not all change is progress
December 13, 2015
Direct download links: MP3 & Ogg
0:01:28 News
0:39:00 Over a Pint: Saving Mozilla
It’s long been clear that Mozilla’s management don’t understand the real potential value of the organisation. So stay with us after the news to hear us pick apart some of the recent developments at Mozilla, and to find out how they could become an influential and powerful force for good in the Internet age. Or they could ignore us, and continue on their current path towards total irrelevance and obscurity.
0:01:28 News
Debian GNU/Linux Is Latest Open Source Option on Microsoft Azure Cloud
Not a typo: Microsoft is offering a Linux certification
Linux Foundation and Microsoft: A Great Start to a Great Partnership
Free HTTPS certs for all – Let’s Encrypt opens doors to world+dog
Let’s Encrypt May Improve Security for Regular People More Than Any Other Initiative This Decade
Hacker News thread
PHP 7 Released
Infosec bods rate app languages; find Java ‘king’, put PHP in bin
Google launches new interactive interstitial ads and in-ad game tryouts
Google will retire Chrome support for 32-bit Linux, Ubuntu Precise, and Debian 7 in March 2016
Google’s Chromebooks make up half of US classroom devices
EFF complaint says Google broke privacy pledge by tracking students
Google fights back against EFF claims that it’s probing kids’ privacy
0:39:00 Over a Pint: Saving Mozilla
Mozilla is a dying organisation. Relatively cash rich, but without any apparent self-awareness of what it is that makes many of us still value them, they continue to tilt at windmills and fritter away two key assets: their war chest, and our goodwill.
Consider this less of an Over a Pint, and more of an intervention.
A little while ago you were (rhetorically) asking for examples of people in FLOSS communities using discriminatory language etc. How about starting with your own homophobic imagery?
Perhaps you could give some examples? I just finished this episode and have no idea what you are talking about, unless it was some Britishism I didn’t understand.
Chrome Browser is good, but I have (like many others) found that it freezes up one too many times. Thus my “go to” browser is Mozilla Firefox. Just because Joe likes Chrome over Firefox doesn’t mean that others have the same mind. But anywho, I do love your podcast. I do agree that Mozilla’s management has not been focused.
You may remember my “three waves” articles I linked you to a while back. Your discussion of hobbyists vs bureaucrats in the Linux kernel is basically directly addressed by that. See also https://lwn.net/Articles/563578/ (the squashfs maintainer replying to the kernel guys going “hobbyists? What are those?”)
As for entropy in phones, it’s the same as entropy in routers and other embedded devices, which has been a chronic issue for decades. Linux Weekly News alone has a dozen articles in their “Random Numbers” kernel index section, going back to 2006:
https://lwn.net/Kernel/Index/#Random_numbers
The tl;dr is that any externally visible entropy source (incoming network packets, etc) doesn’t count because the NSA can see it, measure it with nanosecond accuracy, and add it to their simulation to bring the number of guesses they have to make at your key down to a manageable number. (Given that with a parabolic antenna they can read the signals from your screen and keyboard we’re not sure if there’s ANY good source, but that they can’t bulk collect. The “One Drone Per Child” stuff is still a few years away.)
(The thing about the NSA having your data is that unofficially organized crime will have it a decade later. Any data that is collected and never destroyed will eventually leak, the question is how long.)
For those of us who do not trust the letsencrypt script to manage our web server configuration, they provide the “certonly” option, which does just what it sounds like. Then you can use your preferred configuration method to point your webserver’s key and cert directives to the letsencrypt certs and keys (these are symlinked to the current version for each domain, meaning you never have to update the paths when renewing). Pretty easy, and you don’t have to worry too much about letsencrypt breaking your webserver. For the truly paranoid, either read the script, or as Paddy suggested, use or write an alternative client using the API.
For what it’s worth, Let’s Encrypt does require a bit more than email address verification. When you first request a cert for a new domain (or maybe at renewal too?) you have to prove that you control the webserver at that address by means of a few different “authenticator” options.
I set this up for webmail on my VPS, as well as for IMAP and SMTP. No nasty surprises, but I haven’t had to renew yet. I’m going to attempt fully automating renewal with a cron job every 85 days or so.
Hi Nathan, one of the things we’re really not great at on the show — and I’m the prime offender — is in fully explaining topics, rather than simply assuming prior knowledge on the part of the listener (either general Linux/computing background, or awareness of a specific news story). As you say, and like other ‘cheap’ CAs, Let’s Encrypt does require some proof of domain control. It just never occurred to me that there was a need to spell that out, as I’d personally take it for granted that this would be the case, so assumed that the listener would too. This sort of presumptuousness is something we’ve recognised and discussed amongst ourselves, but having it flagged up here may help the need to address it lodge in my brain, so thanks.
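The “certonly” workflow and the cron-based renewal discussed in the comment above lend themselves to one small hardening: rather than firing a renewal blindly every 85 days, check how much validity is left on the certificate the web server is actually serving and renew only when it drops below a margin, so a missed or early cron run is harmless. The following is an added example written for this page, not code from the Let’s Encrypt client or from the commenter; the per-domain symlink path under /etc/letsencrypt/live and the exact renew command are assumptions, and the sample notAfter strings in the docstrings are constructed.

```python
"""Renew a Let's Encrypt certificate only when its remaining validity is short.

Added example (not from the page or the Let's Encrypt project).  It reads the
certificate through the stable per-domain symlink the client maintains, asks
OpenSSL for the notAfter date, and triggers renewal when fewer than
THRESHOLD_DAYS remain.  Meant to be run daily from cron; a missed run just
means the check happens the next day.
"""
import subprocess
import sys
from datetime import datetime, timezone

# Assumed layout of the client's per-domain symlinks (not stated on the page).
LIVE_DIR = "/etc/letsencrypt/live"
# Certificates are valid for 90 days; renewing with 30 days left leaves room
# for a few failed attempts before anything expires.  Threshold is our choice.
THRESHOLD_DAYS = 30


def utc(year, month, day):
    """Helper for building timezone-aware UTC timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_openssl_not_after(line):
    """Parse the 'notAfter=Dec 13 00:00:00 2015 GMT' line printed by
    `openssl x509 -enddate -noout` into an aware UTC datetime.
    OpenSSL pads single-digit days with a second space ('Dec  1 ...');
    strptime treats whitespace runs in the format as flexible, so that parses too."""
    _, _, value = line.strip().partition("=")
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Fractional days of validity left at time `now`."""
    return (not_after - now).total_seconds() / 86400


def needs_renewal(not_after, now, threshold_days=THRESHOLD_DAYS):
    """True when less than `threshold_days` of validity remain."""
    return days_remaining(not_after, now) < threshold_days


def cert_not_after(cert_path):
    """Ask OpenSSL for the expiry of the certificate at `cert_path`."""
    proc = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        check=True, capture_output=True, text=True,
    )
    return parse_openssl_not_after(proc.stdout)


def renew_if_due(domain, now=None, renew_cmd=None, dry_run=True):
    """Check the live certificate for `domain`; renew if it is due.
    Returns True when renewal was (or, in dry-run mode, would be) triggered."""
    now = now or datetime.now(timezone.utc)
    cert_path = f"{LIVE_DIR}/{domain}/cert.pem"  # assumed path
    not_after = cert_not_after(cert_path)
    left = days_remaining(not_after, now)
    if not needs_renewal(not_after, now):
        print(f"{domain}: {left:.1f} days left, no renewal needed")
        return False
    # Hypothetical renew command; the real invocation depends on the
    # authenticator you chose when the certificate was first issued.
    cmd = renew_cmd or ["letsencrypt", "certonly", "-d", domain]
    print(f"{domain}: {left:.1f} days left, renewing with: {' '.join(cmd)}")
    if not dry_run:
        subprocess.run(cmd, check=True)
    return True


if __name__ == "__main__":
    # Usage: check_le_renew.py example.org [--renew]
    domain = sys.argv[1]
    renew_if_due(domain, dry_run="--renew" not in sys.argv[2:])
```

Run it daily from cron (for example `0 3 * * * /usr/local/bin/check_le_renew.py example.org --renew`, an assumed path) and it only spends an issuance when the certificate is actually within the margin; because the symlink always points at the current certificate, the check keeps working across renewals without any path changes.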
Regarding entropy deficiency, I’m not sure about Android devices, but there is a significant concern for virtual machines. Ubuntu created pollinate, which is an “entropy as a service” client, for this purpose: http://manpages.ubuntu.com/manpages/trusty/man1/pollinate.1.html
Hopefully the trusted remote sources of entropy are also sufficient…
In theory KVM and QEMU fake a hardware random number generator as a way to read from the host’s /dev/urandom. The problem is, those devices provide infinite entropy on demand and the host (especially a headless server) has a finite amount of real entropy, so a VM will tend to drain the host’s entropy pool (hence urandom instead of blocking /dev/random).
The paravirtualization stuff is about creating emulated devices that don’t exactly pretend to be real hardware, so you can have for example a “hardware” random number generator that blocks when the host’s /dev/random runs dry, and program the rest of the client OS to be ok with that.
Webservers used to install sound cards so they could switch on an unconnected microphone and read the noise from the low bits to get radio static to mix into the pool. Of course the real crypto guys wonder if that radio static can be simulated from the operation of the rest of the machine, but that sort of thing is crypto guys’ job.
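The entropy thread above (VMs draining the host pool, and a paravirtualised RNG as the fix) comes down to two things an operator can actually inspect: how many bits the kernel believes it has in its pool, and whether a hardware RNG (for a guest, normally virtio-rng) is wired in at all. The following is an added example for this page, not code from any commenter or project: it reads the kernel’s own counters, with the /proc and /sys roots as parameters so it can be exercised against a constructed directory tree offline. The 256-bit low-water mark is an arbitrary alert threshold chosen here, not a kernel constant, and the file contents in `demo()` are constructed.

```python
"""Check a Linux guest or host for a usable entropy supply.

Added example (not from the page).  Reads /proc/sys/kernel/random/entropy_avail
and poolsize, plus /sys/class/misc/hw_random/rng_current, and reports whether
the pool looks starved and whether a hardware RNG such as virtio-rng is present.
"""
import os
import tempfile

LOW_WATERMARK_BITS = 256  # assumed alert threshold, not a kernel constant


def _read(path):
    """Return the stripped contents of a sysctl-style file, or None if absent."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def entropy_status(proc_root="/proc", sys_root="/sys"):
    """Summarise the kernel's entropy state as a dict."""
    rnd = os.path.join(proc_root, "sys", "kernel", "random")
    avail = _read(os.path.join(rnd, "entropy_avail"))
    pool = _read(os.path.join(rnd, "poolsize"))
    rng = _read(os.path.join(sys_root, "class", "misc", "hw_random", "rng_current"))
    status = {
        "entropy_avail": int(avail) if avail else None,
        "poolsize": int(pool) if pool else None,
        # The kernel reports "none" when no hardware RNG driver is bound.
        "hwrng": rng if rng and rng != "none" else None,
    }
    status["low"] = (status["entropy_avail"] is not None
                     and status["entropy_avail"] < LOW_WATERMARK_BITS)
    status["virtio_rng"] = bool(status["hwrng"] and status["hwrng"].startswith("virtio"))
    return status


def build_fake_tree(root, entropy_avail, poolsize, rng_current):
    """Construct fake /proc and /sys trees under `root` for offline checking."""
    rnd = os.path.join(root, "proc", "sys", "kernel", "random")
    hw = os.path.join(root, "sys", "class", "misc", "hw_random")
    os.makedirs(rnd, exist_ok=True)
    os.makedirs(hw, exist_ok=True)
    with open(os.path.join(rnd, "entropy_avail"), "w") as fh:
        fh.write(f"{entropy_avail}\n")
    with open(os.path.join(rnd, "poolsize"), "w") as fh:
        fh.write(f"{poolsize}\n")
    with open(os.path.join(hw, "rng_current"), "w") as fh:
        fh.write(f"{rng_current}\n")
    return os.path.join(root, "proc"), os.path.join(root, "sys")


def demo():
    """Two constructed guests: one starved with no hardware RNG, one with virtio-rng."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        proc, sysfs = build_fake_tree(os.path.join(tmp, "starved"), 37, 4096, "none")
        results["starved"] = entropy_status(proc, sysfs)
        proc, sysfs = build_fake_tree(os.path.join(tmp, "virtio"), 3712, 4096, "virtio_rng.0")
        results["virtio"] = entropy_status(proc, sysfs)
    return results


if __name__ == "__main__":
    for name, st in demo().items():
        print(name, st)
    print("this machine:", entropy_status())
```

On a headless guest the first shape (low pool, `hwrng` None) is the condition the comments describe; the remedy on the host side is to expose a virtio-rng device so the guest draws from the host rather than inventing its own, and the same check run afterwards should show `rng_current` naming the virtio device.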
Hello. About the why Microsoft runs Debian conversation, I think that Valve went to Debian because of trademark issues. Many companies don’t want to have trademark (or legal) issues and prefer Debian, which they can use as they like. Debian, for certain projects, is cheaper or safer or more flexible or all of the above.
George’s points all seem persuasive. I am not at all familiar with what Microsoft’s support offerings are or how resource intensive they are, but I do wonder if Azure already supported Ubuntu how much more effort was really necessary to support Debian as well.
Back in April, The Linux Action Show talked to a Debian developer who works for Microsoft’s Open Source Strategy team (http://www.jupiterbroadcasting.com/81137/rockin-2015-linuxfest-nw-las-362/). That interview might give some more perspective on Azure adding Debian support — at least in one small part of Microsoft there are people who support Debian.
There is a distinction you did not make in the Thunderbird discussion. Mozilla is considering stopping its maintenance of Thunderbird. It already stopped development of Thunderbird several years ago (Thunderbird is not developed by a community not controlled by Mozilla). Thunderbird and Firefox share the Gecko browser engine underneath. Currently, Mozilla engineers help with integrating changes to Gecko (all made for the benefit of Firefox) into Thunderbird so that Thunderbird can keep pulling in security and bug fixes without breaking. Mozilla also helps with various support services like source code hosting and binary distribution.
Mozilla plans to overhaul Gecko to work with html/css/js rather than XUL. The Thunderbird team is unlikely to do a complete overhaul of Thunderbird to keep up with this change, so it will most likely fork Gecko and maintain a XUL version. Mozilla’s chairperson sent out the message about Thunderbird to start the conversation about how Mozilla should handle this — should it continue to maintain Thunderbird after it diverges from Firefox or should it let it go on its own? Should Mozilla still provide hosting/distribution/etc or make a clean break? I have seen some sentiment in the Thunderbird community that a clean break would not be so bad, since they would not have to spend effort on integrating the steady stream of Firefox updates to Gecko, but I worry about losing Mozilla’s official security support (see this post for more: https://blog.lizardwrangler.com/2015/12/03/thunderbird-update/).
Personally, I use gmail’s web interface for most of my email anyway, but I use Thunderbird to keep an offline copy of everything. I’ll be annoyed if I have to come up with an alternative backup. Reasons I have seen given for using Thunderbird include its support for multiple email accounts and its ability to handle pretty large volumes of mail. You mentioned alternatives to Thunderbird including one fork of Thunderbird. One thing you didn’t mention though is that if Mozilla cuts ties to Thunderbird it will effectively become a “fork” of Thunderbird but it will continue to be developed by the Thunderbird community. The last time I looked into Thunderbird alternatives it seemed like the alternative email “clients” with the most active development were web mail servers that you could run locally and connect to via your browser.
You guys are generally pretty adamant about mobile being the future, so I was a little surprised you seemed positive about Mozilla focusing on Firefox moving forward. I guess their future is tied to Firefox for Android? It is a reasonably good browser but my understanding is that its market share is a good bit worse than even desktop Firefox. I guess it ties into several of the points you were making — Mozilla is relevant for its historical role in producing a browser at a time when default browsers were suboptimal and these days all of the default browsers are pretty comparable, so Mozilla needs to find some new space to fill.
My vote for a void that Mozilla could fill is to make a micropayment system that works and that people want to use. Their mission is to foster an open web that empowers users and the current business model of the web — advertising and data harvesting — is fairly hostile to that mission. Unfortunately, they already discontinued a project (Persona) that was along the same lines, though it seemed to be well regarded.
By the way, I don’t think you ever linked to a news story about Mozilla ending its sponsored tiles program, but your discussion about them being led by MBAs spouting gobbledygook reminded me of their post about the end of the sponsored tiles program. It really is worth reading if you want a laugh. It’s amazing he was able to write 6 paragraphs without saying anything: https://blog.mozilla.org/advancingcontent/2015/12/04/advancing-content/
Hi Will — yep, that last link in your comment was the one Jesse was referring to when he used the non-word ‘learnings’. It was in our private notes, but never made it into the published ones (for the sanity of our listeners!)
What you are suggesting about micro-payments is exactly the sort of thing that I was attempting to get at when I was talking about how Mozilla could — and should — leverage their position of trust. They are so well positioned to provide real value for the greater good in this particular sphere that I’m truly shocked that they apparently can’t see it. Or, as was suggested, they do see it, but are simply far more concerned about the next quarterly payment from Yahoo. Immensely frustrating, and ultimately self-defeating for their long-term future.
From our conversation on-air, the three of us seem to have a different take on the value of Firefox itself. Personally, I see the only real long-term value of that browser as being primarily the delivery mechanism for early adoption of these other privacy- and service-related features. Make them open, but use Firefox to kick-start an enthusiastic user base and everyone else will have to follow. Instead, we see Mozilla baking-in proprietary services, and adopting a singularly unimaginative ‘me-too’ approach that is at odds with their own mission statement.
I do understand the technical reasons why Mozilla consider Thunderbird a poor fit in the post-XUL world, but I still think that they’re wrong to be looking to offload, rather than rewrite, at this stage. But that’s only because I can see value in a widely used and respected email client offering seamless end-to-end encryption and message signing. But that comes back to my original contention that the ‘pivot’ they are currently making is the wrong one, when an alternative exists that would benefit both themselves and the rest of us far, far more.
Hopefully, we’ll discuss this a little more on the show sometime soon, as there is so much potential here. Should Mozilla choose to grasp it.
Oops, I should have said “Thunderbird is *now* developed…” not “Thunderbird is *not* developed…”
The content of this website, and that of the podcasts produced by the website owners, is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License.