1. 1

    An updated version presented at PLDI 2019 is also available. (Yes, it’s ACM, but it’s an open access article.)

      1. 8

        They could have responsibly disclosed instead of being an asshat, stealing information and posting a ton of github issues from a fresh account.

        1. 3

          stealing… information?

          1. 2

            I’m both supportive of and we participate in the responsible disclosure process for Xen, even those times we don’t make the cut for pre-disclosure. I’m sad someone would go to the effort they have here in a criminal manner when there is more [market] demand for the skillset on display here than I have ever seen before.

          2. 7

            Why the hell did github allow people to remove issues? This is annoying.

            1. 4

              It appears the issues were removed by GitHub when a third party reported the user that posted the issues.

              1. 2

                Unfortunate that GitHub was powerless to prevent nuking their account after being reported.

            2. 4

              I was telling a coworker about this and similar writeups and it turns out he wasn’t aware of the Hacking Team writeup from 2016. It’s detailled and very interesting. I would advise anyone to read it: https://pastebin.com/0SNSvyjJ .

              1. 1

                A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.

                thanks a lot, the whole walkthrough is quite amazing and insighful with a wide variety of tools used

              2. 3

                Did you get a copy of them? They’re deleted now :(

                1. 10

                  They’ve been reposted here: https://github.com/matrix-org/matrix.org/issues/371 (and this site has been archived here)

                  1. 2

                    Thanks!

                  2. 1

                    I think web archive has some of them. Maybe not every comments.

                  3. 1

                    Concerning #358, what is “Flywheel” in this context?

                    Side-note: I hate locked threads on free software projects.

                    Update: I think it’s a hostname of one of their machines?

                    1. 1

                      Seems like it’s the hostname of their jenkins build slave

                      1. 2

                        yup, it was the hostname of the jenkins build slave.

                      2. 1
                    1. 3

                      Now that Firefox 66 has been released, Nightly has been bumped to 68, but it seems to have introduced two bugs that annoy me:

                      1. 3

                        Ugh! They seem fixable fortunately. Thanks for using nightly!

                        1. 8

                          In the few hours since I made that comment, both tickets have been triaged, confirmed, and the commit that caused each regression isolated. I’m quite impressed, I hope the fixes are equally fast!

                          1. 2

                            Well, that was the easiest part :-) do you have bug numbers handy for everyone reading along?

                            1. 2

                              I, uh, linked them in my original post. :)

                              Both bugs now have patches attached!

                        2. 1

                          Can you comment on how well TST works for you? I found that it wasn’t really worth using anymore after the move to web extensions.

                          1. 4

                            The original, pre-WebExtension version of TST physically moved the tab-strip from the top to the left, and that’s just not possible with WebExtensions. Some people have gone to extraordinary lengths to recreate the original TST appearance, and while I agree that would be nice I haven’t bothered - as long as I have a scrollable, collapsible list of tabs with a big ol’ new-tab button in the lower-left corner, I’m quite happy.

                            Earlier versions of TST were a bit weird with the tab context menu, because sidebar extensions can’t draw anything outside the sidebar, so the context menu had to be faked up in HTML, which meant it didn’t include any context menu items from other extensions. However, TST’s author collaborated with Mozilla to add a “tab context menu” API, so an extension can ask Firefox to pop up the real context menu for any particular tab, so now it all works as expected.

                            The one wart I can think of with the current implementation is that if you drag a tab out of the sidebar, you might drag it onto the bookmarks bar to file it as a bookmark, or you might be dragging it out to create a new window, and WebExtensions can’t detect drop targets like that. Instead, there’s a little menu that appears when you hover over the left-hand end of the tab that presents the two options. It’s nice that it’s possible, but it’s definitely a bit clunky and I can imagine it would be annoying if you did either of those things on a regular basis. However, I don’t, so I don’t mind.

                            1. 2

                              Interesting to hear!

                              I really tried to accept the brokenness of vertical tabs in Firefox, but considering the sorry state I don’t feel to bad about switching to another browser.

                              For me to switch back to Firefox, would require Chrome to add vertical tabs.

                              Chrome doing something seems to be the only way any non-beginner problem gets recognized by Mozilla these days.

                            2. 1

                              TST works great for me. I use it every day and depend on it as a key part of my browsing experience. I find the WebExtension build quite good. The add-on author has even added quite a lot of features beyond what it had before the rewrite to WebExtensions.

                              I basically can’t use other browsers for an extended period at this point because I am quite dependent on TST.

                              1. 1

                                Thanks for the note. Vertical tabs are also a key part of my browsing experience, but since web extensions were introduced Firefox just didn’t cut it anymore for at least two reasons:

                                • That you can’t get rid of neither the horizontal tab nor the sidebar header feels like a cruel joke to me.

                                • The visual hierarchy (nav bar -> tab bar) is just wrong, it should be the other way around. I’m too tired to fight this fight again (remember how long it took to get the tab bar placed above the nav bar, instead of under it?).

                                So it’s interesting to hear that TST is still useful for some set of the original users of TST/Firefox.

                                1. 1

                                  That you can’t get rid of neither the horizontal tab nor the sidebar header

                                  You can in fact get rid of both, though it’s with a UI style override and thus somewhat inelegant. My chrome/userChrome.css file has the following to hide the default tabbar and the sidebar header for TST:

                                  /* Hide top tab bar */
                                  #main-window[tabsintitlebar="true"]:not([extradragspace="true"]) #TabsToolbar {
                                    opacity: 0;
                                    pointer-events: none;
                                  }
                                  #main-window:not([tabsintitlebar="true"]) #TabsToolbar {
                                    visibility: collapse !important;
                                  }
                                  /* Hide sidebar header */
                                  #sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header {
                                    display: none;
                                  }
                                  
                                  1. 1

                                    Yep, I’m using some CSS hacks in Vivaldi on top of its existing native support for vertical tabs, but I simply have not enough trust left in Mozilla to believe they aren’t itching to lock down the user chrome in the future.

                                    Nevertheless, I’ll give your CSS a go and report back! Thanks!

                                    Edit: I just did the comparison!

                                    How it needs to look (Vivaldi).

                                    How it looks (Firefox).

                                    I don’t think Firefox will ever be able to cross this gap, not even taking into account the lack of tab-previews, the lack of built-in mouse gestures, and the many other things that put Vivaldi ahead UX-wise for anyone who is using a browser for more than 5 minutes a day.

                                    1. 2

                                      anyone who is using a browser for more than 5 minutes a day

                                      I think it would help to clarify that all of these features are very opinionated, so I don’t think it’s helpful to generalize and assume “anyone” or even “most people” using a browser want these things… (IIRC a high number of browsing sessions never have more than a few tabs open, for example.)

                                      For myself, TST / a tree of tabs is important, but at the same time I don’t need mouse gestures or these other things you mention. It sounds like we are both quite set in our own way of using a browser, but I don’t think we should assume anyone else actually wants or should want the same. That’s the point of customizing: to find what works best for you.

                                      1. 1

                                        I think the core problem is that Firefox has become increasingly hostile to customization over the years – it’s either Firefox devs’ sacred idea of how the average user has to use their browser, or the highway.

                                        Nothing has changed much on my side in the last 15 years I used Firefox, except that Firefox has decided I’m not part of their target demographic anymore. That’s sad, but I think it’s best for me to move on.

                                  2. 1

                                    I am not bothered by the sidebar header or horizontal tab bar still being present. As mentioned by @whbboyd, you can customize userChrome.css if they bother you, but I don’t see a need to do so for my own use.

                                    The precise feature set and customization options of TST are more important to me, so as long as I can view the tree of tabs on the side with TST features, I find that good enough.

                            1. 2
                              1. 2

                                I would be okay with email notifications, but in the case of GitHub, there are many events that don’t trigger an email, so it doesn’t feel sufficiently “complete” to me. Until more email control is available, a specialized view built on the GH APIs (such as this tool) feels like a better way if you really want to stay on top of every event.

                              1. 2

                                Wow, this is exactly what I’ve been looking for! I had even started to make notes of how I’d build something like this myself. Very impressed!

                                1. 1

                                  @andrewnez, are there any plans to also track events that don’t come through the GH notifications API? For example, when an issue is cross-referenced elsewhere, when CI status updates, etc. I’d like to know when these events have happened as well.

                                  1. 1

                                    We’re already getting those extra events via the GitHub App webhook at the moment, fancy opening an issue with more details of how you’d like them displayed? https://github.com/octobox/octobox/issues/new

                                1. 9

                                  I used RSS to find this post, just like I do for (almost) every other article I read… so it is very much alive for me. (Usually it is an evolved form like Atom these days, but the concept is the same.)

                                  1. 1

                                    The technology in upcoming Firefox versions looks increasingly great.

                                    I would switch back in a heart beat if it wasn’t for the lack of vertical tabs. But it seems like Chrome is working on them, so Firefox might add them too.

                                    1. 5

                                      There are several add-ons for vertical tabs in Firefox, including Tab Center Redux and Tree Style Tab.

                                      1. 2

                                        Yes, I left Firefox after more than 15 years of usage after seeing these abominations. If these are the best option Mozilla allows, I’ll look elsewhere for a browser.

                                        1. 1

                                          Which browser have you found that has vertical tabs done better?

                                          1. 1

                                            I’m pretty happy with Vivaldi (it’s one of the first questions they ask on first startup – where the tabs should be placed). Here is how it looks: https://i.imgur.com/DzoJ8d9.png

                                          2. 1

                                            Haha, well, to each their own… I happily use Tree Style Tab everyday myself. I am not sure how to browse the web without it anymore… (All of these add-ons have been (re)implemented to use WebExtension APIs that isolate the browser and add-ons from each other in the last year or so… perhaps they are quite different from the last time you checked them, depending on when that was.)

                                            1. 1

                                              Yeah, I used Tree Style Tabs, too. Since Mozilla broke the old APIs without replacement, all the reimplemented extensions are an utter disappointment.

                                              I looked at different extensions right now, and I love how all extension authors carefully crop their screenshots to hide the fact that they can’t get rid of

                                              • the horizontal tab bar
                                              • the sidebar header

                                              thanks to Mozilla’s “mom knows best!” approach, which makes their extensions rather pointless.

                                              I’m so glad Mozilla isn’t in charge of an IDE/editor, because otherwise we all could start preparing to develop without syntax highlighting, because “Mozilla UX team decided it’s unnecessary”.

                                        2. 1

                                          Every time I see something like this quoted as a reason to switch browsers I’m amazed how deep control-freakery is rooted in all of us :-)

                                          1. 1

                                            Stuff like mass-market browsers are designed for the lowest common denominator of user behavior.

                                            It shouldn’t be surprising that more and more people fall outside Mozilla’s supported use cases, as Mozilla keeps pushing “our way or the highway” on how their users have to use their browser.

                                          2. 1

                                            I have been using tree tabs which works wonderfully. Even better than what I had before the web extensions migration.

                                            1. 1

                                              Just tried it, it’s rather embarrassing due to missing APIs Mozilla removed without replacement. It is pretty much the state when I left Firefox, no improvements visible.

                                          1. 1

                                            This seems like it would fit better at Barnacles instead of Lobsters.

                                            1. 1

                                              As another person that uses many tabs (308 tabs across 20 windows at the moment), I am quite happy to see these improvements.

                                              1. 12

                                                I am not surprised, since Firefox’ current mission seems to copy Chrome, throwing away all advantages that they had (like extensibility) to become a worse Chrome. Might as well switch to Chrome then.

                                                1. 13

                                                  Throwing away XUL is necessary, being a technical dead end preventing them from doing necessary refactors for e10s and such.

                                                  I agree it hurts a lot. They need to work a lot on WebExtensions to make it viable.

                                                  1. 7

                                                    XUL was an incredible piece of technology. Ten years ago I developed a cross-platform application with native look-and-feel and embedded data-visualizations in a couple of weeks. I don’t think there was anything else that would have allowed me to do that back then… and even now, that would be a challenge. I wish XUL had been blessed by W3C standardization.

                                                    1. 3

                                                      Maybe it was incredible technology, but I always wished for a firefox build using native widgets. Back in the day, just wiggling my mouse back and forth over the title bar (not over the page) in firefox used to nearly max out my cpu.

                                                      1. 1

                                                        There was Camino for Mac, and Galleon on Linux, but those are dead. There’s K-Meleon on Windows, but I’m unsure of its development state.

                                                    2. 0

                                                      Is electrolysis worth losing a ton of extensions and developers over?

                                                      Is electrolysis even a good thing? If I open facebook, twitter and youtube at the same time I can expect firefox to grind to a halt. With electrolysis, my whole PC will grind to a halt? I don’t buy better the security argument either - firefox is a reverse shell with or without electrolysis.

                                                      1. 12

                                                        E10S is required for shipping a sandbox for Firefox. I’m a bit biased, since I work on Firefox sandboxing, but I believe this is probably the single most important security project we have.

                                                        I’m not sure what you mean by “firefox is a reverse shell with or without electrolysis” - enabling the sandbox makes it so that any random memory corruption in the content process isn’t game over for security, which is a huge win.

                                                        1. 3

                                                          You don’t buy the “security argument” of process isolation and sandboxing? It’s fairly easy not to see the benefits of something if you deny the reality of the benefits it does provide.

                                                        2. 1

                                                          That’s my concern though - I don’t think they recognize how much people depend on their favorite extensions to make using Firefox a pleasant expeiernce. The impression I get is they’re basically gonna draw a line in the sand and switch whether or not the extension ecosystem comes with them.

                                                          I agree that it needs to happen, but were I them I’d be looking at the most popular extensions and ensuring that a transition plan exists. Their market share depends on it.

                                                          1. 4

                                                            I agree that it needs to happen, but were I them I’d be looking at the most popular extensions and ensuring that a transition plan exists. Their market share depends on it.

                                                            They are doing exactly that… they have many bugs filed that are “enable to be written as webext”. The core webext team is extremely smart and capable.

                                                            1. 1

                                                              That’s really fantastic to hear. I should get tuned into that effort to see if my favorite extensions are being represented :)

                                                          2. 1

                                                            So, I don’t doubt it, but why exactly? I’ve heard security cited, is that something inherent to XUL itself or merely an artifact of that particular subsystem being left to wither on the vine?

                                                          3. 4

                                                            Agreed. Throwing away XUIL extensions is going to totally cripple them. I don’t know what I’ll do at that point. IMO they’re what make Firefox a usable alternative, and there are a bunch of things you simply can’t do with the proposed Javascript extension standard (can’t think of the name).

                                                            It’s All Text comes to mind.

                                                            1. 3

                                                              I don’t know what I’ll do at that point.

                                                              Palemoon perchance?

                                                              1. 2

                                                                Palemoon

                                                                Maybe? No Mac support right now, which is a deal breaker for me. As I’ve posted about here before, Linux desktops have yet to come close to the accessibility features OSX provides. I’m partially blind, and ‘living’ on the Linux desktop was sheer agony.

                                                            2. 3

                                                              Might as well switch to Chrome then.

                                                              Look at the linked Mozilla blog post — they already did!

                                                              The head of Firefox marketing admits to using Chrome every day, for leisure.

                                                              1. 2

                                                                Yeah, I guess it has to get a lot worse before it gets better. As long as they are (so) dependent on income from advertisers (Yahoo?), they will not put the user first regarding privacy and security. For example why are the Tor Browser’s Firefox settings not the default in Firefox? Why is Privacy Badger or something similar not a default extension? Why are third party cookies still enabled by default?

                                                                I guess over time more and more stuff will break again with Firefox as also mentioned in the article, that making it a bit worse now by enabling the Tor settings and Privacy Badger won’t make much of a difference. At least you’d know Mozilla has your back, and Firefox may even gain some users by being privacy friendly by default. That is, for as long as it is relevant and “the web” is used by the average user.

                                                                1. 4

                                                                  Mozilla is actively working with the Tor project to upstream their Tor Browser patches and improve privacy defaults.

                                                                  1. 2

                                                                    Ah, I missed that it was also about changing the defaults! I thought it was just to get the (code) changes upstream, but not (necessarily) the defaults. If so, that is great news!

                                                                  2. 3

                                                                    Maybe it will get a lot worse before it gets even worse.

                                                                1. 4

                                                                  So this drives me nuts because if your Node project depends on dependency A, but dependency A lists a version range for dependency B, npm will update B to the latest version available when you rerun “npm install”, even if you have an exact version listed for A. You can solve this with shrinkwrap but in some cases you want to check you can blow away your shrinkwrap and reinstall and get the same file back out.

                                                                  We usually worked around this by forking A and locking down its dependencies.

                                                                  1. 4

                                                                    My understanding is that yarn and its lock file do a better job with this than npm shrinkwrap.

                                                                    1. 1

                                                                      That is actually the most compelling reason to use yarn, that it produces a sane lock file.

                                                                  1. 1
                                                                    1. 3

                                                                      I believe the main reason so many Firefox users run a 32 bit version is because of legacy browser plugins, some of which may never have been released in a 64 bit version. Since they are binary blobs, the browser ABI has to match the plugin’s ABI for the plugin to work.

                                                                      At any rate, many users should be able to switch these days. There is work scheduled to migrate Windows users with 32 bit Firefox to 64 bit Firefox (assuming they’re on 64 bit OS, of course).

                                                                    1. 2

                                                                      I have the 60" rectangular Jarvis that your coworker mentioned with the bamboo top. It’s a great choice all around. I’ve had it for about a year so far. I also agree with twelvebravo that the programmable controls are a key feature, so you don’t have to fiddle each time.

                                                                      1. 1

                                                                        Coworker just got it, so I’ve been hesitant about it. But it’s good to hear someone with it over a year. I might have to buy one.

                                                                      1. 1

                                                                        I would love to have the ability to save or favorite stories and comments. Right now the only way you can go back and find things to read is by commenting on a story.

                                                                        1. 2

                                                                          If you upvote a story, you can find it again at https://lobste.rs/upvoted which lists all your upvoted stories. Not sure what to suggest about comments, though.

                                                                        1. 5

                                                                          I do agree it’s a bit hard to follow how all the caching semantics work out in practice, especially once you start stacking various headers together in one response.

                                                                          Mark Nottingham (chair of the IETF HTTP working group) has a decent informational guide to HTTP caching for web developers.

                                                                          Jack Archibald (Chrome developer advocate) has a good collection of best practices for difference scenarios.

                                                                          1. 6

                                                                            I know others will disagree, but I find 500px unreadably narrow, and couldn’t find where to turn it off in the inspector.

                                                                            1. 4

                                                                              In the Chrom{e,ium} inspector, expand the body, click on the site-wrapper div then uncheck the width: 500px style, then expand the site-wrapper div and click on the core-content div and uncheck the width there too.

                                                                              1. 1

                                                                                These steps should work in inspector tool of any browser these days.

                                                                            1. 1

                                                                              Wow, this is like a time machine to my childhood. :) Thanks for posting!

                                                                              1. 2

                                                                                Yep, I’ve been posting a lot about this since I learned about the issue.

                                                                                There are really only two solutions:

                                                                                1) Use older x86 hardware. I’ve been playing with Libreboot on a Thinkpad X200.

                                                                                2) Use non-x86 hardware. I’d love to get my hands on an old SPARC server. There’s also the POWER8 TALOS Secure Workstation.

                                                                                1. 1

                                                                                  I’m also interested in the TALOS workstation project. Looking forward to their progress!

                                                                                1. 1

                                                                                  Where is the referenced NEWS to be found?

                                                                                  1. 1

                                                                                    At the linked URL, you just need to scroll a bit.

                                                                                    1. 1

                                                                                      Below comments? There’s nothing there, and then it’s the end of the page.

                                                                                      1. 2

                                                                                        The yellow block is actually a scrollable element… I was also confused.

                                                                                        1. 1

                                                                                          Wow.

                                                                                  1. 10

                                                                                    I was so distracted by the website that I didn’t even read what the project is about. What is with all the pointless animations and transitions? The “Zephyr” text in the upper left corner that transitions when you start scrolling to become… a slightly smaller “Zephyr” with a kite. The fade-in of the main body text, which then jumps out and becomes a whole point size larger when you mouse over it. The search bar that drops down and completely fades out the text you’re reading, so you can’t read something on the page and quickly search for it without copying the text first.

                                                                                    1. 5

                                                                                      Yeah, wow, that page is painful to read. This about doc seems like an easier to read summary:

                                                                                      https://www.zephyrproject.org/doc/about_zephyr.html