1. 81

    I beg all my fellow crustaceans to please, please use Firefox. Not because you think it’s better, but because it needs our support. Technology only gets better with investment, and if we don’t invest in Firefox, we will lose the web to chrome.

    1. 59

      Not because you think it’s better

      But that certainly helps too. It is a great browser.

      • privacy stuff — the cookie container API for things like Facebook Container, built-in tracker blocker, various anti-fingerprinting things they’re backporting from the Tor Browser
      • honestly just the UI and the visual design! I strongly dislike the latest Chrome redesign >_<
      • nice devtools things — e.g. the CSS Grid inspector
      • more WebExtension APIs (nice example: only on Firefox can Signed Pages actually prevent the page from even loading when the signature check fails)
      • the fastest (IIRC) WASM engine (+ now in Nightly behind a pref: even better codegen backend based on Cranelift)
      • ongoing but already usable Wayland implementation (directly in the official tree now, not as a fork)
      • WebRender!!!
      1. 7

        On the other hand, WebSocket debugging (mostly frame inspection) is impossible in Firefox without an extension. I try not to install any extensions that I don’t absolutely need and Chrome has been treating me just fine in this regard[1].

        Whether or not I agree with Google’s direction is now a moot point. I need Chrome to do what I do with extensions.

        As soon as Firefox supports WebSocket debugging natively, I will be perfectly happy to switch.

        [1] I mostly oppose extensions because of questionable maintenance cycles. I allow uBlock and aXe because they have large communities backing them.

        1. 3

          Axe (https://www.deque.com/axe/) seems amazing. I know it wasn’t the focus of your post – but I somehow missed this when debugging an accessibility issue just recently, I wish I had stumbled onto it. Thanks!

          1. 1

            You’re welcome!

            At $work, we used aXe and NVDA to make our webcomponents AA compliant with WCAG. aXe was invaluable for things like contrast and missing role attributes.

          2. 3

            WebSocket debugging (mostly frame inspection) is impossible in Firefox without an extension

            Is it possible with an extension? I can’t seem to find one.

            1. 1

              I have never needed to debug WebSockets and see no reason for that functionality to bloat the basic browser for everybody. Too many extensions might not be a good thing but if you need specific functionality, there’s no reason to hold back. If it really bothers you, run separate profiles for web development and browsing. I have somewhat more than two extensions and haven’t had any problems.

              1. 1

                I do understand your sentiment, but the only extension that I see these days is marked “Experimental”.

                On the other hand, I don’t see how it would “bloat” a browser very much. (Disclaimer: I have never written a browser or contributed to any. I am open to being proved wrong.) I have written a WebSockets library myself, and it’s not a complex protocol. It can’t be too expensive to update a UI element on every (websocket) frame.

            2. 5

              Yes! I don’t know about you, but I love the fact that Firefox uses so much less ram than chrome.

              1. 2

                This was one of the major reasons I stuck with FF for a long time. It is still a pronounced difference.

              2. 3

                honestly just the UI and the visual design! I strongly dislike the latest Chrome redesign >_<

                Yeah, what’s the deal with the latest version of Chrome? All those bubbly menus feel very mid-2000’s. Everything old is new again.

                1. 3

                  I found a way to go back to the old ui from https://www.c0ffee.net/blog/openbsd-on-a-laptop/ (it was posted here a few weeks ago):

                  Also, set the following in chrome://flags:

                  • Smooth Scrolling: (personal preference)
                  • UI Layout for the browser’s top chrome: set to “Normal” to get the classic Chromium look back
                  • Identity consistency between browser and cookie jar: set to “Disabled” to keep Google from hijacking any Google login to sign you into Chrome
                  • SafeSearch URLs reporting: disabled

                  (emphasis mine)

                2. 1

                  The Wayland implementation is not usable quite yet, though, but it is close. I tried it under Sway, but it was crashy.

                  1. -3

                    Not really. Not to mention Pocket integration and the recent VPN advertisement. Ah, and they have removed RSS support.

                    It’s just another product made by a for-profit corporation.

                    I think the web got over-complicated. There are no usable, truly independent browsers and probably never will be. It’s a read-only “opensource”.

                    1. 16

                      It’s just another product made by a for-profit corporation.

                      They (Mozilla) are actually a non-profit.

                      1. 2

                        There is also Mozilla corporation.

                        1. 12

                          …which is 100% owned by the Mozilla Foundation, and:

                          The Mozilla Corporation reinvests all of its profits back into the Mozilla projects.

                          Forming for-profit corporations is not uncommon for NGOs, because NGOs in many countries are severely legally limited in the amount of commercial activities they’re able to do.

                          1. 3

                            Adding to that, funding FOSS software development is not considered 501(c)(3)-eligible in the US.

                      2. 5

                        I had the same impression with that over-complication of JS into ES6. CSS is also looking more like a programming language. HTTP/2 is now a binary protocol. So to have a modern web platform, you need to support all of these, and none are trivial anymore. On the other hand, I find it amazing to be able to do networking, audio, video, 3D and highly customizable user interfaces with (relatively) little effort at a pretty good speed. As a platform for creativity and experimentation, it is without equivalent.

                        1. 2

                          without equivalent.

                          Java applets - done right?

                          1. 3

                            Or Flash/Shockwave done openly and right?

                            1. 4

                              Both Java applets and Flash were actually more like trojan horses. See how Flash (a very good scenegraph at the time) became AIR (i.e. an attempt to take over the Web like Java) and thankfully died because Apple killed it with the iPhone. The intention was to run programs within a walled garden, not to interoperate with the Web at large. At least that’s how I read it.

                              1. 4

                                Good point on long-term risk. Do note I said Flash/Shockwave the tech. That was made by Macromedia, not Adobe. Macromedia was a company whose pricey tech was kick-ass but made no attempt to be open or interoperate past maybe Dreamweaver. Catchy name many lay people could spell, too.

                                I think Adobe acquiring them made me drop some F-bombs, sigh a bit, roll my eyes, and so on. I knew there would be short-term improvements before the large company FUBARed its value over time. Apple’s position sealed its fate.

                                1. 2

                                  Indeed, Macromedia had much better stewardship than Adobe in this respect. What I find really ironic is that before the acquisition, Adobe was pushing SVG and SVG animations as an alternative to Flash, embracing and pushing the web standards. After the acquisition, everything stalled and it’s only with Apple creating the Canvas API and standardizing it through the newly created WHATWG that we started to catch up and be able to do fast interactive graphics on the Web. What we lost, though, is one of the best tools to create vector animations with programmatic behaviour. One step ahead, two steps back some might say.

                              2. 3

                                I think the difference is that applets and Flash were supposed to extend the web experience, new technologies are replacing it. It’s convenient but dangerous as it promotes monoculture. I don’t know if there is a safe middle ground.

                                1. 5

                                  There is a lot being lost with the death of Flash. It was amazingly lightweight when it started out. You can take that Homestar Runner e-mail and the original Flash, resize it to 4k, and it will still render correctly and sharply. You can’t do that when you export animation to YouTube at a set resolution. Not to mention all the games that were made in Flash that we’ll lose soon.

                                  Adobe really butchered all the Macromedia stuff when they acquired that company. It’s pretty sad.

                          2. 2

                            What does “removes RSS support” mean? Was it possible to use it as a feed reader before?

                            1. 3

                              Yeah, it was called “Live Bookmarks” and basically made your RSS feed subs show up in your bookmarks bar (or accessible from a page). It actually looked really neat, but I only found out about it when/because they removed it.

                              1. 10

                                “Live Bookmarks” still exist, in Firefox 63.0.3 released on Nov 15th, 2018. I use them. Go to any RSS feed in FF and they will pop up. I use them for multiple Discourse forums.

                                  1. 1

                                    Ah, sad times, thanks for the link!

                              2. -1

                                Sure, using live bookmarks and integrated reader. But RSS collided with their new commercial and closed product, namely Pocket.

                                1. 4

                                  That’s not completely fair. I’m not sure if anything has happened yet, but Mozilla does have plans to open-source Pocket:

                                  As a result of this strategic acquisition, Pocket will become a wholly owned subsidiary of Mozilla Corporation and will become part of the Mozilla open source project.

                          3. 16

                            I switched to Firefox last year, and I have to say I don’t miss Chrome in the slightest.

                            1. 13

                              And those with a little financial liberty, consider donating to Mozilla. They do a lot of important work for a free and open web.

                              1. 10

                                I recently came back to Firefox from Vivaldi. That’s another Chromium/WebKit-based browser and it’s closed source to boot.

                                Firefox has improved greatly in speed as of late and I feel like we’re back in the era of the mid-2000s, asking people to choose Firefox over Chrome this time instead of IE.

                                1. 2

                                  I’d love to switch from Vivaldi, but it’s simply not an option given the current (terrible) state of vertical tab support in Firefox.

                                  1. 2

                                    How is it terrible? The hiding of the regular tab bar is not an API yet and you have to use CSS for that, sure, but there are some very good tree style tab webextensions.

                                    1. 2

                                      The extensions are all terrible – but what’s more important is that I lost the belief that any kind of vertical tab functionality has any chance of long-term survival. Even if support was added now, it would be a constant battle to keep it and I’m frankly not interested in such fights anymore.

                                      Mozilla is chasing their idealized “average user” and is determined to push everyone into their one-size-fits-all idea of user interface design – anyone not happy with that can screw off, if it were up to Mozilla.

                                      It’s 2018 – I don’t see why I even have to argue for vertical tabs and mouse gestures anymore. I just pick a browser vendor which hasn’t been asleep at the wheel for the last 5 years and ships with these features out of the box.

                                      And if the web in the future ends up as some proprietary API defined by whatever Google Chrome implements, because Firefox went down, Mozilla has only itself to blame.

                                      1. 2

                                        The extensions are all terrible – but what’s more important is that I lost the belief that any kind of vertical tab functionality has any chance of long-term survival. Even if support was added now, it would be a constant battle to keep it and I’m frankly not interested in such fights anymore.

                                        The whole point of moving to WebExtensions was long term support. They couldn’t make significant changes without breaking a lot of the old extensions. The whole point was to unhook extensions from the internals so they can refactor around them and keep supporting them.

                                        1. 0

                                          That’s like a car manufacturer removing all electronics from a car – sure it makes the car easier to support … but now the car doesn’t even turn on anymore!

                                          Considering that cars are usually used for transportation, not for having them sit in the garage, you shouldn’t be surprised that customers buy other cars in the future.

                                          (And no, blaming “car enthusiasts” for having unrealistic expectations, like it happens in the case of browser users, doesn’t cut it.)

                                          1. 3

                                            So you’d rather they didn’t improve it at all? Or would you rather they broke most extensions every release?

                                            1. 3

                                              I’m not @soc, but I wish Firefox had delayed their disabling of old-style extensions in Firefox 57 until they had replicated more of the old functionality with the WebExtensions API – mainly functionality related to interface customization, tabs, and sessions.

                                              Yes, during the time of that delay, old-style extensions would continue to break with each release, but the maintainers of Tree Style Tabs and other powerful extensions had already been keeping up with each release by releasing fixed versions. They probably could have continued updating their extensions until WebExtensions supported their required functionality. And some users might prefer to run slightly-buggy older extensions for a bit instead of switching to the feature-lacking new extensions straight away – they should have that choice.

                                              1. 1

                                                What’s the improvement? The new API was so bad that they literally had to pull the plug on the existing API to force extension authors to migrate. That just doesn’t happen in cases where the API is “good”; developers are usually eager to adopt such APIs and migrate their code.

                                                Let’s not accuse people you disagree with of being “against improvements” – it’s just that the improvements have to actually exist, and in this case the API clearly wasn’t ready. This whole fiasco feels like another instance of CADT-driven development and the failure of management to rein it in.

                                                1. 3

                                                  The old extension API provided direct access to the JavaScript context of both the chrome and the tab within a single thread, so installing an XUL extension was disabling multiprocess mode. Multiprocess mode seems like an improvement; in old Firefox, a misbehaving piece of JavaScript would lock up the browser for about a second before eventually popping up a dialog offering to kill it, whereas in a multiprocess browser, it should be possible to switch and close tabs no matter what the web page inside does. The fact that nobody notices when it works correctly seems to make it the opposite of Attention-Deficient-Driven-Design; it’s the “focus on quality of implementation, even at the expense of features” design that we should be encouraging.

                                                  The logical alternative to “WebExtension For The Future(tm)” would’ve been to just expose all of the relevant threads of execution directly to the XUL extensions. run-this-in-the-chrome.xul and run-this-in-every-tab.xul and message pass between them. But at that point, we’re talking about having three different extension APIs in Firefox.

                                                  Which isn’t to say that I think you’re against improvement. I am saying that you’re thinking too much like a developer, and not enough like the poor sod who has to do QA and Support triage.

                                                  1. 2

                                                    Improving the actual core of Firefox. They’re basically ripping out and replacing large components every other release. This would break a large number of plugins constantly. Hell, plugins wouldn’t even work in Nightly. I do agree with @roryokane that they should have tried to improve it before cutting support. The new API is definitely missing many things but it was the right decision to make for the long term stability of Firefox.

                                                    1. 1

                                                      They could have made the decision to axe the old API after extension authors adopted the new one. The fact that adoption failed so hard that they had to force developers to use the new API speaks for itself.

                                                      I’d rather have extensions that I have to fix from time to time, than no working extensions at all.

                                            2. 1

                                              Why should Mozilla care that much about your niche use case? They already have a ton of stuff to deal with and barely enough funding.

                                              It’s open source, make your own VerticalTabFox fork :)

                                              1. 3

                                                Eh … WAT? Mozilla went the extra mile with their recent extension API changes to make things – that worked before – impossible to implement with a recent Firefox version. The current state of tab extensions is this terrible, because Mozilla explicitly made it this way.

                                                I used Firefox for more than 15 years – the only thing I wanted was to be left alone.

                                                It’s open source, make your own VerticalTabFox fork :)

                                                Feel free to read my comment above to understand why that doesn’t cut it.

                                                Also, Stuff that works >> open source. Sincerely, a happy Vivaldi user.

                                                1. 2

                                                  It’s one of the laws of the internet at this point: Every thread about Firefox is always bound to attract someone complaining about WebExtensions not supporting their pet feature that was possible with the awful and insecure old extension system.

                                                  If you care about “non terrible” (whatever that means — Tree Style Tab looks perfect to me) vertical tabs more than anything — sure, use a browser that has them.

                                                  But you seem really convinced that Firefox could “go down” because of not supporting these relatively obscure power user features well?? The “average user” they’re “chasing” is not “idealized”. The actual vast majority of people do not choose browsers based on vertical tabs and mouse gestures. 50% of Firefox users do not have a single extension installed, according to telemetry. The majority of the other 50% probably only have an ad blocker.

                                                  1. 3

                                                    If you care about “non terrible” (whatever that means — Tree Style Tab looks perfect to me) vertical tabs more than anything — sure, use a browser that has them.

                                                    If you compare the current state of the art of vertical tabs extensions, even Mozilla thinks they suck – just compare them to their own Tab Center experiment: https://testpilot.firefox.com/static/images/experiments/tab-center/details/tab-center-1.1957e169.jpg

                                                    Picking just one example: Having the navigation bar at a higher level of the visual hierarchy is just wrong – the tab panel isn’t owned by the navigation bar, the navigation bar belongs to a specific tab! Needless to say, all of the vertical tab extensions are forced to be wrong, because they lack the API to implement the UI correctly.

                                                    This is how my browser currently looks, for comparison: https://i.imgur.com/5dTX8Do.png

                                                    But you seem really convinced that Firefox could “go down” because of not supporting these relatively obscure power user features well?? The “average user” they’re “chasing” is not “idealized”. The actual vast majority of people do not choose browsers based on vertical tabs and mouse gestures. 50% of Firefox users do not have a single extension installed, according to telemetry. The majority of the other 50% probably only have an ad blocker.

                                                    You can only go so far alienating the most loyal users that use Firefox for specific purposes until they stop installing/recommending it to their less technically-inclined friends and relatives.

                                                    Mozilla is so busy chasing after Chrome that it doesn’t even realize that most Chrome users will never switch. They use Chrome because “the internet” (www.google.com) told them so. As long as Mozilla can’t make Google recommend Firefox on their frontpage, this will not change.

                                                    Discarding their most loyal users while trying to get people to adopt Firefox who simply aren’t interested – this is a recipe for disaster.

                                                2. 1

                                                  and barely enough funding

                                                  Last I checked they pulled in half a billion in revenue (2016). Do you believe this is barely enough?

                                                  1. 2

                                                    For hundreds of millions users?

                                                    Yeah.

                                              2. 1

                                                At least with multi-row tabs in CSS you can’t drag-and-drop tabs. That’s about as bad as it gets.

                                              3. 2

                                                Are vertical tabs so essential?

                                                1. 3

                                                  Considering the change in screen ratios over the past ten years (displays get shorter and wider), yes, it absolutely is.

                                                  With vertical tabs I can get almost 30 full-width tabs on screen, with horizontal tabs I can start fishing for the right tab after about 15, as the tab width gets increasingly smaller.

                                                  Additionally, vertical tabs reduce the way of travel substantially when selecting a different tab.

                                                  1. 1

                                                    I still miss them, didn’t cripple me, but really hurt. The other thing about Tree (not just vertical) tabs that FF used to have was that the subtree was contextual to the parent tree. So, when you opened a link in a background tab, it was opened in a new tab that was a child of your current tab. For doing like documentation hunting / research it was amazing and I still haven’t found its peer.

                                                2. 1

                                                  It’s at least partially open source. They provide tarballs.

                                                  1. 4

                                                    https://help.vivaldi.com/article/is-vivaldi-open-source/

                                                    The chromium part is legally required to be open, the rest of their code is like readable source, don’t get me wrong that’s way better than unreadable source but it’s also very wut.

                                                    1. 2

                                                      Very wut. It’s a weird uneasy mix.

                                                      1. 1

                                                        that’s way better than unreadable source but it’s also very wut.

                                                        I wouldn’t be sure of that. It makes it auditable, but has legal ramifications should you want to build something like vivaldi, but free.

                                                  2. 8

                                                    firefox does not get better with investment, it gets worse.

                                                    the real solution is to use netsurf or dillo or mothra, so that webmasters have to come to us and write websites that work with browsers that are simple enough to be independently maintained.

                                                    1. 9

                                                      Good luck getting more than 1‰ adoption 😉

                                                      1. 5

                                                        good luck achieving independence from Google by using a browser funded by Google

                                                        1. 1

                                                          I can achieve independence from Google without using netsurf, dillo, or mothra; to be quite honest, those will never catch on.

                                                          1. 2

                                                            can you achieve independence from google in a way that will catch on?

                                                            1. 1

                                                              I don’t think we’ll ever get the majority of browser share back into the hands of a (relatively) sane organization like Mozilla—but we can at least get enough people to make supporting alternative browsers a priority. On the other hand, the chances that web devs will ever feel pressured to support the browsers you mentioned are close to nil. (No pun intended.)

                                                              1. 0

                                                                what is the value of having an alternative, if that alternative is funded by google and sends data to google by default?

                                                                1. 1

                                                                  what is the value of having an alternative

                                                                  What would you like me to say, that Firefox’s existence is worthless? This is an absurd thing to insinuate.

                                                                  funded by google

                                                                  No. I’m not sure whether you’re speaking in hyperbole, misunderstood what I was saying, and/or altogether skipped reading what I wrote. But this is just not correct. If Google really had Mozilla by the balls as you suggest, they would coerce them to stop adding privacy features to their browser that, e.g., block Google Analytics on all sites.

                                                                  sends data to google by default

                                                                  Yes, though it seems they’ve been as careful as one could be about this. Also to be fair, if you’re browsing with DNT off, you’re likely to get tracked by Google at some point anyway. But the fact that extensions can’t block this does have me worried.

                                                                  1. 1

                                                                    i’m sorry if i misread something you wrote. i’m just curious what benefit you expect to gain if more people start using firefox. if everyone switched to firefox, google could simply tighten their control over mozilla (continuing the trend of the past 10 years), and they would still have control over how people access the web.

                                                                    1. 1

                                                                      It seems you’re using “control” in a very abstract sense, and I’m having trouble following. Maybe I’m just missing some context, but what concrete actions have Google taken over the past decade to control the whole of Mozilla?

                                                                      1. 1

                                                                        Google has pushed through complex standards such as HTTP/2 and new rendering behaviors, which Mozilla implements in order to not “fall behind.” They are able to implement and maintain such complexity due to funding they receive from Google, including their deal to make Google the default search engine in Firefox (as I said earlier, I couldn’t find any breakdown of what % of Mozilla’s funding comes from Google).

                                                                        For evidence of the influence this funding has, compare the existence of Mozilla’s Facebook Container to the non-existence of a Google Container.

                                                                        1. 1

                                                                          what % of Mozilla’s funding comes from Google

                                                                          No word on the exact breakdown. Visit their 2017 report and scroll all the way to the bottom, and you’ll get a couple of helpful links. One of them is to a wiki page that describes exactly what each search engine gets in return for their investment.

                                                                          I would also like to know the exact breakdown, but I’d expect all those companies would get a little testy if the exact amount were disclosed. And anyway, we know what the lump sum is (around half a billion), and we can assume that most of it comes from Google.

                                                                          the non-existence of a Google Container

                                                                          They certainly haven’t made one themselves, but there’s nothing stopping others from forking one off! And anyway, I think it’s more so fear on Mozilla’s part than any concrete warning from Google against doing so.

                                                                          Perhaps this is naïveté on my part, but I really do think Google just want their search engine to be the default for Firefox. In any case, if they really wanted to exert their dominance over the browser field, they could always just… you know… stop funding Mozilla. Remember: Google is in the “web market” first & the “software market” second. Having browser dominance is just one of many means to the same end. I believe their continued funding of Mozilla attests to that.

                                                                          1. 2

                                                                            It doesn’t have to be a direct threat from Google to make a difference. Direct threats are a very narrow way in which power operates and there’s no reason that should be the only type of control we care about.

                                                                            Yes Google’s goal of dominating the browser market is secondary to their goal of dominating the web. Then we agree that Google’s funding of Firefox is in keeping with their long-term goal of web dominance.

                                                                            if they really wanted to exert their dominance over the browser field, they could always just… you know… stop funding Mozilla.

                                                                            Likewise, if Firefox was a threat to their primary goal of web dominance, they could stop funding Mozilla. So doesn’t it stand to reason that using Firefox is not an effective way to resist Google’s web dominance? At least Google doesn’t think so.

                                                                            1. 1

                                                                              Likewise, if Firefox was a threat to their primary goal of web dominance, they could stop funding Mozilla. So doesn’t it stand to reason that using Firefox is not an effective way to resist Google’s web dominance?

                                                                              You make some good points, but you’re ultimately using the language of a “black or white” argument here. In my view, if Google were to stop funding Mozilla they would still have other sponsors. And that’s not to mention the huge wave this would make in the press—even if most people don’t use Firefox, they’re at least aware of it. In a strange sense, Google cannot afford to stop funding Mozilla. If they do, they lose their influence over the Firefox project and get huge backlash.

                                                                              I think this is something the Mozilla organization were well aware of when they made the decision to accept search engines as a funding source. They made themselves the center of attention, something to be competed over. And in so doing, they ensured their longevity, even as Google’s influence continued to grow.

                                                                              Of course this has negative side effects, such as companies like Google having influence over them. But in this day & age, the game is no longer to be free of influence from Google; that’s Round 2. Round 1 is to achieve enough usage to exert influence on what technologies are actually adopted. In that sense, Mozilla is at the discussion table, while netsurf, dillo, and mothra (as much as I’d love to love them) are not and likely never will be.

                                                        2. 3

                                                          Just switch to Gopher.

                                                          1. 5

                                                            Just switch to Gopher

                                                            I know you were joking, but I do feel like there is something to be said for the simplicity of systems like gopher. The web is so complicated nowadays that building a fully functional web browser requires software engineering on a grand scale.

                                                            1. 3

                                                              yeah. i miss when the web was simpler.

                                                              1. 1

                                                                I was partially joking. I know there are new ActivityPub tools like Pleroma that support Gopher and I’ve thought about adding support to generate/serve gopher content for my own blog. I realize it’s still kinda a joke within the community, but you’re right about there being something simple about just having content without all the noise.

                                                          2. 1

                                                            Unless more than (rounded) 0% of people use it for Facebook, it won’t make a large enough blip for people to care. Also this is how IE was dominant, because so much only worked for them.

                                                            1. 1

                                                              yes, it would require masses of people. and yes it won’t happen, which is why the web is lost.

                                                          3. 2

                                                            I’ve relatively recently switched to FF, but still use Chrome for web dev. The dev tools still seem quite more advanced and the browser is much less likely to lock up completely if I have a JS issue that’s chewing CPU.

                                                            1. 2

                                                              I tried to use Firefox on my desktop. It was okay, not any better or worse than Chrome for casual browsing apart from private browsing Not Working The Way It Should relative to Chrome (certain cookies didn’t work across tabs in the same Firefox private window). I’d actually want to use Firefox if this was my entire Firefox experience.

                                                              I tried to use Firefox on my laptop. Site icons from bookmarks don’t sync for whatever reason (I looked up the ticket and it seems to be a policy problem where the perfect is the enemy of the kinda good enough), but it’s just a minor annoyance. The laptop is also pretty old and for that or whatever reason has hardware accelerated video decoding blacklisted in Firefox with no way to turn it back on (it used to work a few years ago with Firefox until it didn’t), so I can’t even play 720p YouTube videos at an acceptable framerate and noise level.

                                                              I tried to use Firefox on my Android phone. Bookmarks were completely useless with no way to organize them. I couldn’t even organize on a desktop Firefox and sync them over to the phone since they just came out in some random order with no way to sort them alphabetically. There was also something buggy with the history where clearing history didn’t quite clear history (pages didn’t show up in history, but links remained colored as visited if I opened the page again) unless I also exited the app, but I don’t remember the details exactly. At least I could use UBO.

                                                              This was all within the last month. I used to use Firefox before I used Chrome, but Chrome just works right now.

                                                              1. 6

                                                                I definitely understand that Chrome works better for many users and you gave some good examples of where firefox fails. My point was that people need to use and support firefox despite it being worse than chrome in many ways. I’m asking people to make sacrifices by taking a principled position. I also recognize most users might not do that, but certainly, tech people might!? But maybe I’m wrong here, maybe the new kids don’t care about an open internet.

                                                            1. 14

                                                              I’ve seen a few things on the internet (including here at Lobsters) saying, essentially, “Please, use Firefox out of concern for the ecosystem, even if it’s worse than the alternatives at <thing you care about>.” I do use Firefox, and have for the last year, but this rankles me a bit. I realize that Mozilla is (partially) a non-profit, and that even a for-profit corporation can’t do everything, but if you visit Firefox’s Bugzilla you can find tickets for obvious features that have been open for years. Here’s one that’s been open since April 2013 and which is still unassigned.

                                                              Part of this is a PR/communication problem; Firefox is at a bit of a disadvantage in that we can all see a list of the things they are or aren’t working on right now. But every time Firefox gains a new feature that I don’t care about, I think about all of these tickets that have been open forever and have lots of comments and duplicates but which Mozilla has chosen not to work on.

                                                              1. 10

                                                                I know it’s a pain when your pet issue doesn’t get fixed but really, bookmarklets.. I have never heard anyone irl ever mention one. 99.9% of web users probably don’t know what they are so I am betting when a mozilla dev has to choose what issue to work on there will be a lot more high priority tasks than fixing bookmarklets. I have had some real blocking issues with some new web features not working exactly to spec in firefox and I have seen a lot of them get fixed in reasonable timeframes because they affect more users.

                                                                1. 8

                                                                  Yeah, but that’s not what they were doing. Mozilla invested all kinds of time into projects people weren’t demanding while not fixing problems their existing users were reporting. That’s not a good way to run a business if you have one product with serious competition. Gotta keep making that product the best it can be along every attribute.

                                                                2. 9

                                                                  Honestly, if we’re concerned about the web ecosystem, people should use Lynx more. The web would be better if most pages had to work in Lynx.

                                                                  Edit: Which, after checking, Lobste.rs is very readable on Lynx, and you can login just fine. Unfortunately, the reply/edit links don’t work.

                                                                  1. 4

                                                                    I do actually know people using the web with lynx frequently (It’s a very nice browser for blind people used to the command line).

                                                                    1. 1

                                                                      Just so people don’t get the wrong idea, I should mention that the majority of blind people who use computers have been productively using GUIs for a couple of decades now. Yes, there are blind people who are more comfortable with the command line and even screen-oriented terminal-based applications like Lynx, but they’re a small and shrinking minority of a minority, and I would guess that even they have given in and started using a JavaScript-capable browser when needed. There is certainly not an economic barrier anymore. So don’t feel that you need to accommodate them.

                                                                      1. 3

                                                                        So a blind person who uses lynx should not be accommodated, because the barriers to switching to GUIs are not economic? If it’s harder for them to learn to use a GUI than to keep using lynx, why shouldn’t they be accommodated?

                                                                    2. 3

                                                                      Yup. I read lobste.rs in links and have to pop over to Firefox to reply. You can post a new comment, though.

                                                                      1. 2

                                                                        Lynx (and Links in text mode) are great options. If you still want graphics, but not the latest JS / CSS fads, maybe try Dillo or NetSurf. All these have independent rendering engines. The parts of the web that don’t work in simple browsers are largely the ones I can do without.

                                                                      2. 6

                                                                        Heh, I should have guessed that was the bookmarklet bug. It is weird that a browser that supposedly empowers the user allows remote sites to dictate what code you’re allowed to run.

                                                                      1. 1

                                                                        Never miss a story from Ferdy Christant, when you sign up for Medium. Learn more

                                                                        can we block medium already

                                                                        1. 1

                                                                          This is off-topic. Are you complaining that medium has a banner in the footer?

                                                                          1. 1

                                                                            the thing i quoted was the most prominent text on the page that was linked to. i think the most prominent text on a page should be fair game for comments.

                                                                            1. 1

                                                                              No, it’s the annoying sign up messages on what is essentially a glorified pastebin.

                                                                          1. 12

                                                                            seems more like a front door to me.

                                                                            still nothing preventing microsoft from implementing a backdoor in a way you can’t detect.

                                                                            1. 3

                                                                              Hidden somewhere in a documentation page. The bloke who clicks together an ubuntu machine and follows the DO guide to install Wordpress probably won’t know.

                                                                              1. 1

                                                                                they also won’t know about all the other ways microsoft is probably tracking your usage, recording your root password, making their own snapshots, bundling up that data to send to the NSA, etc.

                                                                            1. 5

                                                                              As Linux gets more and more corporate and less targeted for the desktop, having a light-weight and responsive OS is enough to make it unique.

                                                                              I do patch my Linux with the MuQSS scheduler, the best thing for Linux responsiveness, but I was recently told the Haiku one is essentially the same. This is awesome to me.

                                                                              There is a lot and more in apps and hardware support that Haiku would need for me to switch over, but it seems like a cool project.

                                                                              Does it do virtual desktops, btw?

                                                                              1. 4

                                                                                MuQSS scheduler

                                                                                I heard there was a better scheduler for desktop use. Didn’t know the name. Thanks for the tip.

                                                                                1. 3

                                                                                  Does it do virtual desktops, btw?

                                                                                  It does.

                                                                                  The things that it’s missing that I would need to make it my daily driver:

                                                                                  Minimum:

                                                                                  • Support for multiple monitors (was in the works at one point, may be there now)
                                                                                  • Support for videoconferencing and screen sharing in Google Meet (long shot because Google barely even supports Firefox there)
                                                                                  • Full disk encryption (there’s an encrypted block device driver in the tree but last I checked it was moribund)

                                                                                  Optimal:

                                                                                  • The ability to run virtual machines at full speed (there’s qemu but without OS support it’s doing true emulation and is unusably slow for my purposes)
                                                                                  • The ability to use Firefox Sync

                                                                                  I’d say BeOS is my favorite operating system of all time, but I can’t quite bring myself to say it since AmigaOS existed.

                                                                                  1. 3

                                                                                    I do patch my Linux with the MuQSS scheduler, the best thing for Linux responsiveness, but I was recently told the Haiku one is essentially the same. This is awesome to me.

                                                                                    I don’t know a lot about the MuQSS scheduler, but from reading over the introductory document, it indeed looks pretty similar to Haiku’s. (I wonder where you read this previously, though?)

                                                                                    There is a lot and more in apps and hardware support that Haiku would need for me to switch over, but it seems like a cool project.

                                                                                    What would those be? Most minor tools are easily ported at this point.

                                                                                    1. 3

                                                                                      IRC, oftc.net, can’t remember why I joined Con Kolivas’ channel #ck, but there. I consider him a friend after all this time and tested some of his prototypes way back.

                                                                                      The Godot engine would be one big thing.

                                                                                    2. 3

                                                                                      Virtual desktops: yes.

                                                                                      Linux gets more and more corporate and less targeted for the desktop

                                                                                      Let’s hope the competitors get better in quality. I doubt I will want to change to Haiku unless something really bad happens in the nix world, but hopefully its presence will make everyone else better nonetheless.

                                                                                      1. 3

                                                                                        Disk encryption, does it have that? Password-protected screensaver?

                                                                                        1. 4

                                                                                          BeOS had a password-protected screensaver.

                                                                                      2. 2

                                                                                        How does mainstream GNU/Linux get worse?

                                                                                        1. 10

                                                                                          NB: this turned out to be a poettering rant.

                                                                                          adding ever more complicated layers onto complicated layers to reinvent the wheel. most things should be done a few layers down, not by adding a few layers on top. this while having the same functionality 10 years ago, which most of the time was working as good as today, only less complicated and prone to break. the sound stack is just horrible, the most sane thing would be to throw out alsa and pulseaudio and use oss4, which implements most of the features. session and login management is also insane, a mess of daemons connected via dbus of all things. systemd people constantly reinventing square wheels (resolved, really?). while i’m at it, ps found a new one i didn’t know about: “rtkit-daemon”, fixing problems i don’t have, running by default.

                                                                                          i know, it’s open source, i can write a patch.

                                                                                          1. 3

                                                                                            I’ve been geeking out on schedulers for a long, long time and every encounter with vanilla Linux on a heavily-loaded box has been awful. It might behave better now, but that would be by very complicated code and bizarre special-case settings.

                                                                                            As a simple user, I just use the -ck patch set and ignore the horrors of the sound stack, systemd, Linux Foundation’s corporate politics, cgroups and what have you.

                                                                                            I mean, it kinda still works, but sometimes it feels the best desktop-experience parity with Windows was reached 20 years ago, if you exclude hardware support and games, and or with gnome3-type shit and everything got worse.

                                                                                            I’m not positive the desktop experience is as good as it gets but I am positive it’s no one’s priority.

                                                                                            1. 4

                                                                                              I actually like Gnome 3 UI-wise, but the Linux scheduler seems to be more horrific than it used to be, and I remember it being bad a decade ago. I’ve had systems where X11 chugged hard and took 30 minutes to get to a vt when Firefox was stressing the system, when Windows on even more decrepit hardware was slow, but at least felt usable due to seemingly better scheduling - and it didn’t matter what WM you were using.

                                                                                          2. 1

                                                                                            I’m not seeing Linux move away from the desktop at all. In fact I’m seeing more investment in the Linux desktop than ever.

                                                                                            It’s just that they’re investing in the wrong (from my selfish stance :) desktop environment :)

                                                                                            1. 2

                                                                                              they’re moving away from the desktop and towards tablets, even though linux doesn’t run on any

                                                                                          1. -6

                                                                                            whats all this hate for dragonflybsd. next you’ll be telling me to stop using slackware to chat with my coworkers!

                                                                                            1. 7

                                                                                              Off-topic: is it just me or do all of the game screenshots look like they have greyscale canvas filters applied?

                                                                                              1. 1

                                                                                                Yes. That’s the ‘style’ of my blog. ;)

                                                                                                1. 8

                                                                                                  Might confuse people when you talk about video games working on a specific OS. To me, it didn’t look like they were working correctly…

                                                                                                  1. 1

                                                                                                    If you’d like to dissuade people from gaming on FreeBSD I would leave it as-is.

                                                                                                  1. 15

                                                                                                    Q: is the HTTP protocol really the problem that needs fixing?

                                                                                                    I’m under the belief that if the HTTP overhead is causing you issues then there are many alternative ways to fix this that don’t require more complexity. A site doesn’t load slowly because of HTTP, it loads slowly because it’s poorly designed in other ways.

                                                                                                    I’m also suspicious of Google’s involvement. TCP HTTP 1.1 is very simple to debug and do by hand. Google seems to like closing or controlling open things (Google chat support for XMPP, Google AMP, etc). Extra complexity is something that should be avoided, especially for the open web.

                                                                                                    1. 10

                                                                                                      They have to do the fix on HTTP because massive ecosystems already depend on HTTP and browsers with no intent to switch. There’s billions of dollars riding on staying on that gravy train, too. It’s also worth noting lots of firewalls in big companies let HTTP traffic through but not better-designed protocols. The low-friction improvements get more uptake by IT departments.

                                                                                                      1. 7

                                                                                                        WAFs and the like barely support HTTP/2 tho; a friend gave a whole talk on bypasses and scanning for it, for example

                                                                                                        1. 6

                                                                                                          Thanks for the feedback. I’m skimming the talk’s slides right now. So far, it looks like HTTP/2 got big adoption but WAFs lagged behind. Probably just riding their cash cows minimizing further investment. I’m also sensing business opportunity if anyone wants to build an HTTP/2 and /3 WAF that works with independent testing showing nothing else or others didn’t. Might help bootstrap the company.

                                                                                                          1. 3

                                                                                                            ja, that’s exactly correct: lots of the big-name WAFs/NGFWs/&c. are missing support for HTTP/2 but many of the mainline servers support it, so we’ve definitely seen HTTP/2 as a technique to bypass things like SQLi detection, since they don’t bother parsing the protocol.

                                                                                                            I’ve also definitely considered doing something like CoreRuleSet atop HTTP/2; could be really interesting to release…

                                                                                                            1. 4

                                                                                                              so we’ve definitely seen HTTP/2 as a technique to bypass things like SQLi detection, since they don’t bother parsing the protocol.

                                                                                                              Unbelievable… That shit is why I’m not in the security industry. People mostly building and buying bullshit. There’s exceptions but usually setup to sell out later. Products based on dual-licensed code are about only thing immune to vendor risk. Seemingly. Still exploring hybrid models to root out this kind of BS or force it to change faster.

                                                                                                              “I’ve also definitely considered doing something like CoreRuleSet atop HTTP/2; could be really interesting to release…”

                                                                                                              Experiment however you like. I can’t imagine what you release being less effective than web firewalls that can’t even parse the web protocols. Haha.

                                                                                                              1. 5

                                                                                                                Products based on dual-licensed code

                                                                                                                We do this where I work, and it’s pretty nice, tho of course we have certain things that are completely closed source. We have a few competitors that use our products, so it’s been an interesting ecosystem to dive into for me…

                                                                                                                Experiment however you like. I can’t imagine what you release being less effective than web firewalls that can’t even parse the web protocols. Haha.

                                                                                                                pfff… there’s a “NGFW” vendor I know that…

                                                                                                                • when it sees a connection it doesn’t know, analyzes the first 5k bytes
                                                                                                                • this allows the connection to continue until the 5k+1 byte is met
                                                                                                                • subsequently, if your exfiltration process transfers data in packages of <= 5kB, you’re ok!

                                                                                                                we found this during an adversary simulation assessment (“red team”), and I think it’s one of the most asinine things I’ve seen in a while. The vendor closed it as “works as expected”.

                                                                                                                edit: fixed the work link as that’s a known issue.

                                                                                                                1. 3

                                                                                                                  BTW, Firefox complains when I go to https://trailofbits.com/ that the cert isn’t configured properly…

                                                                                                                  1. 2

                                                                                                                    hahaha Nick and I were just talking about that; it’s been reported before, I’ll kick it up the chain again. Thanks for that! I probably should edit my post for that…

                                                                                                                    1. 2

                                                                                                                      Adding another data point: latest iOS also complains about the cert

                                                                                                        2. 3

                                                                                                          They have to do the fix on HTTP

                                                                                                          What ‘fix’? Will this benefit anyone other than Google?

                                                                                                          I’m concerned that if this standard is not actually a worthwhile improvement for everyone else, then it won’t be adopted and the IETF will lose respect. I’m running on the guess that it’s going to have even less adoption than HTTP/2.

                                                                                                        3. 13

                                                                                                          I understand and sympathize with your criticism of Google, but it seems misplaced here. This isn’t happening behind closed doors. The IETF is an open forum.

                                                                                                          1. 6

                                                                                                            just because they do some subset of the decision making in the open shouldn’t exempt them from blame

                                                                                                            1. 3

                                                                                                              Feels like Google’s turned a lot of public standards bodies into rubber stamps for pointless-at-best, dangerous-at-worst standards like WebUSB.

                                                                                                              1. 5

                                                                                                                Any browser vendor can ship what they want if they think that makes them more attractive to users or what not. Doesn’t mean it’s a standard. WebUSB shipped in Chrome (and only in Chrome) more than a year ago. The WebUSB spec is still an Editor’s Draft and it seems unlikely to advance significantly along the standards track.

                                                                                                                The problem is not with the standards bodies, but with user choice, market incentive, blah blah.

                                                                                                                1. 3

                                                                                                                  Feels like Google’s turned a lot of public standards bodies into rubber stamps for pointless-at-best, dangerous-at-worst standards like WebUSB.

                                                                                                                  “WebUSB”? It’s like kuru crossed with ebola. Where do I get off this train.

                                                                                                                2. 2

                                                                                                                  Google is incapable of doing bad things in an open forum? Open forums cannot be influenced in bad ways?

                                                                                                                  This does not displace my concerns :/ What do you mean exactly?

                                                                                                                  1. 4

                                                                                                                    If the majority of the IETF HTTP WG agrees, I find it rather unlikely that this is going according to a great plan towards “closed things”.

                                                                                                                    Your “things becoming closed-access” argument doesn’t hold, imho: While I have done lots of plain text debugging for HTTP, SMTP, POP and IRC, I can’t agree with it as a strong argument: Whenever debugging gets serious, I go back to writing a script anyway. Also, I really want the web to become encrypted by default (HTTPS). We need “plain text for easy debugging” to go away. The web needs to be great (secure, private, etc.) for users first - engineers second.

                                                                                                                    1. 2

                                                                                                                      That “users first, engineers second” mantra leads to things like Apple and Microsoft clamping down on the “general purpose computer”: think of the children the users! They can’t protect themselves. We’re facing this at work (“the network and computers need to be secure, private, etc.”) and it’s expected we won’t be able to do any development because, of course, upper management doesn’t trust us mere engineers with “general purpose computers”. Why can’t it be for “everybody?” Engineers included?

                                                                                                                      1. 1

                                                                                                                        No, no, you misunderstand.

                                                                                                                        The users first / engineers second is not about the engineers as end users like in your desktop computer example.

                                                                                                                        What I mean derives from the W3C design principles. That is to say, we shouldn’t avoid significant positive change (e.g., HTTPS over HTTP) just because it’s a bit harder on the engineering end.

                                                                                                                        1. 6

                                                                                                                          Define “positive change.” Google shoved HTTP/2 down our throats because it serves their interests not ours. Google is shoving QUIC down our throats because again, it serves their interests not ours. That it coincides with your biases is good for you; others might feel differently. What “positive change” does running TCP over TCP give us (HTTP/2)? What “positive change” does a reimplementation of SCTP give us (QUIC)? I mean, other than NIH syndrome?

                                                                                                                          1. 3

                                                                                                                            Are you asking how QUIC and H2 work, or are you saying performance isn’t worth improving? If it’s the latter, I think we’ve figured out why we disagree here. If it’s the former, I kindly ask you to find out yourself before you enter this dispute.

                                                                                                                            1. 3

                                                                                                                              I know how they work. I’m asking, why are they reimplementing already implemented concepts? I’m sorry, but TCP over TCP (aka HTTP/2) is plain stupid—one lost packet and every stream on that connection hits a brick wall.

                                                                                                                              1. 1

                                                                                                                                SPDY and its descendants are designed to allow web pages with lots of resources (namely, images, stylesheets, and scripts) to load quickly. A sizable number of people think that web pages should just not have lots of resources.

                                                                                                                1. 3

                                                                                                                  Do you really need to have root privileges on your Google-free phones?

                                                                                                                  I would like to keep my phone as secure as possible, and having root privileges enabled doesn’t seem like a smart choice if you have security in mind too.

                                                                                                                  1. 7

                                                                                                                    Yes. I’m the owner of the hardware, I want to be able to do whatever I want with it, including the things that not having root would prevent me from doing.

                                                                                                                    1. 3

                                                                                                                      The problem with this idea is that you are also allowing the possibility for any applications you install to also use root. Some ‘root access management’ apps will prompt you, etc, but then you’re just depending on them to not have any issues that would allow an app to circumvent their checks.

                                                                                                                      I am the owner of my hardware, and I choose to not allow applications to assume more permissions than the OS was designed to allow them to have.

                                                                                                                      1. 7

                                                                                                                        That just sounds like an argument for improving those components instead of giving up control altogether.

                                                                                                                        1. 8

                                                                                                                          Not at all what I intended. I’m merely pointing out the downfall in enabling root access on current mobile operating systems. I would use root in an OS which I could control; sadly there’s no longer any mobile device supporting one (RIP N900), but hopefully there will be a new one soon (Librem 5 cannot come fast enough).

                                                                                                                          1. 2

                                                                                                                            That makes sense.

                                                                                                                            1. 2

                                                                                                                              My N900 is still kicking, but yeah it’s not my daily driver because browser reasons :P

                                                                                                                              Besides Librem5, we’re also waiting on the Pyra. The Gemini is here today running Debian as an alternate. Also running ubports on a Nexus 5 can get you close.

                                                                                                                              1. 1

                                                                                                                                Of course! There’s also postmarketOS.

                                                                                                                          2. 3

                                                                                                                            There used to be a lot of good use cases for rooting an Android phone, because there were a lot of reasonable things you needed root to do (run VPNs, block ads, change DNS settings, put background apps to sleep) and a lot of the culture of that time has persisted in the Android modding community. But over time, most of the things you really needed root for have been either added to the base system (doze, night mode) or made available to a user-space API (VPNs) or developer settings. With Android 7 or later, the only thing you really would need root for is micro-tweaking kernel settings, and that’s really only useful when you’re trying to get the most out of older hardware. Now it’s worth the little bit of extra security to leave your phone/tablet unrooted.

                                                                                                                            1. 4

                                                                                                                              There used to be a lot of good use cases for rooting an Android phone

                                                                                                                              If you’re using a carrier-branded phone there are still reasons:

                                                                                                                              • Debloating/disabling undesirable preinstalled apps.
                                                                                                                              • Fine-grained app permissioning (xposed framework).
                                                                                                                              • App hibernation and background running control.
                                                                                                                              • DNS choice and filtering.
                                                                                                                              • Ad Blocking.
                                                                                                              • Enabling hotspot support (varies with carrier).

                                                                                                              1. 4

                                                                                                                                Some of those (DNS and ad blocking) no longer require root.

                                                                                                                                If you are able to unlock the bootloader and run something like LineageOS, then you effectively resolve the remaining issues without rooting the device.

                                                                                                                                1. 1

                                                                                                                                  Oof. Yeah, though to be totally pedantic, you could install an unrooted LineageOS on that phone (if it, or similar, is available), and get most of those. Blokada gives you DNS choice and filtering and ad blocking, and it doesn’t require root (it uses the VPN framework).

                                                                                                                                  1. 1

                                                                                                                                    Blokada

                                                                                                                    I’ll give that a try. I found DNS66 to cause long hangs and random lookup failures and, of course, AdAway requires root.

                                                                                                                          3. 4

                                                                                                            The ‘root access’ moniker is a bit of a misnomer, as it makes many people seem to think disabling it disables the root account. This is of course not what happens: Android, being *nix underneath, by definition has a root account which is used to boot the device and run a host of services. Any bugs which would give rise to local root access still apply no matter whether a working su is installed or not. If the installed su app is working as it should, the attack surface is only raised by so much as the user remains vigilant over granting root to specific apps. Any app which does get root can abuse it, so this privilege should only be bestowed upon those bits which are ‘known to be trustworthy’. In other words, the security of a ‘rooted’ device depends for a large part on the judiciousness by which the user grants or denies root access, just like the security of a firearm depends on the hand wielding it.

                                                                                                                            1. 1

                                                                                                                              depends for a large part on the judiciousness by which the user grants or denies root access

                                                                                                                              Not entirely. It also depends extremely heavily on the mechanism used to manage root access (e.g. SuperSu). If that application has issues that can be exploited to go around the user intervention, then all bets are off. Suddenly your firearm is capable of firing without you touching it.

                                                                                                                              1. 1

                                                                                                                                If the installed su app is working as it should the attack surface is only raised by so much as the user remains vigilant over granting root to specific apps.

                                                                                                                                1. 1

                                                                                                                                  Ok, but my point is that’s a mighty big assumption to make.

                                                                                                                            2. 3

                                                                                                              Like any decent system, every root request is accepted (or rejected) by the user.

                                                                                                                              It’s not like you installed an app from the store and it uses root without you knowing.

                                                                                                                              1. 3

                                                                                                                                You’re assuming the root manager software (like Magisk, or SuperSU back in the days) has no security issues whatsoever.

                                                                                                                Mind you, I’m not saying that commonly used root managers are compromised, but I believe that the current status of Android rooting management is inherently insecure because we rely on software that is not always audited. I prefer having a custom ROM (maybe even with a custom boot chain of trust!) without root rather than leaving such a wide attack surface available for a hypothetical rogue party.

                                                                                                                              2. 1

                                                                                                                                because if someone stole your phone and guessed your root password they could install whatever they want on it?

                                                                                                                                1. 1

                                                                                                                  Is this an argument against my thought? If yes, could you please elaborate more? I’m curious about your point of view, and I’m afraid my (lacking) knowledge of English didn’t help me understand your reply.

                                                                                                                                  1. 2

                                                                                                                                    i’m confirming how having root access hurts security. which attacks can be carried out when your phone is rooted, which couldn’t be carried out if it weren’t rooted?

                                                                                                                                    1. 3

                                                                                                                                      An app with root access can read the private data of other apps, and can generally disregard the permissions system, so that’s two major classes of things there.

                                                                                                                                      1. 1

                                                                                                                                        but the user would be able to decide whether to run a program as root, wouldn’t they?

                                                                                                                                      2. 3

                                                                                                                                        One could trick the user into installing an app that bypasses root managers and gets root permissions directly. From there, the same rogue app could steal basically everything from the user’s phone without even noticing anything.

                                                                                                                                        1. 1

                                                                                                                                          why would the app be run as root? on linux i can build and run programs as my user account without giving the programs root permissions. i install programs with sudo, but then i’m running the package manager which is code i trust, not the programs i’m installing which i trust less. after installing a program, i still have to explicitly run it as root. does android work differently?

                                                                                                                                1. 12

                                                                                                                                  If you have to have a non-free firmware (and you do) I’d rather it be made by Apple instead of “Xiaomi”.

                                                                                                                                  Any layers of free software you add on top of that non-free foundation can never erase the fundamental truth that you don’t control your device and are therefore in the business of selecting a company to trust. And I don’t think there is much “carefully selecting a company to trust” going on here.

                                                                                                                                  I would love if things had gone a different way — I’d buy an iStallman phone in a heartbeat — but that’s water under the bridge.

                                                                                                                                  1. 10

                                                                                                                                    The firmware isn’t really made by Xiaomi. It’s all Qualcomm. I’m not sure if Qualcomm even shows their source code to the actual phone vendors.

                                                                                                                                    1. 4

                                                                                                                      there’s no good option for a cell phone to talk on, but there is this:

                                                                                                                                      https://pyra-handheld.com/boards/pages/pyra/

                                                                                                                                      1. 1

                                                                                                                        Does it make sense for them to track at the firmware level, considering that the vast majority of their users are okay with having it in userspace?

                                                                                                                                        1. 1

                                                                                                                                          Not sure. Better question: Would you trust them not to if there was a profitable and/or convenient reason for doing so?

                                                                                                                                      1. 0

                                                                                                                                        OK? I mean, this is a drag for people who use Linux, and wanted Apple hardware, but I feel that the delta between Apple hardware and other OEM hardware is closer than it’s been in a very long time, and if you’re not buying to run OS X, why pay the delta?

                                                                                                                                        1. 2

                                                                                                                                          Funny, I think the delta is the largest it has ever been. IMO there’s simply no contest anymore, while back in the day Thinkpads were actually better.

                                                                                                                                          1. 3

                                                                                                                            I don’t know. I was a Mac user for 7 years, until about two months ago when I bought a Matebook X Pro. Is the hardware as good as Apple? No, but it’s damn close for a computer that cost $1k less than the equivalent Macbook Pro. In fact, it wasn’t even cost, but rather the “innovative” features on the new Macbook Pros (the super low-profile keyboard and the useless touchbar) that pushed me to make the jump.

                                                                                                                            Apple still has an edge, but it’s becoming smaller and smaller. I’d say that the biggest quality-of-life advantage Apple still has is just how well integrated their OS and hardware are, even though Apple seems to be on a campaign to make OS X actively hostile to the very software engineers like me who used to choose the Mac because it was a “better POSIX experience”.

                                                                                                                                            1. 1

                                                                                                                                              New apple hardware is good? Or is the go-to macbook still the 2010-2012 models? IIRC those were the last to use 2.5” SATA drives and normal resolution screens. The retina macbooks lost that stuff but at least retained an okay keyboard. So I would be curious to hear what’s good about the new macbooks, if that’s indeed what you’re saying.

                                                                                                                                          1. 3

                                                                                                                                            i got into linux because it was easy to dual boot my macbook pro. looks like they’ve finally plugged that leak in their customer base.

                                                                                                                                            1. 3

                                                                                                                                              https://shop.jolla.com/ “Sorry, not available in your country.”

                                                                                                                                              I would love to support this effort, but I’m not sure how to start.

                                                                                                                                              1. 3

                                                                                                                                                I used a VPN to buy a license. My Sony Xperia X works perfectly fine in the US.

                                                                                                                                                1. 1

                                                                                                                                                  That is great news… but does Sony kick back any of that purchase price to Jolla? (I doubt it!)

                                                                                                                                                  I recall that they used to market their own hardware, and can’t blame them for not continuing with that business model. Curious about their prospective revenue streams.

                                                                                                                                                  1. 2

                                                                                                                                                    I doubt it for many reasons - in the past they have been very open to approaching other software platforms, early in supporting device unlocking, upstream kernel mainlining projects etc. Alas it is not resulting in better sales, and the community reactions have been extremely fringe. They are posting heavy losses in the mobile sectors and have chased away a lot of their senior devs (me included) with aggressive cost savings and cancelling research related projects etc. reducing at least the .se DU to rubble over the last few years.

                                                                                                                                                    1. 1

                                                                                                                                                      Sorry to hear it. I’ve always been impressed with Sony’s product design quality, but they are definitely also-rans in the phone market to date. Not surprised that courting finicky FOSS hobbyists like myself hasn’t helped much.

                                                                                                                                                      I think I was mistaken about how the Jolla shop works, though. It’s a value-add model where you buy a device (presumably at some markup) with their OS preinstalled. Pretty sensible, but also probably not going to make them much money. I really hope their “strategic partnerships” work out. The mobile OS duopoly is bad for everybody, I think. Viable alternatives are cause for hope.

                                                                                                                                                      edit: I might spring for a Gemini PDA running Sailfish, to replace my now-unsupported Blackberry Q20.

                                                                                                                                                    2. 2

                                                                                                                                                      I think Jolla’s revenue comes from BRIC countries paying for licenses. I don’t think they make much money off direct consumer sales.

                                                                                                                                                    3. 1

                                                                                                                                                      so you bought a license for sailfish os, then installed it on your xperia x yourself?

                                                                                                                                                      if xperia x compact is an option i’m interested.

                                                                                                                                                      1. 1

                                                                                                                                                        I used a VPN to buy a license. My Sony Xperia X works perfectly fine in the US.

                                                                                                                                                        The website seems to indicate that this is illegal.

                                                                                                                                                        Availability: Sailfish X is currently available in the countries of the European Union, Norway and Switzerland (“Authorized Countries”) and the use of our website and services to purchase Sailfish X outside of the Authorized Countries is prohibited.

                                                                                                                                                        1. 3

                                                                                                                                                          Illegal? That’s a strong word. It’s the company’s restriction, not anything else. It probably has to do with paying sales taxes and they wanted to limit which countries they pay taxes to (too many countries is an administrative headache). They got their money, the country got their tax payment, I got my license. Everyone is happy.

                                                                                                                                                    1. 9

                                                                                                                                                      I like the tendency by Go and now Rust of writing small utilities that are improvements of existing utilities.

                                                                                                                                                      Looks very cool!

                                                                                                                                                      But the name…. dup? Aside from that being a built-in in many versions of Forth like languages, it should be mnemonically associated with something that involves two of something.

                                                                                                                                                      1. 4

                                                                                                                                                        I agree. I didn’t really think long before naming this dup. The project has now been renamed to diskus (short for “disk usage”, also: a German word for the disc in Discus throw).

                                                                                                                                                        1. 2

                                                                                                                                                          Bless you!

                                                                                                                                                          I made the github issue thinking you might have had strong feelings, but you listened and came up with a much more appropriate name. If only all my interactions with other developers were so reasonable.

                                                                                                                                                        2. 3

                                                                                                                                                          maybe author didn’t care for the sound of dush

                                                                                                                                                          1. 3

                                                                                                                                                            i don’t get the point. if you want du to be faster, make it faster and upstream the changes. why add more baggage that i have to drag around whenever i’m at a new computer?

                                                                                                                                                            is this just people padding their githubs to impress employers?

                                                                                                                                                            1. 2

                                                                                                                                                              I guess duparallel? But yes, it sounds like something that would find duplicates instead of calculating directory sizes. Hardest thing in computer science?… :)

                                                                                                                                                            1. 10

                                                                                                                                                              This claims to be 5x faster than a non-parallel version, which strongly implies that du is somehow(?) limited by computation speed instead of by disk access time, which is making me question the very nature of the universe. Can anyone explain that?

                                                                                                                                                              1. 19

                                                                                                                                                                No, it’s limited by disk access time, but all the disk access is done sequentially in du. stat(), stat(), stat(), … Every call must complete before the next, so your queue depth to read disk is only 1. If a dozen threads issue stat() at the same time, the disk can issue multiple reads. An SSD has a latency somewhere around 10ms, but it can complete more than one request per 10ms given the opportunity.

                                                                                                                                                                1. 5

                                                                                                                                                                  Isn’t the solution then “make du parallel” instead of “rewrite du in a new language and introduce a second utility”?

                                                                                                                                                                  1. 9

                                                                                                                                                                    I predict people might ask if the performance of du is actually such a bottleneck to justify the complexity. If somebody posted a patch to pthread openbsd du, I wouldn’t immediately jump on board.

                                                                                                                                                                    You can sidestep such questions by dropping the code on github. Everybody says, wow, cool, that’s great, but nobody is required to make a decision to use or maintain such a tool.

                                                                                                                                                                    Maybe “it’s good enough, leave it alone” holds us back. Maybe “let’s change everything and hope it’s better” keeps us going in circles.

                                                                                                                                                                    cc @caleb

                                                                                                                                                                    1. 2

                                                                                                                                                                      Relatively difficult call; the performance of du has definitely bothered me at times, but parallel C code is several kinds of hard-to-get-right.

                                                                                                                                                                  2. 0

                                                                                                                                                                    any reason du shouldn’t be modified to use this approach?

                                                                                                                                                                  3. 3

                                                                                                                                                                    It’s probably multi-faceted (as any benchmark data). I believe du (and dup probably) look at metadata to find file sizes, so I don’t think there is much bandwidth required. On top of that, if the benchmark is using NAND flash storage, the firmware driver may be able to parallelize read requests far better than a HDD. Even then, issuing multiple read requests to the HDD driver can allow it to optimize its read pattern to minimize seek distance for the head. I would comment on multi-platter HDDs, but I honestly know very little about the implementation of HDDs and SSDs, so someone please correct me if I’ve said anything too far from the truth.

                                                                                                                                                                    You can even see speed-up in multi-threaded writing, for example in asynchronous logging libraries: https://github.com/gabime/spdlog

                                                                                                                                                                    EDIT: in short, the speedup is probably from parallelizing the overhead of file system access

                                                                                                                                                                    EDIT2: The benchmarks on the spdlog readme are a bad example because it uses multiple threads to write to the same file, not multiple threads writing to separate independent files
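The queue-depth explanation above, and the follow-up about parallelizing file-system overhead, can be seen directly by scanning a tree once with one outstanding lstat() and once with a thread pool. This is an added example written for this thread, not code from du, diskus or any poster; it builds a constructed sample tree in a temporary directory and, like du, counts hard-linked files once and never follows symlinks.

```python
"""Sequential vs. thread-pooled directory scan (added example; not code from
du, diskus, or any poster in the thread). du issues one lstat() at a time,
so the device sees a queue depth of 1; a pool of threads keeps many metadata
requests in flight. Regular files only; hard links counted once by
(st_dev, st_ino); symlinks are lstat'ed but never followed."""
import os
import shutil
import stat
import tempfile
import threading
import time
from concurrent.futures import FIRST_COMPLETED, ThreadPoolExecutor, wait


def _scan_dir(path, seen, lock):
    """lstat() every entry of one directory; return (bytes, subdirectories)."""
    total, subdirs = 0, []
    try:
        with os.scandir(path) as it:
            entries = list(it)
    except (PermissionError, FileNotFoundError):
        return 0, []        # unreadable or vanished mid-walk: skip, don't abort
    for entry in entries:
        try:
            st = entry.stat(follow_symlinks=False)   # one lstat() syscall
        except (PermissionError, FileNotFoundError):
            continue
        if stat.S_ISDIR(st.st_mode):
            subdirs.append(entry.path)
        elif stat.S_ISREG(st.st_mode):
            key = (st.st_dev, st.st_ino)
            with lock:                               # shared across threads
                if key in seen:
                    continue                         # hard link: already counted
                seen.add(key)
            total += st.st_size
        # symlinks, sockets, devices: lstat'ed but neither summed nor followed
    return total, subdirs


def du_sequential(root):
    """Depth-first walk: every lstat() completes before the next is issued."""
    seen, lock = set(), threading.Lock()
    total, stack = 0, [root]
    while stack:
        size, subdirs = _scan_dir(stack.pop(), seen, lock)
        total += size
        stack.extend(subdirs)
    return total


def du_parallel(root, workers=16):
    """Same walk, but each directory is scanned by a pool thread, so up to
    `workers` lstat() calls are outstanding at once (CPython releases the
    GIL around the syscall, so the threads really overlap in the kernel)."""
    seen, lock = set(), threading.Lock()
    total = 0
    with ThreadPoolExecutor(max_workers=workers) as pool:
        pending = {pool.submit(_scan_dir, root, seen, lock)}
        while pending:
            done, pending = wait(pending, return_when=FIRST_COMPLETED)
            for fut in done:
                size, subdirs = fut.result()
                total += size
                for sub in subdirs:
                    pending.add(pool.submit(_scan_dir, sub, seen, lock))
    return total


def make_sample_tree(dirs=8, files_per_dir=4):
    """Constructed sample data: build a tree in a temp dir, return (path, bytes).
    Each subdirectory holds files of 1..files_per_dir KiB; a hard link and a
    symlink to the first file are added and must not change the total."""
    base = tempfile.mkdtemp(prefix="du_example_")
    expected = 0
    for d in range(dirs):
        sub = os.path.join(base, f"dir{d}")
        os.mkdir(sub)
        for f in range(files_per_dir):
            size = 1024 * (f + 1)
            with open(os.path.join(sub, f"file{f}"), "wb") as fh:
                fh.write(b"x" * size)
            expected += size
    first = os.path.join(base, "dir0", "file0")
    os.link(first, os.path.join(base, "hardlink"))    # same inode: count once
    os.symlink(first, os.path.join(base, "symlink"))  # lstat'ed, never followed
    return base, expected


if __name__ == "__main__":
    path, expected = make_sample_tree(dirs=200, files_per_dir=20)
    for name, fn in (("sequential", du_sequential), ("parallel", du_parallel)):
        t0 = time.perf_counter()
        got = fn(path)
        print(f"{name:10s} {got:>10d} bytes  {time.perf_counter() - t0:.3f}s")
        assert got == expected
    shutil.rmtree(path)
```

On a warm page cache both runs are fast and the gap is small; the difference the thread is about shows up on a cold cache or a network mount, where each lstat() waits on the device.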

                                                                                                                                                                  1. 33

                                                                                                                                                                    All this talk about ethics, open, and free brings another angle to mind: people pushing that with no-cost licenses are themselves misrepresenting what they are achieving in at least the U.S. I used to push for OSS/FOSS in the past. Now I’m switching to hybrids. The reason is that encouraging people to play “give it all away” or “use low-revenue models” in a capitalist country where opponents of freedom make billions of dollars for their software shifted all the money (and therefore power) to the latter. They then paid off politicians and used pricey lawyers to win more power against OSS/FOSS in ways they couldn’t fight against without piles of money. This includes the ability to patent/copyright troll users of open/free software and especially Oracle’s API ruling which jeopardizes OSS/FOSS, backwards-compatible implementations of anything that had a proprietary API.

                                                                                                                                                                    From what I see, OSS/FOSS have done great things but are a fundamentally-flawed model in a capitalist country where money wins. As many as possible need to be charging by default both to support contributors and send money/power the other way. They and FOSS-using companies that don’t depend on patent/copyright money need to pool money together to fight legal advances of patent/copyright-trolling companies that want lock-in. Otherwise, in a game where only one side is playing for keeps, the OSS/FOSS groups keep losing by default software freedoms and ability to enforce their licenses while preaching that they’re maintaining them. Seems dishonest. Also, strange I almost never read about these issues in FOSS writers’ articles about business model and licensing recommendations.

                                                                                                                                                                    As far as hybrids go, I can’t give you the answer yet since it’s too soon. For FOSS, I’m looking at Open Core and Dual-Licensing with strongest copyleft available. For non-FOSS, Source-available from public-benefit companies and nonprofits chartered to implement most software freedoms for customers on top of free for non-commercial or under certain use. These freedoms and justifications would also be in licenses and contracts with huge penalties for non-compliance for extra layers of defense. Maybe expire into FOSS after certain time passes or revenue threshold. We need more experimentation that lets companies currently supplying or later releasing as FOSS get millions to hundreds of millions in revenue collectively to fight this battle. Again, it’s not optional: the other side is actively fighting to remove software freedom inch by inch. And mostly winning despite FOSS organizations’ little victories.

                                                                                                                                                                    1. 5

                                                                                                                                                                      Apologies if this is a threadjack, but I’m wrestling with these kinds of questions. I’ve been doing open source more or less my whole career, and usually in some form of hybrid.

                                                                                                                                                                      Now I’m going out on my own and am searching for a model that makes sense. I like the collaboration of open source, but I also very much want to make money, and don’t want to do that with hallucinogenic business models.

                                                                                                                                                                      I’m building a game that has a music synthesizer in it as a core mechanic. What I’m building has basically 3 layers - infrastructure for building such things in Rust, the synthesizer itself (with GUI), and the game logic on top. What I’m converging on is doing the first two layers as very much community open source with permissive licenses, and the third layer as just straight up proprietary software, no pretending to be anything else. There’s stuff to fine-tune around the edges, for example somebody brought up a delayed open release of the game source, after the monetization has run its course, but I don’t want to commit to that right now because it might constrain working with a commercial publisher. If I end up self-publishing, I’ll strongly consider that though, especially if people tell me it helps motivate their contribution.

                                                                                                                                                                      1. 3

                                                                                                                                                                        I think you should flip your plans on business models around this code - the infrastructure and synthesizer are the things that could have enough value to a business that you could do well selling them. The median game does not make a profit and, as entertainment, games are a hit-driven (usually-)one-time purchase not bought based on predictable need.

                                                                                                                                                                        1. 4

                                                                                                                                                                          I’ve certainly thought about it. But here’s my thinking. First, there’s currently no business for Rust infrastructure, the community is very much organized around permissive licenses. Second, the market for synthesizers and music plugins is pretty crowded, while games in this particular genre are, as far as I can tell, underserved. Third, I think the Switch is a promising platform, and it doesn’t really do free games. Fourth, if the game is a dud but the free music tools catch on, I can always do a pro version, and I get free marketing and market research. Lastly, the game is definitely riskier, but I’m at a point where I’m ok with that; if this stuff doesn’t monetize, I just go back to a corporate job.

                                                                                                                                                                        2. 1

                                                                                                                                                                          I think it’s pretty obvious that the ‘correct’ way of doing free software games without violating the freedom of users by making anything proprietary is to make all the code free software but not make the art/music/etc. free. After all, software freedom is about software, not about art or music.

                                                                                                                                                                          People can modify the software, they can use it as they see fit, but they can’t redistribute it along with the art and music. They can either come up with their own art and music or they can redistribute it without the art and music and it’ll be useful to others that already have the game (because they already have the art and music).

                                                                                                                                                                          1. 1

                                                                                                                                                                            Your model (bottom two free, top not) was exactly what first popped into my mind when I read the first couple of sentences of your comment, so you’re not the only one who thinks it makes sense, fwiw :-)

                                                                                                                                                                            By the way (off-topic question), as someone who has recently bought a midi controller (MPK261) and started playing around with some of the synths that I got free (Hybrid Air, Sonivox), and has a decent mathy ability to understand any given synthesis concept, but absolutely no intuition for what changes will sound like… is your game aimed at me? :-)

                                                                                                                                                                            1. 2

                                                                                                                                                                              Yes, it’s made for exactly you :) I’ll put you on my list for beta testing.

                                                                                                                                                                              1. 1

                                                                                                                                                                                OMG that’s fantastic!

                                                                                                                                                                            2. -1

                                                                                                                                                                              why don’t you want to deal LSD

                                                                                                                                                                              1. 1

                                                                                                                                                                                Beg your pardon?

                                                                                                                                                                                1. 3

                                                                                                                                                                                  hallucinogenic business models

                                                                                                                                                                                  1. 4

                                                                                                                                                                                    Ah, right, right. Basically I want to create value honestly and do a reasonable job of recovering revenue from the value I create, rather than playing these games that seem to increasingly substitute for that these days.

                                                                                                                                                                                    1. 1

                                                                                                                                                                                      what games are you referring to?

                                                                                                                                                                                      1. 2

                                                                                                                                                                                        Financial engineering in general, more specifically the kinds of things that startups do when they’re looking for an exit or when their purpose is to burn through VC money rather than make a business. MoviePass, Juicero, that kind of thing.

                                                                                                                                                                                        1. 1

                                                                                                                                                                                          ah okay. in reading your original comment i thought you were saying it’s hallucinogenic to think you could make a living writing free software.

                                                                                                                                                                            3. -5

                                                                                                                                                                              This would make sense if these ‘attacks on free software’ actually existed, but they don’t. They literally don’t exist.

                                                                                                                                                                              Source available is a violation of user freedom. It’s unacceptable. That’s all there is to it, if you care about user freedom. If you don’t then I feel sorry for you.

                                                                                                                                                                              FLOSS doesn’t need ‘hundreds of millions in revenue’ to fight any battle because there is no battle. I don’t know what it is, but there seems to be a recurring thread I see on forums a lot recently: everything is framed as a battle. For an unrelated example, if a game developer makes an unpopular change to their game? It’s a WAR to get them to fix it. No it isn’t. I see the term ‘culture war’ thrown around too. There’s no such thing. Not everything in life is a war or a battle.

                                                                                                                                                                              People and groups of people that produce non-free software aren’t at war with people that do.

                                                                                                                                                                              1. 7

                                                                                                                                                                                “This would make sense if these ‘attacks on free software’ actually existed, but they don’t. They literally don’t exist.” “FLOSS doesn’t need ‘hundreds of millions in revenue’ to fight any battle because there is no battle.”

                                                                                                                                                                                You missed the war on open source software by Microsoft et al… thwarted largely by IBM saying it will drop a fortune defending Linux which fits my comment… the DMCA attacks, the patent trolling (Android vendors alone pay billions), the copyright ruling from an expensive case that applies to APIs FOSS often depends on, and so on. Hell, a patent defense alone facing one of these big companies gets quoted as about $200,000 on average from expensive law firms. You bet FOSS folks need a fortune if one of these companies wants to use a legal team to destroy them.

                                                                                                                                                                                You really don’t see such things much, though. You wonder why, if there’s a threat as I claim. They mostly ignore FOSS developers since they’re (a) free labor that the big companies are monetizing or (b) penniless opponents with weak or non-existent marketing to big spenders. For (b), the common MO is to hit companies building on the product, FOSS or not, for royalties once they’re financially successful. They parasitize them instead of destroying them, while using a slice of that money to invest in lobbyists and courts to ensure they can continue. Alternatively, they use a combo of the lure of money with the threat of market destruction (patent or otherwise) to pressure them to sell the company. Microsoft and IBM have taken entire markets using their dominant positions, patent portfolios, and large[-for-small-player] offerings to get acquisitions. It’s rare for someone to stare at both that kind of money and a corporate threat telling them to get lost. So…

                                                                                                                                                                                “People and groups of people that produce non-free software aren’t at war with people that do.”

                                                                                                                                                                                …the big players wanting to dominate markets, maximize profits from locked-in customers, and eliminate disruptive competition are always at war with folks producing anything that threatens that. Always. It’s never changed, since they have people on top whose bonuses depend on this shit. They’ll also remember companies that were sent to non-existence or limbo by new stuff they didn’t stamp out when they had a chance. Just because you or many FOSS folks aren’t playing doesn’t mean they aren’t. They certainly are. They even have people working 24/7 on Capitol Hill to screw people over. Not just here in the States: they’re represented in international treaty negotiations as well under the I.P. agreements. And if you think copyright enforcement isn’t war or this is just the U.S., just look at the nice, unarmed, law-abiding people that came after Kim Dotcom over U.S.-generated complaints. Those situations illustrate the heights things can go to when it matters to those in power. Better to be the ones with power.

                                                                                                                                                                                1. -5

                                                                                                                                                                                  You missed the war on open source software by Microsoft et al…

                                                                                                                                                                                  Yes, we get it. This happened. A long time ago, now, but it happened. Okay, move on. It’s no longer relevant. The corporate world has long since embraced free software.

                                                                                                                                                                                  the DMCA attacks, the patent trolling (Android vendors alone pay billions), the copyright ruling from an expensive case that applies to APIs FOSS often depends on, and so on.

                                                                                                                                                                                  Patent trolling is something very specific. All companies that own patents and enforce them are not automatically patent trolls.

                                                                                                                                                                                  Also patent trolls target companies that produce proprietary software just as much as they target companies that produce free software. It has nothing to do with free or proprietary software. They target both, because they target software in general.

                                                                                                                                                                                  …the big players wanting to dominate markets, maximize profits from locked-in customers, and eliminate disruptive competition are always at war with folks producing anything that threatens that.

                                                                                                                                                                                  No they aren’t.

                                                                                                                                                                                  just look at the nice, unarmed, law-abiding people that came after Kim Dotcom

                                                                                                                                                                                  If you think Kim Dotcom was law-abiding you have another thing coming mate.

                                                                                                                                                                                  1. 7

                                                                                                                                                                                    You are very wrong.

                                                                                                                                                                                    I am trying to bring some more FLOSS to the public sector, and the resistance from the entrenched vendors is a thing.

                                                                                                                                                                                    Straight up bribes are manageable, but lobbying and regulatory capture are the true evil. We actually need FLOSS lobbyists of our own.

                                                                                                                                                                                    1. 6

                                                                                                                                                                                      You are twisting @nickpsecurity’s words and I do not understand why you are doing this.

                                                                                                                                                                                      1. 1

                                                                                                                                                                                        No I am not.

                                                                                                                                                                                  2. 3

                                                                                                                                                                                    You’re right that there isn’t a war as such, but there is definitely a certain kind of dynamic. I think @nickpsecurity is also pointing out (quite correctly) the wider implications of the wealth concentration resulting from the free work that goes into producing free software.

                                                                                                                                                                                    One of the issues is that the companies that use free software don’t always comply with the terms of the licence. There are many examples:

                                                                                                                                                                                    The problems are obvious unless you stick to a very narrow and dogmatic view. Consequences matter. Just like the ill-considered, short-sighted, damn-the-consequences technological “disruption”, free software is an idea that produced a lot of unintended side effects (and in fact, contributed to the aforementioned “disruption”).

                                                                                                                                                                                1. 2

                                                                                                                                                                                  I have a friend that works at IBM. She’s said that her team uses Red Hat systems on a daily basis and it would be counterintuitive to ruin it.

                                                                                                                                                                                  I’m skeptical though.

                                                                                                                                                                                  1. 7

                                                                                                                                                                                    Individual rationality often appears to have no bearing on corporate level actions at all.

                                                                                                                                                                                    1. 1

                                                                                                                                                                                      Exactly, that’s what I said to her.

                                                                                                                                                                                      1. 1

                                                                                                                                                                                        But bringing important parts of your supply chain in house does make sense, and you don’t destroy your supplier when you do that.

                                                                                                                                                                                      2. 2

                                                                                                                                                                                        It’s always counterintuitive to ruin things. But the innovation doesn’t stop.

                                                                                                                                                                                      1. 29

                                                                                                                                                                                        I have friends who work for Red Hat who are Not Happy about this.

                                                                                                                                                                                        My speculation is that clients of Red Hat will see at most slow change. IBM’s not going to toss the cash cow RHEL, and the various cloud software offerings are what they apparently bought it for. However, internally I think we’ll see a massive diaspora of talent as Red Hat becomes IBM-ified. (All claims to the contrary from either company’s PR are of course to be ignored completely. They have to say that, to stave off the employee flight as long as possible.)

                                                                                                                                                                                        Hot take: I wonder what this will mean for SystemD? ;)

                                                                                                                                                                                        1. 8

                                                                                                                                                                                          I’m unfamiliar with IBM’s Linux strategy; why would this mean anything wrt systemd specifically?

                                                                                                                                                                                          1. 5

                                                                                                                                                                                            Nothing, it’s just a play on the (IMHO very wrong) meme that systemd is only as successful as it is because it had RedHat backing.

                                                                                                                                                                                            IBM probably doesn’t even know what systemd is on the “we’re buying a huge company for 20 billion” plane.

                                                                                                                                                                                          2. 6

                                                                                                                                                                                            Employees are rarely excited about being acquired, and let’s face it, history has shown that it’s been bad for both customers and employees unless the company being acquired is going out of business.

                                                                                                                                                                                            1. 12

                                                                                                                                                                                              Hot take: I wonder what this will mean for SystemD?

                                                                                                                                                                                              Can it be a hot take if it’s not even a take? This is inquisitive (not argumentative), which is good for discussion but probably bad if your goal was to have an opinion.

                                                                                                                                                                                              1. 3

                                                                                                                                                                                                hot question

                                                                                                                                                                                              2. 5

                                                                                                                                                                                                I’m out of the loop. Could you explain the systemd comment?

                                                                                                                                                                                                1. 14

                                                                                                                                                                                                  systemd was originally written by Lennart Poettering and Kay Sievers who work at Red Hat.

                                                                                                                                                                                                  1. 3

                                                                                                                                                                                                    Is it still maintained by them as part of their jobs at Red Hat?

                                                                                                                                                                                                    1. 5

                                                                                                                                                                                                      Yes

                                                                                                                                                                                                      1. 3

                                                                                                                                                                                                        Lennart Poettering on Twitter this morning (:

                                                                                                                                                                                                        As you all know we never have been fans of portability. It will come as no surprise that in light of the recent developments we will discontinue all non-S/390 ports of systemd very soon now. Please make sure to upgrade to an S/390 system soon. Thank you for understanding.

                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                          Even POWER? ;)

                                                                                                                                                                                                2. 3

                                                                                                                                                                                                  Hot take: I wonder what this will mean for SystemD? ;)

                                                                                                                                                                                                  I’m pretty sure Facebook will keep developing it if nobody else does:

                                                                                                                                                                                                  https://media.ccc.de/v/ASG2018-192-state_of_systemd_facebook

                                                                                                                                                                                                  (disclaimer: I work there, though not on the team that works most with systemd – and this is of course my personal opinion)

                                                                                                                                                                                                1. 27

                                                                                                                                                                                                  Takes us back to the days when we had more trust that the NSA and other institutions were genuinely working to keep America safe. We don’t seem to have that anymore. Were they always doing creepily over-broad surveillance? Are they actually worse now than they were then? Or is it just our trust that’s changed, and they’re still mostly the good guys? Maybe all three are true, I don’t know.

                                                                                                                                                                                                  1. 17

                                                                                                                                                                                                    I mean, yes, they always were doing creepily over-broad surveillance. Many of the old allegations about them have since been confirmed by declassified documents. Long after anyone would care, of course…

                                                                                                                                                                                                    When there’s an alleged abuse of power, though, in general I don’t think it’s all that useful to ask, did this specific set of events happen. Instead, a much better question is: What would stop that from happening? What controls are built into the system to make those actions difficult or impossible? Very often, the answer turns out to be that people are nice and wouldn’t do that. When that’s the answer, I think there’s a problem that needs to be addressed, regardless of what can proximately be proven.

                                                                                                                                                                                                    1. 11

                                                                                                                                                                                      The “good old days” of trusting the intelligence community were artificially extended because Watergate dominated the news cycles when COINTELPRO came out.

                                                                                                                                                                                                      1. 13

                                                                                                                                                                                                        Were they always doing creepily over-broad surveillance?

                                                                                                                                                                                                        They also installed brutal dictators throughout the world.

                                                                                                                                                                                                        1. 2

                                                                                                                                                                                                          To be fair, that’s mostly been the CIA’s wheelhouse. Different office.

                                                                                                                                                                                                        2. 6

                                                                                                                                                                                                          Takes us back to the days

                                                                                                                                                                                                          The good old days fallacy; longing for a better time that never really existed.

                                                                                                                                                                                                          1. 1

                                                                                                                                                                                                            I’d strongly suggest (re-)watching “The Good American” documentary to understand the impact that 9/11 had on ethics and priorities at the NSA.

                                                                                                                                                                                                          1. 9

                                                                                                                                                                                            Contrary to the comments at Reddit, I’m pretty sure Apple cannot do this unless you have installed an MDM profile…

                                                                                                                                                                                            Locking, remote wipe, etc. are limited to your iCloud account. There is no equivalent to “Google Play Services”. APNS has no control; it only handles push notifications.

                                                                                                                                                                                                            1. 15

                                                                                                                                                                                              Contrary to the comments at Reddit, I’m pretty sure Apple cannot do this unless you have installed an MDM profile…

                                                                                                                                                                                                              When the OS is closed source how would you know?

                                                                                                                                                                                                              1. 12

                                                                                                                                                                                                                If you think Apple has a gaping backdoor in all of their phones which violates the mission of their product line, then please prove me wrong. In fact, take this opportunity to short their stock and prove it to the world. You could make yourself really rich really fast.

                                                                                                                                                                                                                Nobody else has done it, and everything Apple has done with their product line has been to constantly increase user security, not install backdoors for remote control and spying.

                                                                                                                                                                                                                I do not think they are perfect, but this would be a huge blow to their public perception and would certainly tarnish their brand for years to come.

                                                                                                                                                                                                                1. 7

                                                                                                                                                                                                  Objectively, I think that u/user545 has a valid point. When proprietary software is in place there is no way to verify that such software does what the user expects it to do, and nothing more. Just because Apple has said it doesn’t spy on its users doesn’t mean such a statement is true; and we cannot trust them, because we don’t know what the program does on the inside.

                                                                                                                                                                                                                  1. 9

                                                                                                                                                                                                                    Perhaps it’s not as severe as user545 says.

                                                                                                                                                                                                                    I think the argument can be transposed to anything done by anyone else:

                                                                                                                                                                                                    • I didn’t see how cars were built. So I have to assume the worst.
                                                                                                                                                                                                    • I didn’t see how roads were built. So I have to assume the worst.
                                                                                                                                                                                                    • I didn’t audit this open source project’s source code myself. So I have to assume the worst.
                                                                                                                                                                                                      • Or I only heard from someone that this source code checks out. But I don’t know that person, so I have to assume the worst (that they’re lying to me).
                                                                                                                                                                                                    • I didn’t audit the crypto algorithms. So I have to assume the worst.
                                                                                                                                                                                                    • I didn’t compile it myself. So I have to assume the worst.
                                                                                                                                                                                                    • I didn’t compile my compiler myself. So I have to assume the worst.
                                                                                                                                                                                                    • I didn’t compile my operating system myself with my own compiler. So I have to assume the worst.
                                                                                                                                                                                                    • I didn’t mine and process the raw resources to create my computer. So I have to assume the worst.

                                                                                                                                                                                                                    Sure I can assume the worst, but then I probably wouldn’t live in a society.

                                                                                                                                                                                                                    “Assume the worst” feels like an impractical rule to follow. Instead, it’s a practical tradeoff of efficiency (of my time) and likelihood I need to “assume the worst”. I’m not discounting the valuable effort that security researchers do to audit and break into these systems. Especially if they take this approach, that’s great. But they’re way more qualified and have more resources (eg - time, money) than me to do it. I’m not going to blindly assume the worst that these security researchers are out to trick me.

                                                                                                                                                                                                                    I agree with feld. Apple isn’t perfect. They may change in the future. But Apple seems less likely than Google to implement a backdoor like this based on the way they position themselves in the market right now.

                                                                                                                                                                                                                    1. 5

                                                                                                                                                                                                                      You’re missing two things:

                                                                                                                                                                                                                      1. “They’re usually defective since suppliers don’t care or have liability.”

                                                                                                                                                                                                                      2. “Intelligence agencies and law enforcement are threatening fines or jail for not putting secret backdoors in. The coercive groups also have legal immunity. Their targets can do 15 years if they talk.”

                                                                                                                                                                                                                      No. 1 also applies to FOSS. With those premises, I definitely can’t trust closed-source software to not have incidental or intentional vulnerabilities. Now, we’re back to thorough design and review by parties we trust. Multiple, skilled, mutually-suspicious groups.

                                                                                                                                                                                                                      1. 2

                                                                                                                                                                                                                        Thanks,

                                                                                                                                                                                                                        I agree with you on #1, including that it applies to FOSS. I may argue that a supplier has more incentive to fix it if you’re a potentially influential customer over a FOSS project that has a disinterested maintainer (making you fall back to build-it-yourself or audit-it-yourself. And to be clear, FOSS is definitely a better option than if the non-cooperative supplier is a monopoly). But I’d admit I’d only be able to back that up anecdotally, which isn’t a strong case.

                                                                                                                                                                                                                        For #2, couldn’t that also apply to key maintainers in FOSS if they are contributing to the same project? I’d take a random guess that governments may find it impossible to coerce a small set of individuals. 15 years would equally scare FOSS maintainers as well. Sure, a geographical barrier may make that more difficult, but I’d guess that human-based intelligence agencies like the CIA probably have some related experience in this. I agree that FOSS makes it harder to sneak one by reviewers, but maybe there aren’t many people needed to coerce to get the backdoor in a release.

                                                                                                                                                                                                                        I only tangentially review security topics, so I’m not sure if that’s a realistic threat or just a tinfoil-hatty thought <:-).

                                                                                                                                                                                                                        I guess I’m putting more emphasis, from the perspective of a typical (non-technical) user of software, on:

                                                                                                                                                                                                                        1. care more about security / privacy
                                                                                                                                                                                                                        2. pressure companies they support to have better security/privacy practices

                                                                                                                                                                                                                        over distrusting all companies and having a significantly worse user experience of using software in general. Non-technical users generally like the fallback of technical support over just “figure it out yourself” or “you lost all your data because you couldn’t manage your secrets”.

                                                                                                                                                                                                                        I’m curious: if a company allowed you to audit their source code before you approved/used it, would that significantly minimize the advantages FOSS software has over proprietary software for you?

                                                                                                                                                                                                                        1. 2

                                                                                                                                                                                                                          I may argue that a supplier has more incentive to fix it if you’re a potentially influential customer over a FOSS that has a disinterested maintainer

                                                                                                                                                                                                                          This hasn’t been the case at all in the mobile space. The supplier has an incentive to not fix things so you buy a new device, whereas FOSS maintainers want your device to last as long as possible.

                                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                                            I’d agree there is motivation for some suppliers to upsell to newer devices, although I don’t really understand the motivation for FOSS maintainers to want you to use your device as long as possible. As one who maintained iOS libraries, there’s strong motivation to deprecate older devices/platforms since it’s a maintenance burden that sometimes hinders new feature work (and typically the most active contributors use the latest stuff). And when pitted against supporting the latest devices vs. the older devices, chances are the newer stuff will win in those debates.

                                                                                                                                                                                                                            Thinking through the supplier stuff a bit more doesn’t make that much difference though. Sure, it doesn’t feel like a great business practice for a company to upsell. But it’s also how those companies stay in business. It could be viewed similarly to a maintenance support fee for existing devices. If suppliers offered a retainer fee, it would effectively be the same thing then?

                                                                                                                                                                                                                            1. 2

                                                                                                                                                                                                                              The LineageOS team does amazing work keeping old Android devices on the latest release. It also means app devs don’t have to worry because these old devices support all the new APIs and features.

                                                                                                                                                                                                                          2. 2

                                                                                                                                                                                                                            “For #2, couldn’t that also apply to key maintainers in FOSS if they are contributing to the same project?”

                                                                                                                                                                                                                            That’s a great observation. I held off mentioning it since people often say, “That’s speculation or conspiracy. Prove it with examples.” And the examples would have secrecy orders so… I just dropped the examples where they can find proof it happened. There very well could be coercive action against FOSS maintainers. Both Truecrypt developers and someone doing crypto on Linux filesystems kind of disappeared out of nowhere, not talking about the project any longer. Now we’re into hearsay and guesswork, though. Also, they might be able to SIGINT FOSS with a secrecy order. We might be able to counter that by having people in foreign countries looking for the problem, submitting a fix, and the rule is to always take a fix. They have to spot the problem that might be out of their domain expertise, though.

                                                                                                                                                                                                                            Plenty of possibilities. I just don’t have anything concrete on mandated FOSS subversion. I will say one of the reasons I’d never publish crypto under my own name or take money for it is this threat. I think it’s very realistic. I think we haven’t seen it play out since the popular libraries for crypto were so buggy that they didn’t need such a setup. If they did, they’d use it sparingly. Those also ran on systems that were themselves ridden with preventable 0-days.

                                                                                                                                                                                                                            Far as open vs closed with review, I wrote an essay on that here.

                                                                                                                                                                                                                            1. 2

                                                                                                                                                                                                                              Thanks for that essay, that was insightful.

                                                                                                                                                                                                                              I roughly remember the Truecrypt incident and that was suspect, although I never came across the Linux filesystem crypto circumstance. Was it similar to Truecrypt? Was that developer already known? My googling didn’t seem to turn up any mention of that at all.

                                                                                                                                                                                                                          3. 1

                                                                                                                                                                                                                            There is one thing I am wondering about. Government agencies require backdoors, but I would think they also require backdoors that are kept secret. How does that work with FOSS software? Alright, yes, they could sneak it into the compiled version maybe, but distros are all moving to reproducible builds so that would be detected.

                                                                                                                                                                                                                            1. 2

                                                                                                                                                                                                                              Ignore the Karger/Thompson attack: it only happened twice that I know of. The nation-state attackers will go for low-hanging fruit like other black hats. They also need deniability. So, they’re most likely to either (a) use all bug hunting tools to find what’s already there or (b) introduce the kinds of defects people already do by accident. With (b), discoveries might not even burn the source if they otherwise do good work.

                                                                                                                                                                                                                              For FOSS, they’ll slip the vulnerability into a worthwhile contribution. It can be either in that component or be an interaction between it and others. Error-handling code of a complex component is a particularly good spot since it often has errors.

                                                                                                                                                                                                                      2. 11

                                                                                                                                                                                                                        They are able to push updates over the internet and the whole thing is proprietary. I am unable to tell you what the system does because I can’t see it. And at any time Apple can push arbitrary code which could add a back door without anyone knowing.

                                                                                                                                                                                                                        When you can’t see what is going on you have to assume the worst.

                                                                                                                                                                                                                        1. 5

                                                                                                                                                                                                                          I can’t tell whether this is 1. a defense of open source in general and Android in particular or 2. a critique of Apple.

                                                                                                                                                                                                                          Neither works.

                                                                                                                                                                                                                          1. See the example of what just happened, or the Firefox/Mr. Robot partnership recently. Open source does not automatically confer transparent privacy.

                                                                                                                                                                                                                          2. Apple has, in fact, emerged as a staunch defender of user privacy. There are many, many examples of Apple defending users against law enforcement.

                                                                                                                                                                                                                          You can’t wish Apple to be terrible about privacy and use that as the argument.

                                                                                                                                                                                                                          1. 3

                                                                                                                                                                                                                            Sure you can. They could take money to secretly backdoor the phone for NSA and use lawyers to tell FBI to get lost for image reasons. The better image on privacy leads to more sales. The deal with NSA puts an upper bound on what FBI will do to them since they might just get data from NSA.

                                                                                                                                                                                                                            If that sounds far fetched, remember two things:

                                                                                                                                                                                                                            1. The telecoms were taking around $100 million each from NSA to give them data that they sometimes passed on to the feds to use with parallel construction. Publicly they said they gave it out only with warrants. RSA went further to say they encrypted the data but weakened the crypto for $30 mil. The Core Secrets leak also said FBI could “compel” this.

                                                                                                                                                                                                                            2. In the Lavabit trial, the Feds argued he wouldn’t have losses if customers didn’t know he gave the Feds the master key. He was supposed to do it under court order and then lie about it.

                                                                                                                                                                                                                            Given those two, I don’t trust any profit-motivated company in the US to not hand over data. Except maybe Lavabit in the past. Any of them could be doing it in secret for money that they take or get fines/jail.

                                                                                                                                                                                                                            1. 3

                                                                                                                                                                                                                              I would say Apple is more comparable to Lavabit than the others – they’re actively and publicly taking steps to protect their users’ privacy.

                                                                                                                                                                                                                              I wouldn’t argue that they will never do it, but to paint Apple and Google with the same brush on user privacy is silly and irresponsible.

                                                                                                                                                                                                                              1. 2

                                                                                                                                                                                                                                Well, we know that the secret court meeting was going to put him in contempt or else. He had to shut the business down to avoid it. Apple may have been able to do more due to both size and making the case a public debate. Then again, that may have been a one-time victory followed by a secret loss. You can’t know if there are two legal systems in operation side by side, one public and one secret. I assume the worst if the secret system is aggressively after something.

                                                                                                                                                                                                                                “I wouldn’t argue that they will never do it, but to paint Apple and Google with the same brush on user privacy is silly and irresponsible.”

                                                                                                                                                                                                                                I agree with this. Apple is a product company. Google is a full-on surveillance company. Google is both riskier for their users now and more so over time as they collect more, which more parties get in various ways.

                                                                                                                                                                                                                            2. 3

                                                                                                                                                                                                                              I am not defending Android at all. As you can see in the OP post, Android is absolutely horrible for privacy and control. I also agree that open source is not flawless of course, but open source enables us to have the opportunity to inspect the programs we use (usually while contributing features). From what I understand the Firefox event was pushed through a beta/testing channel and not through the FF source. I would hope all Linux distros have this feature turned off when packaging FF.

                                                                                                                                                                                                                              The OP comment was asking me to prove that Apple is able to change user settings over the network and I think that is an unreasonable statement to make when the software is closed source. I also mentioned that it is possible as Apple is able to push new updates at any time with arbitrary code. So they have the capability of doing anything that is possible hardware-wise.

                                                                                                                                                                                                                              1. 2

                                                                                                                                                                                                                                Fair on your 2nd point of responding to the OP and I don’t know whether they have the capability. However, they seem, at least at the moment, disinterested in taking random liberties with their users’ privacy.

                                                                                                                                                                                                                                1. 3

                                                                                                                                                                                                                                  disinterested in taking random liberties with their users’ privacy.

                                                                                                                                                                                                                                  I think that’s probably true but no one in this thread actually knows, and one day it’s quite likely that the US government will force them to backdoor devices if they haven’t already.

                                                                                                                                                                                                                              2. 1

                                                                                                                                                                                                                                Apple has, in fact, emerged as a staunch defender of user privacy.

                                                                                                                                                                                                                                this has to be a joke

                                                                                                                                                                                                                              3. 1

                                                                                                                                                                                                                                How do you know they are able to do that then?

                                                                                                                                                                                                                                Because all system updates that got installed on my phone came only after I manually approved them. Unless I am not aware of some previously demonstrated capability, this sounds like exactly the same kind of unsubstantiated argument you are arguing against.

                                                                                                                                                                                                                                1. 1

                                                                                                                                                                                                                                  What criteria do you use for approving or denying updates and how would that be able to stop a backdoor being installed?

                                                                                                                                                                                                                                  1. 2

                                                                                                                                                                                                                                    It doesn’t matter since the original argument was that Apple can do the same thing (automatically install/change software on your device) which they cannot. You have to assent to the installation (of updates, backdoor or whatever). May not be a difference you care about, but I do.

                                                                                                                                                                                                                                    I agree that black box software makes it impossible to know if software can be trusted, but a binary package of open source software is also just a black box if I am not able to generate the same hash when compiling myself, which in my admittedly not recent experience happened a lot.

                                                                                                                                                                                                                                    1. 1

                                                                                                                                                                                                                                      “You have to assent to the installation”

                                                                                                                                                                                                                                      You would need a copy of the source for all privileged hardware and software on their platform to even begin to prove that. You don’t have that. So, you don’t know. You’re acting on faith in a profit-motivated company’s promises.

                                                                                                                                                                                                                                      I’ll also add one that has enough money to do a secure rewrite or mod of their OS but doesn’t, intentionally. They don’t care that much. They’re barely even investing into Mac OS X from what its users say. Whereas, Sun invested almost $300 million into redoing Solaris for version 10. That brought us things like ZFS.

                                                                                                                                                                                                                                      A company with around $100 billion that cares less about QA than smaller businesses shouldn’t be trusted at all. They’ve already signalled that wealth accumulation was more important.

                                                                                                                                                                                                                                      Meanwhile, tiny OK Labs cranked out mobile sandboxing good enough that General Dynamics bet piles of money on them for Defense use. Several other companies cranked out security-enhanced CPUs, network stacks, DNS, end-to-end messaging, and so on. Quite a few were for sale, especially those nearing bankruptcy. Shows Apple had plenty of opportunities to do the same or buy them. Didn’t care. They’ll make billions anyway.

                                                                                                                                                                                                                                      1. 2

                                                                                                                                                                                                                                        I agree with pretty much everything you say and while interesting, I am not sure how it is relevant to what I said.

                                                                                                                                                                                                                                        I did not argue that one should trust Apple (even though I do think iPhone has a better track record than Android). My point was simply that, all other things being equal, I prefer platforms that don’t suddenly change on some company’s whim and let me decide when or if I want to perform an update, and that AFAICT Apple does not push those updates without the user’s consent.

                                                                                                                                                                                                                                        I assume your argument is that consenting is meaningless as I cannot perform any reasonable security analysis of what I will receive. True that I can’t, but I also value predictability, and speaking from personal experience I feel I lose some of it with auto-updates.

                                                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                                                          I assume your argument is that consenting is meaningless as I cannot perform any reasonable security analysis of what I will receive. True that I can’t, but I also value predictability, and speaking from personal experience I feel I lose some of it with auto-updates.

                                                                                                                                                                                                                                          I think you are missing the point. Your iPhone has convinced you that it would only ever install an update if you approved it, but you have no way of knowing that there isn’t already a way for Apple to push software without your consent, in a way that you wouldn’t detect.

                                                                                                                                                                                                                                          I’m sure if you looked at the EULA that you agree to when you use an iPhone, Apple has every legal right to do this even if they try to create an image of a company that wouldn’t.

                                                                                                                                                                                                                            3. 4

                                                                                                                                                                                                                              objdump -d

                                                                                                                                                                                                                              1. 3

                                                                                                                                                                                                                                When the OS is open source, how would you know? Have you personally audited all of Linux? How do you know you can trust third-party audits? I don’t think “it’s open source” provides much in terms of security, all things considered.

                                                                                                                                                                                                                              2. 3

                                                                                                                                                                                                                                How do you know what APNS does?