Python

Does Python Need to Change? (zdnet.com) 233

The Python programming language "is a big hit for machine learning," read a headline this week at ZDNet, adding "But now it needs to change."

Python is the top language according to IEEE Spectrum's electrical engineering audience, yet you can't run Python in a browser and you can't easily run it on a smartphone. Plus no one builds games in Python these days. To build browser applications, developers tend to go for JavaScript, Microsoft's type-safety take on it, TypeScript, Google-made Go, or even old but trusty PHP. On mobile, why would application developers use Python when there's Java, Java-compatible Kotlin, Apple's Swift, or Google's Dart? Python doesn't even support compilation to the WebAssembly runtime, a web application standard supported by Mozilla, Microsoft, Google, Apple, Intel, Fastly, RedHat and others.

These are just some of the limitations raised by Armin Ronacher, a developer with a long history in Python who 10 years ago created the popular Flask Python microframework to solve problems he had when writing web applications in Python. Austria-based Ronacher is the director of engineering at US startup Sentry — an open-source project and tech company used by engineering and product teams at GitHub, Atlassian, Reddit and others to monitor user app crashes due to glitches on the frontend, backend or in the mobile app itself... Despite Python's success as a language, Ronacher reckons it's at risk of losing its appeal as a general-purpose programming language and being relegated to a specific domain, such as Wolfram's Mathematica, which has also found a niche in data science and machine learning...

Peter Wang, co-founder and CEO of Anaconda, maker of the popular Anaconda Python distribution for data science, cringes at Python's limitations for building desktop and mobile applications. "It's an embarrassing admission, but it's incredibly awkward to use Python to build and distribute any applications that have actual graphical user interfaces," he tells ZDNet. "On desktops, Python is never the first-class language of the operating system, and it must resort to third-party frameworks like Qt or wxPython." Packaging and redistribution of Python desktop applications are also really difficult, he says.

Firefox

Firefox 'Site Isolation' Feature Enters User Testing, Expected Next Year (zdnet.com) 14

An anonymous reader shares a report: Site Isolation is a modern browser security feature that works by separating each web page and web iframes in their own operating system process in order to prevent sites from tampering or stealing with each other's data. The feature was first deployed with Google Chrome in mid-2018, with the release of Chrome 67. Although initially, Site Isolation was meant to be deployed as a general improvement to Chrome's security posture, the feature came just in time to serve as a protective measure against the Spectre vulnerability impacting modern CPUs. Seeing the feature's success, Mozilla also announced plans to support it with the Firefox browser in February 2019, as part of an internal project codenamed Fission.

For both Google and Mozilla, implementing Site Isolation was a time-consuming operation, requiring engineers to re-write large chunks of their browsers' internal architecture. The process took about two years for both Google and Mozilla. While Site Isolation is now a stable feature inside Chrome, this work is now nearing its completion inside Firefox. According to an update to the Project Fission wiki page, Site Isolation can now be enabled inside versions of Firefox Nightly, the Firefox version where new features are tested.

Mozilla

Mozilla Fears 'Collateral Damage' in Google Antitrust Case (venturebeat.com) 73

Mozilla has responded to the U.S. Department of Justice's antitrust lawsuit against Google, but rather than commending the DOJ's action, the Firefox browser maker has voiced concerns that its commercial partnership could make it "collateral damage" in the fight against Google's alleged monopolistic practices. From a report: The DOJ, with support from 11 U.S. states, confirmed yesterday that it is suing Google for allegedly violating anti-competition laws by crowding out rivals in the internet search and advertising markets. "Small and independent companies such as Mozilla thrive by innovating, disrupting, and providing users with industry-leading features and services in areas like search," Mozilla chief legal officer Amy Keating wrote in a blog post. "The ultimate outcomes of an antitrust lawsuit should not cause collateral damage to the very organizations -- like Mozilla -- best positioned to drive competition and protect the interests of consumers on the web."

Mozilla has a long and complicated history with Google. In recent years, Mozilla has launched countless privacy campaigns against the internet giant's various online properties, and just last month it introduced a new browser add-on to crowdsource research into YouTube's opaque recommendation algorithm. On the other hand, Mozilla relies heavily on royalties from a search engine partnership with Google. The duo recently extended their deal to make Google the default search engine inside Firefox in the U.S. and other markets, which will reportedly secure Mozilla up to $450 million over the next three years.

Firefox

Firefox 81 Released, Can Now Be Your Default Browser in iOS (engadget.com) 34

Engadget reports: One big benefit of iOS 14 is that you can set non-Apple-made apps as your default, including for email and web browsing. Hot on the heels of you being able to set Chrome and Gmail as your clients of choice, Firefox is enabling you to make its browser the default on iPhones and iPads. Naturally, you'll need to have both the latest version of the operating system and the apps, and then just make the switch inside settings.
Meanwhile, Bleeping Computer profiles some of the new features in this week's release of Firefox 81, including:
  • The ability to control videos via your headset and keyboard even if you're not using Firefox at the time
  • A new credit card autofill feature for Firefox users in the U.S. and Canada
  • A new theme called AlpenGlow
  • Firefox can now be set as the default system PDF viewer

Firefox

Bug Allowed Hijacking Other Firefox Mobile Browsers on the Same Wi-Fi Network (zdnet.com) 15

"Mozilla has fixed a bug that can be abused to hijack all the Firefox for Android browsers on the same Wi-Fi network and force users to access malicious sites, such as phishing pages," reports ZDNet: The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab. The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (i.e., such as sharing video streams with a Roku device).

When devices are found, the Firefox SSDP component gets the location of an XML file where that device's configuration is stored. However, Moberly discovered that in older versions of Firefox, you could hide Android "intent" commands in this XML and have the Firefox browser execute the "intent," which could be a regular command like telling Firefox to access a link...

The bug was fixed in Firefox 79; however, many users may not be running the latest release. Firefox for desktop versions were not impacted.

Firefox

Firefox Usage is Down 85% Despite Mozilla's Top Exec Pay Going Up 400% (calpaterson.com) 169

Software engineer Cal Paterson writes: Mozilla recently announced that they would be dismissing 250 people. That's a quarter of their workforce so there are some deep cuts to their work too. The victims include: the MDN docs (those are the web standards docs everyone likes better than w3schools), the Rust compiler and even some cuts to Firefox development. Like most people I want to see Mozilla do well but those three projects comprise pretty much what I think of as the whole point of Mozilla, so this news is a a big let down. The stated reason for the cuts is falling income. Mozilla largely relies on "royalties" for funding. In return for payment, Mozilla allows big technology companies to choose the default search engine in Firefox - the technology companies are ultimately paying to increase the number of searches Firefox users make with them. Mozilla haven't been particularly transparent about why these royalties are being reduced, except to blame the coronavirus. I'm sure the coronavirus is not a great help but I suspect the bigger problem is that Firefox's market share is now a tiny fraction of its previous size and so the royalties will be smaller too - fewer users, so fewer searches and therefore less money for Mozilla.

The real problem is not the royalty cuts, though. Mozilla has already received more than enough money to set themselves up for financial independence. Mozilla received up to half a billion dollars a year (each year!) for many years. The real problem is that Mozilla didn't use that money to achieve financial independence and instead just spent it each year, doing the organisational equivalent of living hand-to-mouth. Despite their slightly contrived legal structure as a non-profit that owns a for-profit, Mozilla are an NGO just like any other. In this article I want to apply the traditional measures that are applied to other NGOs to Mozilla in order to show what's wrong. These three measures are: overheads, ethics and results.

Mozilla

Mozilla WebThings IoT Platform Spun Out As an Independent Open Source Project (mozilla.org) 4

tola writes: Following a round of layoffs at Mozilla, their WebThings IoT platform is being spun out as an independent open source project by former employees, with a new commercial sponsor. WebThings is an open platform for monitoring and controlling devices over the web, built on W3C Web of Things standards. It includes WebThings Gateway which is a software distribution for smart home gateways focused on privacy, security and interoperability and the WebThings Framework which is a collection of re-usable software components to help developers build their own web things. The project will be renamed from "Mozilla WebThings" to "WebThings" and will move to a new home at https://webthings.io/ Users will be able to opt-in to receive software updates from the new community run update servers and be offered the opportunity to transition to a replacement remote tunnelling service before Mozilla servers are shut down at the end of the year.
Java

Oracle's Plan to Keep Java Developers from Leaving for Rust and Kotlin (zdnet.com) 90

ZDNet reports: Oracle has released version 15 of Java, the language created 25 years ago by James Gosling at Sun Microsystems, which Oracle snapped up in 2009 for about $7.4bn to gain what it said was the "most important software Oracle has ever acquired". Java 15, or Oracle Java Development Kit (JDK) 15, brings the Edwards-Curve digital signature algorithm, hidden classes, and former preview features that have been finalized, including text blocks, and the Z Garbage Collector, while the sealed-classes feature arrives and pattern matching and records emerge as a second preview...

In July, Java fell out of RedMonk's top two positions for the first time since 2012 and now resides behind JavaScript and Python in terms of popularity. Tiobe in September ranked Java in second position, behind C and ahead of Python.... But Java is still hugely popular and widely used in the enterprise, according to Oracle, which notes it is used by over 69% of full-time developers worldwide... It counts Arm, Amazon, IBM, Intel, NTT Data, Red Hat, SAP and Tencent among its list of notable contributors to JDK 15. Oracle also gave a special mention to Microsoft and cloud system monitoring service DataDog for fixes...

As part of Java's 25th anniversary, Oracle commissioned analyst firm Omdia to assess its six-month release strategy for Java and whether it would be enough to keep millions of Java developers away from memory-safe alternatives such as Kotlin, the language Google has endorsed for Android development, and Rust, a system programming language that was created at Mozilla. "In Omdia's opinion, the work Oracle began a few years ago in moving to a six-month update cycle and introducing a new level of modularity, puts the vendor in good stead with its constituency of approximately 12 million developers," Oracle said in its report on Omdia's analysis.

"However, Oracle and the Java programming language need an ongoing series of innovative, must-have, and 'delightful' features that make the language even more user friendly and cloud capable. These will keep existing Java developers happy while steering potential Java developers away from newer languages like Rust and Kotlin."

Mozilla

Mozilla Shuts Down Firefox Send and Firefox Notes Services (zdnet.com) 27

Mozilla is shutting down two of its legacy products, Firefox Send and Firefox Notes, the company announced today. From a report: "Both services are being decommissioned and will no longer be a part of our product family," a Mozilla spokesperson told ZDNet this week. Of the two, the most beloved was Firefox Send, a free file-sharing service, and one of the few that supported sharing files in encrypted formats. Launched in March 2019, the service gained a dedicated fanbase but Send was taken offline earlier this summer after ZDNet reported on its constant abuse by malware groups. At the time, Mozilla said that Send's shutdown was temporary and promised to find a way to curb the service's abuse in malware operations. But weeks later, things changed after Mozilla leadership laid off more than 250 employees as part of an effort to re-focus its business on commercial products.
Mozilla

YouTube's Recommendation System is Criticized as Harmful. Mozilla Wants To Research It (cnet.com) 84

YouTube's video recommendation system has been repeatedly accused by critics of sending people down rabbit holes of disinformation and extremism. Now Mozilla, the nonprofit that makes the Firefox browser, wants YouTube's users to help it research how the controversial algorithms work. From a report: Mozilla on Thursday announced a project that asks people to download a software tool that gives Mozilla's researchers information on what video recommendations people are receiving on the Google-owned platform. YouTube's algorithms recommend videos in the "What's next" column along the right side of the screen, inside the video player after the content has ended, or on the site's homepage. Each recommendation is tailored to the person watching, taking into account things like their watch history, list of channel subscriptions or location. The recommendations can be benign, like another live performance from the band you're watching. But critics say YouTube's recommendations can also lead viewers to fringe content, like medical misinformation or conspiracy theories.
Chrome

How to Play Chrome's Hidden 'Dinosaur Game' and Firefox's 'Unicorn Pong' (howtogeek.com) 28

How-To Geek has discovered three of the world's most popular web browsers contain Easter Eggs: It seems like every browser has a hidden game these days. Chrome has a dinosaur game, Edge has surfing, and Firefox has . . . unicorn pong? Yep, you read that right — here's how to play it.

First, open Firefox. Click the hamburger menu (the three horizontal lines) at the upper right, and then click "Customize." On the "Customize Firefox" tab, you'll see a list of interface elements to configure the toolbar. Click and drag all the toolbar items except "Flexible Space" into the "Overflow Menu" on the right.

Click the Unicorn button that appears at the bottom of the window....

There's screenshots in the article illustrating all of the steps — and the result.
Programming

C++ is About To Get a Huge Update (zdnet.com) 217

ZDNet reports: The International Organization for Standardization's (ISO) C++ group, Working Group 21 (WG21), has agreed upon the finalized version of 'C++20', the first major update to the 35 year-old programming language since C++17 from 2017... The 2020 release of C++ is huge by historical standards. Herb Sutter, a Microsoft engineer and long-time chair of WG21 C++ ISO committee, said it "will be C++'s largest release since C++11", meaning it's bigger than any of the past three releases, which happen every three years. It's also the first version that has been standardized....

Two of the most important features coming to C++20 are "modules" and "coroutines". Modules, which was led by Google's Richard Smith, stands in for header files and helps isolate the effects of macros while supporting larger builds. As Sutter noted recently, C++20 marks the "first time in about 35 years that C++ has added a new feature where users can define a named encapsulation boundary...."

Coroutines represents a generalization of a function. "Regular functions always start at the beginning and exit at the end, whereas coroutines can also suspend the execution to be resumed later at the point where they were left off," C++ contributors explain in a proposal for coroutines.

"We expect it to be formally published toward the end of 2020," Sutter said said in an announcement.

Interestingly, the year C++ was first released in 1985, Microsoft used it to build Windows 1.0, ZDNet points out. "These days Microsoft is exploring Mozilla-developed Rust to replace legacy Windows code written in C and C++ because of Rust's memory safety qualities."
Firefox

Is There A Google-Free Future For Firefox? (forbes.com) 99

Forbes reports: Firefox is exploring subscriptions and other "value exchange" services to ease its financial dependence on rival Google, according to the browser's lead developer.

Firefox maker, Mozilla, is in the uneasy position of being financially dependent on its search deal with Google, which accounts for the majority of the organization's revenue. Although Mozilla only last month renewed the search deal, ensuring Google remains the default search engine for Firefox in the U.S. and other territories, the company is keen to explore other ways of raising revenue, including charging users for services.

Mozilla's partnership with Google is an uncomfortable alliance, not only because the companies distribute rival browsers, but because their values are markedly different. While Google generates the vast bulk of its revenue from online advertising, Firefox's developers expend much of their effort creating tools that thwart advertisers, including the automatic blocking of third-party tracking tools and social-media trackers. "At Mozilla, we tend to believe things are at their best when users have this transparent value exchange," said Dave Camp, senior vice president of Firefox at Mozilla. "The advertising model has become a default way to fund things on the internet and to fund products, and we're pretty interested — not just for financial reasons, but actually for health of the internet reasons — to explore how can we do better for users than advertising."

Mozilla recently began charging users $4.99 per month for its VPN product and Camp says the company is exploring other subscription products. "We don't have any immediate plans in the Firefox team to do add-on services or anything like that at the moment, but we're going to look at other ways to get some value exchange going on," said Camp.

Cloud

AWS Introduces a Rust Language-Oriented Linux for Containers (zdnet.com) 35

An anonymous reader shares this enthusiastic report from ZDNet: Earlier this year, Linus Torvalds approved of adding drivers and other components in Rust to Linux.* Last week, at the virtual Linux Plumbers Conference, developers gave serious thought to using the Rust language for new Linux inline code. ["Nothing firm has been determined yet," reported Phoronix, "but it's a topic that is still being discussed."] And, now Amazon Web Services (AWS) has announced that its just-released Bottlerocket Linux for containers is largely written in Rust.

Mozilla may have cut back on Rust's funding, but with Linux embracing Rust, after almost 30-years of nothing but C, Rust's future is assured. Rust was chosen because it lends itself more easily to writing secure software. Samartha Chandrashekar, an AWS Product Manager, said it "helps ensure thread safety and prevent memory-related errors, such as buffer overflows that can lead to security vulnerabilities." Many other developers agree with Chandrashekar.

Bottlerocket also improved its security by using Device-mapper's verity target. This is a Linux kernel feature that provides integrity checking to help prevent attackers from overwriting core system software or other rootkit type attacks. It also includes the extended Berkeley Packet Filter (eBPF), In Linux, eBPF is used for safe and efficient kernel function monitoring.

* Linus's exact words were "people are actively looking at, especially doing drivers and things that are not very central to the kernel itself, and having interfaces to do those, for example, in Rust. People have been looking at that for years now. I'm convinced it's going to happen one day."

The article also reminds readers that AWS's Bottlerocket "is also designed to be quick and easy to maintain... by including the bare essentials needed to run containers..."

"Besides its standard open-source elements, such as the Linux kernel and containerd container runtime, Bottlerocket's own code is licensed under your choice of either the Apache 2.0 or the MIT license."
Firefox

Firefox Will Add a New Drive-by-Download Protection (zdnet.com) 31

Mozilla will add a new security feature to Firefox in October that will make it harder for malicious web pages to initiate automatic downloads and plant malware-laced files on a user's computer. From a report: Called a drive-by download, this type of attack has been around for two decades and usually takes place when users visit a website that contains malicious code placed there by an attacker. The role of the malicious code is to abuse legitimate features in browsers and web standards to initiate an automatic file download or download prompt, in the hopes of tricking the user into running a malicious file. There are multiple forms of drive-by downloads, depending on the browser feature attackers decide to use. Browsers like Chrome, Firefox, and Internet Explorer have, across the years, gradually deployed various forms of protections against automatic drive-by downloads, but 100% protection can't be fully achieved because browser makers can't fully block legitimate web features and also because of the shifting landscape of web attacks, with attackers always finding a new hole to poke at.
Privacy

Your Browsing History Can Uniquely Identify You (schneier.com) 32

An anonymous reader writes: Researchers from Mozilla report in a study that web browsing histories (the lists of user visited websites) are uniquely identifying users (PDF). In their study that was the case for 99% of users. Treating web browsing histories like fingerprints, the researchers analysed how the users can be reidentified just based on the coarsened list of user-visited websites.

In doing so they upheld and confirmed a previous study from 2012, prompting the author of the original study to say that web browsing histories are now personal data subject to privacy regulations like the GDPR.

Sensitivity of web browsing history data questions the laws allowing ISPs to sell web browsing histories.

The now-vindicated author of the 2012 study added this emphatic note in their blog post. "Web browsing histories are personal data. Deal with it."
The Internet

A Quarter of the Alexa Top 10K Websites Are Using Browser Fingerprinting Scripts (zdnet.com) 13

An anonymous reader quotes a report from ZDNet: A browser fingerprinting script is a piece of JavaScript code that runs inside a web page and works by testing for the presence of certain browser features. In an academic paper published earlier this month, a team of academics from the University of Iowa, Mozilla, and the University of California, Davis, has analyzed how popular browser fingerprinting scripts are used today by website operators. Using a machine learning toolkit they developed themselves and named FP-Inspector, the research team scanned and analyzed the top 100,000 most popular websites on the internet, according to the Alexa web traffic ranking.

"We find that browser fingerprinting is now present on more than 10% of the top-100K websites and over a quarter of the top-10K websites," the research team said. However, the research team also points out that despite the large number of websites that are currently using browser fingerprinting, not all scripts are used for tracking. Some fingerprinting scripts are also used for fraud detection since automated bots tend to have the same or similar fingerprints, and fingerprinting scripts are a reliable method of detecting automated behavior. Additional details about the team's research can be found in a paper named "Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors," set to be presented at the IEEE Symposium on Security and Privacy, next year, in May 2021.
If you're concerned about the findings, you can block fingerprinting scripts by enabling anti-fingerprinting protections in your respective browser settings or by installing an ad blocker extension.
Firefox

Firefox Android Build That Caused Issues Is Working As Intended (theregister.com) 88

Today, Mozilla launched the updated Firefox Android app with a version that many thought was a beta because it was full of bugs and UI issues. According to The Register, this was a deliberate software release and is the new version of Firefox for Android, which is set to hit the UK today, August 25, and the U.S. on the 27th. From the report: A Reg reader yesterday alerted us to an August 20 version bump that was causing so many problems, our tipster thought it was a beta that had gone seriously awry. "To sum it up, on 20th of August, Firefox 79 was unexpectedly forced on a large batch of Firefox 68 Android users without any warning, way to opt out or roll back," our reader reported. "A lot got broken in the process: the user interface, tabs, navigation, add-ons." Meanwhile, the Google Play store page for the completely free and open-source Firefox has a rash of one-star reviews echoing similar complaints: after the upgrade, little seemed to work as expected. "This is the worst 'upgrade' I've ever experienced," said netizen Martin Lindenmayer. "My main gripe is that there is no back button (to return to your previous page) anymore."

What's happened is this: the last stable version of Firefox for Android was version 68, released in 2019. For over a year, Mozilla has been working on an overhaul of its browser in a project code-named Fenix. Moz has slowly rolled out the result of its work to netizens in preview and beta form -- and since the end of July, as a proper release: version 79. This new stable version is what appeared on people's devices. As well as changes to the user interface and many new features that have thrown some users, it is also missing support for all extensions. In fact, by last count, only nine add-ons are supported so far, though this is expected to increase over time. The browser has also adopted Mozilla's GeckoView engine.
If you accidentally updated the app and would like to roll back the update, you won't be able to. "[O]nce you've upgraded to the new browser, you won't be able to return to the old browser," says Mozilla.

For more information about the upgrade process, you can check out the browser's FAQ page.
Android

Firefox Daylight For Android Arrives With Enhanced Tracking Protection, New UI (venturebeat.com) 54

An anonymous reader writes: After more than a year of development, Mozilla today launched Firefox 79 for Android, branded Firefox Daylight. Like with Firefox 57 Quantum, Firefox Daylight gets its own name as it marks "a new beginning for our Android browser." The new version is "an entirely overhauled, faster, and more convenient product." Firefox Daylight includes Enhanced Tracking Protection on by default, a new user interface, Mozilla's own mobile browser engine GeckoView, and a slew of new features. Mozilla is rolling out the new Firefox for Android globally, starting in Germany, France, and the U.K. today, and North America starting August 27.
Open Source

Open Source Sustainability is Really a People Problem (infoworld.com) 58

Matt Asay, a former COO of Canonical now working at AWS, argues that the question of open source sustainability "is really a people problem."

But to make the case, he cites comments by Tobie Langel, formerly W3C's testing lead (and a former member of Facebook's Open Source and Web Standards Team) who's now founded an open-source strategies consulting firm whose clients include Mozilla, Intell, Google, and Microsoft. Much of the "open source sustainability" discussion has focused on the one thing that really needs no help being sustained: software. As Tobie Langel rightly points out, "Open source code isn't a scarce resource. It's the exact opposite, actually: It's infinitely reproducible at zero cost to the user and to the ecosystem." Nor is sustainability really a matter of funding, though this gets closer to the truth.

No, open source sustainability is really a people problem. Or, as Langel highlights, "In open source, the maintainers working on the source code are the scarce resource that needs to be protected and nurtured."

Over the past several weeks, I've interviewed a number of maintainers for popular open source projects. In every case, they talked about how they contribute because it's fun, but also acknowledged that some aspects of open source development can make it decidedly "un-fun" (e.g., demanding users who complain about missing features or existing bugs but don't contribute code or fixes). Most have found ways to turn their passion into financial independence, but Langel stresses that cash is critical to keeping open source humming along... "Without revenue, there is no maintenance, and without maintenance, the commons becomes toxic very quickly... As new security issues are discovered, open source code that isn't updated becomes a security risk..."

Langel is absolutely correct to argue, "In an ecosystem with infinite resources, the attention needs to be on the people taking care of and maintaining that resource, because that's where the bottleneck is." Again, that's partly a question of money, but it's even more a question of treating people with dignity and respect, while making open source communities a fun, welcoming place.

Slashdot Top Deals