Julien Vehent: On endpoint security, vendors and root access. |
Endpoint security typically comes in two flavors: with or without a local agent. They both do the same thing - reach out to your endpoints and run a bunch of tests - but one will reach out to your systems over SSH, while the other will require a local agent to be deployed on all endpoints. Both approaches often share the same flaw: the servers that operate the security solution have the keys to become root on all your endpoints. These servers become targets of choice: take control of them, and you are root across the infrastructure.
I have evaluated many endpoint security solutions over the past few years, and I too often run into this broken approach to access control. In extreme cases, vendors are even bold enough to sell hosted services that require their customers to grant root accesses to SaaS operating as blackboxes. These vendors are successful, so I imagine they find customers who think sharing root accesses that way is acceptable. I am not one of them.
For some, trust is a commodity that should be outsource-able. They see trust as something you can write into a contract, and not worry about it afterward. To some extent, contracting does help with trust. More often than not, however, trust is earned over time, and contracts only seal the trust relationship both parties have already established.
I trust AWS because they have a proven track record of doing things securely. I did not use to, but time and experience have changed my mind. You, however, young startup that freshly released a fancy new security product I am about to evaluate, I do not yet trust you. You will have to earn that trust over time, and I won't make it easy.
This is where my issue with most endpoint security solutions lies: I do not want to trust random security vendors with root accesses to my servers. Mistakes happen, they will get hacked some day, or leak their password in a git commit or a pastebin, and I do not wish my organization to be collateral damage of their operational deficiencies.
Endpoint security without blindly trusting the security platform is doable. MIG is designed around the concept of non-trustable infrastructure. This is achieved by requiring all actions sent to MIG agents to be signed using keys that are not stored on the MIG servers, but on the laptops of investigators, the same way SSH keys are managed. If the MIG servers get hacked, some data may leak, but no access will be compromised.
Another aspect that we included in MIG is the notion that endpoint security can be done without arbitrary remote code execution. Most solutions will happily run code that comes from the trusted central platform, effectively opening a backdoor into the infrastructure. MIG does not allow this. Agents will only run specific investigative tasks that have been pre-compiled into modules. There is no vector for remote code execution, such that an investigator's key leaking would not allow an attacker to elevate access to being root on endpoints. This approach does limit the capabilities of the platform - we can only investigate what MIG supports - but if remote code execution is really what you need, you probably should be looking into a provisioning tool, or pssh, but not an endpoint security solution.
While I do take MIG as an example, I am not advocating it as a better solution to all things. Rather, I am advocating for proper access controls in endpoint security solutions. Any security product that has the potential to compromise your entire infrastructure if taken over is bad, and should not be trusted. Even if it brings some security benefits. You should not have to compromise on this. Vendors should not ask customers to accept that risk, and just trust them to keep their servers secure. Doing endpoint security the safe way is possible, it's just a matter of engineering it right.
|
Michael Kohler: Mozilla Tech Weekend in Berlin – November 28th & 29th |
The Berlin Mozilla Community would like to invite all of you to the Mozilla Tech Weekend on November 28th 2015. There will be tech talks on Saturday and workshops on Sunday.
Location:
Kulturkantine
Saarbrücker Str. 24, Haus C, Berlin
http://www.kuka-berlin.de/lageskizze/
Sign up for free at http://www.meetup.com/Berlin-Mozilla-Meetup/events/226461969/
Schedule for Saturday 28th November:
After the talks there will be some food and time to get in touch with developers and each other.
On Sunday there will be workshops on similar topics to follow up or get you all set up if you would like to start contributing to Mozilla projects. Sign-up for the workshops will be on-site on Saturday.
Cheers,
The Berlin Mozilla Community
https://lists.mozilla.org/listinfo/community-berlin
https://michaelkohler.info/2015/mozilla-tech-weekend-in-berlin-november-28th-29th
|
Julien Pagès: mozregression – new way for handling merges |
I am currently investigating how we can make mozregression smarter to handle merges, and I will explain how in this post.
Problem
While bisecting builds with mozregression on mozilla-central, we often end up with a merge commit. These commits often incorporate many individual changes; consider for example this url for a merge commit. A regression will be hard to find inside such a large range of commits.
How mozregression currently works
Once we reach a one-day range by bisecting mozilla-central or a release branch, we keep the most recent commit tested, and we use that for the end of a new range to bisect mozilla-inbound (or another integration branch, depending on the application). The beginning of that mozilla-inbound range is determined by one commit found 4 days preceding the date of the push of the commit (date pushed on mozilla-central) to be sure we won’t miss any commit in mozilla-central.
But there are multiple problems. First, it is not always the case that the offending commit really comes from m-i. It could be from any other integration branch (fx-team, b2g-inbound, etc). Second, bisecting over a 4-day range in mozilla-inbound may involve testing a lot of builds, some of which are useless to test.
Another approach
How can we improve this? As just stated, there are two points that can be improved:
So, how can this be achieved? Here is my current approach (technical):
Let’s take an example:
mozregression -g 2015-09-20 -b 2015-10-10
We are bisecting firefox, on mozilla-central. Let’s say we end up with a range 2015-10-01 – 2015-10-02. This is what the pushlog will look like at the end: 4 pushes and more than 250 changesets.
Now mozregression will automatically reduce the range (still on mozilla-central) by asking you good/bad for those remaining pushes. So, we would end up with two pushes – one we know is good because we tested the top most commit, and the other we know is bad for the same reason. Look at the following pushlog, showing what is still untested (except for the merge commit itself) – 96 commits, coming from m-i.
And then mozregression will detect that it is a merge push from m-i, so automatically it will let you bisect this range of pushes from m-i. That is, our 96 changesets from m-c now converted to testable pushes in m-i. And we will end with a smaller range, for example this one where it will be easy to find our regression because this is one push without any merge.
Comparison
Note that both methods for the example above would have worked. Mainly because we are ending in commits originated from m-i. I tried with another bisection, this time trying to find a commit in fx-team – in that case, current mozregression is simply out – but with the new method it was handled well.
Also using the current method, it would have required around 7 steps after reducing to the one day range for the example above. The new approach can achieve the same with around 5 steps.
Last but not least, this new flow is much cleaner:
Is this applicable?
Well, it relies on two things. The first one (and we already rely on that a bit currently) is that a merged commit can be found in the branch where it comes from, using the changeset. I have to ask vcs gurus to know if that is reliable, but from my tests this is working well.
The second thing is that we need to detect a merge commit – and which branch its commits come from. Thanks to the consistency of the sheriffs in their commit messages, this is easy.
Even if it is not applicable everywhere for some reason, it appears that it often works. Using this technique would result in a more accurate and helpful bisection, with speed gain and increased chances to find the root cause of a regression.
This needs some more thinking and testing, to determine the limits (what if this doesn’t work? Should we/can we use the old method in that case?) but this is definitely something I will explore more to improve the usefulness of mozregression.
https://parkouss.wordpress.com/2015/11/14/mozregression-new-way-for-handling-merges/
|
Emma Irwin: #MyMozfest 2015 |
The Mozilla Festival took place this past weekend! Mozfest is the first of three Global Leadership events we’re leveraging to empower a cohort of Participation Leaders in their goals for 2016. This first group of 30 represents those whose goals strongly focused on developing and delivering programs that build skills (leadership and otherwise) of Mozillians.
Some sweets from @mozillaro ! Find them at the #participationspace museum! #mozfest pic.twitter.com/k4qNJ6vF80
— Ioana Chiorean (@ioana_cis) November 7, 2015
Mozfest is the perfect place to meet kindred spirits, make new and valuable connections, and to experiment and get feedback in real time. Everything, including the sessions themselves, lends itself to hackability and spontaneous invention; the environment encourages a bravery to reach inside ourselves, and to recognize our potential to be the change we want to see in the world.
It was very very exciting to be a part of designing an experience for this group that included pre-event coaching, facilitator training, and leadership workshops led by George Roter. We also hosted the first ever ‘Participation Space’ at Mozfest which was filled with sessions and activities the entire weekend. I wanted to share a few moments that stood out for me, with a sneak peek into what’s next.
As the ‘space wrangler’ for Participation, I didn’t get out much :) but still managed these inspiring moments. Looking forward to reading the blog posts of our entire cohort on their Mozfest moments. Here are more photos of our caped cohort!
Next up, we’ll be holding our first call for those who attend Mozfest, and launching connective efforts to bring in those who have yet to attend an event, or who sadly missed this one because of Visa issues. Lots of goodness ahead!
|
Pascal Chevrel: Follow-up to my current migration to Atom Editor |
After my recent blog post announcing that I was transitioning from Sublime Text to Atom, I got a couple of nice surprises from the community that fix some of the annoyances I have with Atom or that will just make it better.
Just click on the 'Edit/Open your Keymap' menu item and put that line at the bottom:
'.platform-linux atom-text-editor':
  'ctrl-:': 'editor:toggle-line-comments'
That will make the shortcut work along with the keyboard localization package installed for French (and Belgian French too). If you are on Windows, use the selector .platform-win32 (I don't know what the MacOS one is).
Install the Project Manager package (thanks to Giorgio Maone, Mozilla Add-on dev, for the tip). It's roughly equivalent in functionality to Sublime's built-in project manager and it seems good enough to me. One caveat is that switching from one project to another is a bit slow.
This is a nice gift from my colleague Francesco Lodolo: he made a syntax highlighter for the DotLang localization text format we use for mozilla.org and other sites for which we need fast translations. This will be useful to me but also to Mozilla localizers who might want to use Atom to edit their translations. Here is the package:
DotLang language support in Atom
And a screenshot to give you an idea of the end result.
This is always nice to have, I like new stuff. Here is their blog post about it: Atom 1.2
There is a series of packages called php-integrator-* (base, autocomplete plus, tooltips, annotations...) that supposedly provide the equivalent services to Codeintel, but after indexing a single project for an hour (bringing my computer to its knees), I couldn't make it work. On a couple of occasions I saw a nice tooltip for a method indexed, but I don't know how I triggered it and I don't get any autocompletion of classes while typing. I guess it's still pretty much alpha stuff but hopefully that will work some day. Also I suspect it tried to index all of my dependencies in the vendor directory… I only need my own code to be indexed, not the external dependencies or a whole framework. The good news I guess is that something is being developed and I might get that feature one day.
Another nice surprise from the community, looks like Julien Bianchi, one of Atoum developers is working on a package to get Atoum in Atom following my request on Twitter:
Many many thanks to him, I am always amazed at how nice the people in the Atoum project are with their users.
UPDATE: here is the Atoum plugin and a video demoing it
My transition is going well and progressing quickly. Today I coded exclusively in Atom; I found some small bugs and needed to get my bearings in the new environment, but it's not a revolution compared to Sublime and so far I felt rather productive. Most of the problems I have really are in the realm of polishing and finding where an option is set up or what a new shortcut is. That said, the experience is satisfying and I probably didn't get more headaches today than I had when I switched from Geany to Sublime a couple of years ago. So far, so good.
http://www.chevrel.org/carnet/?post/2015/11/11/Follow-up-to-my-current-migration-to-Atom-Editor
|
Francois Marier: How Tracking Protection works in Firefox |
Firefox 42, which was released last week, introduced a new feature in its Private Browsing mode: tracking protection.
If you are interested in how this list is put together and then used in Firefox, this post is for you.
There are many possible ways to download URL lists to the browser and check against that list before loading anything. One of those is already implemented as part of our malware and phishing protection. It uses the Safe Browsing v2.2 protocol.
In a nutshell, the way that this works is that each URL on the block list is hashed (using SHA-256) and then that list of hashes is downloaded by Firefox and stored into a data structure on disk:
~/.cache/mozilla/firefox/XXXX/safebrowsing/mozstd-track* on Linux
~/Library/Caches/Firefox/Profiles/XXXX/safebrowsing/mozstd-track* on Mac
C:\Users\XXXX\AppData\Local\mozilla\firefox\profiles\XXXX\safebrowsing\mozstd-track* on Windows
This sbdbdump script can be used to extract the hashes contained in these files and will output something like this:
$ ~/sbdbdump/dump.py -v .
- Reading sbstore: mozstd-track-digest256
[mozstd-track-digest256] magic 1231AF3B Version 3 NumAddChunk: 1 NumSubChunk: 0 NumAddPrefix: 0 NumSubPrefix: 0 NumAddComplete: 1696 NumSubComplete: 0
[mozstd-track-digest256] AddChunks: 1445465225
[mozstd-track-digest256] SubChunks:
...
[mozstd-track-digest256] addComplete[chunk:1445465225] e48768b0ce59561e5bc141a52061dd45524e75b66cad7d59dd92e4307625bdc5
...
[mozstd-track-digest256] MD5: 81a8becb0903de19351427b24921a772
The name of the blocklist being dumped here (mozstd-track-digest256) is set in the urlclassifier.trackingTable preference which you can find in about:config. The most important part of the output shown above is the addComplete line which contains a hash that we will see again in a later section.
Once it's time to load a resource, Firefox hashes the URL, as well as a few variations of it, and then looks for it in the local lists.
If there's no match, then the load proceeds. If there's a match, then we do an additional check against a pairwise allowlist.
The pairwise allowlist (hardcoded in the urlclassifier.trackingWhitelistTable pref) is designed to encode what we call "entity relationships". The list groups related domains together for the purpose of checking whether a load is first or third party (e.g. twitter.com and twimg.com both belong to the same entity).
Entries on this list (named mozstd-trackwhite-digest256) look like this:
twitter.com/?resource=twimg.com
which translates to "if you're on the twitter.com site, then don't block resources from twimg.com".
If there's a match on the second list, we don't block the load. It's only when we get a match on the first list and not the second one that we go ahead and cancel the network load.
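The lookup flow described above, as an added Python example (not Firefox's code and not part of the original post). The variation generator is a simplified host-suffix and path-prefix scheme in the style of Safe Browsing, `base_domain` is a hypothetical two-label shortcut, and the two lists are constructed sample data built from entries quoted on this page.

```python
import hashlib
from urllib.parse import urlsplit


def digest(expression):
    """SHA-256 hex digest of a canonicalized list expression, e.g. 'twimg.com/'."""
    return hashlib.sha256(expression.encode("utf-8")).hexdigest()


def host_variants(host):
    """Exact host plus up to four suffixes taken from its last five labels."""
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):  # IPv4 literal: no suffixes
        return [".".join(labels)]
    variants = [".".join(labels)]
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        variants.append(".".join(labels[i:]))
    return variants


def path_variants(path, query):
    """Exact path (with and without query), then '/' and up to three directory prefixes."""
    path = path or "/"
    variants = [path + "?" + query] if query else []
    variants.append(path)
    segments = [s for s in path.split("/") if s]
    dirs = segments if path.endswith("/") else segments[:-1]
    prefix = "/"
    variants.append(prefix)
    for seg in dirs[:3]:
        prefix += seg + "/"
        variants.append(prefix)
    return list(dict.fromkeys(variants))  # de-duplicate, keep order


def lookup_expressions(url):
    """Every host/path combination that is hashed and looked up for one URL."""
    parts = urlsplit(url)
    return [h + p
            for h in host_variants(parts.hostname or "")
            for p in path_variants(parts.path, parts.query)]


def base_domain(url):
    """Assumption: last two labels stand in for the real base-domain computation."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def should_block(resource_url, page_url, blocklist, allowlist):
    """Block only on a blocklist hit that the pairwise allowlist does not cover."""
    if not any(digest(e) in blocklist for e in lookup_expressions(resource_url)):
        return False  # no match on the first list: the load proceeds
    pair = base_domain(page_url) + "/?resource=" + base_domain(resource_url)
    return digest(pair) not in allowlist


# Constructed sample lists, stored as hashes the way the local files are.
BLOCKLIST = {digest("twimg.com/"), digest("trackertest.org/")}
ALLOWLIST = {digest("twitter.com/?resource=twimg.com")}

if __name__ == "__main__":
    # Compare this value with the [hash] line the post shows for twimg.com/.
    print("twimg.com/ ->", digest("twimg.com/"))
    for page in ("https://twitter.com/home", "https://example.org/"):
        verdict = should_block("https://pbs.twimg.com/media/x.png", page,
                               BLOCKLIST, ALLOWLIST)
        print(page, "blocks twimg.com resource:", verdict)
```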
If you visit our test page, you will see tracking protection in action with a shield icon in the URL bar. Opening the developer tool console will expose the URL of the resource that was blocked:
The resource at "https://trackertest.org/tracker.js" was blocked because tracking protection is enabled.
The blocklist is created by Disconnect according to their definition of tracking.
The Disconnect list is on their Github page, but the copy we use in Firefox is the copy we have in our own repository. Similarly the Disconnect entity list is from here but our copy is in our repository. Should you wish to be notified of any changes to the lists, you can simply subscribe to this Atom feed.
To convert this JSON-formatted list into the binary format needed by the Safe Browsing code, we run a custom list generation script whenever the list changes on GitHub.
If you run that script locally using the same configuration as our server stack, you can see the conversion from the original list to the binary hashes.
Here's a sample entry from the mozstd-track-digest256.log file:
[m] twimg.com >> twimg.com/
[canonicalized] twimg.com/
[hash] e48768b0ce59561e5bc141a52061dd45524e75b66cad7d59dd92e4307625bdc5
and one from mozstd-trackwhite-digest256.log:
[entity] Twitter >> (canonicalized) twitter.com/?resource=twimg.com, hash a8e9e3456f46dbe49551c7da3860f64393d8f9d96f42b5ae86927722467577df
This, in combination with the sbdbdump script mentioned earlier, will allow you to audit the contents of the local lists.
The way that the binary lists are served to Firefox is through a custom server component written by Mozilla: shavar.
Every hour, Firefox requests updates from shavar.services.mozilla.com. If new data is available, then the whole list is downloaded again. Otherwise, all it receives in return is an empty 204 response.
Should you want to play with it and run your own server, follow the installation instructions and then go into about:config to change these preferences to point to your own instance:
browser.trackingprotection.gethashURL
browser.trackingprotection.updateURL
Note that on Firefox 43 and later, these prefs have been renamed to:
browser.safebrowsing.provider.mozilla.gethashURL
browser.safebrowsing.provider.mozilla.updateURL
If you want to learn more about how tracking protection works in Firefox, you can find all of the technical details on the Mozilla wiki or you can ask questions on our mailing list.
Thanks to Tanvi Vyas for reviewing a draft of this post.
http://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/
|
Mozilla Release Management Team: Firefox 43 beta2 to beta3 |
Some EME fixes, more telemetry in this beta. The rest of the changes are in diverse components.
Extension | Occurrences |
cpp | 26 |
html | 17 |
h | 11 |
jsm | 5 |
java | 5 |
js | 4 |
idl | 3 |
webidl | 2 |
xml | 1 |
txt | 1 |
py | 1 |
list | 1 |
json | 1 |
ini | 1 |
hgtags | 1 |
Module | Occurrences |
dom | 26 |
layout | 14 |
docshell | 10 |
toolkit | 8 |
widget | 5 |
mobile | 5 |
testing | 3 |
netwerk | 3 |
js | 3 |
gfx | 1 |
browser | 1 |
List of changesets:
Andreas Pehrson | Bug 1103188 - Keep track of capture stop only in gUM stream listener. r=jib a=lizzard - b199ea9f265c |
Andreas Pehrson | Bug 1103188 - Keep track of stopped tracks in gUM stream listener. r=jib a=lizzard - 1babaebeccc6 |
Jan-Ivar Bruaroey | Bug 1210852 - do SelectSettings of device capabilities on media thread. a=lizzard - c458ad434a12 |
Andreas Pehrson | Bug 1070216 - Properly manage lifetime of allocated CaptureDevices. r=jib a=lizzard - 3705005d2190 |
Wes Kocher | Backed out 4 changesets (Bug 1210852, Bug 1103188, Bug 1070216) for various crashes with mediamanager.cpp assertions a=backout - 4e86a0d1261a |
Paolo Amadini | Bug 1207089 - Telemetry for permission notifications. r=MattN, r=vladan, a=Sylvestre - 0b662011620c |
Mark Finkle | Bug 1219895 - Cleanup the 'share.1' telemetry probes by adding extra context. r=margaret, a=sylvestre - 4640472b4c72 |
Mark Finkle | Bug 1219895 - Build bustage - Remove unwanted param. r=me, a=bustage - 74993763ef07 |
Chris Pearce | Bug 1193610 - Also use SystemParametersInfo to block screen saver on Windows, so it works on WinXP and Vista. r=jimm,a=lizzard - fabe9ce33dc2 |
Robert O'Callahan | Bug 1209994 - Fix a couple of issues that make the percentage-height-calculation.html test unreliable. r=bz, a=sylvestre - 26ef30e81468 |
Robert O'Callahan | Bug 1209994 - Take block-wrapper path only for blocks that are wrappers. r=bz, a=sylvestre - 278b5140a696 |
Jonas Sicking | Bug 1213646 - Allow URI_IS_UI_RESOURCE and safe about: URIs when SEC_ALLOW_CHROME is set. r=bz a=ritu, a=lizzard - 7d24cb4584fc |
Cameron McCormack | Bug 1222226 - Don't return eRestyleResult_StopWithStyleChange if the old style context is shared. r=dbaron, a=lizzard - 5ff2e264e7ff |
Jonas Sicking | Bug 1211000 - Move CORS preflight logic from nsCORSListenerProxy to nsCORSPreflightListener. r=ehsan, a=lizzard - 9576cf65c2b5 |
Alessio Placitelli | Bug 1174674 - Clear out all pending pings when FHR is deactived. r=gfritzsche, a=lizzard - e7f899e48fc6 |
Jim Chen | Bug 1209465 - Work around TextComposition workaround. r=esawin, a=lizzard - 5ffeff840220 |
Dragana Damjanovic | Bug 1185256 - Save originURI to the history. r=bz ba=lizzard, a=lizzard - 8b8a66145292 |
Dragana Damjanovic | Bug 1211269 - Store the information whether the channel is LOAD_REPLACE into history entry. r=bz ba=lizzard, a=lizzard - 23d25d9a94d7 |
Dragana Damjanovic | Bug 1213267 - Fix view-source address. r=bz ba=lizzard, a=lizzard - d8c7509ddad0 |
Nick Thomas | Bug 1220641 - Push to mirrors prefix is too greedy. r=rail, a=release-automation DONTBUILD - 9669bc030ba7 |
Jan de Mooij | Bug 1218111 - Fix property enumeration order of unboxed objects with expando properties. r=bhackett, a=lizzard - 842a741af958 |
Chris Pearce | Bug 1207019 - Remove WMF availability check in MediaKeySystemAccess requests. r=edwin,a=lizzard - 45f9754edccf |
Chris Pearce | Bug 1207019 - Make EME mochitests specify mime types for video in MediaKeys request videoTypes, ditto for audio. r=gerald,a=lizzard - d7438e734352 |
Chris Pearce | Bug 1189196 - Rename MediaKeySystemOptions to MediaKeySystemConfiguration and update WebIDL. r=bz,a=lizzard - 0851006030fe |
Chris Pearce | Bug 1189196 - Process MediaKeySystemConfiguration in navigator.requestMediaKeySystemAccess. r=jwwang,a=lizzard - 0c3338032dc3 |
Chris Pearce | Bug 1189196 - Clean up logging of navigator.requestMediaKeySystemAccess. r=jwwang,a=lizzard - 83b2962d6861 |
Chris Pearce | Bug 1189196 - Update EME mochitest to use new navigator.requestMediaKeySystemAccess. r=jwwang,a=lizzard - ba6b7797e925 |
Jean-Yves Avenard | Bug 1220033 - Fix HTMLMediaElement::seekable attribute for Mediasource. r=gerald, a=lizzard - 84b0b59ed1d2 |
Robert O'Callahan | Bug 1222308 - Assume frames that are very old will never be composited. r=nical, a=lizzard - 8c199302644e |
Karl Tomlinson | Bug 1221855 - null-check mInputBuffer in SizeOfExcludingThis(). r=padenot, a=lizzard - 9fbc92fa9e4b |
Karl Tomlinson | Bug 1221855 - test Web Audio memory reporting r=erahm, a=lizzard - decfff8497ce |
Mats Palmgren | Bug 1092626 - Don't try to restore the scroll position if the frame is still dirty or has dirty children. r=roc a=lizzard - c580b1ad0f23 |
Martin Stransky | Bug 1219717 - Derive text color/background from GtkTextView. r=karlt a=lizzard - a59d9d8978ad |
Andrew Comminos | Bug 1209774 - Transform from GDK coords to layout device pixels before calling DispatchEvent. r=karlt a=lizzard - 26f64ca8f630 |
Wes Kocher | Backed out changeset decfff8497ce (Bug 1221855) for adding a broken test a=backout - e4629e309487 |
http://release.mozilla.org/statistics/43/2015/11/13/fx-43-b2-to-b3.html
|
Mozilla Release Management Team: Firefox 43 beta1 to beta2 |
For this second beta of the cycle, some telemetry changes for Fennec, some video improvements and releng fixes.
Extension | Occurrences |
cpp | 16 |
java | 7 |
h | 6 |
py | 3 |
js | 3 |
jsm | 2 |
html | 2 |
xml | 1 |
txt | 1 |
rst | 1 |
rdf | 1 |
json | 1 |
ini | 1 |
dtd | 1 |
Module | Occurrences |
dom | 13 |
mobile | 10 |
layout | 8 |
toolkit | 7 |
testing | 3 |
browser | 2 |
security | 1 |
netwerk | 1 |
image | 1 |
List of changesets:
Jordan Lund | Bug 1220765 - 43.0b1 build1 fennec repacks failing to upload and submit to taskcluster, DONTBUILD r=rail, a=releases - 6e78daec52af |
Nick Thomas | Bug 1221386, checksums failing in 43.0b1, r=jlund a=automation DONTBUILD - 9211dd55954e |
Rail Aliiev | Bug 1218763 - Antivirus should retry on SSLError, r=nthomas, a=lizzard DONTBUILD - 40ae04af867c |
Rail Aliiev | Bug 1218763 - Antivirus should retry on SSLError. r=nthomas a=lizzard DONTBUILD - f2f176ef9b45 |
Rail Aliiev | Bug 1220641 - Push to mirrors prefix is too greedy. r=Callek,a=ritu DONTBUILD - 6a65996ee241 |
Dave Townsend | Bug 1220198 - Never appDisable experiments if they don't have the right app compatibility information available. r=rhelmer, a=lizzard - b87f9e2d6355 |
Margaret Leibovic | Bug 1218858 - Update tracking protection language in about:privatebrowsing (string change for en-US uplift only). r=mfinkle, L10n=flod, a=lizzard - eb3dd7f7d487 |
Jean-Yves Avenard | Bug 1217170: P1. Rename functions to explicitly reflect what they are doing. r=kentuckyfriedtakahe a=lizzard - 0e749793c4c6 |
Jean-Yves Avenard | Bug 1217170: [MSE] P2. Enable WebM/MSE on systems with no MP4/H264 support. r=kentuckyfriedtakahe a=lizzard - 75d6468d0be1 |
Alessio Placitelli | Bug 1211404 - Limit the length of addon description (& other text fields) in Telemetry. r=gfritzsche, a=sylvestre - e31f1aa9d84d |
Jim Chen | Bug 1199658 - Add test for text duplication when JS resets input value; r=esawin, a=lizzard - eae5e25b18b5 |
Jim Chen | Bug 1199658 - Don't commit Java composition when Gecko side commits its composition; r=esawin, a=lizzard - 6a0b1216e1a5 |
Mark Finkle | Bug 1219447 - Add a UI Telemetry probe for the 'Add to Reading List' web context menu. r=margaret, a=sylvestre - e728e4f632e5 |
Mark Finkle | Bug 1219882 - Add a 'save.1' probe for the 'Bookmark Link' web context menu. r=margaret, a=sylvestre - a54630b3ac76 |
Andreas Pehrson | Bug 1216417 - Make sure audio output streams are created after adding an audio output. r=baku, r=roc, a=ritu, a=sylvestre - 37d6cc360023 |
Andreas Pehrson | Bug 1216417 - Add logging for audio and video output changes in MSG. r=roc, a=ritu, a=sylvestre - 09bdeec1b65c |
Timothy Nikkel | Bug 1219501 - In imagelib, initialize the number of cores to at least 1 in case of error. r=seth, a=ritu - 412a3f1e075f |
Timothy Nikkel | Bug 1219501 - Limit total number of image decoding threads to 32 regardless of number asked for. r=seth, a=ritu - c26f56bea5e9 |
Sebastian Kaspari | Bug 1182918 - Tab Queue: Add telemetry for double tap action. r=mfinkle, a=sylvestre - ee8a828b4974 |
Jim Chen | Bug 1213888 - Block LayerView descendants from interfering with focus. r=kats, a=ritu, a=sylvestre - 90cae878a97e |
Jed Davis | Bug 1207790 - Fix sandbox build for older Linux distributions. r=gdestuynder, a=sylvestre - 89e3c373b3a4 |
Kyle Machulis | Bug 1218952 - Add support for object tags to youtube telemetry tracking; r=cpeterson, a=sylvestre - be9dcc3b97b3 |
JW Wang | Bug 1220551. Part 1 - fix the parameters passed to mBufferedState->NotifyDataArrived(). r=jya, a=sylvestre - 9eb17d1e915c |
Gijs Kruitbosch | Bug 1221444, r=bz, a=sylvestre - 1692a311615d |
Mason Chang | Bug 1220699 - Add telemetry probe to measure vsync latency in the refresh driver in chrome process. r=avih, a=sylvestre - d681ec6fe6b2 |
Jim Chen | Bug 1219833 - Respect composition underline color; r=masayuki, a=sylvestre - cd32550ec7fe |
Neil Rashbrook | Bug 1211708 - Allow themes to specify XBL bindings even in unprivileged documents. r=sicking, a=sylvestre - 1a56a93a6292 |
Karl Tomlinson | Bug 1220037 - pack and unpack Nyquist for MOZ_LIBAV_FFT. r=padenot, a=sylvestre - ab27c2db7e68 |
Karl Tomlinson | Bug 1220037 - test convolution. r=padenot, a=sylvestre - d3b021968c63 |
Jean-Yves Avenard | Bug 1219134: P1. Fix pts calculation in FFmpeg video decoder. r=edwin a=sylvestre - ce3f2c696251 |
Jean-Yves Avenard | Bug 1219134: P2. Use LibAV/FFmpeg logic to detect invalid pts. r=edwin a=sylvestre - dc997e552ee6 |
Jean-Yves Avenard | Bug 1219134: P3. Properly set the keyframe flag. r=edwin a=sylvestre - 93eddf049b08 |
Jean-Yves Avenard | Bug 1219134: P4. Properly assign the decoded sample duration. r=edwin a=sylvestre - 0056c6a320b7 |
Timothy Nikkel | Bug 1199131 - Crash when click on a SELECT wich has at least 1 OPTION with background-attachment:fixed and a background. r=mstange, a=lizzard - c6d927b2b229 |
http://release.mozilla.org/statistics/43/2015/11/13/fx-43-b1-to-b2.html
|
Daniel Pocock: How much video RAM for a 4k monitor? |
I previously wrote about my experience moving to a 4K monitor.
I've been relatively happy with it except for one thing: I found that 1GB video RAM simply isn't sufficient for a stable system. This wasn't immediately obvious as it appeared to work in the beginning, but over time I've observed that it was not sufficient.
I'm not using it for gaming or 3D rendering. My typical desktop involves several virtual workspaces with terminal windows, web browsers, a mail client, IRC and Eclipse. Sometimes I use vlc for playing media files.
Using the nvidia-settings tool, I observed that the Used Dedicated memory statistic would frequently reach the maximum, 1024MB. On a few occasions, X crashed with errors indicating it was out of memory.
After observing these problems, I put another card with 4GB video RAM into the system and I've observed it using between 1024 MB and 1300 MB at any one time. This leaves me feeling that people with only basic expectations for their desktop should aim for at least 2GB video RAM for 4k.
That said, I've continued to enjoy many benefits of computing with a 4K monitor. In addition to those mentioned in my previous blog, here are some things that were easier for me with 4K:
You can do much of this with a pair of monitors, but there is something quite nice about doing it all on a single 4K screen.
|
Chris Finke: A visual refresh for Reenact |
After I released Reenact (an app for reenacting photos) last week, Joen Asmussen graciously offered to provide some professional design guidance. I could never say no to design help, and in almost no time at all, Joen put together a new look for Reenact. I love it, and it has given me extra motivation to get working on Reenact for Android.
This new look is now live on the Firefox Marketplace and will hopefully be making an appearance on other platforms soon. Thanks, Joen!
http://www.chrisfinke.com/2015/11/13/a-visual-refresh-for-reenact/
|
Support.Mozilla.Org: What’s up with SUMO – 13th November |
Hello, SUMO Nation!
Eeeek! It’s Friday the 13th – now you know why we had to launch Firefox for iOS on the 12th ;-) Huge thanks to everyone who contributed to the launch in one of the many possible ways, everywhere around the world – you made it great!
We salute you!
https://blog.mozilla.org/sumo/2015/11/13/whats-up-with-sumo-13th-november/
|
Daniel Pocock: Building teams around SIP and XMPP in Debian and Fedora |
I've recently started a discussion on the Fedora devel mailing list about building a team to collaborate on RTC services (SIP, XMPP, TURN and WebRTC) for the Fedora community. We already started a similar team within Debian.
This isn't only for developers or package maintainers and virtually anybody with a keen interest in free software can help. Testing different softphones and putting screenshots on the wiki can help a lot (the Debian wiki already provides some examples). The FedRTC.org site is not intended to be an advertisement for my web design skills and anybody with expertise in design would be very welcome to contribute.
Teamwork in this endeavor can provide many benefits:
There are also many opportunities for project work that go beyond traditional packaging responsibilities. Wouldn't it be interesting to find ways to integrate the publish/subscribe capabilities of SIP and XMPP with the Fedmsg infrastructure?
We recently launched XMPP for debian.org and it would not be hard to replicate for FedoraProject.org users. Sure, some people are happy running their own XMPP servers. There are just as many people who prefer to focus on development and have something like XMPP provided for them.
With the strong emphasis on building a roster/buddy-list, XMPP can also help to facilitate long-term engagement in the community and users may identify more closely with the project.
I haven't offered XMPP on the FedRTC.org trial service because it would be inconvenient for people to migrate buddy lists to the FedoraProject.org domain when the service is officially adopted.
There are various other places where we can share knowledge between teams in different communities and people are invited to participate.
The Free-RTC mailing list is a great place to discuss free RTC strategies and initiatives.
The XMPP operators mailing list provides a forum to discuss operational issues in the XMPP space, such as keeping out the spammers.
Please consider joining some of the mailing lists I've mentioned, replying to the thread on the Fedora devel mailing list, volunteering for the Debian RTC team or emailing me personally.
http://danielpocock.com/building-teams-around-sip-and-xmpp-in-debian-and-fedora
|
Emma Irwin: Mozilla at Grace Hopper Open Source Day |
This past October, thanks to Larissa Shapiro, I had the incredible opportunity of teaching Open Source Participation at Grace Hopper Open Source Day.
In recent years, I would say the primary focus of my contribution to Mozilla has been an effort to create educational offerings and experiences with real world value, through open source participation. And this event proved that – not only do people really want learning opportunities like this, but we can make the world a better place, and tech a more diverse environment in the process.
Some highlights in our success on this day:
We had a group of incredible mentors – I would have been lost without them. Special mention to Paula (post main photo) who created a virtual machine solution for those who struggled too long with their environments. Mentorship is absolutely key to an event like this, and the talented people that turned up have me dreaming of a mentorship team for all technical projects.
I chose the teach.mozilla.org website as a contribution project. Primarily because I had experience with the environment and codebase, and support from project team members: Mavis and Hannah who were kind enough to tag specific issues with ‘Grace Hopper’.
I also chose this project because I knew the technology was both easy to pick up, and had real world value in the job market. Finally, I knew the ‘Ready, Write, Participate’ message would resonate with a group of learners... learning to Participate :)
Our group was brilliant. I worried that some issues with environment (and we had quite a few) would dampen spirits, or result in people leaving. The opposite happened. Our group emerged in the very best way – a community and a team. When one woman overcame an issue with a node version, she rose to help others reach their own success as well. Experts in environments and issues emerged to mentor others, and by afternoon I had run out of ‘Grace Hopper’ tasks.
I had to remind at least one person to eat, and another woman, in the last 15 minutes of the event, was on her feet trying to fix one last issue before submitting her pull request. I was proud, and honoured to be part of a group so diverse (including a male mentor), that there was really no majority in the room. That is an amazing feeling.
Our group demoed their work, and it was a zen moment, to see this group describe not only their work overcoming obstacles, but what they accomplished and why the project mattered. Hope to be back again next year!
|
Air Mozilla: Declarative mobile web applications: an alternate approach for building Firefox OS UI |
Watch Aubrey Anderson talk about “Declarative mobile web applications: an alternate approach for building Firefox OS UI.” Aubrey is the founder and CEO of mono.hm....
|
Air Mozilla: Participation Call, 12 Nov 2015 |
The Participation Call helps connect Mozillians who are thinking about how we can achieve crazy and ambitious goals by bringing new people into the project...
|
Air Mozilla: Web QA Weekly Meeting, 12 Nov 2015 |
This is our weekly gathering of Mozilla's Web QA team filled with discussion on our current and future projects, ideas, demos, and fun facts.
|
Air Mozilla: Reps weekly, 12 Nov 2015 |
This is a weekly call with some of the Reps council members to discuss all matters Reps, share best practices and invite Reps to share...
|
Marco Zehe: Accessibility features in Firefox for iOS |
After ten months in development, Mozilla today released Firefox for iOS worldwide. Firefox for iOS is bringing your synchronized bookmarks, history and other information associated with your Firefox account to the iOS platform. Moreover, it is also going to record pages you visit in your history and sync these back to your Firefox on Windows, Linux, Mac, and even Android devices.
From the start, we also made sure that Firefox for iOS supports multiple features of the iOS platform. Here are some highlights:
Firefox for iOS supports VoiceOver. Since Apple’s app store rules force us to use the Safari rendering engine, that is accessible anyway. But we also made sure the browser’s UI, Settings views and other features all talk well with VoiceOver. Moreover, we also implemented audio cues to indicate page load progress and finish. Those of you using NVDA might feel a certain familiarity with these sounds.
https://www.marcozehe.de/2015/11/12/accessibility-features-in-firefox-for-ios/
|
Emily Dunham: Multiple languages on TravisCI |
Today I noticed an assumption which was making my life unnecessarily difficult: I assumed that if my .travis.yml said language: ruby on the first line, I was supposed to only run Ruby code from it.
Travis lets you run code much more arbitrary than that.
I did a bunch of tests on a toy repo to see what would happen if I ignored my preconceptions about how you can and can’t test stuff, and learned some interesting things:
This is especially useful when testing or deployment requires hitting an API whose libraries are most up to date in a language other than that of the project.
http://edunham.net/2015/11/12/multiple_languages_on_travisci.html
|
The Mozilla Blog: Firefox Users Can Now Choose Their Favorite Browser on iOS |
If you’re an iPhone, iPad, or iPod touch user you’ll be happy to learn that Firefox for iOS is now available in the App Store worldwide.
Firefox for iOS lets you take your favorite browser with you wherever you go with the Firefox features you already love including smart and flexible search, intuitive tab management, syncing with Firefox Accounts and Private Browsing.
You can use Firefox Accounts to sync your browsing history, tabs and passwords and bring bookmarks from your other devices to Firefox for iOS.
To make Firefox easy to reach on your iOS device you can add it to the dock on the bottom of your home screen.
I hope you enjoy the first ever release of Firefox for iOS, and expect to see much more from us soon as we are going full speed ahead on continuously delivering new features. I’m proud of the team for getting us to where we are today and excited about where we’ll be in the future.
Thanks for trying us out.
https://blog.mozilla.org/blog/2015/11/11/firefox-users-can-now-choose-their-favorite-browser-on-ios/
|