Air Mozilla: Rust and the Future of Systems Programming | Mozilla |
|
|
Firefox Nightly: These Weeks in Firefox: Issue 5 |
Here are the raw meeting notes that were used to derive this list.
Want to help us build Firefox? Get started here!
Here’s a tool to find some mentored, good first bugs to hack on.
https://blog.nightly.mozilla.org/2016/11/16/these-weeks-in-firefox-issue-5/
|
|
Air Mozilla: Weekly SUMO Community Meeting Nov. 16, 2016 |
This is the sumo weekly call
https://air.mozilla.org/weekly-sumo-community-meeting-nov-16-2016/
|
|
Mozilla Reps Community: New Reps Council members – Autumn 2016 |
We are happy to announce that the 4 new council members are fully on-boarded and already taken responsibilities to move the program forward.
A warm welcome to Flore, Alex, Adriano and Michael
https://blog.mozilla.org/mozillareps/2016/11/16/new-reps-council-members-autumn-2016/
|
|
Mozilla Addons Blog: Add-ons Update – 2016/11 |
Here’s the state of the add-ons world this month.
In the past month, 1,732 listed add-on submissions were reviewed:
There are 220 listed add-ons awaiting review.
If you’re an add-on developer and are looking for contribution opportunities, please consider joining us. Add-on reviewers are critical for our success, and can earn cool gear for their work. Visit our wiki page for more information.
The compatibility blog post for Firefox 51 is up, and the bulk validation should be run in the coming weeks. It’s worth pointing out that the Firefox 50 cycle will be twice as long, so 51 won’t be released until January 24th, 2017.
Multiprocess Firefox is now enabled for users without add-ons, and add-ons will be gradually phased in, so make sure you’ve tested your add-on and either use WebExtensions or set the multiprocess compatible flag in your add-on manifest.
As always, we recommend that you test your add-ons on Beta and Firefox Developer Edition to make sure that they continue to work correctly. End users can install the Add-on Compatibility Reporter to identify and report any add-ons that aren’t working anymore.
We would like to thank Andr'e Bargull, Meet Mangukiya, Jostein Kjonigsen, euleram, saintsebastian, Rob Wu , Andrew Terranova, Prasanth P, and Venkat Ganesan for their recent contributions to the add-ons world. You can read more about their work in our recognition page.
https://blog.mozilla.org/addons/2016/11/15/add-ons-update-89/
|
|
Mark Mayo: Three good name suggestions came in: 1) Browser Architectures Group — The BAG. |
We’re going with the BFG, for now. Post updated accordingly. :)
|
|
Project Tofino: Engineering update on Tofino |
We’ve spent several months testing UI concepts, understanding Electron’s relationship with the web, testing some architectural ideas, like…
|
|
Project Tofino: Introducing Datomish, a flexible embedded knowledge store |
Evolving storage is hard. Can we make it easier?
|
|
Mark Mayo: (Re)defining the Tofino Project |
TL;DR: s/Tofino/Browser Futures Group/
|
|
Andreas Gal: Will anyone in the GOP oppose a white supremacist in the White House? |
Update: After I posted this, 167 House Democrats signed a letter denouncing the appointment of Steve Bannon. But even more importantly, Lindsey Graham stated that he opposes any attempt to abandon Senate filibuster rules. This will allow Democrats to stop some Trump appointments if they can find another GOP senator who makes a similar pledge.
Yesterday our incoming president Donald Trump appointed white supremacist Steve Bannon to the White House. The Democratic party responded overwhelmingly … with silence, which highlights just how deeply broken and beaten the Democratic party is at the moment. While Nancy Pelosi posted a statement, the rest of the party is paralyzed and can’t get themselves to take a stance against a guy endorsed by the Ku Klux Klan and the American Nazi Party. I called Representative Speier and Senator Feinstein. Neither of them has a position on this matter. If the Democratic party has a hard time deciding whether to support or denounce the guy whose media outlet touts “Birth Control Makes Women Unattractive and Crazy” and “There’s No Hiring Bias Against Women in Tech, They Just Suck at Interviews”, I think we can abandon all hope that the Democratic Party will be any kind of checks and balances on Trump.
Our last and maybe only hope may be forces of reason within the GOP. I know thats a tall order. The vast majority of the Republican establishment is falling over themselves trying to appease Donald Trump, lead by Speaker Paul Ryan, who “has no concerns” about the appoint of Bannon. But as Ben Adida pointed out yesterday on twitter, there are a few GOP senators who have vocally criticized and denounced Trump before November 8 and maybe they’ll find the heart to be the patriots we need them to be at this hours.
2/ at this point GOP, you’re the only thing left in Trump’s way. You decide, @SenJohnMcCain @LindsayGrahamSC whether you want to enable him.
— Ben Adida (@benadida) November 15, 2016
Donald Trump is writing history by bringing the white nationalist agenda back into the White House. Anyone in the GOP who isn’t taking a stance against this is implicitly siding with the alt-right. Senator McCain, Senator Graham, is that how you want future generations to remember you?
|
|
K Lars Lohn: the Madness of the Internet |
http://www.twobraids.com/2016/11/the-madness-of-internet.html
|
|
Sean McArthur: Introducing Reqwest |
In web development, you can find resource after resource, framework after library, all helping you to build a web server. But what if you need to use a client? So many applications need to download something from the web, or to upload some data, and in many instances are left with the standard HTTP library to do it. That works, but it’s so much better to be able to reach for a tool that includes the batteries in the packaging. Several languages have something like this. Now Rust does too.
If you need to make HTTP requests in your application, you probably want to reach for reqwest.1
There are several parts of HTTP that we usually just want to happen for us automatically. For many of us, these extras are not something we’d consider ‘extra’, but just business-as-usual. This includes things like following redirects, connection pooling (keep-alive), JSON payloads, cookies, and more.
The 0.1 release includes some of these things already, and the missing parts should come in subsequent releases. To fetch a particular URL, it can be as simple as this:
let res = reqwest::get("https://rust-lang.org")?;
From there, maybe you just want to dump the page into the console:
::std::io::copy(&mut res, &mut ::std::io::stdout())?;
What about sending bodies in a POST request?
You could send the raw bytes of anything you want using the body() method of a RequestBuilder. But more likely, there are a couple of formats that are far more common that we just want to taken care of for us. 0.1 provides convenience methods for sending forms (urlencoded) and JSON data.
let client = reqwest::Client::new()?;
let res = client.post("https://httpbin.org/post")
.form(&[ ("foo", "bar"), ("baz", "quux") ])
.send()?;
Or you could build a HashMap and send that as a form instead. Indeed, the form() and json() methods take any value that implements Serialize, so you could even use a custom struct.
#[derive(Serialize)]
struct User {
name: String,
id: u64,
}
let user = User {
name: String::from("Sean"),
id: 42,
};
let res = client.post("https://httpbin.org/post")
.json(&user)
.send()?;
Easing the sending of multipart forms is a feature that will hopefully be added shortly in 0.2.
The way the reqwest crate handles TLS is similar to cURL. It uses the awesome new native-tls crate to make use of built-in-to-the-OS TLS implementations when they exist, and using the new OpenSSL 1.1 if it does not. For now, that means it will use security-framework on masOS, and schannel on Windows. It’s plausible that something like [rustls][] (or ring or something else) would eventually replace the OpenSSL backup in the future.
Blah blah, what does all that mean for you? That on whichever OS you happen to be using reqwest, it will try to provide the easiest experience for you when connecting to HTTPS websites.
Another reason to use reqwest is to ease the upcoming changes to hyper, which is adopting non-blocking IO. Many applications do not need to make thousands of requests. Many just need to make 1, or a few, and writing code in a blocking style is easier. Without the need to make thousands of requests, the benefits of non-blocking IO are fewer. So, reqwest::Client plans to always provide a blocking API. Even when hyper releases with non-blocking IO, reqwest will upgrade to it and still present the Client with the same API. Your code won’t need to change, but it will become more robust underneath.2
Others will likely want many of the convenient features of reqwest, but with non-blocking sockets instead. There will likely be a reqwest::AsyncClient or similar added as well.
Besides the eventual upgrade to non-blocking IO, the plan is that reqwest will gain other conveniences as well. Currently proposed ideas include:
The odd name is an unfortunate consequence of being late to the party. The request crate is effectively abandonware. I’ve tried reaching out to the author in various ways, but he seems to have disappeared from the internets. The requests crate (with an ’s’) also exists, but does seem to be actively developed.
|
|
The Mozilla Blog: Latest Firefox launches today |
The newest versions of Firefox for desktop and Android are available today. For information on what’s new with today’s release, check out the release notes. Also, keep an eye on this blog, as we have exciting Mozilla and Firefox news to share in the coming weeks.
Download the latest Firefox for desktop and Android and as always, let us know what you think.
https://blog.mozilla.org/blog/2016/11/15/latest-firefox-launches-today/
|
|
Nathan Froyd: efficiently passing the buck with needinfo requests |
A while back, Bugzilla added this great tool called needinfo requests: you set a flag on the bug indicating that a particular person’s input is desired. X will then get something dropped into their requests page and a separate email notifying them of the needinfo request. Then, when X responds, clearing the needinfo request, you get an email notifying you that the request has been dealt with. This mechanism works much better than merely saying “X, what do you think?” in a bug comment and expecting that X will see the comment in their bugmail and respond.
My needinfo-related mail, along with all review-related mail, gets filtered into a separate folder in my email client. It is then very obvious when I get needinfo requests, or needinfo requests that I have made have been answered.
Occasionally, however, when you get a needinfo, you will not be the correct person to answer the question, and you will need to needinfo someone else who has the appropriate knowledge…or is at least one step closer to providing the appropriate knowledge.
There is a right way and a wrong way to accomplish this. The wrong way is to clear your own needinfo request and request needinfo from someone else:
Why is this bad? Because the original requester will receive a notification that request has been dealt with appropriately, when it has not! So now they have to remember to watch the bug, or poll their bugmail, or similar to figure out when their request has been dealt with. Additionally, you’ll get an email notification when your needinfo request has been answered, which you don’t necessarily want.
The right way (which I just discovered this week) is to uncheck the “Clear the needinfo request” box, which turns the second checkbox into a “Redirect my needinfo request”:
This method appropriately redirects the needinfo without notifying the original requester, and the original requester will (ideally) now receive a notification only when the request has been dealt with.
https://blog.mozilla.org/nfroyd/2016/11/15/efficiently-passing-the-buck-with-needinfo-requests/
|
|
Chris H-C: Data Science is Hard – Case Study: What is a Firefox Crash? |
In the past I’ve gone on at length about the challenge of getting timely data to determine Firefox release quality with respect to how often Firefox crashes. Comparatively I’ve spent essentially no time at all on what a crash actually is.
A crash (broadly) is what happens when a computer process encounters an error it cannot recover from. Since it cannot recover, the system it is running within ends the process abruptly.
Not all crashes are equal. Not all crashes mean the same thing to users and to release managers and to computer programmers.
If you are in the middle of drafting an email and the web page content suddenly goes blank and says “Sorry, this tab has crashed.” then that’s a big deal. It’s even worse if the entire browser disappears without warning.
But what if Firefox crashes, but only after it has mostly shut down? Everything’s been saved properly, but we didn’t clean up after ourselves well. This is a crash (technically), but does it really matter to a user?
What if the process that contains Flash crashes and web advertisements stop working? It can be restarted without too much trouble, and no one likes ads, so is it really that bad of a thing?
And on top of these families of events, there are other horrible things that can happen to users we might want to call “crashes” even though they aren’t. For instance: what if the browser becomes completely unresponsive and the user has no recourse but to close it? The process didn’t encounter a fatal error, but that user’s situation is the same: Something weird happened, and now their data is gone.
Generally speaking, I look at four classes of crash: Main Crashes (M), Content Crashes (C), Content Shutdown Crashes (S), and Plugin Crashes (P).
In my opinion, the most reliable indicator of Firefox’s stability and quality is M + C – S. In plain English, it is the sum of the events where the whole Browser goes poof or the Web Content inside the browser goes poof, ignoring the times when the Web Content goes poof after the user has decided to shut down the browser.
It doesn’t include Plugin crashes, as those are less obtrusive and more predicted by the plugin code, not Firefox code. It does include some events where Firefox became unresponsive (or “hangs” for short) and had to be terminated.
This, to my mind, most accurately encompasses a measure of Firefox quality. If the number of these crashes goes up, that means there are more times where more users are having less fun with Firefox. If the number of these crashes goes down, that means there are fewer times that fewer people are having less fun with Firefox.
It doesn’t tell the whole story. What good is a not-crashing browser if it doesn’t scroll when you ask it to? What good is a stable piece of web content if half of it is missing because we don’t support it? What good is a Firefox that is open all the time if it takes twice as long to load the web pages you care about?
But it gives us one very important part of the Firefox Quality story, and that’s good enough for me.
:chutten
|
|
Tantek Celik: Managing Stress, Anger, Grief, To Be Useful And Productive |
A friend overseas asked me how am I “managing stress-anger-grief so as to be useful and productive”, in the context of the disappointing US Presidential election result.
I txted her the following, which I’ve expanded and structured here in the hopes that some of these techniques will help others too.
Start every day with a solid morning self-care routine.
Wake up before sunrise. Drink water, take vitamins, brush your teeth. Eat a small healthy snack or drink.
Do some yoga, or go for a run, or both. At least a 15 minute walk outside near your home, up a hill, by the water, through some trees.
Shower and brainstorm actions for the day. Eat a proper breakfast.
Execute on things that matter, and continuously let go of (ignore), cut, get rid of distractions, noise, unnecessary things.
Feed your body and mind nourishing food and information, not sugary things that spike blood sugars (and emotions), nor inflammatory media (nor status update social streams, instead, read thoughtful blogs). Eat modest meals regularly and in a timely fashion. Eat dinner early, get to bed early.
Show even more kindness to everyone who is obviously hurting.
There’s no time to to let stress or anger distract from all we must do.
When emotions help motivate, tap into them, when they distract, take a break to breathe, relax, take a walk, get fresh air, let go, and refocus.
Then get back to work.
Keep spending time with people you care for, and doing & making plans for all things you appreciate & enjoy so you keep in mind & heart everything you’re fighting for.
That’s a good start. In addition to all that, try to write something constructive every day, if not publicly, at least for yourself, or to friends & family.
http://tantek.com/2016/320/b1/managing-stress-anger-grief-be-productive
|
|
This Week In Rust: This Week in Rust 156 |
Hello and welcome to another issue of This Week in Rust! Rust is a systems language pursuing the trifecta: safety, concurrency, and speed. This is a weekly summary of its progress and community. Want something mentioned? Tweet us at @ThisWeekInRust or send us a pull request. Want to get involved? We love contributions.
This Week in Rust is openly developed on GitHub. If you find any errors in this week's issue, please submit a PR.
Announcing Rust 1.13. novemb.rs, the distributed Rust hackfest, is happening this weekend. If you would like to participate, please refer to the website for a local meetup or for a chat to get in contact with other Rustceans. Note that if you want to attend a meetup, you should check on Friday for most up-to-date information.
No crate was selected for CotW.
Always wanted to contribute to open-source projects but didn't know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!
Some of these tasks may also have mentors available, visit the task page for more information.
.lines() returns an error.If you are a Rust project owner and are looking for contributors, please submit tasks here.
152 pull requests were merged in the last week.
.. in tuple (struct) patterns.{into,from}_raw to Rc and Arc.#[macro_reexport]ing custom derives.Default for Duration.Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week:
Every week the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now. This week's FCPs are:
ptr::read_unaligned and ptr::write_unaligned, which allows reading/writing to an unaligned pointer.Style RFCs are part of the process for deciding on style guidelines for the Rust community and defaults for Rustfmt. The process is similar to the RFC process, but we try to reach rough consensus on issues (including a final comment period) before progressing to PRs. Just like the RFC process, all users are welcome to comment and submit RFCs. If you want to help decide what Rust code should look like, come get involved!
PRs:
Ready for PR:
Final comment period:
Other notable issues:
If you are running a Rust event please add it to the calendar to get it mentioned here. Email the Rust Community Team for access.
No jobs listed for this week.
Tweet us at @ThisWeekInRust to get your job offers listed here!
Now higher-kinded types especially are one of those PL topics that sound forebodingly complex and kind of abstract (like monads). But once you learn what it is, you realize it’s actually relevant to your life (unlike monads).
— @nikomatsakis invoking the M word in his blog post.
Thanks to Japaric for the suggestion.
Submit your quotes for next week!
This Week in Rust is edited by: nasa42, llogiq, and brson.
https://this-week-in-rust.org/blog/2016/11/15/this-week-in-rust-156/
|
|
Aki Sasaki: scriptworker 1.0.0b1 - chain of trust verification |
As I mentioned before, scriptworkers allow for more control and auditability around sensitive release-oriented tasks in Taskcluster. The Chain of Trust allows us to trace requests back to the tree and verify each previous task in the chain.
We have been generating Chain of Trust artifacts for a while now. These are gpg-signed json blobs with the task definition, artifact shas, and other information needed to verify the task and follow the chain back to the tree. However, nothing has been verifying these artifacts until now.
With the latest scriptworker changes, scriptworker follows and verifies the chain of trust before proceeding with its task. If there is any discrepancy in the verification step, it marks the task invalid before proceeding further. This is effectively a second factor to verify task request authenticity.
1.0.0b1 is largely two pull requests: scriptworker.yaml, which allows for more complex, commented config, and chain of trust verification, which grew a little large (275k patch !).
This is running on signing scriptworkers which sign nightlies on date-branch. We still need to support and update the other scriptworker instance types to enable end-to-end chain of trust verification.
|
|
Mozilla Privacy Blog: Time for a Conversation about Government Hacking |
Mozilla and Stanford’s Center for Internet and Society recently hosted the first in a series of discussion events about government hacking. From the San Bernardino case, in which the FBI exploited a security flaw to break into an iPhone, to the Shadow Broker’s leaks involving the public disclosure of NSA hacking tools, government hacking is now constantly in the news. This activity raises a host of challenging questions that our event series is dedicated to tackling.
The first event focused on proposed changes to Federal Rule of Criminal Procedure 41, which will allegedly expand law enforcement’s authority to hack its targets. You can find excerpts of that event below. This event was a wonkfest, so if you want all the details and are prepared to get deep into the weeds, watch the full video here.
Cybersecurity is a shared responsibility. One unique element of this discussion series is that we are pulling together many of the industry, government, and civil society players who share that responsibility. And we have done so, consistent with Mozilla’s commitment to transparency, in an open forum, so everybody can benefit from the expertise on display.[quotes/clips could fit here then]
Our next event on November 16th will focus on the process the government uses to determine if and when it should exploit security vulnerabilities to hack its target or disclosure those vulnerabilities to make everybody safer. We’ve assembled an all star panel for this topic. Check out the events page for more detail and to RSVP. If you can’t make it, we’ll share another blog post and video recap here.
Joseph Hall, CDT’s Chief Technology Officer, on online vs offline searches:
FBI Deputy General Counsel Greg Browser provides an overview of the issue:
Richard Salgado, Google’s Director for information security and law enforcement, on reciprocity:
Jennifer Granick, CIS Director of Civil Liberties, summarizing points of agreement:
https://blog.mozilla.org/netpolicy/2016/11/14/time-for-a-conversation-about-government-hacking/
|
|
Air Mozilla: Privacy Lab - November 2016 - Privacy Around the World |
At Santa Clara University Location: Santa Clara Law School, The Williman room in the Benson (Student Center) Building
https://air.mozilla.org/privacy-lab-privacy-around-the-world-2016-11-14/
|
|