In other news, I am now working for Collabora! It is a great opportunity for me, and I will do my best to be on par with the great people that are now my colleagues. I have had the pleasure of working with Marco Barisione, and Pierre-Luc on WebKitGTK+, for some time, and some (most? =)) of them are also fellow Debian and GNOME developers, so I feel at home. Contributing to WebKitGTK+ and Epiphany is something I do as part of my job too, now, and I m not planning on dropping my volunteer contributions =). I have actually landed some patches, and worked on the 1.1.4 release with my @collabora.co.uk address already, and I hope the future holds more opportunity for such contributions!

This code comes from the actual sources of the last PHP release (ext/sockets/sockets.c). It's probable that this code has been here like, forever: First, yes, this is for real a static variable in the C module, those guys don't know about either of the const or static keyword.

   /* inet_ntop should be used instead of inet_ntoa */                                                       
   int inet_ntoa_lock = 0;

   /* ... */

Then they wrap getpeername:

   PHP_FUNCTION(socket_getpeername)
    
       /* ... */
       if (getpeername(php_sock->bsd_socket, sa, &salen) < 0)  
           PHP_SOCKET_ERROR(php_sock, "unable to retrieve peer name", errno);
           RETURN_FALSE;
        

so far so good. Or maybe not so good.

       switch (sa->sa_family)  
           case AF_INET:
               sin = (struct sockaddr_in *) sa;
               while (inet_ntoa_lock == 1);
               inet_ntoa_lock = 1;

Riiiiiight, locks 101, you fail.

               addr_string = inet_ntoa(sin->sin_addr);
               inet_ntoa_lock = 0;

QUICK ! let's release the lock before we actually use addr_string !

               zval_dtor(arg2);
               ZVAL_STRING(arg2, addr_string, 1);
               /*... */

And you know the best of it ? Of course that code is totally useless since^[1]:

   $ grep -wc inet_ntoa **/*.[hc] grep -v :0
   ext/sockets/sockets.c:4
   ext/standard/basic_functions.c:1
   ext/standard/dns.c:2
   main/network.c:1
   sapi/cgi/fastcgi.c:1
   sapi/tux/php_tux.c:1

Those guys are priceless. Especially when you consider the number of 50-liners to implement inet_ntop that lie around.

Since late 2008 WebKit/GTK+ has been advancing in a better pace than earlier that year. Patches are being reviewed and committed actively, mostly by Holger Freyther (zecke). This last month, among other goodies such as better keyword searching for the WooHoo bar in Epiphany and enabling WebKit s Soup backend to upload files, I have been working on getting download support into WebKit/GTK+ so that we can use that API in Epiphany. Most of the heavy work was done by Marco Barisione and Pierre-Luc Beaudoin early last year. I brought the patch up-to-date and modified it with input from various people into something simpler and handling some more use cases. Tonight I finally reached a milestone, being able to download a Debian ISO with Epiphany/WebKit:

This is work in progress. There are many rough edges to sharpen, still, but this work should be ready for merging very soon. If you want to help take a look at the WebKit bug report we are using to track this work, and the corresponding Epiphany bug report. Anyway, I ve been using both Epiphany and WebKit/GTK+ from trunk for about a month now, and the number of things I am missing is going down quickly. Come help us test and get a regressionless Epiphany with WebKit/GTK+ for GNOME 2.28!

Last weekend I found yet another movie that satisfied my apparent need for the strange and bizarre: Delicatessen by Marc Caro and Jean-Pierre Jeunet. (You can find older movie-related posts on my old blog.)

It s the last day of the most awesome linux.conf.au 2009 conference in Hobart, Tasmania. I ve just witnessed the a room full of 500 people sit with baited breath as Linus wielded a set of clippers to shave Bdale Garbee s beard, followed by Bdale (with a razor with 3 more blades than last time he shaved, a tiny bowl of water and a hand-mirror) trying to make it look neater. The LCA twitter feed was up on the projector, and someone rightly observed this whole event was actually pretty weird. There are already pictures on flickr too. However, well done to Bdale for being such a good sport, but it looks like his wife Karen will accompany him next year to make sure he doesn t agree to anything else like this, and supervise the waxing of Rusty s chest :) What s this all in aid of? After the incredible auction for this beautiful picture from Karen, and generous donations at the Penguin Dinner on Wednesday night, the conference has now raised between AU$ 35k and 40k towards the Save the Tasmanian Devil appeal. Around AU$ 1.3k of the nonsensical winning consortium s AU $10.6k bid came from the Collabora folks who were at the dinner, and AU$ 1.2k from Collabora and Collabora Multimedia directly. We were all set to place a winning AU$ 3k bid but then Matthew and Daniel came up with the Bdale shaving scheme, and then things really picked up. I m glad we took part - the lead scientist from the project was really grateful, and I hope the money can make a real difference to their great work. On more mundane matters, I also gave my talk this morning, and my slides (Telepathy slides v2.0 thanks to Marco) are online. I also made a few demos of new awesome stuff you can do with Telepathy (most of the patches are already merged upstream or well on the way):

• Geolocation support (XEP-0080) support in the XMPP backend and Empathy, using GeoClue to find your location and the libchamplain Clutter & Open Streetmap widget to display where your contacts are. Thanks to Pierre-Luc, Alban and Daf for their work here - more details on Pierre-Luc s blog.
• Support for launching file transfers over link-local XMPP from Nautilus using the Empathy plugin for nautilus-sendto. This is already merged upstream but needs a patch to work with trunk Empathy. Thanks to Marco, Jonny and Guillaume for their work on this.
• Alban also made a neat hack to Rhythmbox which allows exporting your DAAP music server to one of your contants over a Telepathy Stream Tube. Thanks also to recent work from Marco, these tubes now go over XMPP s SOCKS5 Bytestreams, giving much better throughput than the earlier in-band implementation, network permitting. The next step is unleashing the full might of our libnice NAT traversal library, signalling tubes with Jingle, and therefore making connections work peer to peer in up to 95% of the cases. However, this won t affect the APIs, stuff will just go faster! Isn t Telepathy wonderful?
• Olivier stepped up to show off the demo from his talk about Farsight, which shows his branch using the new telepathy-farsight library to allow recording Telepathy video calls directly into the PiTiVi video editor. His network was screwed up so it didn t work, but I did see it work in his talk yesterday! Awesome stuff, hopefully Edward and friends can pick it up and merge it in before too long.
• Unfortunately we ran out of time for Will to show off Guillaume s recent work on Telepathy-enabled Abiword on the desktop (rather than just Sugar s Write activity), but I expect he ll blog about it soon!

On that note, these were just the five that I picked to try and fit into my talk. There are a load more demos in the pipeline from the other guys in Collabora of doing stuff with Telepathy, so keep a close look on Planet Collabora for the next cool thing.

Tim (a member of my local LUG) writes about some observations he has made of a nearby river and speculates on a tidal bore-like phenomenon [1]. One thing that surprised me was how short the list was on the Tidal Bore Wikipedia page [2], and the fact that is it missing an entry for Tidal River at Wilson s Promontory [3] (where my family often spent the Christmas holidays when I was young). Some of the tidal bores are described as having a wave as high as two meters, Tidal River is not so impressive, my observation was that during the 80 s it was about 40cm near the mouth of the river. The area near the river mouth had many bends when I last saw it which absorbed some of the energy of the wave (but I expect that the river changes course constantly so it might be straight from time to time). On one occasion I River Surfed [4] about 500 meters upstream at Tidal River on a surf-mat (an inflatable surf-board). I have searched for research into this issue, the Tidal Bore Research Society [5] seems to just maintain a list of tidal bores and not do any real research. Pierre Lubin, Stephane Glockner, and Hubert Chanson published a paper titled Numerical simulation of turbulence generated by a tidal bore [6]. Hubert Chanson at the University of Queensland has written an interesting paper titled Physical Modelling of the Flow Field in an Undular Tidal Bore [7]. Hubert seems to have published more papers related to tidal bores than anyone else (or at least more papers that are publicly accessible).

• [1] http://tau-iota-mu-c.livejournal.com/141448.html


• [2] http://en.wikipedia.org/wiki/Tidal_bore


• [3] http://en.wikipedia.org/wiki/Tidal_River,_Wilsons_Promontory


• [4] http://en.wikipedia.org/wiki/River_surfing


• [5] http://www.tidalbore.info/


• [6] http://www.trefle.u-bordeaux1.fr/personnel/documents/ti2009_lubin.pdf


• [7] http://espace.library.uq.edu.au/view.php?pid=UQ:9448

Pierre,

do we trust our release team ;

• No.

shall we delay the Lenny release for firmware issues or not (We answered that twice in the past with huge majorities btw) ;

• Possibly.

shall we modify the meaning the the SC/DFSG.

• Only to remove SC#5 or remove the DFSG#4 compromise.

How should I vote?

This vote is a joke. It mixes very different questions, among them:

• do we trust our release team ;
• shall we delay the Lenny release for firmware issues or not (We answered that twice in the past with huge majorities btw) ;
• shall we modify the meaning the the SC/DFSG.

And you're supposed to make one single option win. Not all options deal with those three questions at once. So definitely, like Julien states it: It's a TRAP. That's why there is one and only one winning stategy to that vote:

• rank (like Christian did) Further Discussion first.
• rank all the answers to the previous questions at the same level 2 (e.g. for me it's probably option 2 and 4 or something similar).
• do not rank the rest (or rank it 3 or greater or - or whatever).

This vote is a perversion of our voting system, don't fall for it. Edit (answer to Neil): Neil, you don't get it, if you make anything else than Further Discussion win, you actually let one option of the vote win. As most of the ballot options only answer at most 2 of the underlying questions I cited above, and only one for many of the options, you give the power to the secretary to decide what the option you voted for meant. This is unacceptable, therefore, you have to put further discussion first. We just don't want to let one single man (that showed that he's totally unable to prepare a sane vote, without pushing his agenda at the same time) decide the real issue of the vote.

There have been 470 mails during the last month in the DFSG violations threads on -vote@, but only 10 posters have contributed more than 10 mails so far:

85 Robert Millan
51 Manoj Srivastava
18 Pierre Habouzit
18 Josselin Mouette
16 Thomas Bushnell BSG
14 Stephen Gran
13 Frans Pop
13 Ean Schuessler
13 Adeodato Simo
12 Russ Allbery

Is someone working on a summary of the discussions? I would really hate it if we were asked to vote on this, with a “for details, see the -vote@ archives” footnote. (Robert Millan sounds like a perfect candidate for this task :-) )

Sound Juicer "I Don't Know What You Heard But It's Mandatory" 2.23.2 has been released. Tarballs are available on burtonini.com, or from the GNOME FTP servers. Lots of fixes from the Amazing Matthew Martin:

• Stop playback when the disc is re-read (Matthew Martin)
• Only eject the disc if tracks were ripped (MM)
• Don't try and move the non-existant temp file when skipping (MM)
• Free the option context (Pierre Benz)
• Don't block until n-c-b quits when copying discs
• Fix playback track switching (MM)

Another point release for Etch has been done; now it's the time for the CD team to roll out new images after the next mirror pulse. The official announcements (prepared by Alexander Reichle-Schmehl, thanks!) will follow shortly afterwards. FTP master of the day was Joerg Jaspert, who did his first point release since Woody, as he told us on IRC. We appreciate your work and you spending your time that shortly before going to Argentina. This point release includes the etchnhalf update introducing a new kernel image (based on 2.6.24) and some driver updates. Additionally the infamous openssl hole will be fixed for good, even for new installs. Again I want to present you a list of people who contributed to this release. It cannot be complete as I got the information out of the Changed-by fields of the uploads.

• akira yamada
• Alexander Sack
• Alexander Schmehl
• A Mennucc1
• Andrea De Iacovo
• Andres Salomon
• Aurelien Jarno
• Charles Plessy
• Christian Perrier
• Christian Welzel
• Colin Watson
• dann frazier (indefatigable kernel worker, most sourceful uploads)
• Darren Salt
• Devin Carraway (3rd place of sourceful uploads, due to security work)
• Emmanuel Lacour
• Eric Dorland
• Fabio Tranchitella
• Faidon Liambotis
• Fathi Boudra
• Florian Weimer
• Francesco Paolo Lovergine
• Francois Marier
• Frank Lichtenheld
• Frans Pop (thanks for your d-i work!)
• Frederic Peters
• Gregory Colpart
• Holger Levsen
• Jan Wagner
• Jay Berkenbilt
• J r my Bobbio
• Joey Hess
• Joey Schulze
• Josselin Mouette
• Julien Cristau
• Kai Hendry
• Kurt Roeckx
• LaMont Jones
• Laszlo Boszormenyi
• Martin Pitt
• maximilian attems
• Michael Biebl
• Michael Koch
• Mike Hommey
• Moritz Muehlenhoff
• Noah Meyerhans
• Ola Lundqvist
• Otavio Salvador
• Patrick Matth i
• Petter Reinholdtsen
• Philipp Kern
• Pierre Habouzit
• Raphael Hertzog
• Rene Engelhard
• Robert Millan
• Roberto Lumbreras
• Roland Mas
• Romain Beauxis
• Russ Allbery
• Sean Finney
• Stefan Fritsch
• Steffen Joeris
• Stephen Gran
• Steve Kemp
• Sune Vuorela
• Thijs Kinkhorst (2nd place of sourceful uploads, due to security work)
• Thomas Viehmann
• Toni Mueller
• Tzafrir Cohen

From the Release Team we had dann frazier (who drove the important kernel part of etchnhalf), Luk Claes, Neil McGovern, Andreas Barth, Martin Zobel-Helas and me working on it. ;-)

Steve,

If you don't like seeing cumbersome security warnings for insecure https connections, how about not using https when what you really want is http in the first place?

Because I don't necessarily have the choice. When I'm reporting a bug on a given open source Trac, they often put https on them because they think it's better for them (and for them it is because they generated the certificate and so on), and there is no http version. Note that when I use https for myself, I import my CA in firefox, so I don't have a single warning, so I kind of know how to avoid them when I care about https. But there isn't always a plain HTTP alternative, and that is what makes it a real PITA. Okay, you want to warn the user the https isn't secure, there are plenty of ways that don't require you to add an exception on a certificate. I spoke of the little lock, because that's what is even on IE, but please remember than when you browse trusted https, the URL bar is in this kind of yellow. Well, if the https is unsecure, just don't put that background. If you really want, you can add some kind of rosa color to mark that it's "bad" but it in a not too terrible way (in opposition to a broken/invalid certificate and where the URL bar should be blinking red with an air-raid like siren). I repeat, the fact that the HTTPS certificate is self-signed never changes the fact that when a given user goes on this kind of https site, he wants to be there, and HE WILL click on the 5 silly steps of the SSL exception thing. So why bother ? It serve one single purpose: pissing users off. And for what it's worth, I disagree with you, most of the people that are not computer related I know absolutely don't know they could think that http_s_ is more secure than http. Each time I give them an URL without the http:// part they ask, is this https or http ?, because they absolutely don't get the difference, and I don't try to explain it to them, because this would lead them to think https is better. Those kind of people only rely on visual helpers from the browser part. They really do. PS: yes I also believe that bad security is worse than no security because it gives the illusion for people to be safe, and then they have bad behavior. When your condom is broken, things can go really wrong. But you missed my point, in the sense, probably because I'm too annoyed to make it clear inbetween rants. My point really was what I tried to explain, namely that if people don't know they should think there is security in the first place, your remark is moot, and for the other you can activate the different URL background, it's just fine. Of course, invalid certificates must remain a pain to go through, this whole thing is only about the untrusted ones.

Pierre, "Why on earth is https with an untrusted certificate less secure than http ?." Apparently you thought this was a rhetorical question. I disagree. https with an untrusted certificate is less secure than http, because whether or not most users understand the meaning of https, there are a significant number of users who do understand what it means, or at least think they do. You can't seriously tell me you that you think all users always look for the lock icon instead of looking at the URL to know whether they're protected, can you? Users, on the whole, are very good at cargo-culting where technology is concerned. Just because many users look for the icon does /not/ mean that there aren't other users who know just enough of the definition of "protocol" to be a danger to themselves. An https URL is a declaration on the part of the server (or the party linking to it) that the resource in question should be secure. This creates an expectation on the part of those users who know what https is that if the connection succeeds, it is secure, which means they'll think it's ok to do the kinds of things that they normally do over secure connections but won't do over unsecured ones. It therefore certainly is important to give users feedback that an https connection has failed. If you try to connect to an https resource, and your browser can't verify the certificate, something is wrong. Either the server operator is a stooge for Intel trying to drive up the client CPU requirements for web connectivity so that they can sell more chips, or the server operator has failed to establish a chain of trust to you in the appropriate manner, or someone really has compromised the connection with a man-in-the-middle attack. Any of these conditions are something that ought to be brought to the user's attention, not ignored. If you don't like seeing cumbersome security warnings for insecure https connections, how about not using https when what you really want is http in the first place?

Okay, following my irritated post I received (sigh) complaints about me being too harsh. So to these people here is what I say, because I'm tired answering the same thing over and over. For starters, the SSL dialog in firefox is badly designed:

1. My mom doesn't grok it, so it totally fails the "corridor testing" (see JoelOnSoftware if you don't know what it is), stop pretending otherwise;
2. since it fails with the "average not very computer literate user", I, as an advanced user, believe to be representative of this kind of person, say and affirm that this UI is completely broken and horrible, not to mention counter-intuitive.

That said, I have other things to say on the form. Yeah I've been harsh, and I will continue to be about this issue: this has not been designed with the simplicity in mind, but by geeks (FSVO geek) that believe that it's important to educate people about how nice HTTPS is and that everyone should talk in S3kr3t because its 733t. And I'm sure they tried very hard to make it very painful for users to have to deal with HTTPS and not believe in it to be trusted for bad reasons. Why ?

• because geeks want to use https when possible ;
• but they care about it to be secure (FSVO secure);
• and that they want the whole world to do like them because they know the TRUTH.

HELLLOOOO PEOPLE this is the wrong way to do it. People are already aware that it is https, because they did typed https in the URL. And again, my mom doesn't know what the s in https stands for and she doesn't care. What she cares about is to see the small lock when she logs on her bank website, not even when she goes on her webmail. You REALLY want to make a simple UI ? Well, please try to explain and justify (with real arguments) Why on earth is https with an untrusted certificate less secure than http ?. Okay I'll let you 3 seconds to think. 1
2
3 What is your answer ? OH see ? it isn't. So now second 1 question, why does it need to be more painful to use https with an untrusted certificate than plain http ?. Well, I don't have 3 seconds to give anymore, so let's jump to the answer: there is absolutely no reason. See, I'm far from an UI expert, and what I use every day for UIs would revulse 99% of the planet: vim as an editor, awesome as a tiling window manager, vimperator for a browser, and I live most of the time in a terminal. But it takes me like 10 minutes to design what I believe to be an excellent UI for https with untrusted certificate: just don't mind the certificate and show it like plain HTTP. YES I'M ANNOYED That brings me to the last point. I see in my comments, and have received the same by mail, that I should not be harsh with people writing such a brilliant piece of software. Well, the fact that firefox is or is not a good piece of software is totally irrelevant. When you claim no less than trying to reinvent the web, well, if you fuck up this big, you deserve it. No matter if it's a free piece of software or not. (or a piece of free software or not). When you request your users to click on FIVE completely counter-intuitive buttons/urls to finally be able to see a webpage they want to see (and my mom doesn't care about the webmail being insecurely hosted, really), with the first screen being almost the same than what you get when a serer timeouts or 404, well, you're just out of your mind. There is absolutely nothing that can excuse such a bad design, and the SSL thing is a failure. I mean everyone is laughing at the vista way of asking you if you really meant to go pee, well I see no difference here, it's as dumb and inefficient. No matter how much firefox did improved (and it did memory wise, believe me, I feel it, and I'm really glad about that), https is part of my everyday's life. Those five clicks are a real PAIN. When I'm reading documentation, browsing some sources, and so on, I go through this dialog about 3 to 10 times in a row. I'm totally unimpressed, and just because a couple of geeks believed that it was GOOD to educate me about how dangerous untrusted certificates are, I have to break my workflow to grab my mouse in the middle of my work. No sorry, I don't really want to be calm. In fact, what annoys me the most, is that I'm a programmer. And as a programmer, the worst thing to me, is regression. Regression is what happens when you're sloppy, and don't test your program enough. It's what happen when you aren't good enough to keep your concentration, and don't see the big picture, and constantly break your program invariants. So when I see a regression that people did on purpose, well, it shocks me beyond what I can explain with words, that's the worst thing you can do to a piece of software. I won't really mind a new feature that only partially works, I won't mind if a feature that is complicated to write isn't there after 5 years dreaming of it, but this ? I do mind. There is no way to consider that ruining a piece of software like that to the name of A Greater Good is excusable. Oh and last words: wanting to educate people this way is a way worst offense that what I will ever say on the subject. Such a condescending approach to what they think of their users reminds me of various journalists that I met, and that when I tried to rephrase some things so that they can write about it to their readers, answered to me oh you know, they're too dumb, they'll never understand. And as a result, articles or interview are always distorted, can't interest the readers that don't care about the subject a lot, because there's nothing captivating in the article, and is totally inexact and uninteresting to people interested in the matter, because it's void from its substance. Well, the SSL dialog gives me the very same impression: it's annoying to me who knows what a SSL certificate is, and my mom won't know a single bit more what an SSL certificate is and why she should care^[1].

Today seems to be Firefox/Iceweasel 3 Bashing Day on Planet Debian, so let me join the fun :) I agree with most other people that the default Firefox/Iceweasel 3 config is not ideal, so here's what I did to fix it. Some of these items improve performance, some remove annoyances, some remove privacy issues, some remove security issues. Not everything here may be desirable for people other than me. General

• Disable the bookmarks toolbar via "View / Toolbars / Bookmarks Toolbar", nobody needs that and we save some screen space. Remove all pre-defined bookmarks while we're at it.
• Select "View / Toolbars / Customize".
  • Add the "New Tab" button/icon right after the "Home" button. This is probably the most-used button (for me at least) and it's not available per default...
  • Click "Use Small Icons", there's no reason to waste screen space.
  • Remove the Google search bar (useless).
  • Now move all icons and the URL bar into the menu bar (I'm not kidding). After that you can disable the nagivation toolbar via "View / Toolbars / Navigation Toolbar" and save even more screen space.

Preferences Select "Edit / Preferences". Main:

• Select "When Iceweasel starts: Show a blank page".
• Set "Home Page" to whatever you see fit.

Tabs:

• Enable "Always show the tab bar".

Content:

• At the right-hand side of "Enable JavaScript" click "Advanced" and uncheck all checkboxes. JavaScript stuff shouldn't need to do any of those operations.
• Uncheck "Enable Java". Nobody needs this crap and it's a huge security risk.

Privacy:

• Disable "Keep my history for xyz days" completely. Huge privacy risks.
• Disable "Remember what I enter in forms and the search bar". Huge security and privacy risks, almost no gain.
• Disable "Remember what I've downloaded". Huge privacy risks.
• Uncheck "Accept third-party cookies".
• Choose "Keep until: I close Iceweasel".
• Click "Show Cookies" and remove all of them.
• Enable "Always clear my private data when I close Iceweasel". Click "Settings" and check all items. You want to purge everything when closing Iceweasel.

Security:

• On the right-hand side of "Warn me when sites try to install add-ons" click "Exceptions" and remove all exceptions.
• Disable "Tell me if the site I'm visiting is a suspected attack site". Useless crap, possibly a privacy issue.
• Disable "Tell me if the site I'm visiting is a suspected forgery". Useless crap, possibly a privacy issue.
• Disable "Remember passwords for sites". This is a huge security risk, never ever enable it!

Advanced:

• "General" tab:
  • Enable "Warn me when web sites try to redirect or reload the page".
  • Disable "Check my spelling as I type". Useless, annoying crap, which probably even impacts performance.
• "Update" tab:
  • Disable "Automatically check for updates to: Installed Add-ons".
  • Disable "Automatically check for updates to: Search Engines".
  • Select "When updates to Iceweasel are found: Ask me what I want to do".
about:config Open a new tab, enter "about:config" as URL and hit ENTER. Click the annoying "I'll be careful, I promise!" button. Uncheck "Show this warning next time" while we're at it.
• Set browser.urlbar.matchOnlyTyped = true to disable the new, annoying "AwesomeBar" URL bar feature (which is also a huge privacy risk).
• Browser tabs are way too huge for my taste (thus only very few fit on the screen). Fix it with browser.tabs.tabMinWidth = 60 and browser.tabs.tabMaxWidth = 60 (needs a browser restart). You can even use less than 60 if you don't need any text and an icon per tab is enough for you.
• Disable the annoying, flashing auto-search stuff when you select "Tools / Add-ons / Get Add-ons": Set extentions.getAddons.showPane = false.
• Set bidi.support = 0. You'll probably never need it, so reduce the number of potential bugs and security issues by disabling it.
• Self-signed certificate handling is annoying, so fix it with: browser.ssl_override_behavior = 2 and browser.xul.error_pages.expert_bad_cert = true (thanks Pierre Habouzit).
• Set browser.tabs.closeButtons = 3 in order to prevent accidental closing of tabs (no more Close buttons on each tab, only one global Close button on the right). Yes, CTRL+Shift+T helps in case it still happens.
• Set network.prefetch-next = false to prevent random prefetching of webpages which means wasting CPU cycles and bandwidth, as well as subtle privacy and security issues.
Plugins None. Don't even think about installing crap like the closed-source Flash player if stability or security are important to you. If you absolutely must watch YouTube videos, I recommend youtube-dl. Extensions Use as few as possible. Every extention may have security problems or bugs, and can negatively affect performance etc. Pretty much the only one I use is NoScript to selectively enable JavaScript for some trusted websites (and disable it for all other sites).

Yes Stefano, I too believe that the SSL certificate thingy in Iceweasel 3 is just a bad joke. I mean WHAT THE FUCK WERE THEY THINKING ? At least in the RCs it improved, and the logo isn't the same as 404, it took me 10 refresh the first time I saw it to understand that it was not a 404 but an untrusted self-signed certificate. And the whole "exception" thing is absurd. NO I DON'T WANT TO ADD AN EXCEPTION you morons. Here would be a good UI, that I never saw implemented in any browser but would make sense:

• I want to browse the damn site, that you remember for me the current certificate, and browse without pretending it's safe (this way users do not believe to be protected when they are not).
• Next time I go to that website again, if the untrusted certificate changed, then and only then I want to be bugged about the fact that this website changed its certificate.
• I don't want any popup, anything, no "yellow" background in the URL (as the certificate is not trusted) no nothing, just browse it as if it was plain HTTP wrt the UI.

It's enough for 99.9% of the users. Then, some of us really care about importing some untrusted certificates (for our own webmails e.g.). Then well, a small button that allows advanced users to check, import, and mark an untrusted certificate as trusted is just what one needs. One can even hide that in some menu, it would be fine. I for example, have only checked the SSL certificate from my webmail and something like 3 or 4 websites. I do NOT want to be bugged for the other. But no, instead we have this completely delirious interface that no-one can sanely call User Interface. They're on crack. Anyways, here is a way to make your pain easier, either in about:config or in your $ HOME /.mozilla/firefox/$ profile-with-name-on-crack-id /user.prefs set the following values this way^[1]:

 user_pref("browser.ssl_override_behavior", 2);
 user_pref("browser.xul.error_pages.expert_bad_cert", true);

It makes validating a certificate two clicks away (one of the settings shows the 'add exception' buttons instead of showing a link to make them visible, the other settings makes firefox download the certificate for you so that you don't have to ASK HIM to do so^[2]. And you know the worst thing ? I'm sure the guy(s) who wrote this fucking dialog is(are) very proud of it.

I've always been bothered by those "Property Of Blank University" t-shirts that used to actually be the loaned (or stolen) property of college athletic departments but have now become popular enough that you can find them, for sale, in nearly any university store or gift shop in the US. Few people would assume that somebody with a "Property of" shirt had stolen their clothing. In fact, it's often impossible to find the shirts except on sale anymore -- and rarely from universities themselves. Here's my response. For those that don't know (and that's certainly many), Pierre-Joseph Proudhon is the nineteenth century French anarchist and mutualist most famous for saying, "La propri t , c'est le vol!" In English: "Property is theft!" You can buy my t-shifts (red on black, where possible), in my Printfection store. Source SVG is here. Please share variations in a comment.

  (1:55) 
  [artemis] sudo dpkg --purge ion3 ion3-scripts
 [sudo] password for madcoder: 
 (Reading database ... 126510 files and directories currently installed.)
 Removing ion3-scripts ...
 Purging configuration files for ion3-scripts ...
 Removing ion3 ...
 Purging configuration files for ion3 ...
 dpkg - warning: while removing ion3, directory  /etc/X11/ion3' not empty so not removed.
 dpkg - warning: while removing ion3, directory  /usr/lib/ion3/lc' not empty so not removed.
 Processing triggers for menu ...
 Processing triggers for man-db ...
 sudo dpkg --purge ion3 ion3-scripts  1,25s user 1,19s system 12% cpu 19,539 total

AAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHH I feel better now. I'm right now a proud awesome-3-git user. The current git version has 90% of what I used in ion3. I mostly mis tabs, but I'm almost already used not to have them anymore, tiling is way better after all, and there are pure lua implementations of those around, just the current one are not nice enough (IMHO) but it can only improve. Another missing feature is autocompletion in the launch command / ssh to / ... menus. But I assume this would not really be hard to add. OTOH there are already things that I like better in awesome: it's easier to extend than ion3, the widgets are a fantastic idea, it uses antialiased fonts, and so on. And layouts are a really clever idea for sure. See here to see what it can look like.

With firefox3 entering unstable, it's now possible to upload firefox3 extensions. Vimperator just entered unstable tonight, just enjoy it. For those not knowing about it, it's an excellent extension that gives to your firefox the vim look and feel. People that are already hooked to git will love it. Tiled window manager users usually love it. The best feature it has is the so called quick hints feature. Type f in command mode, to have nice labels next to every link in the page. You can type some letter, and only links that contains those letters will have the hints, and you'll see something like this (I added 'mo' after having asked for quick hints like you can see in the ruler):

Dear Bastian let's fix your blog post.

Philipp thinks, the fact that rng is not using the information in /usr/share/bug renders rng unfit for release and upgraded the corresponding bugreport from wishlist to serious. Moreover: since I dared to downgrade the report back to wishlist he decided to remove rng from testing and block it until the bug is fixed.

s/Philipp/the Release Team/g. And yes, we believe that reportbug-ng goes against the Maintainers wishes, and doesn't help users that don't know how to report a bug (and which are rng audience unless I'm mistaken).

I don t want to heat the debate about this bug again, but Philipp s decision seems arbitrary for me and I wonder if the same standard is applied to every other Debian package.

It's not, it was discussed in the Release Team and was not Philipp on his own alone. And yes, the same standards of quality is wanted for every package in Debian.

I mean, rng has no release critical defects.

That's you claiming that, there have been really constructive remarks in both bug that we upgraded, and that I think explain wisely why the current reportbug-ng behaviour doesn't makes it a suitable reportbug tool right now. I think for example that Sam's and Michael Biebl contributions in both bugs are good explanations of what is wrong and why.

It just does not use the aforementioned scripts as additional information in bugreports does this really render the software unfit for release ?

Yes it does. Again, people that use rng are I think, less experienced users, who need guidance through the bug reporting process. The kind of users that often send annoying bug reports. Instead of lowering the annoyance factor, you aggravate it. In the end, rng makes the frustration higher, and totally fails to meet its primary goals: making bug reporting nicer, simpler, and more efficient for the Reporter and the Maintainer. While it's probably nicer for the reporter, you totally fail on the other part of the contract. And if you don't care about the Maintainer, then well, reportbug-ng is just a spam machine to them, and your careless attitude toward them is unfit for release for sure.