have. If you do, it is a deal breaker. (No size fits all and all that)

                                                                                                  > I have no clue why you’d want to launch a window without a tab bar and URL bar.

                                                                                                  And I have no clue why you’d want to launch more than one browser window with tab and URL bars. But, to illustrate: I have two screens, and on my secondary, I have Mastodon & Discord open, in a frame-less Chrome window. Whatever link I click there, if it leads away from the domain, it opens in a new tab. I never leave the “app” itself. Why would I need a tab and a URL bar there? Those just make it too easy to navigate away. Not having them removes that problem, and also makes them look almost like a native app, which is great.

                                                                                                  Small thing, yes, but so convenient that I’d rather patch Chrome to remove the login requirement than to figure out how to do the same with Firefox. The former is considerably easier.

                                                                                                  If you don’t need this feature, sure, use Firefox or whatever.

                                                                                                  (Note: I’m not saying Chrome is better. It isn’t. I’m saying Firefox lacks useful features Chrome has, and as such, is not quite there for those of us who want those features. I’d love to switch away from Chrome, but haven’t found a browser that supports the extensions I use, and app windows. As soon as I find one, I’ll be jumping ship. I’m pretty sure it won’t be Firefox though.)

                                                                                                  1. 2

                                                                                                    FF actually had the “apps” feature before Chrome even was released.

                                                                                                    Sadly it was killed off.

                                                                                                    1. 1

                                                                                                      Yeah, I remembered Firefox having it, and arrived at the same page, and was even more disappointed :/

                                                                                                      Mind you, Prism isn’t the same - it’s separate from the main browser, chrome’s --app is not (and that’s the great thing about it; I can get the separate thing with Firefox with a kiosk add-on, but that’s not what I’m aiming for).

                                                                                                      1. 1

                                                                                                        It actually felt very similar, I would go so far as to say most of the way Chrome’s --app was inspired by the Prism extension. It used the same core in a different XULrunner and could be created just like you do in Chrome from the menu. Created desktop icons, had unique window idents, the whole deal. It had to be a bit more separate because back then there wasn’t process isolation per tab in FF, and one of Prism’s major goals was to avoid crashing the main browser.

                                                                                                    2. 0

                                                                                                      In Firefox in full screen mode you can hide toolbars (includes URL bar and tab bar). I use this to watch full screen videos sometimes. You don’t have to have it actually covering your full screen either, if you use a proper window manager like dwm that can resize windows that ask to be fullscreen.

                                                                                                      I really mean no offence when I say this, but your argument is bad. You can’t have everything you want. If you prioritise ‘app windows’ over security and privacy that’s your call, of course, but it’s a bad argument to claim that Firefox isn’t a satisfactory replacement for Chrome because it doesn’t have ‘app windows’. By that logic, Chrome is a wholly unsatisfactory replacement for Firefox, for the reason that it’s insecure crap that gives all my browsing data to Google…

                                                                                                      1. 1

                                                                                                        You just said they made a bad argument… then in literally the next sentence admitted that for their requirements it was a good argument… they DO prioritize ‘app windows’.

                                                                                                        Their argument was simply that it isn’t a “perfectly acceptable replacement” within the requirements they laid forth of “having app window support”. This makes their argument well reasoned and coherent. If you want to attack one of their premises, you can do that – but that is another argument.

                                                                                                        You then go on to attack the premise and claim their requirement is not an actual requirement, and can be replaced with some set of outside tooling. I don’t believe you proved your case on that front based on the short point you made about dwm. They referenced other features as well.

                                                                                                        I personally have unsuccessfully tried to replace chrome apps a number of times with FF or even other browsers. I never got it working the way I wanted it – window identification issues mostly, and in a few cases webapps not playing well with being forcefully resized. So currently I use chrome only for these “apps” and I use FF as my primary browser.

                                                                                                        As for Chrome not being a satisfactory replacement for FF for you – that also seems to be true. With your implied premise of being opposed to Google’s data collection practices, obviously Chrome is unacceptable for you. That argument is also coherent with those premises. I won’t say you have a “bad argument” because within the premises you implied, it is a good one. You value different things – neither argument is bad or wrong.

                                                                                                        1. 1

                                                                                                          In short: their argument was a response to a question asking why Firefox was not generally suitable as a replacement for Chrome. In that context it’s bad.

                                                                                                          1. 0

                                                                                                            That doesn’t mean that Firefox isn’t a perfectly acceptable replacement for Chrome.

                                                                                                            Your high bar of “perfectly acceptable” was simply not met. It lacks features the poster needs. If you claim features don’t matter then what does exactly?

                                                                                                            1. 1

                                                                                                              In short: their argument was a response to a question asking why Firefox was not generally suitable as a replacement for Chrome. In that context it’s bad.

                                                                                                        2. 1

                                                                                                          But I don’t run those windows full screen - they’re clamped to a screen half, so fullscreen is not an option. Been there, tried it. I could change my WM, but that’s another workaround that doesn’t work, because then I’d have to switch to one that can resize fullscreen apps, and still do everything my current one does. No thanks. I’ll patch the login stuff out of Chrome instead.

                                                                                                          And yes, Chrome is crap. But I can work around its most recent stupid far more easily than I can add app windows to Firefox. So Chrome is still a better browser for me, unfortunately.

                                                                                                          Again, I’m not saying Firefox is not a satisfactory replacement for most people. I’m saying it is not suitable for me, that there are things in Chrome that Firefox does not have, yet, people depend on, and for those people, Firefox is not quite there yet.

                                                                                                          1. 0

                                                                                                            But I don’t run those windows full screen - they’re clamped to a screen half, so fullscreen is not an option. Been there, tried it. I could change my WM, but that’s another workaround that doesn’t work, because then I’d have to switch to one that can resize fullscreen apps, and still do everything my current one does. No thanks. I’ll patch the login stuff out of Chrome instead.

                                                                                                            So in other words the problem is that you’re using a crap window manager. How is that Firefox’s fault? You choose to use a crap WM, that’s fine, but don’t go around threads about browsers crapping on Firefox just because you make poor choices elsewhere in your setup.

                                                                                                            You can’t patch anything out of Chrome. Doesn’t work like that. You can patch Chromium, but Chromium isn’t Chrome.

                                                                                                            And yes, Chrome is crap. But I can work around its most recent stupid far more easily than I can add app windows to Firefox. So Chrome is still a better browser for me, unfortunately.

                                                                                                            No, you cannot work around Chrome sending all your browsing data to Google. Chrome is built from the ground up to send your browsing data to Google. It’s untrusted proprietary software. You cannot work around that.

                                                                                                            Again, I’m not saying Firefox is not a satisfactory replacement for most people. I’m saying it is not suitable for me, that there are things in Chrome that Firefox does not have, yet, people depend on, and for those people, Firefox is not quite there yet.

                                                                                                            You were defending the comment that said ‘It’s all easy to tell people to switch from X to Y (browser, OS, antivirus, etc.) but you can’t just go preaching when the alternatives aren’t quite the same. Sure you have Firefox (or any other flavour) and while I’d love to fully switch, it isn’t quite there yet.’ I’m sorry, but that’s a broad statement about Firefox that suggests it’s missing important core browsing features. Not that it’s missing some tiny obscure feature you personally use but which most people have never heard of and wouldn’t want anyway.

                                                                                                            (and which you can emulate in Firefox if you use a decent window manager)

                                                                                                            1. 2

                                                                                                              So in other words the problem is that you’re using a crap window manager.

                                                                                                              No, my problem is that Firefox does not implement a feature I use. My window manager is fine, thank you very much. The fact that the only way to make an app emulate a feature I use is to work it around in WM, by ignoring a full screen request and doing something else is not a solution. That is a crude hack.

                                                                                                              You can’t just go around telling people “Go use a different browser and a different WM”. That’s about the same level of good advice as “Tired of systemd? Just go use OpenBSD!”. It doesn’t work like that.

                                                                                                              You can patch Chromium, but Chromium isn’t Chrome.

                                                                                                              Yeah, but I can patch it out from Chromium. Or disable with a flag. And still keep --app, and won’t have to switch to a whole new WM. If I used Firefox, my task would be a whole lot harder.

                                                                                                              You were defending the comment that said ‘It’s all easy to tell people to switch from X to Y (browser, OS, antivirus, etc.) but you can’t just go preaching when the alternatives aren’t quite the same. Sure you have Firefox (or any other flavour) and while I’d love to fully switch, it isn’t quite there yet.’

                                                                                                              And I stand by my defense: you can’t tell people to change, when the alternatives lack important features. It just happens YOU don’t consider the same features important. I’ll give you an analogy:

                                                                                                              • I’m tired of systemd, for reason X.
                                                                                                              • Use OpenBSD.
                                                                                                              • But OpenBSD does not support my hardware.
                                                                                                              • It is your fault for making poor hardware choices, it is easy to run OpenBSD on proper hardware.

                                                                                                              That’s how you sound like now.

                                                                                                              1. 2

                                                                                                                No, my problem is that Firefox does not implement a feature I use. My window manager is fine, thank you very much. The fact that the only way to make an app emulate a feature I use is to work it around in WM, by ignoring a full screen request and doing something else is not a solution. That is a crude hack.

                                                                                                                It’s not a crude hack. It’s a normal expected feature of any window manager: to be able to resize windows.

                                                                                                                1. 1

                                                                                                                  It’s not a crude hack. It’s a normal expected feature of any window manager: to be able to resize windows.

                                                                                                                  Not fullscreen ones. Very few can resize those.

                                                                                                                  1. 1

                                                                                                                    Most window managers are bad, I guess. Most things are bad.

                                                                                                    3. 1

                                                                                                      How do you use this feature? It sounds interesting, but it’s never occurred to me. When you say ‘webapps’, do you mean browser extensions or things that would ordinarily be packaged as android/iOS apps? Or something else entirely?

                                                                                                      1. 4

                                                                                                        It is even simpler than you are thinking. Basically when you create a “app” out of a website what happens is you get a shortcut that does the following:

                                                                                                        • opens a browser instance with no browser ui components, it is just the page loaded in a window.
                                                                                                        • gives that window a custom id (so your window manager can tell it apart from other windows for rules and such)
                                                                                                        • gives it a taskbar entry
                                                                                                        • gives it an icon
                                                                                                        • puts a link to it in your menu system if supported
                                                                                                        • puts a link to it on your desktop if supported

                                                                                                        I use a ton of them, right now I am running in “app” mode:

                                                                                                        • IRCCloud
                                                                                                        • WhatsApp Web
                                                                                                        • Google Keep
                                                                                                        • Google Music
                                                                                                        • Fastmail Inbox
                                                                                                        • Pocketcasts
                                                                                                        • Todoist
                                                                                                        • Trello
                                                                                                        • Tweetdeck
                                                                                                        • Dungeon Crawl Web Tiles
                                                                                                        • Youtube.TV

                                                                                                        I run these as “apps” because I have rules that put them on certain desktops or monitors, and I like them having their own taskbar entries.


                                                                                                        I actually use Firefox as my main browser – and one of my annoyances with these chrome “apps” is that if I click a link from like IRCCloud – it always opens in chrome because well – it is already IN chrome. I wish I could set them up to use the system default browser.

                                                                                                        1. 2

                                                                                                          The latter, things that would be packaged as android/ios/electron apps. I use slack, discord, mastodon like this, because I want them always-on, without accidentally navigating away, but links still opening in my main window (on another screen), and with my extensions available so I can tweak my experience, block trackers, and so on. Since I want these always on, and separate from my main browser, there is zero purpose for a tab or url bar on them. They feel much more like an app than a browser window would, yet, I have more control than if I ran a (non-free, usually) native app.

                                                                                                          1. 1

                                                                                                            I segregate websites that are not good actors but that I still use (Facebook, LinkedIn, Instagram) using single-site browsers, via Fluid. Fluid uses a completely different local storage instance for every “app” you create, so you don’t have to worry about being tracked around. This allows me to ratchet up the level of privacy I ask for from my browser without worrying about breaking functionality on those web “apps” I use.

                                                                                                            As much as I despise it, this is also why I use the Electron versions of Spotify and Slack.

                                                                                                        2. 1

                                                                                                          I was going to say the memory footprint and its overall smoothness but I don’t have data to back that up, so it’s just a feeling.

                                                                                                          I try to go back to FF out of principle but I guess there is something in Chrome which keeps winning me over.

                                                                                                        3. 1

                                                                                                          Of course Firefox is “there”; it’s been “there” for longer than Chrome’s even existed.

                                                                                                          1. 1

                                                                                                            make better alternatives to cover the general use case and people WILL switch (because their “techy” friend installs it for them)

                                                                                                            This strategy has never worked.

                                                                                                          1. 8

                                                                                                            Turn off JS then? Isn’t this what a modern browser is by definition? A tool that executes arbitrary code from URLs I throw at it?

                                                                                                            1. 7

                                                                                                              I am one of those developers who surf the web with “javascript.options.wasm = false” and NoScript to block just about 99% of all websites from running any Javascript on my home-machine unless I explicitly turn it on. I’ve also worked on various networks where Javascript is just plain turned off and can’t be turned on by regular users. I’ve heard some, sadly confidential, war-stories that have led to these policies. They are similar in nature to what the author states in his Medium-post.

                                                                                                              If you want to run something, run it on your servers and get off my laptop, phone, tv or even production-machines. Those are mine and if your website can’t handle it, then your website is simply terrible from a user experience viewpoint, dreadfully inefficient and doomed to come back haunting you when you are already in a bind because of an entirely different customer or issue. As a consequence of this way of thinking, a few web-driven systems I wrote more than a decade ago are still live and going strong without a single security incident and without any performance issues while at the same time reaping the benefits of the better hardware they’ve been migrated to over the years.

                                                                                                              Therefore it is still my firm belief that a browser is primarily a tool to display content from random URLs I throw at it and not an application platform which executes code from the URLs thrown at it.

                                                                                                              1. 3

                                                                                                                That’s a fine and valid viewpoint to have, and you are more than welcome to disable JS. But as a person who wants to use the web as an application platform, are you suggesting that browsers should neglect people like myself? I don’t really understand what your complaint is.

                                                                                                                1. 2

                                                                                                                  But as a person who wants to use the web as an application platform, are you suggesting that browsers should neglect people like myself?

                                                                                                                  I don’t think so. But using Web Applications should be opt-in, not opt-out.

                                                                                                                  1. 3

                                                                                                                    Exactly.

                                                                                                                      There are just too many issues with JavaScript-based web-applications. For example: Performance (technical and non-technical). Accessibility (blind people perceive your site through a 1x40 or 2x80 Braille-character-display matrix, so essentially 1/2 or 2 lines on a terminal). Usability (see gmail’s pop-out feature which misses from by far most modern web-applications and you get it almost for free if you just see the web as a fancy document-delivery/viewing system). Our social status as developers as perceived by the masses: They think that everything is broken, slow and unstable, not because they can make a logical argument, but because they “feel” (in multiple ways) that it is so. And many more.

                                                                                                                    However the author’s focus is on security. I totally get where the author is coming from with his “The web is still a weapon”-posts. If I put off my developer-goggles and look through a user’s eyes it sure feels like it is all designed to be used as one. He can definitely state his case in a better way, although I think that showing that you can interact with an intranet through a third-party javascript makes the underlying problems, and therefore the message too, very clear.

                                                                                                                    It also aligns with the CIA’s Timeless tips for sabotage which you can read on that link.

                                                                                                                    We should think about this very carefully, despite the emotionally inflammatory speech which often accompanies these types of discussions.

                                                                                                                    1. 1

                                                                                                                      He can definitely state his case in a better way

                                                                                                                      I sincerely welcome suggestions.

                                                                                                                2. 1

                                                                                                                  by the same stretch of logic you could claim any limited subset of functionality is the only things computers should do in the name of varying forms of “security.”

                                                                                                                  perhaps something like: “The computer is a tool for doing computation not displaying things to me and potentially warping my view of reality with incorrect information or emotionally inflammatory speech. This is why I have removed any form of internet connectivity.”

                                                                                                                3. 7

                                                                                                                  This is not a bug and it’s not RCE. JavaScript and headers are red herrings here. If you request some URL from a server, you’re going to receive what that server chooses to send you, with or without a browser. There’s a risk in that to be sure, but it’s true by design.

                                                                                                                  1. 3

                                                                                                                    Turn off your network and you should eliminate the threat. Turn your computer off completely for a safer mitigation.

                                                                                                                  1. 3

                                                                                                                    We use Taskcluster, a home developed CI system. It supports both per-checkin and cron-like tasks. We use it because it was becoming increasingly clear that our previous buildbot based CI was a major productivity bottleneck, and other off the shelf solutions couldn’t handle the scale and complexity we needed.

                                                                                                                    While possibly a case of not-invented-here syndrome, I’d argue the decision to build from scratch was the right one. We are now in a very good spot where developers can self-serve their own tasks simply by adding some in-tree configuration. The tasks can run on a wide variety of platforms including AWS, Azure, physical machines in our data centre and more.

                                                                                                                    The taskcluster team has been working to make it easier for other organizations to run their own instances.

                                                                                                                    1. 2

                                                                                                                      Does anyone here use Bitwarden? I didn’t know about it, but it looks really attractive.

                                                                                                                      1. 3

                                                                                                                        Yes, it’s awesome. It’s also the only password manager that has a Firefox for Android extension (to my knowledge).

                                                                                                                        1. 3

                                                                                                                          Yes. It has some rough edges – I wish syncing was better – but it’s working great.

                                                                                                                          My syncing issue has to do with the fact that everything has its own copy of the data: desktop app, mobile app, browser plugins, etc. When you make a change they do not sync between them all immediately. You can have a Bitwarden app or plugin that is days behind so you have to go to settings and do a manual sync. Very annoying, but not a deal breaker.

                                                                                                                          1. 2

                                                                                                                            I use the venerable pass. It has none of this mobile mumbojumbo or autosync frills the kids today are talking about.

                                                                                                                            It’s so simple and lean, I never thought pass git pull would be annoying.

                                                                                                                            I would appreciate a mobile UI sometimes, though. A Sailfish client. But that’s not a dealbreaker either.

                                                                                                                            Maybe I could hook the missus up with Rubywarden, though. Pass would be too much for her.

                                                                                                                            Addendum: There appears to be a QML frontend on OpenRepos. Found through storeman. Not a complete client but have to give it a spin :)

                                                                                                                            1. 1

                                                                                                                              There is definitely a pass app for android. I’m not sure about iOS.

                                                                                                                              1. 1

                                                                                                                                As someone who uses a mobile and two desktops, having passwords being synced across devices is a must-have. It’s just too much of a pain to remember to copy new passwords from my phone to machine A, then B, and vice-versa.

                                                                                                                                1. 1

                                                                                                                                  Home desktop, work desktop, work laptop, work macOS laptop and hopefully soon two Sailfish mobiles running pass.

                                                                                                                                  Made git pull a habit, not a chore, but ymmv.

                                                                                                                            2. 2

                                                                                                                              yeah, it’s open source and possible to run self-hosted as well.

                                                                                                                              check out the discussion from a topic from a few days ago, I’d just be copying from there:

                                                                                                                            1. 2

                                                                                                                              I can’t decide if Let’s Encrypt is a godsend or a threat.

                                                                                                                              On one hand, it lets you support HTTPS for free.
                                                                                                                              On the other, they collect an enormous power worldwide.

                                                                                                                              1. 8

                                                                                                                                Agreed, they are quickly becoming the only game in town worth playing with when it comes to TLS certs. Luckily they are a non-profit, so they have more transparency than say Google, who took over our email.

                                                                                                                                It’s awesome that we have easy, free TLS certs, but there shouldn’t be a single provider for such things.

                                                                                                                                1. 3

                                                                                                                                  Is there anything preventing another (or another ten) free CAs from existing? Let’s Encrypt just showed everyone how, and their protocol isn’t a secret.

                                                                                                                                  1. 6

                                                                                                                                    OpenCA tried for a long time, and I think now has pretty much given up: https://www.openca.org/ and just exists in their own little bubble now.

                                                                                                                                    Basically nobody wants to certify you unless you are willing to pay out the nose and are considered friendly to the way of doing things. LE bought their way in I’m sure, to get their cert cross-signed, which is how they managed so “quickly” and it still took YEARS.

                                                                                                                                    1. 1

                                                                                                                                      Have you ever tried to create a CA?

                                                                                                                                      1. 3

                                                                                                                                        I’ve created lots of CAs, trusted by at most 250 people. :)

                                                                                                                                        Of course it’s not easy to make a new generally-trusted CA — nor would I want it to be. It’s a big complicated expensive thing to do properly. But if you’re willing to do the work, and can arrange the funding, is anything stopping you? I don’t know that browser vendors are against the idea of multiple free CAs.

                                                                                                                                        1. 3

                                                                                                                                          Obviously I was not talking about the technical stuff.

                                                                                                                                          One of my previous bosses explored the matter. He had the technical staff already but he wanted to become an official authority. It was more or less 2005.

                                                                                                                                          After some time (and a lot of money spent in legal consulting) he gave up.

                                                                                                                                          He said: “it’s easier to open a bank”.

                                                                                                                                          In a sense, it’s reasonable, as the European laws want to protect citizens from unsafe organisations.

                                                                                                                                          But, it’s definitely not a technical problem.

                                                                                                                                    2. 1

                                                                                                                                      Luckily they are a non-profit

                                                                                                                                      Linux Foundation is a 501(c)(6) organization, a business league that is not organized for profit and no part of the net earnings goes to the benefit of any private shareholder or individual.
                                                                                                                                      The fact all shareholders benefit from its work without a direct economical gain, doesn’t mean it has the public good at heart. Even less the public good of the whole world.

                                                                                                                                      It sounds a lot like another attempt to centralize the Internet, always around the same center.

                                                                                                                                      It’s awesome that we have easy, free TLS certs, but there shouldn’t be a single provider for such things.

                                                                                                                                      And such certificates protect people from a lot of relatively cheap attacks. That’s why I’m in doubt.

                                                                                                                                      Probably, issuing TLS certificates should be a public service free for each citizen of a state.

                                                                                                                                      1. 3

                                                                                                                                        Oh Jeez. Thanks, I didn’t realize it was not a 501c3, When LE was first coming around they talked about being a non-profit and I just assumed. That’s what happens when I assume.

                                                                                                                                        Proof, so we aren’t just taking @Shamar’s word for it:

                                                                                                                                        Linux Foundation Bylaws: https://www.linuxfoundation.org/bylaws/

                                                                                                                                        Section 2.1 states the 501(c)(6) designation with the IRS.

                                                                                                                                        My point stands, that we do get more transparency this way than we would if they were a private for-profit company, but I agree it’s definitely not ideal.

                                                                                                                                        So you think local cities, counties, states and countries should get in the TLS cert business? That would be interesting.

                                                                                                                                        1. 5

                                                                                                                                          It’s true the Linux Foundation isn’t a 501(c)(3) but the Linux Foundation doesn’t control Let’s Encrypt, the Internet Security Research Group does. And the ISRG is a 501(c)(3).

                                                                                                                                          So your initial post is correct and Shamar is mistaken.

                                                                                                                                          1. 1

                                                                                                                                            The Linux Foundation will provide general and administrative support services, as well as services related to fundraising, financial management, contract and vendor management, and human resources.

                                                                                                                                            This is from the page linked by @philpennock.

                                                                                                                                            I wonder what is left to do for the Let’s Encrypt staff! :-)

                                                                                                                                            I’m amused by how easily people forget that organisations are composed of people.

                                                                                                                                            What if Linux Foundation decides to drop its support?
                                                                                                                                            No funds. No finance. No contracts. No human resources.
                                                                                                                                            Oh and no hosting, too.

                                                                                                                                            But hey! I’m mistaken! ;-)

                                                                                                                                            1. 2

                                                                                                                                              Unless you have inside information on the contract, saying LE depends on the Linux Foundation is pure speculation.

                                                                                                                                              I can speculate too. Should the Linux Foundation withdraw support there are plenty of companies and organisations that have a vested interest in keeping LetsEncrypt afloat. They’ll be fine.

                                                                                                                                              1. 1

                                                                                                                                                Agreed.

                                                                                                                                                Feel free to think that it’s a philanthropic endeavour!
                                                                                                                                                I will continue to think it’s a political one.

                                                                                                                                                The point (and as I said I cannot answer yet) is if the global risk of a single US organisation being able to break most of HTTPS traffic world wide is worth the benefit of free certificates.

                                                                                                                                                1. 3

                                                                                                                                                  Any trusted CA can MITM, though, not just the one that issued the certificate. So the problem is (and always has been) much, much worse than that.

                                                                                                                                                  1. 1

                                                                                                                                                    Good point! I stand corrected. :-)

                                                                                                                                                    Still note how it’s easier for the certificate issuer to go unnoticed.

                                                                                                                                        2. 4

                                                                                                                                          What’s Linux Foundation got to do with it? Let’s Encrypt is run by ISRG, Internet Security Research Group, an organization from the IAB/IETF family if memory serves.

                                                                                                                                          They’re a 501(c)(3).

                                                                                                                                          1. 2

                                                                                                                                            LF provide hosting and support services, yes. Much as I pay AWS to run some things for me, which doesn’t lead to Amazon being in charge. https://letsencrypt.org/2015/04/09/isrg-lf-collaboration.html explains the connection.

                                                                                                                                            1. 1

                                                                                                                                              Look at the home page, top-right.

                                                                                                                                              1. 2

                                                                                                                                                The Linux Foundation provides hosting, fundraising and other services. LetsEncrypt collaborates with them but is run by the ISRG:

                                                                                                                                                Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

                                                                                                                                      1. 35

                                                                                                                                        A few months ago I upgraded my Linux system and Firefox stopped using my dark GTK theme and fell back to the default “adwaita” theme. Firefox tries to avoid dark themes, with special settings in about:config and even env vars to control whether it should allow them. I tried enabling all of these to no avail (I later figured out the problem was due to the GTK/XDG directory paths being wrong).

                                                                                                                                        When I asked in #firefox in IRC I was advised to install the Stylish extension and pick a dark theme for it. I pointed out that it seemed like overkill, since it would be adding theme engines on top of theme engines, but tried it anyway. When the extension asked for permission to access all of the information from every page I visit, I promptly deleted it, went back to IRC and pointed out that I’d rather have ugly widgets than leak so much info to a purely cosmetic extension. I was told that it’s fine, I should just click “accept” since loads of people use it, etc.

                                                                                                                                        I feel vindicated now :)

                                                                                                                                        1. 5

                                                                                                                                          Was this the one on freenode? If so I’m pretty sure that’s unaffiliated with Mozilla and you’ll get better advice asking on a topical channel from irc.mozilla.org.

                                                                                                                                          1. 2

                                                                                                                                            Can’t remember, but yeah I was aware it was enthusiastic volunteer users (I’ve often played that role) rather than anything official.

                                                                                                                                        1. 1

                                                                                                                                          I get the author’s point about the Z component being broken. If the library behaves incorrectly but the dependent program uses the incorrect behavior to get functionality, once the incorrect behavior is fixed in the library, the program will stop working. But the library will now be working correctly!

                                                                                                                                          I think semver is not able to solve this issue, but it can mitigate against it: thorough testing and quality analysis before a 1.0.0 release is made is necessary, and careful review of anything that comes afterward.

                                                                                                                                          1. 1

                                                                                                                                            If strictly adhering to SemVer, wouldn’t the correct approach be to change the default behaviour, while still providing a fallback for the old incorrect behaviour? You could then provide a deprecation notice and actually remove the old incorrect behaviour with the next major version.

                                                                                                                                            I think the problem is that libraries rarely do this (especially for “trivial” fixes) because it’s a PITA. But that’s not really SemVer’s fault.

                                                                                                                                            1. 1

                                                                                                                                              But that doesn’t solve the problem: dependents upgrade to Z+1 and their stuff breaks, which is expressly not what should happen when doing that under semver. Semver in this case tells you to bump the major version. I don’t mind, it works and it does satisfy the semver specification. I don’t have a problem with stupidly high major versions, since it’s all meaningless anyway, only the differentials are meaningful. Fundamentally going from 98 to 101 is the same as going from major version 3 to 6.

                                                                                                                                              1. 1

                                                                                                                                                Yeah, I think we’re on the same page. Either you figure out a way to fix the bug in a manner that’s backwards compatible, or you bump the major version. In practice people rarely do this for Z level fixes, but that’s more of a problem with how people interpret SemVer than with the philosophy itself.

                                                                                                                                          1. -1

                                                                                                                                            I disagree with Stallman here.

                                                                                                                                            If you surrender your data, then you do not have any right over them. If you upload your photos to facebook, then facebook has them.

                                                                                                                                            For public utility, it is fine to restrict the collection and usage of personal data. But for private corporations, the private individuals should be able to decide for themselves if giving a corporation access to your entire search history for wifi access at the coffee shop is worth it.

                                                                                                                                            1. 25

                                                                                                                                              More and more we are getting forced to use services that spy on us. Cash is being phased out for credit cards and mobile payments. I can’t even pay for parking at my uni without installing their mobile app. We need laws to protect us from these companies because they are impossible to 100% avoid.

                                                                                                                                              1. 5

                                                                                                                                                For public utility, it is fine to restrict the collection and usage of personal data. But for private corporations, the private individuals should be able to decide for themselves if giving a corporation access to your entire search history for wifi access at the coffee shop is worth it.

                                                                                                                                                But that’s precisely what fails when dealing with Facebook et al, isn’t it?

                                                                                                                                                No matter how assiduously you or I might refuse to sign up for Facebook and its ilk, block their tracking scripts, refuse to upload our photos, our text messages, our data – other people sign up for these things, and give these services permission to index their photos and text message logs etc, and Facebook builds a comprehensive shadow profile of you and me anyways.

                                                                                                                                                There is no avoiding or opting out of this short of opting out of all human contact, at this point, and the “simple”-sounding solution of “let every individual decide for themselves!” completely fails to engage with the collective consequences that everyone is losing privacy regardless of what decision they make individually.

                                                                                                                                                When your solution doesn’t engage with reality, it’s not useful.

                                                                                                                                                1. 4

                                                                                                                                                  But for private corporations, the private individuals should be able to decide for themselves if giving a corporation access

                                                                                                                                                  This will be true when everybody will be able to program and administrate a networking system.

                                                                                                                                                  That’s the only way people can understand what they are giving and for what.

                                                                                                                                                  Till then, you must protect them from people who use their ignorance against them.

                                                                                                                                                  1. 1

                                                                                                                                                    You can’t protect people from their own ignorance, long-term, except by education.

                                                                                                                                                    1. 3

                                                                                                                                                      You have to. No citizen can foresee the effects of all their actions. The technology we use today is too complicated to understand all of it.

                                                                                                                                                      That’s why generally everything needs to be safe by default.

                                                                                                                                                      1. 3

                                                                                                                                                        The technology we use today is too complicated to understand all of it.

                                                                                                                                                        The entire field of engineering is predicated on being able to do things without understanding how they work. Ditto beer brewing, baking, cooking, and so forth.

                                                                                                                                                        That’s why generally everything needs to be safe by default.

                                                                                                                                                        Bathtubs are not safe by default. Kitchen knives are not safe by default. Fire is not safe by default. Even childbirth isn’t safe by default, and you’d think that would’ve been solved generations ago by evolution.

                                                                                                                                                        No citizen can foresee the effects of all their actions.

                                                                                                                                                        Then why would we trust policies enacted by a handful of citizens deemed able to create laws any more than individual citizens making their own decisions? That’s a far riskier proposition.

                                                                                                                                                        ~

                                                                                                                                                        We can’t make the world safe for people that won’t learn how to be safe, and efforts to do so harm and inhibit everybody else.

                                                                                                                                                        1. 6

                                                                                                                                                          The entire field of engineering is predicated on being able to do things without understanding how they work. Ditto beer brewing, baking, cooking, and so forth. … You can’t protect people from their own ignorance, long-term, except by education.

                                                                                                                                                          Try buying an oven that will spontaneously catch fire just by being on. It’s going to be complicated, because there are mandatory standards. And it’s a good thing they are this reliable, right? Leaves us time to concentrate on our work.

                                                                                                                                                          Then why would we trust policies enacted by a handful of citizens deemed able to create laws any more than individual citizens making their own decisions? That’s a far riskier proposition.

                                                                                                                                                          Because a lot of shouting from many sides went into the discussions before the laws were enacted. Much like you discuss your network infrastructure policies with your colleagues instead of just rewiring the DC as you see fit every once in a while.

                                                                                                                                                          1. 3

                                                                                                                                                            The entire field of engineering is predicated on being able to do things without understanding how they work. Ditto beer brewing, baking, cooking, and so forth.

                                                                                                                                                            No.

                                                                                                                                                            Engineering is about finding solutions by using every bit of knowledge available.

                                                                                                                                                            Ignorance is an enemy to fight or work around, but for sure it’s not something to embrace!

                                                                                                                                                            That’s why generally everything needs to be safe by default.

                                                                                                                                                            Bathtubs are not safe by default. Kitchen knives are not safe by default. Fire is not safe by default. Even childbirth isn’t safe by default, and you’d think that would’ve been solved generations ago by evolution.

                                                                                                                                                            I agree that we should work to make programming common knowledge, like reading and writing, so that everyone can build their computing environment as they like.

                                                                                                                                                            And to those who say it’s impossible, I usually object that they can read, write and count just because someone else, centuries before, said “no, it’s possible to spread this knowledge and we have the moral duty to spread it”.

                                                                                                                                                            But all your examples are wrong.

                                                                                                                                                            They are ancient technologies and techniques that are way simpler than programming: humans have learnt to master them and teach each generation how to do so.

                                                                                                                                                            We have to protect people.

                                                                                                                                                            The states and laws can help, but the first shield of the people against the abusive use of technology are hackers.

                                                                                                                                                            We must spread our knowledge and ethics, not exploit the ignorance of others for a profit.

                                                                                                                                                    1. 2

                                                                                                                                                      You can edit user.js which has the same format. Modifications to prefs.js will be overwritten.

                                                                                                                                                      1. 1

                                                                                                                                                        Oh right :)

                                                                                                                                                    1. 7

                                                                                                                                                      One wonders why not just, say, use JSON for this.

                                                                                                                                                      1. 24

                                                                                                                                                        I believe the prefs format predates JSON (or at least JSON’s popularity), and changing it now is a non-starter as it would break everyone’s user preferences. Even this changeset whose only backwards incompatible changes were fixing some glaringly obvious bugs caused some reports of failing CI around the web.

                                                                                                                                                        We could try to migrate prefs files to a new format, but that would be a high risk/low reward operation.

                                                                                                                                                        1. 5

                                                                                                                                                          We could try to migrate prefs files to a new format, but that would be a high risk/low reward operation.

                                                                                                                                                          I wish you folks would do that. :(

                                                                                                                                                          1. 19

                                                                                                                                                            Would you volunteer to respond to all the breakage reports it might cause?

                                                                                                                                                            I may sound bitter now, but when a maintainer says something is too hard/risky, and a random user replies with “yeah, you should do it anyway” disregarding who is it that’s going to deal with problems, it’s just utterly disrespectful.

                                                                                                                                                            1. 17

                                                                                                                                                              Respect doesn’t enter into it–hell, I even agree with the assessment that the work is high-risk/low-reward…then again, I feel the proposed fix has some of the same issues. Like, the parser has worked well-enough that refactoring is maybe not a good use of time.

                                                                                                                                                              If the decision is made “We must refactor it”, then it makes sense to go one step further and fix the underlying file format anyways. Then again, Mozilla has a history of derping on file formats.

                                                                                                                                                              As for “all of the breakage reports it might cause”, given that the docs themselves discourage direct editing of files, it would seem that there probably isn’t a huge amount of breakage to be concerned about. Further, if the folks are clever enough to write a neat parser for the existing format, I’m quite sure they’re clever enough to write a tool that can correctly convert legacy config files into a new thing.

                                                                                                                                                              (And again, it’s common advice that there are no user-serviceable parts inside good chunks of it, because it’s a derpy file format.)

                                                                                                                                                              Like, just to hammer this home, here is the format of a prefs.js file:

                                                                                                                                                              # Mozilla User Preferences
                                                                                                                                                              
                                                                                                                                                              /* Do not edit this file.
                                                                                                                                                               *
                                                                                                                                                               * If you make changes to this file while the application is running,
                                                                                                                                                               * the changes will be overwritten when the application exits.
                                                                                                                                                               *
                                                                                                                                                               * To make a manual change to preferences, you can visit the URL about:config
                                                                                                                                                               */
                                                                                                                                                              
                                                                                                                                                              user_pref("accessibility.typeaheadfind.flashBar", 0);
                                                                                                                                                              user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1520626265);
                                                                                                                                                              user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1520626385);
                                                                                                                                                              user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1520640065);
                                                                                                                                                              user_pref("app.update.lastUpdateTime.experiments-update-timer", 1520626145);
                                                                                                                                                              user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1520626025);
                                                                                                                                                              user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1520625785);
                                                                                                                                                              user_pref("app.update.lastUpdateTime.telemetry_modules_ping", 1520625905);
                                                                                                                                                              user_pref("app.update.lastUpdateTime.xpi-signature-verification", 1520626505);
                                                                                                                                                              
                                                                                                                                                              <snip>
                                                                                                                                                              

                                                                                                                                                              There is no reason that this shouldn’t be in a sane file format (read: JSON). This could be accomplished with a conversion tool, and gracefully deprecated.

                                                                                                                                                              Edit:

                                                                                                                                                              It even already contains JSON!

                                                                                                                                                              user_pref("browser.onboarding.tour.onboarding-tour-performance.completed", true);
                                                                                                                                                              user_pref("browser.pageActions.persistedActions", "{\"version\":1,\"ids\":[\"bookmark\",\"bookmarkSeparator\",\"copyURL\",\"emailLink\",\"sendToDevice\",\"pocket\",\"screenshots\"],\"idsInUrlbar\":[\"pocket\",\"bookmark\"]}");
                                                                                                                                                              user_pref("browser.pagethumbnails.storage_version", 3);
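The conversion tool suggested in the comment above could look like the following. This is an added example, not Mozilla's parser and not code from the thread: it is a strict reader for the `user_pref(...)` lines quoted above that emits JSON and can decode prefs whose string value is itself JSON. The comment styles and the escape set it accepts are assumptions, and all function names are hypothetical.

```python
import json
import re


class PrefsSyntaxError(ValueError):
    """Raised instead of guessing when the input is not well-formed."""


# Escapes this sketch accepts inside strings (an assumed subset).
ESCAPES = {'"': '"', "'": "'", "\\": "\\", "n": "\n", "r": "\r"}
LITERAL = re.compile(r"true\b|false\b|[+-]?\d+")

# Constructed sample: lines copied from the prefs.js excerpt quoted above.
SAMPLE = r'''# Mozilla User Preferences
/* Do not edit this file. */
user_pref("accessibility.typeaheadfind.flashBar", 0);
user_pref("app.update.lastUpdateTime.xpi-signature-verification", 1520626505);
user_pref("browser.onboarding.tour.onboarding-tour-performance.completed", true);
user_pref("browser.pageActions.persistedActions", "{\"version\":1,\"ids\":[\"bookmark\",\"bookmarkSeparator\",\"copyURL\",\"emailLink\",\"sendToDevice\",\"pocket\",\"screenshots\"],\"idsInUrlbar\":[\"pocket\",\"bookmark\"]}");
'''


def skip_blank(text, i):
    """Advance past whitespace and #, // and /* */ comments (assumed styles)."""
    while i < len(text):
        if text[i].isspace():
            i += 1
        elif text[i] == "#" or text.startswith("//", i):
            end = text.find("\n", i)
            i = len(text) if end == -1 else end + 1
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            if end == -1:
                raise PrefsSyntaxError("unterminated block comment")
            i = end + 2
        else:
            break
    return i


def expect(text, i, token):
    """Require `token` at the next non-blank position and step over it."""
    i = skip_blank(text, i)
    if not text.startswith(token, i):
        raise PrefsSyntaxError(f"expected {token!r} at offset {i}")
    return i + len(token)


def read_string(text, i):
    """Read a double-quoted string, decoding backslash escapes."""
    i = expect(text, i, '"')
    out = []
    while i < len(text):
        ch = text[i]
        if ch == '"':
            return "".join(out), i + 1
        if ch == "\n":
            break  # a raw newline inside a string is rejected
        if ch == "\\":
            i += 1
            if i >= len(text) or text[i] not in ESCAPES:
                raise PrefsSyntaxError(f"unsupported escape at offset {i}")
            ch = ESCAPES[text[i]]
        out.append(ch)
        i += 1
    raise PrefsSyntaxError("unterminated string")


def read_value(text, i):
    """Read a string, integer or boolean pref value."""
    i = skip_blank(text, i)
    if text.startswith('"', i):
        return read_string(text, i)
    m = LITERAL.match(text, i)
    if m is None:
        raise PrefsSyntaxError(f"expected string, integer or boolean at offset {i}")
    token = m.group()
    value = (token == "true") if token in ("true", "false") else int(token)
    return value, m.end()


def parse_prefs(text):
    """Parse the whole file; any unexpected token aborts the conversion."""
    prefs = {}
    i = skip_blank(text, 0)
    while i < len(text):
        i = expect(text, i, "user_pref")
        i = expect(text, i, "(")
        name, i = read_string(text, i)
        i = expect(text, i, ",")
        value, i = read_value(text, i)
        i = expect(text, i, ")")
        i = expect(text, i, ";")
        prefs[name] = value
        i = skip_blank(text, i)
    return prefs


def to_json(text, embedded_json=()):
    """Convert to JSON; prefs named in embedded_json are decoded, not re-quoted."""
    prefs = parse_prefs(text)
    for name in embedded_json:
        if isinstance(prefs.get(name), str):
            prefs[name] = json.loads(prefs[name])
    return json.dumps(prefs, indent=2, sort_keys=True)
```

Failing closed on malformed input matters for a one-way migration: a converter that silently skips a line it cannot read drops that preference for good.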
                                                                                                                                                              
                                                                                                                                                              1. 7

                                                                                                                                                                No disrespect taken :)

                                                                                                                                                                For the record, I agree a standard format would be better. Also for the record I’ve never even looked at the prefs code before, so my statement was coming more from experience knowing how much the tiniest changes can blow up on the scale of the web.

                                                                                                                                                                You never know, maybe we’ll support JSON and the legacy format at some point, but that smells like it might be unnecessary complexity to me.

                                                                                                                                                                1. 2

                                                                                                                                                                  You said unnecessary complexity. Normally, I’d either say that’s a good thing or suggest a simple subset if it’s something like JSON. If Firefox already supports JSON, wouldn’t there already be a component included that could be called to handle it? Is that inaccessible? Or does it suck so much it’s worth rolling and including one’s own parser that’s not a cleaned-up subset of JSON? Just curious given Firefox is an older, big project.

                                                                                                                                                                  1. 5

                                                                                                                                                                    The pref parser is a small isolated module, so I don’t think it would be technically difficult to implement (bear in mind I’m not familiar with it at all).

                                                                                                                                                                    The complexity I’m referring to was more around ux, maintenance, and support, that come with providing two different ways of doing the same thing.

                                                                                                                                                              2. 2

                                                                                                                                                                ““yeah, you should do it anyway” disregarding who is it that’s going to deal with problems, it’s just utterly disrespectful.”

                                                                                                                                                                Bringing up respect and morals when a FOSS project uses non-standard formats instead of standard ones that already existed with tooling people could’ve used? And that definitely would need extra work or fixes later? I doubt they were thinking of morality when they did it. More like “Let’s implement this feature the way I feel like doing it with my preferences and constraints right now.” Kind of a similar mindset to many people asking them for changes.

                                                                                                                                                                A better question would be, “Is replacing non-standard stuff in the browser with well-supported, standardized stuff worth the effort to fix the breakage?” In this case, I’m not sure without knowing more specifics. The general answer for file formats is “Yes wherever possible for interoperability and ecosystem benefits.”

                                                                                                                                                                1. 6

                                                                                                                                                                  non-standard formats instead of standard ones that already existed with tooling people could’ve used

                                                                                                                                                                  That’s untrue, the grandparent comment mentions this probably predates JSON’s popularity.

                                                                                                                                                                  Edit: Yeah, the bug itself is 17 years old, and the prefs format is probably older. Wikipedia says “Douglas Crockford originally specified the JSON format in the early 2000s;”, which means that at best the prefs format came around the same time Crockford first specified it, and at worst it probably came into being a couple years earlier.

                                                                                                                                                                  1. 1

                                                                                                                                                                    Good thinking on the history. I did say “standard formats,” not JSON. Before JSON, the formats I used included LISP-style sexprs for easy parsing, Sun’s XDR, ASN.1, and XML. I also hoped simpler ones gaining popularity would lead to secure or verified implementations. That was effortless for LISP-based syntax with Galois doing a verified ASN.1 later. Most went with the overcomplicated formats or hand-rolled their own each with problems. For XML, I found I could just use a subset of it close to basic HTML tags that made it easier for someone to convert later with standard or customer tooling.

                                                                                                                                                                    So, those were among alternative approaches back in those days that many projects were taking. Except LISP syntax which only LISPers were using. ;)

                                                                                                                                                          2. 3

                                                                                                                                                            Or Toml, since that’s Rust’s go-to data markup language.

                                                                                                                                                            1. 4

                                                                                                                                                              That’d be just a little too cute.

                                                                                                                                                          1. 23

                                                                                                                                                            GitHub URLs are pretty badly designed.

                                                                                                                                                            For example, /contact is their contact page, and /contactt is a user profile.

                                                                                                                                                            Apparently, there’s a hardcoded list of ”reserved words” in the code, and when someone adds a new feature, they add the word/path segment there and check that it’s not taken by a user.

                                                                                                                                                            So it could perhaps be the case that they’re adding some feature related to malware?

                                                                                                                                                            1. 13

                                                                                                                                                              That could very well be the case – and I’d be totally fine with that. I understand being coded into a corner, and wanting to fix things for the greater good at the expense of a few users.

                                                                                                                                                              I just can’t figure out why, for the sake of “privacy and security”, they don’t want to tell me.

                                                                                                                                                              1. 16

                                                                                                                                                                I think this is absurd behavior on GitHub’s part, and you’re right to be upset by it.

                                                                                                                                                                Since you do seem curious, I have a guess why they’re being so evasive, and it’s pretty simple: They’re a large organization. The person you’re talking to would probably need to get approval from both legal and PR teams to tell you about their product plan before it’s launched. I have no information on how busy GitHub’s lawyers and PR people are, but I would expect an approval like that to take a few weeks. Based on what they told you about the timeframe, it sounds like they want to launch their feature sooner than that.

                                                                                                                                                                What I’d really like to know is whether this is a one-off, or whether they’ve done it to other people before. It seems like their URL scheme will require it pretty frequently…

                                                                                                                                                                1. 7

                                                                                                                                                                  The person you’re talking to would probably need to get approval from both legal and PR teams to tell you about their product plan before it’s launched.

                                                                                                                                                                  Which is why I didn’t single out the support representative that contacted me; they clearly were not in the decision process for any of this, and I don’t want to cause them any undue grief/trouble past my first email reply asking for clarification.

                                                                                                                                                                  To be clear: I don’t really care about the malware username, other than it’s a pretty cool name. I’m more interested in the reason behind why the forced rename.

                                                                                                                                                                  Lots of people (read: salty News of Hacker commenters) say it’s obvious (wanting to reserve the /malware top level URL) and call me dumb for even asking, but no one has given me any evidence other than theories and suppositions. Which is great! I love thinking and hypothesizing.

                                                                                                                                                                  1. 5

                                                                                                                                                                    I don’t have any documented evidence other than anecdotal, but when I worked at a similar company with an almost identical URL structure this was one of the hardest parts of launching a new top level feature. It turns out recognizable words make for good usernames… so it’s almost impossible to find one that’s still available when working on a new feature. The choice ends up being between picking a horrible URL or displacing one user to make it easier to find.

                                                                                                                                                                    It’s also worth noting that GitHub has a habit of being very secretive about what they’re working on - it’s almost impossible to get information about known bugs which have been reported before, let alone information about a potential new feature.

                                                                                                                                                                    I would be willing to bet that this is being done for something we’ll hear about in the next year or two.

                                                                                                                                                              2. 11

                                                                                                                                                                We made a team that was just the Unicode pi symbol and GitHub assigned us the URL /team/team.

                                                                                                                                                                1. 4

                                                                                                                                                                  That’s a great Unicode hack.

                                                                                                                                                                2. 11

                                                                                                                                                                  The curse of mounting user paths directly to /. When in doubt, always put a namespace route on it.

                                                                                                                                                                  1. 6

                                                                                                                                                                    That was my thought as well. I would imagine they want it as a landing page for some new feature or product.

                                                                                                                                                                  1. 3

                                                                                                                                                                    This is such a crucial plugin. I absolutely hate reading through all the cruft just to get the recipe. Its a shame I don’t use Chrome as my daily driver but I do appreciate you for making this.

                                                                                                                                                                    1. 3

                                                                                                                                                                      What browser are you using most often to look at recipes? I was thinking about porting to FF if there’s traction on this one.

                                                                                                                                                                      edit: ok fellas, you talked me into it, I’ll work on a FF plugin this weekend

                                                                                                                                                                      1. 4

                                                                                                                                                                        I’ll add a second request for FF support, it’s easier than ever these days as they both use web extensions: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Porting_a_Google_Chrome_extension

                                                                                                                                                                        1. 3

                                                                                                                                                                          Yep, I’m a Firefox user. I think there’s enough of us now to make it worth your while. I would offer a helping hand but I have never made a browser extension so I don’t think I’d be much help.

                                                                                                                                                                          1. 2

                                                                                                                                                                            I also use Firefox and would be interested in this extension.