Hacking for Christ

Firefox Roadmap

Ben notes that he has updated the Firefox 2.0 Roadmap.

This part doesn't make sense to me:

We're going to replace the existing nomenclature for pre-releases from alpha and beta to "Developer Preview" and "Preview Release" to more solidly differentiate them. The reason: for some time people have associated Firefox Preview - Releases with high quality and we want to make sure there are no guarantees made of any pre-release we offer. We also want to make it clear that Developer Previews in no way represent final or feature-complete code.

He seems to be saying:

• People have historically associated "Firefox Preview Release" with high quality
• Future preview releases may not have that quality
• So, instead of calling them "alpha" and "beta", we are calling them "Developer Preview" and "Preview Release".

Surely that's completely backwards? If they aren't going to have the quality associated with "Preview", we should be avoiding calling them "Preview" anything at all costs!

Or have I misunderstood?

Introducing 'Grout'

I've just released version 1.0 of Grout, a program which solves certain classes of tile-placing, edge-matching puzzles, such as that illustrated here. I originally wrote it to solve specifically six-sided puzzles for a programming competition back in 2001, but then generalised it when I came across a four-sided puzzle at a friend's house.

I don't know if anyone else will have a use for it...

Partially Delumped

Well, that wasn't too bad :-) Still feeling a bit rough, though. And no citrus or dairy until Saturday... not that I can eat anything that isn't liquid or puree right now anyway.

Biopsy results in two weeks, chest appointment in March.

Another Hospital Trip

I'm afraid I won't be around for the next few days, because I'm going into the Royal Marsden in Chelsea to have a small lump removed from the floor of my mouth. This was something I noticed a few months ago, and may or may not be connected with my recent medical adventures in 2001.

During the set of scans they did before Christmas, they also found a 1cm node (well, "white splodge" might be a better description) on my chest x-ray in the upper lobe of my left lung. I'll be seeing a chest specialist about that in due course, no doubt.

Just as last time, I'm finding Philippians 4: 6-7 to be very true. The peace of God really does transcend all understanding.

Firefox To Change Name Again

San Francisco, 25th January 2004 - The Mozilla Foundation (NASDAQ: MOZ) announced today that its ground-breaking Firefox browser would be renamed "FoxGoo" with immediate effect.

"With lead developer Ben Goodger now being paid by Google, it seemed an ideal time to rebrand. Again." commented Mitchell Baker, the project's Chief Name Changer. "We feel that the name 'FoxGoo' more clearly represents our commitment to standards, innovation and choice of integrated search on the Internet. Well, maybe not the 'choice' part."

"Google have decided that it would be much easier to get some mindshare from Firefox's, I mean FoxGoo's success than develop their own browser. I, for one, welcome our new non-evil search overlords", said Asa Dotzler, the Foundation's head of QA, Community Relations and Beard Studies.

Godzilla could not be reached for comment yesterday.

Some Clarifications Regarding about:mozilla

It has come to my attention that there is some confusion over the origin of the about:mozilla text, what exactly it refers to, and the basis of its literary style.

about:mozilla was originally an "Easter Egg" - a hidden amusing feature put into a software program unrelated to its main purpose - in version 1.1 of Netscape's browser. These days, it's so well known that it hardly deserves the name. The history of about:mozilla, giving the different versions of the text displayed, is well explained on Wikipedia. After a small amount of editing on my part of the section about the most recent revision, everything that page says is now true to the best of my knowledge.

The current about:mozilla text is as follows:

This text was written by Neil Deakin in the days following the split of the Mozilla Foundation from AOL. It was one of several suggested texts that we evaluated; we considered this one to be most creative, and in the spirit and style of the previous two. At my prompting, the mozilla.org staff approved the inclusion of Neil's version in forthcoming builds. You can read the bug which documents the development process. I checked a slightly modified version into Mozilla on the 1st September, 2003, and Ben Goodger checked the same text into Firebird (as it then was) later that month.

The nature and literary style of the text may be slightly mystifying to some. To understand it fully, you need to first be aware of the influence of the King James version of the Bible on modern English culture.

The King James (or Authorised) Version of the Bible is an English translation which was first published in 1611. It is so named because King James ordered the translation to be made. For several hundred years, it was the most commonly-used English Bible. Today, it has been superceded by more accurate translations which take advantage of modern linguistic scholarship and a better knowledge of the original text.

However, the language of the King James, which today would be thought of as archaic, has had a significant impact on English-speaking culture. Even today, people often quote the Bible (perhaps unknowingly) in the King James version, or language which approximates or imitates it. For example, they might say "Judge not, lest ye be judged", rather than "Do not judge, or you too will be judged" (Matthew 7:1).

The about:mozilla text is designed to be in the style of Biblical prophecy, such as that found in the book of Revelation, as translated in the King James version. For example: "And out of his mouth goeth a sharp sword, that with it he should smite the nations: and he shall rule them with a rod of iron: and he treadeth the winepress of the fierceness and wrath of Almighty God." (Revelation 19:15). The fictional "Book of Mozilla" is a book of similar prophecy about the rise of "the beast" (Mozilla, who has always been a great lizard) and his triumph over the world. When great changes happen in the Mozilla project (such as the release of the original code, and the split from AOL) the text is updated with a new 'quotation'.

The word "Mammon" is actually taken directly from the original text of the New Testament. It's a word of Aramaic origin, meaning something like 'riches' or, by personification, 'money-god'. The King James rendering of Matthew 6:24 - "You cannot serve both God and Money" - is "Ye cannot serve God and mammon". The word is also found in other related translations, such as the American Standard Version. Mainly because of the fame of this passage in its King James form, "mammon" in still used in English today, and is taken to refer to an imaginary God of money, possessions and pleasure.

So the use of "Mammon" in the text is an oblique reference to the Bible. Just as Jesus in Matthew 6 in the King James Version contrasts serving God and serving Mammon, following the truth and following falsehood, so the quotation sets up the difference between the followers of Mozilla (those reading the Book) and the followers of Mammon (those who oppose the coming world domination of Mozilla). (Some might well associate Mammon with Microsoft; I couldn't possibly comment on that...)

I hope this clears up some potential misunderstandings about the origins and meaning of the about:mozilla text. As a Christian who believes the Bible is the inspired Word of God, and a mozilla.org staff member and Mozilla contributor, I do not believe that there is any problem with about:mozilla from a Christian point of view. I would welcome emails from anyone who wishes to correspond with me on the subject.

A General Solution To Site Spoofing

[For those who may not know: site spoofing is when someone sets up a site and tries to get you to visit it, thinking it's another site. So they might set up http://www.paypai.com (note lowercase I) and send you an email inviting you to visit "http://www.paypal.com" and give your login details.]

Site spoofing is a significant issue. It enhances phishing attempts, which is apparently already a hundred-million dollar industry, even according to pessimistic estimates. It's our users who are being defrauded. And, as spam has shown, where there's money to be made, the problem doesn't just go away. It's mozilla.org's responsibility to do its best to deserve our reputation for security innovation by helping people to not be taken in. Domain name registrars who process thousands of applications per day at low margins can't be expected to hold the fort.

However, finding a solution is hard because it involves communicating clearly and unambiguously to a novice user the tiny difference between a lowercase l and a lowercase i, and every other possible pair of confusable letters, without overwhelming them with so much confirmation and checking information that they just ignore all of it. I'm not sure that there's a textual solution, due to the almost infinite variety of domain names and fonts, and the human tendency to assume something almost the same is in fact the same.

So here's my idea. You hash the domain name, convert the hash into an RGB colour value, and colour some UI element that colour when you are on the site. This doesn't provide any first-visit protection, but it does provide a one-glance check as to whether you are on the same www.paypal.com that you were last week. And sites where you have high-value logins tend to be ones you've visited before.

I continue to maintain that anti-phishing and anti-spoofing efforts are pointless if the true site doesn't at least have SSL. So I suggest that, in Firefox, the background colour of the status bar field which shows the domain name would be the correct thing to change:

• It's semantically associated - the domain name is what's being hashed
• It's part of a piece of UI (the status bar) which is always present
• People look there on secure sites to see the name and the lock anyway.

So if users know from repeat visits that www.paypal.com is legitimate, then www.paypai.com is easily seen as bogus.

The human eye is very sensitive to colour differences; this should mitigate the fairly unlikely event of a spoof having a similar colour as the original. This scheme also has the significant advantage that it requires no user configuration whatsoever, and only minimal instructions ("Colour not the same? Be suspicious!").

There are extra foibles like trying to vary intensity so the colourblind don't get too left out, and limiting the colour range to make sure the text is always readable, but that's the basic idea. For bonus points, we should use a hash function which tries to ensure that the closer two inputs are, the more different the hashes, and for extra bonus points, all browser vendors should agree on the same hash function and colour range, so www.paypal.com is light green in all browsers.

Comment Spam and rel="nofollow"

There has been a lot of noise recently about Google's proposed "solution" to comment spam - the rel="nofollow" attribute for links, which makes search engines ignore them for the purposes of ranking pages by their associations.

It seems to me that there are actually two distinct problems here.

1. Google's problem. "All these comment spammers are messing up our search results. We're not making as much money as before!"

2. Joe Blogger's problem. "All these comment spammers are polluting my blog, and I have to spend ages deleting it all!"
   

Now, which problem does rel="nofollow" actually solve? Well, it certainly solves Google's problem - which is not surprising, given that they suggested it. The Googlebot can say "Ah, this is a blog. Does it have some links with rel="nofollow"? If it does, I can therefore trust all the other links on the page. If it doesn't, I won't trust any of them."

However, to solve Joe Blogger's problem, spammers would have to say "Hmm. I'm going to rewrite my extremely efficient spamming engine to check each blog to see if there are links there that have rel="nofollow" and, if there are, not bother to spam it". But they won't. They'll just spam you anyway.

The only way rel="nofollow" will ever help Joe Blogger is if so many blogs use it that blogspamming becomes entirely pointless - and then the blogspammer will just stop outright. And, given the number of old and abandoned blogs littering the web, that time is some way off.

I suppose it might have more immediate effect on spammers who target particular centralised communities, like LiveJournal. If all LiveJournal links suddenly acquire rel="nofollow", then the spammer may hang up his script. But for Movable Type users like me, where every installation is different, this won't happen. I'll be getting my daily dose of online poker and phentermine (what is that, anyway?) for some time yet.

So What Is a "Derived Work"?

The world of software licensing is, to be honest, a fairly dull one. Lots of reading and interpreting of legal documents, analysis of the meaning of terms, and negotiation with copyright holders.

You would be forgiven for thinking, perhaps, that discussing what is or is not a "derived work" under copyright law (a fairly key point with regard to the GPL, for example) is not the most exciting way to spend your evenings.

However, things can liven up occasionally, as they did last week on debian-legal, where a contributor who was frustrated at going around in circles on an argument over the use of the GPLed Kaffe VM to run the CPLed Eclipse IDE used a fairly graphical but memorable analogy to explain what a "derived work" actually is. I can't say I'll ever be using it myself, but it's an amusing read.

Hendrix Updated

I've updated Hendrix taking into account a lot of feedback which has been given. The new stylesheet is based on planet.mozilla.org's one, and was written by KDS Sahambi - thanks to him for that. More stylesheet ideas would be welcome; just add the &stylesheet=<path> parameter to try out your own.

Please bang on it again, and let me know of any further changes you think might need making.

Bugzilla 2.18 Released

At last, after around two and a half years of development, we've finally released Bugzilla 2.18. My two major contributions to this release were Generic Reporting (a much more powerful way of getting reports of the current state of Bugzilla) and Generic Charting (a way of getting Bugzilla to store data for and later plot an arbitrary query over time). The latter is somewhat less polished than the former; I suspect some more work is going to have to go into that over the next few weeks :-|

My initial implementation was in some ways overcomplicated - it suffered from premature optimisation - and in some ways not complicated enough, for example it didn't have any access control. Lessons learnt :-)

Note: bugzilla.mozilla.org is currently running version 2.19.1+ of Bugzilla - i.e. the trunk from a few weeks ago. It therefore has a few features which the 2.18 release does not. 2.20, the stable release corresponding to the 2.19 development series, will freeze in mid-March for a release sometime in June. In the future, the Bugzilla team hopes to release a new stable version every six months or so.

U.S. Constitution: Explanation Requested

One for all the Americans out there. The U.S. Constitution, as amended, has precisely two mentions of "religion":

Article VI: "...no religious Test shall ever be required as a Qualification to any Office or public Trust under the United States."

1st Amendment: "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; ..."

The first isn't relevant to our question. The second, on a straight reading, means "no official state religion (like those English colonial oppressors have), no government persecution of religion". Establishment in this case takes its original meaning of the verb "setting-up", rather than being the noun "building".

So here's the question, from a confused foreign observer: how does that make stickers on educational textbooks "unconstitutional"?

"Make no law respecting an establishment of religion" seems to have been replaced by the nebulous concept of "separation of Church and State", which has then been broadened into "anything any government or state body does which is even concerned with religion is unconstitutional", and then on to "anything any government, state or otherwise publicly-elected body does which might even be perceived as having something to do with religion is unconstitutional".

It seems to me that, in over-reaching the claims of the first half of the sentence, the U.S. is in serious danger of violating the second...

Text Insertion Technology

I answer a load of email, often with the same text. (People just don't read FAQs). It would be great to press a button in Thunderbird and get a menu of insertable boilerplate text. (A KDE application would also work.) Anyone got any ideas?

I used TagZilla for a bit, but I didn't have time to hack it to not invoke itself on message send. And the dialog doesn't support keys such as Enter to insert the selected text, which is rather annoying.

PalmSource contacts

Does anyone know anyone at PalmSource?

The last person to make significant contributions to the Mozilla codebase who has not given permission for relicensing was an employee of Be, Inc. So, Be needs to give permission for the relicensing. But Be got eaten by Palm, which then split into PalmSource and PalmOne!

So, who owns the copyright to the Be employee's contributions? I think it's probably PalmSource. So, if anyone knows anyone there I can contact to try and work out who to talk to, please let me know. It's not a big thing, and it's not a great deal of code - but it's enough that it would be a hassle to rip it out and have it rewritten.

11,915 Registry Entries?

Window spyware is getting installed via the "download DRM licence" feature of Windows Media Player files distributed over P2P networks (from Slashdot).

"On a fresh test computer, I pressed Yes once to allow the installation. My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting.

All told, the infection added 58 folders, 786 files and an incredible 11,915 registry entries to my test computer."

I don't have much sympathy for people who break the law and end up having their computer trashed as a result. But that's a mindblowing amount of spyware. Why on earth does a DRM system involve the execution of remotely-downloaded code?

Introducing 'Hendrix'

'Hendrix' is a new feedback-collecting mechanism for mozilla.org, designed for people who just want to leave a quick comment or rant, and can't be bothered with Bugzilla. The idea here is to lower the barrier to giving feedback, and simultaneously try and keep some of the less useful bugs out of Bugzilla.

There's a test installation here.

Hendrix is a web-to-news gateway, currently posting to the newsgroup netscape.public.mozilla.test, so this is where you should look for the form output. When it's deployed, it will eventually post to more appropriate group. The two current candidates are netscape.public.mozilla.wishlist, and netscape.public.beta.feedback which, while the name isn't massively appropriate, does have the advantage of being abandoned. Ideas welcomed.

I haven't worked on the styling; it would be great if someone would do a stylesheet for it, perhaps so it fitted in with the mozilla.org look. Everyone can have a go - pass the "&stylesheet=<url>" parameter. And yes, I have protected this against XSS. ;-)

If you want to play with the code, just check mozilla/webtools/hendrix out of CVS. It requires ExecCGI turned on, and the Template Toolkit and Email::Send Perl modules installed.

Griffin iTalk

Maybe someone at Griffin reads this blog ;-) They have a product called the iTalk, which is a microphone and speaker add-on for the iPod. The software is more geared to voice memos than always-on life recording, though.

Implementing Tags

I'm writing an extension to implement a currently-unimplemented HTML tag in Mozilla/Firefox. I can't say what it is; the smart among you may work it out, but if you do please keep it to yourselves :-)

My original plan was to define an XBL implementation of the tag and just bind it on. This plan is simple, but unfortunately it doesn't work. Implementing the tag requires using Mozilla platform features accessed via Components.classes, and as far as I can see, there is no way of applying an XBL binding to a tag in the content area in such a way that the XBL code is privileged - even if the binding uses a chrome:// URL to bind.

So, after much head-scratching and help from Boris Zbarsky, the current, horrible implementation strategy is as follows:

• Overlay browser.xul to add a script
• That script registers a handler for window.onload
• The onload handler adds a "_helper" member to the window.content.document object, which exposes useful methods for implementing <tag>
• This document._helper object is visible from the content

• Add a selector to ua.css (by appending to the file - ick) to bind my (unprivileged) binding to <tag>
• The binding gets invoked when a <tag> is seen
• The binding constructor also registers an onload handler, as the _helper object is not available at binding construction time (because the onload handler mentioned above hasn't yet fired)
• This onload handler eventually fires and calls methods on the now-present document._helper to deal with initial state of <tag>
• Methods on the binding call methods on document._helper as necessary to deal with scripted changes to <tag>

What do you think? Am I insane? Is there a better way?

Possible improvements I don't know how to do:

1. Find a way to make the _helper object available permanently, even while the page is loading.
2. Find a way to inject the binding rule without messing with ua.css.

Reply-To Automunging

Sometimes I have ideas for bits of software and think "that's a great idea, but I'll never get around to implementing it". So, rather than let this particular one go to waste, I'm posting it here to see if someone wants to pick it up and run with it.

For many, many years there has been a flamewar between those mailing-list users who think Reply-To munging is considered harmful, and those who think it is considered useful.

For those who don't know, Reply-To munging is when mailing list software changes the Reply-To header on list mail to point to the list. It's a "holy war" - people have entrenched positions, no-one ever changes their mind, and it's rare to find a list populated with solely one or the other type. I'd argue that the mungers are the majority, but maybe that's because I'm one ;-)

Anyway, here's the idea: a Thunderbird extension which allows you to define the behaviour of the Reply (note: not Reply All) button based on whether the email is from a mailing list or not. It would either reply to the From: address, the To: address or the Reply-To: address, depending on whether you would have preferred the list to be munged or un-munged. Here's a little table of which header to use:

So the extension would have a single bit of configuration - whether you like your lists munged or unmunged. It would then detect mailing list messages based on email headers, such as any of the List-* ones defined by RFC 2919 and RFC 2369, and make the Reply button magically do the right thing without any further hassle.

(Now, if only there were as simple a solution to the tabs-vs-spaces controversy...)

VisitorVille

VisitorVille are a Web analysis company, with the unusual ability to break down their results by company - presumably, by checking the records of which IP addresses are allocated to which organisation. They gather their data from sites within "a network of thousands of web sites" - although which sites those are isn't immediately clear.

Although the results should be taken with a large pinch of salt, a great deal of fun can be had observing, for example, how large companies don't really eat their own dogfood.

For example:

• 66% of Microsoft employee searches are done using Google...
  
• ...and 30% of Yahoo! employees
  
• 0.7% of Microsoft employees use Firefox
  
• Either the detection isn't too good, or a lot of Apple employees use iCab, OmniWeb or Opera
  
• There's a small but enduring OS9 community at 1, Infinite Loop
  
• Sun uses more Windows than Solaris
  
• IBM is getting with the program; over 7% Firefox/Mozilla
  
• No-one at AOL whatsoever uses any version of Netscape
  

Fortunately, the Mozilla Foundation appears not to be in their database, so I can poke fun without potential embarrassment ;-)

Firefox and Thunderbird Integration In KDE

You would have thought this was easy, but Googling turned up nothing useful (the KDE pref some people mention is mysteriously absent on my Mandrake 10.0 install) and so it took me half an hour. Here's the trick:

Firefox: in about:config, set:

network.protocol-handler.expose.mailto=true
network.protocol-handler.app.mailto=/path/to/thunderbird

Thunderbird: install AboutConfig, invoke it, and set:

network.protocol-handler.expose.http=true
network.protocol-handler.app.http=/path/to/firefox

This then pops up a "handle file type" dialog (not sure why) - pick the firefox executable again. This may not be the most efficient way, but it worked for me.

Somewhat Counterproductive?

At the New Year's Eve celebrations in central London last night, they had two minutes silence for the victims of the tsunami (how does that help them?), broadcast an appeal for funds over the loudspeakers... and then set off a ten minute firework display which cost around £1,000,000 (US$2,000,000).

What's wrong with this picture?

Still, if it means we get the Olympics I'm sure they'll consider it money well spent.