Search Results: "danw"

11 December 2013

Gustavo Noronha Silva: WebKitGTK+ hackfest 5.0 (2013)!

For the fifth year in a row the fearless WebKitGTK+ hackers have gathered in A Coruña to bring GNOME and the web closer. Igalia has organized and hosted it as usual, welcoming a record 30 people to its office. The GNOME foundation has sponsored my trip, allowing me to fly the cool 18-seat propeller airplane from Lisbon to A Coruña, which is a nice adventure, and have pulpo a feira for dinner, which I simply love! That in addition to enjoying the company of so many great hackers.
Web with wider tabs and the new prefs dialog


The goals for the hackfest have been ambitious, as usual, but we made good headway on them. Web the browser (AKA Epiphany) has seen a ton of little improvements, with Carlos splitting the shell search provider to a separate binary, which allowed us to remove some hacks from the session management code from the browser. It also makes testing changes to Web more convenient again. Jon McCann has been pounding at Web's UI making it more sleek, with tabs that expand to make better use of available horizontal space in the tab bar, new dialogs for preferences, cookies and password handling. I have made my tiny contribution by making it not keep tabs that were created just for what turned out to be a download around. For this last day of hackfest I plan to also fix an issue with text encoding detection and help track down a hang that happens upon page load.
Martin Robinson and Dan Winship hack


Martin Robinson and myself have as usual dived into the more disgusting and wide-reaching maintainership tasks that we have lots of trouble pushing forward on our day-to-day lives. Porting our build system to CMake has been one of these long-term goals, not because we love CMake (we don't) or because we hate autotools (we do), but because it should make people's lives easier when adding new files to the build, and should also make our build less hacky and quicker - it is sad to see how slow our build can be when compared to something like Chromium, and we think a big part of the problem lies on how complex and dumb autotools and make can be. We have picked up a few of our old branches, brought them up-to-date and landed, which now lets us build the main WebKit2GTK+ library through cmake in trunk. This is an important first step, but there's plenty to do.
Hackers take advantage of the icecream network for faster builds


Under the hood, Dan Winship has been pushing HTTP2 support for libsoup forward, with a dead-tree version of the spec by his side. He is refactoring libsoup internals to accommodate the new code paths. Still on the HTTP front, I have been updating soup's MIME type sniffing support to match the newest living specification, which includes specification for several new types and a new security feature introduced by Internet Explorer and later adopted by other browsers. The huge task of preparing the ground for a one process per tab (or other kinds of process separation, this will still be topic for discussion for a while) has been pushed forward by several hackers, with Carlos Garcia and Andy Wingo leading the charge.
Jon and Guillaume battling code


Other than that I have been putting in some more work on improving the integration of the new Web Inspector with WebKitGTK+. Carlos has reviewed the patch to allow attaching the inspector to the right side of the window, but we have decided to split it in two, one providing the functionality and one the API that will allow browsers to customize how that is done. There's a lot of work to be done here, I plan to land at least this first patch during the hackfest. I have also fought one more battle in the never-ending User-Agent sniffing war, in which we cannot win, it looks like.
Hackers chillin' at A Coruña


I am very happy to be here for the fifth year in a row, and I hope we will be meeting here for many more years to come! Thanks a lot to Igalia for sponsoring and hosting the hackfest, and to the GNOME foundation for making it possible for me to attend! See you in 2014!

30 January 2013

Russell Coker: SE Linux Things To Do

At the end of my talk on Monday about the status of SE Linux [1] I described some of the things that I want to do with SE Linux in Debian (and general SE Linux stuff). Here is a brief summary of some of them:

One thing I've wanted to do for years is to get X Access Controls working in Debian. This means that two X applications could have windows on the same desktop but be unable to communicate with each other by any of the X methods (this includes screen capture and clipboard). It seems that the Fedora people are moving to sandbox processes with Xephyr for X access (see Dan Walsh's blog post about sandbox -X [2]). But XAce will take a lot of work and time is always an issue.

An ongoing problem with SE Linux (and most security systems) is the difficulty in running applications with minimum privilege. One example of this is utility programs which can be run by multiple programs, if a utility is usually run by a process that is privileged then we probably won't notice that it requires excess privileges until it's run in a different context. This is a particular problem when trying to restrict programs that may be run as part of a user session. A common example is programs that open files read-write when they only need to read them, if the program then aborts when it can't open the file in question then we will have a problem when it's run from a context that doesn't grant it write access.

To deal with such latent problems I am considering ways of analysing the operation of systems to try and determine which programs request more access than they really need. During my talk I discussed the possibility of using a shared object to log file open/read/write to find such latent problems. A member of the audience suggested static code analysis which seems useful for some languages but doesn't seem likely to cover all necessary languages. Of course the benefit of static code analysis is that it will catch operations that the program doesn't perform in a test environment - error handling is one particularly important corner case in this regard.
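
The following is an added example, not part of Russell Coker's post or any code of his: a sketch of the analysis step for a log of file open/write calls, flagging files that were opened with write access but never written. It assumes the log is `strace -f`-style text rather than the output of the shared-object logger the post proposes; the trace lines, paths and the function name `unused_write_access` are constructed for illustration.

```python
import re

# Constructed sample in the style of `strace -f` output; pids and paths are made up.
SAMPLE_TRACE = """\
4100 openat(AT_FDCWD, "/etc/app/settings.conf", O_RDWR) = 3
4100 read(3, "mode=fast", 4096) = 9
4100 close(3) = 0
4100 openat(AT_FDCWD, "/var/lib/app/state.db", O_RDWR|O_CREAT, 0600) = 3
4100 write(3, "v2", 2) = 2
4100 close(3) = 0
4100 openat(AT_FDCWD, "/var/log/app.log", O_WRONLY|O_APPEND) = 4
4100 write(4, "started", 7) = 7
4100 openat(AT_FDCWD, "/home/user/.apprc", O_RDWR) = -1 EACCES (Permission denied)
4101 openat(AT_FDCWD, "/usr/share/app/help.txt", O_RDONLY) = 3
4101 close(3) = 0
4101 openat(AT_FDCWD, "/var/cache/app/index", O_RDWR) = 5
4101 read(5, "idx", 4096) = 3
"""

OPEN_RE = re.compile(
    r'^(\d+) openat\(AT_FDCWD, "([^"]+)", ([A-Z_|]+)(?:, \d+)?\) = (-?\d+)')
IO_RE = re.compile(r'^(\d+) (write|close)\((\d+)[,)]')

def unused_write_access(trace):
    """Return sorted paths opened O_RDWR/O_WRONLY on which no write() was seen."""
    live = {}          # (pid, fd) -> [path, wants_write, wrote]
    findings = set()

    def retire(key):
        path, wants_write, wrote = live.pop(key)
        if wants_write and not wrote:
            findings.add(path)

    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if m:
            pid, path, flags, ret = m[1], m[2], m[3].split("|"), int(m[4])
            if ret < 0:
                continue                      # failed open: nothing to follow
            if (pid, ret) in live:
                retire((pid, ret))            # fd reused without a close seen
            wants_write = "O_RDWR" in flags or "O_WRONLY" in flags
            live[(pid, ret)] = [path, wants_write, False]
            continue
        m = IO_RE.match(line)
        if m and (m[1], int(m[3])) in live:
            key = (m[1], int(m[3]))
            if m[2] == "write":
                live[key][2] = True
            else:
                retire(key)                   # close(): judge the descriptor
    for key in list(live):
        retire(key)                           # still open when the trace ended
    return sorted(findings)
```

A trace like this only covers the code paths that were exercised while logging, and writes made through mmap or through a descriptor passed to another process are not visible to it.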

26 January 2012

Russell Coker: Links January 2012

Cops in Tennessee routinely steal cash from citizens [1]. They are ordered to do so and in some cases their salary is paid from the cash that they take. So they have a good reason to imagine that any large sum of money is drug money and take it.

David Frum wrote an insightful article for NY Mag about the problems with the US Republican Party [2].

TreeHugger.com has an interesting article about eco-friendly features on some modern cruise ships [3].

Dan Walsh describes how to get the RSA SecureID PAM module working on a SE Linux system [4]. It's interesting that RSA was telling everyone to turn off SE Linux and shipping a program that was falsely marked as needing an executable stack and which uses netstat instead of /dev/urandom for entropy. Really the only way RSA could do worse could be to fall victim to an Advanced Persistent Attack :-#

The Long Now has an interesting summary of a presentation about archive.org [5]. I never realised the range of things that archive.org stores, I will have to explore that if I find some spare time!

Jonah Lehrer wrote a detailed and informative article about the way that American high school students receive head injuries playing football [6]. He suggests that it might eventually be the end of the game as we know it.

François Marier wrote an informative article about optimising PNG files [7], optipng is apparently the best option at the moment but it doesn't do everything you might want.

Helen Keeble wrote an interesting review of Twilight [8]. The most noteworthy thing about it IMHO is that she tries to understand teenage girls who like the books and movies. Trying to understand young people is quite rare.

Jon Masters wrote a critique of the concept of citizen journalism and described how he has two subscriptions to the NYT as a way of donating to support quality journalism [9]. The only comment on his post indicates a desire for biased news (such as Fox) which shows the reason why most US media is failing at journalism.

Luis von Ahn gave an interesting TED talk about crowd-sourced translation [10]. He starts by describing CAPTCHAs and the way that his company ReCAPTCHA provides the CAPTCHA service while also using people's time to digitise books. Then he describes his online translation service and language education system DuoLingo which allows people to learn a second language for free while translating text between languages [11]. One of the benefits of this is that people don't have to pay to learn a new language and thus poor people can learn other languages - great for people in developing countries that want to learn first-world languages! DuoLingo is in a beta phase at the moment but they are taking some volunteers.

Cory Doctorow wrote an insightful article for the Publishers Weekly titled Copyrights vs Human Rights [12] which is primarily about SOPA.

Naomi Wolf wrote an insightful article for The Guardian about the Occupy movement, among other things the highest levels of the US government are using the DHS as part of the crackdown [13]. Naomi's claim is that the right-wing and government attacks on the Occupy movement are due to the fact that they want to reform the political process and prevent corruption.

John Bohannon gave an interesting and entertaining TED talk about using dance as part of a presentation [14]. He gave an example of using dancers to illustrate some concepts related to physics and then spoke about the waste of PowerPoint.

Joe Sabia gave an amusing and inspiring TED talk about the technology of storytelling [15]. He gave the presentation with live actions on his iPad to match his words, a difficult task to perform successfully.

Thomas Koch wrote an informative post about some of the issues related to binary distribution of software [16]. I think the problem is even worse than Thomas describes.

27 February 2007

Edd Dumbill: OpenID and microformats support on XTech site

Thanks in no small part to the advocacy of Simon Willison, I've just OpenID-enabled the XTech web site.

OpenID log in box on Expectnation

Users can now create their accounts using an OpenID, or associate an OpenID with an existing account. A single-sign on solution like OpenID solves an important problem for us, as most people tend to interact with our conference web sites in only one or two time periods each year. While we've gone to the trouble of making retrieving a password easy, there's still the mental burden on the user of setting up the account and noting it down somewhere. As a measure of the impact of this on me personally: I habitually save registration confirmation emails in a certain mail folder. Since 1997 I have collected no fewer than 572 of these, and I'm sure some have been missed!

One other cool thing about OpenID is that finally I can get the identity I wish to have. No longer do I have to be a compulsive early adopter of every service just to get the name edd. (Well, as long as said service integrates OpenID of course!) Personal branding is an important attractive aspect of OpenID.

Implementation

Implementing OpenID using the Ruby ruby-openid gem was quite straightforward, as was the logical integration into our user models. I've not been the only one following this path recently, as illustrated by this post on Rails OpenID integration from Dan Webb.

The harder problem of deploying OpenID lies in making the user interface work well: ultimately that will have a huge influence over its uptake. We've made a decent first go of it in Expectnation, but I'm sure we'll evolve and improve it over time. The main puzzling thing is how obvious to make the OpenID facility, given its relatively small take-up right now. We don't want to confuse normal users too much by using it.

Microformats

When I did my behind-the-scenes piece on the building of the XTech schedule last week, one feature I didn't discuss was the support for microformats we have in the schedule and on the session pages. If you use a tool such as Operator, you can easily save talk times to your calendar while reading the schedule.

XTech schedule microformats

I'm personally a little late to the microformats party. Being a fan of pragmatic RDF, I didn't see much need for microformats right away. However, with tools like Operator I can honestly say that the use of microformats does enhance the XTech schedule.

My impressions of microformats (in particular hCalendar and hCard) from using them are mixed. On the plus side, it was very easy to do. On the negative side, I found them restrictive in the sense that for the metadata to be present in the hCalendar object, it needs to be part of the HTML presentation.

So, while microformats are meant to be about making human readable data useful for computers, they can have a tail-wagging effect on the human markup. Let me elaborate. In the conference schedule there is a grid overview. For readability here we want to keep the details down to a minimum in each box. There is definitely no need to repeat the date of each presentation when you can see there's a grid per day.

But also we want to have microformats available in the page so users can use the grid to pick off talks to add to their calendar. The only details you currently get from the microformat are those you physically include inside the div marked as vevent. This means we can't embed the full details, such as the talk description. It also means I indulge in some dubious markup practices (an empty abbr element) in order to get the date and time into each hCalendar object.

It seems to me that this could be ameliorated by more intelligent user agent behaviour. Each of my hCalendar events is given a URL. At the end of that URL is a full description of the event, using microformats. So, as long as I reference the URL in a summary page, the user agent can beetle off and pull down the full information, in much the same sort of way that FOAF uses the rdfs:seeAlso property.

So, remove the expectation that microformats provide complete data, and I'm sold.

Other schedule features: iCal, Upcoming.org

Of course, we have iCalendar support in the XTech schedule, so you can subscribe conventionally using iCal, Evolution or a similar program. Aaron Straup Cope took the iCalendar, and uploaded each event into Upcoming.org. If you look at the upcoming events tagged xtech07, you see the results of his work.

This foreshadows some of the social elements we plan to add to Expectnation itself: indicating your intent to attend a talk, and adding comments to it. As a program chair I'm finding this quite fascinating to watch.

17 December 2006

Clint Adams: Next week: why everyone should go to tech shows topless

Kathy Sierra writes about how conference T-shirt distributors are not trying to make their attendees look sexy enough, by providing tees that attempt to hide breasts. She doesn't mention underwear though, and this suffers from exactly the same problem. The free logo-branded boxers you get at these things are almost always poorly-made and ill-fitting. Why not provide Speedos or bikini bottoms or anything which will tightly-hug the pubic region and showcase one's junk? Does this guy want to hide his genitalia? No, he wants to strut, proud and trouserless, across the expo floor, knowing full well how much the conference organizers care about him. Bless his courage and rejection of societal norms.

28 February 2006

Erich Schubert: On AppArmor vs. SELinux

Some might have read recent news such as Novell SELinux killer rattles Red Hat, or Dan Walsh's critique of Novell's AppArmor release, concerned with "unix like fragmentation in the security sector". While I also do think that SELinux is both more mature in the core system and more powerful than AppArmor (with a big plus being that SELinux is in the vanilla kernel) - I do think that AppArmor can quickly become a true SELinux killer, by just being better documented and easier to use.

SELinux has serious deficiencies in documentation and development community. Almost all the available SELinux documentation is based around the policy as published by the NSA, which is "superseded by the reference policy project". This is the policy currently in Debian and used in the Gentoo SELinux docs - which hasn't received any updates in months now. The newer "reference policy" is updated every few days, by exporting Tresys' internal SVN into a public CVS on sourceforge.

Dan Walsh claimed "multiple distributions shipping with SELinux including Fedora Core (2,3,4 and soon 5), Red Hat Enterprise Linux 4, Gentoo, Debian, Ubuntu, Suse and Slackware." Which is not entirely true. SuSE has AppArmor now, Fedora and RHEL are pretty much the same, and apparently neither Gentoo, Debian, Ubuntu or Slackware are up to date with SELinux. Or actually involved in the current development. So that basically makes 1 distribution using current SELinux and 1 distribution using AppArmor... Looks like a tie to me.

Also with the development it's pretty much down. AppArmor was developed by a small company called Immunix, and is now backed by big Novell, owner of SuSE. Current SELinux is mostly developed by a small company called Tresys, and somewhat backed and used by RedHat. Both have the feeling of "closed door" commercial development, which may be the reason why it reminds some people of the old Unix wars. Both of course claim to do an open development, with for example the current SELinux Symposium. But if you look closely at the Agenda and the speakers, it's fairly obvious that this is pretty much a business meeting, with some university speakers talking about the security concepts used. Just one quote from the site:
Developer Summit
An invitation only meeting for the core developers of SELinux to discuss future plans for SELinux and upcoming technologies.
The winner of this "war" between AppArmor and SELinux will be whoever manages to incorporate community development best, and get the other distributions like Debian, Ubuntu and Slackware to support their efforts. Currently neither of them has the air of actively supporting them, which is really bad. Widespread adoption is also where grSecurity has failed before.