We’re looking at the situation of automatic updates for add-ons and whether or not tightening up the security of such updates is a good idea or not (this is one good reason why it could be). After some initial talking I would like to get a little feedback from the add-on authors out there who host their add-ons on their own websites and not on addons.mozilla.org. Are you such a person? If so then please take a few moments to check out the thread in the forums or on the newsgroup and take a few moments to answer my questions.
Of course nothing is a foregone conclusion at this point and you might have noticed that I host my own extensions, not on addons.mozilla.org so I totally have the self-hoster’s needs at heart 🙂
I guess it goes without saying that I’m fairly technically literate and as such I’m pretty well versed in both what makes a strong password and actually using them. I actually have a pair of passwords, one that I use for what I consider my more important logins (company accounts, servers and the like), and another that is for lesser services that if I lost or it got hacked then it wouldn’t be a major compromise of anything.
Given this it’s always particularly disappointing when I find something that I really want to use a strong password for but can’t, because the service in question can’t handle how strong my password is.
Take my new bank account with Lloyds TSB. The password for the internet banking is 6-15 characters, must contains letters and numbers, but cannot contain any spaces or anything non-alphanumeric. Bang goes about 4 characters from my strong password.
Lloyds aren’t alone either. I also have a savings account with Citibank. To log in to their online banking I am not allowed to type in my password by hand, instead I must use an onscreen keyboard with my mouse. Now I’m not quite sure what this is meant to serve, all it does is enter the characters into a regular html input box, you know, easily readable from an add-on or other form of spyware. And even worse the keyboard gives me just 51 possible characters to choose. At least Lloyds let me use both upper and lower case!
Maybe all these places having quite different restrictions on what characters I can use in my password is a cunning ploy to make me use a different password everywhere, but I find it a little disturbing that I’m able to use a stronger password with my online pizza delivery place than with my bank accounts holding thousands of pounds of savings.
David Baron recently put out the call for there to be more leak testing on trunk builds.Â We have a number of regressions that we need to find and fix before Firefox 3 goes out the door. The best way to do leak testing has always been to use his excellent leak-gauge script which catches more leaks than the leak monitor extension. Unfortunately the leak-gauge script is not the easiest of beasts to play around with.
Thankfully for some time now Nightly Tester Tools has had the leak-gauge script included in it to hopefully make this process a bit easier. I discovered today that that functionality has actually been broken on trunk builds so make sure you pick up the latest version 1.3b1 if you want to use it (don’t worry i should be pretty stable as betas go). Once installed just go to Tools – Nightly Tester Tools – Analyse Leak Log. Tell it where to find your log and it will create a leak report that you can copy to the clipboard at the touch of a button.
Unfortunately you still need to actually create the leak log, I suggest a script something like this (will need adapting for other platforms):
cp -f nspr.log lastnspr.log
Then you can analyse lastnspr.log while still logging the current run. In Firefox you can even set the log analyser as the home page so it automatically loads the last log on startup.
Note that you can’t analyse the log being generated by a currently running app, nor one from a crashed session in an app, both will look hideously leaky. Please be sure to file good memory leak bugs and good leak hunting.
Wow, it’s been a month to the day since my last post here, and quite a lot’s happened in that time. Those of you that keep up on Mozilla things might realise that I have changed jobs and I’m now working for Mozilla on the Firefox team under Mike Connor. I’m going to be putting work into the addons side of Firefox 3, in particular taking some of the main requirements as well as tackling some of the really irritating issues that have lain dormant for a little too long for my liking. Most exciting stuff for me right now (yes I know, I’m sad!) is that I’ve been working on doing unit tests for the extension manager component which makes testing new patches far easier to my mind as well as of course allow us to start catching regressions.
Getting this new position has been quite a fantastic achievement in my eyes and it’s allowed me to do other things that I’ve been needing to do for some time, like move house and various other personal goals that I won’t bore you with here.
In case you were wondering how this affects my extensions, well not much in all honesty. They are still all my personal work and all done in my personal time and the amount of time I have spare to work on them is (unfortunately) still about the same. I am however thinking about a fundamental change about how my extensions are available to the general public and in particular one that I think will encourage more outside contribution to my extensions, meaning that the burden is taken off me as a lone developer to add features and fix the bugs. I’m still mulling this over at the moment so watch this space for further news.
Update: Mozilla now produce intel gecko SDKs so there is no need to use the version I have put here, I’ll leave it for posterity though.
It’s currently a bit of a pain building xpcom components in intel macs. The only officially available sdk is ppc only. Until Mozilla come up with an official version, here is an intel build of it for those that want it: gecko-sdk-mac-intel-220.127.116.11.zip
As the name suggests it’s built against Gecko 18.104.22.168. To the best of my knowledge it’s right but please don’t bug me if you can’t get your component to work with it unless you’re pretty positive that it’s the sdk that’s wrong.
Right now I have no clue how you’d go about making a universal sdk, maybe if you know of a simple way then you could get in touch.
I can’t believe it’s been over a month since I wrote something here. Well I kinda can, lots of hectic stuff going on at my work right now which has been making finding time for Mozilla stuff tricky. Hopefully not for much longer.
I’m glad to say that I have managed to make great progress on the zip writer component. I have decided that dealing with multiple platform compiles for Nightly Tester Tools is just a bad idea, so instead I have pushed on with submitting the zip writer to Mozilla for review. Hopefully that will make it into tree where I (and of course anyone else) can just use it. There’s been a bunch of changes between the version I posted earlier and that that’s gone up for review, not least of which is a set of testcases that have made sure I didn’t break the old by making some cleanups.
Lots of people have been bugging me about when new versions of my extensions are going to be done. Sadly I can’t really do this. The old adage of “It’ll be done when it’s done” certainly applies. For most I don’t have a good handle on how much work is left and I certainly don’t know how much time will have to spend on them in the near future which sort of messes up any planning.
Oh and I’d just like to say hello to all you people reading planet out there. Assuming I haven’t broken my atom feed you should be able to see everything I write here from now on, you lucky lucky people!
Obviously for those keeping up with this rather minimal blog I’m somewhat behind where I hoped to be since my last post. Still no new release of Nightly Tester Tools so I thought it worth giving a quick roundup of the few extension’s I’m still working actively on and what’s happening with them:
Nightly Tester Tools is getting the main development work right now. My previous few weekends have been spent working on coding zip support so that it can update an extension’s compatibility info on the fly in the xpi file. This will allow the Mozilla extension manager to do it’s job, which is handling the safe install of the extension itself. Right now I’ve slowed down because I’m about to start talking to Mozilla about getting the zip writing component into the Mozilla platform which will undoubtedly require some API changes. That and I don’t have a Linux or Windows platform to do a build of the component on. If anyone wants to volunteer to assist (you need to already have experience of building a mozilla app) then please get in touch.
Tab Sidebar is an extension that many are waiting for the updates that I currently have in development. A lot of it is there and working, unfortunately there are also some broken bits so it’s really a case of finding the time to get those fixed.
/Find Bar/ is now totally broken on trunk builds of Firefox, but should still be ok on 2.0.0.x builds, though I have had a few error reports and suggestions on how to proceed. The next steps are to make this handle block content in pages as paragraphs and then to try to find and fix what’s causing a rare crash. I also need to work out how toadd to the new find bar widget on trunk without duplicating too much of it, but so far that’s proving to be tough.
Toolbar Thinger is not receiving a lot of attention. I have had some good reports that people are finding it very useful, also a couple of reports of problems unfortunately not in enough detail for me to be able to track the issues down. At some point I want to find a nice icon for it, do a full track through for any issues I’ve missed and then do a first proper release.
Update Channel Selector was always a very simple extension and so unsurprisingly it’s not needed a lot of work. Unfortunately it seems that Vista has changed that. In order to change the channel, the extension has to overwrite a file in the application’s installation directory. Vista doesn’t let you do that as easily as previous versions of Windows did. Unfortunately I do not have a Vista machine to play with so resolving that could take time.
Since both those extensions are open source (as are all my extensions) if anyone particularly wants to take over development of them then I am happy to discuss that possibility.
I spent some more time this weekend hacking on my Zip Writer component. It’s now pretty capable. It can open existing zip files and remove entries and append to them, happily rewriting the headers and everything exactly as it encountered them. And the other major win is that I have deflate code up and running which makes compression possible.
All this has allowed me to reintroduce making extensions compatible during the install process in a far safer way than was the case before. NTT can now watch the EM datasource, spot that an extension has finished being downloaded, then open that extension’s xpi file and if necessary rewrite the metedata to claim compatibility with the current version of whatever app you happen to be running in.
Depending on time I may have the next release of NTT out the door by the end of next weekend, but things are hectic as usual and I have to be various places over the coming week.
So there’s been this bug in Firefox for … well quite a while where it would suddenly stop remembering your toolbar customisations, window positions and even make your bookmarks appear to not be there, and in Firefox 1.5, make the search bar non-functional.
Well I’m quite proud to say that after quite a lot of research, and help from those guys doing Firefox support, particularly stevee, I think I have a fix for at least part of the problem. This bug (or at least the part I’m interested in) is all caused by one corrupt file. For quite some time I was unable to reproduce, and it turns out that that’s because the issue actually resolves itself in Minefield which is what I use day to day. Once I started testing on BonEcho it became pretty obvious what was going on. So the patch I’ve just posted for review basically spots a corrupt file on startup, and deletes it. Short and sweet.
Of course it’s not really the solution to the problem, just a nice way to make Firefox recover without too much hassle. The real issue is how the file gets corrupt in the first place.
One of the annoying omissions from the Mozilla platform has always been the inability to create a zip file. It’s been bugging me for some time since it’s the only way for Nightly Tester Tools to properly manage overriding compatibility for an individual extension install, without doing dangerous things like it used to. There’s been a Google Summer of Code project on creating such functionality but it didn’t get all that far.
Well Saturday night I finally bit the bullet, after talking about it for a long time, and took a crack at it myself. I didn’t like the API’s presented in the SoC project so I decided to just start from scratch andknock up something really really simple. And when I say simple, I mean that initially all this thing was going to do was create a zip file (no editing existing ones), and add files and folders to it, with no compression. That makes it simple see, just add a few file headers here and there and all you’re doing is copying data around.
So onto the second implementation in C++ this time. I guess it was probably inevitable that it would come to it, but JS at least is real quick to prototype things like this in. The C++ implementation now works as well as I’d initially hoped, so since then I’ve of course got bored and started looking into having real compression in there and maybe editing zip files in the future. Like most of my code all this is open source, you can view it in my subversion repository. What’s more, since I moved on, Mook has taken the JS implementation, plumbed in some cleverness and made it work for binary files too!
Obviously the code is to be used at your own risk and right now it’s not all that thoroughly tested. Hopefully though if I can convince bsmedberg of my API’s, this code might end up making it onto trunk so everyone can use it.