Firefox 26, Netflix’s Suro, Vagrants and Dockers and Websockets for all – Snippets


  • Firefox 26 digs in: Today we’ll see the release of Firefox 26, latest in the overly regular Firefox release cycle. From the (currently beta) release notes, we can see the big changes. All but the Flash plug-in are now click-to-play by default, Windows users can update their Firefox without having to write into the Firefox folders, the password manager can handle password fields generated by scripts and on Linux, if the installed gstreamer can handle h264, so can Firefox. A couple of fixes, some developer enhancements and that’s about it. There’s also a Firefox for Android update due today. The release notes note some performance improvements, the same password manager enhancement and some fixes. The developer page for Firefox 26 covers changes of interest to developers in more detail. Firefox 26 will be turning up in updates and for download later today.

  • Netflix’s Suro goes open: From the people who brought you a cloud full of monkeys… Netflix’s latest open source release is Suro, an application monitoring system used by the video stream vendor to track the behaviour of their Amazon AWS deployed applications. Originally based on Apache Chukwa and adapted to fit Netflix’s demands, Suro pulls the company’s monitoring data from the various app clusters and pushes it to S3 (for Hadoop based analytics), to Apache Kafka (and on to Storm, Amazon ElasticSearch and Druid) and to other event processors. There’s a lot more detail in the announcement, including in-production stats and how the pipeline is used to analyse errors.

  • Vagrant meets Docker: The latest update to Vagrant, version 1.4, has been announced and the big improvement in the system that has traditionally been used to create automatically reproducible development environments is the addition of Docker support. The Docker provisioner can install Docker and then lets the Vagrant virtual machine pull and configure Docker containers within it. There are also some enhancements to the scriptability of Vagrant itself, the ability to require a particular version of Vagrant and support for standalone file sync plugins.

  • websocketd: And finally, have you wanted to make a shell script or other app into a WebSocket server but lacked a library or access to the code to do it? Websocketd might be the answer as it turns anything with console I/O into a WebSocket server in a style rather reminiscent of CGI. Remember, most command line applications are not suitable for being exposed to the raw web, but the app could get you out of a hole when prototyping.

And, for reference, everything mentioned today is open source software.

Multiprocess Firefox, Kexec and Secure Boot, Poisoning GCC and OpenNebula 4.4 – Snippets


  • Firefox goes multiprocess: Some years back, Mozilla embarked on the Electrolysis project to give Firefox a multiprocess architecture, where each web page ran in its own process. This idea isolates web pages from crashing each other and should have performance benefits too; Google’s Chrome, for example, was built with such an architecture. Unfortunately, a year later Mozilla put that effort on hold to work on things which would give quicker returns. Well, now it’s 2013 and the project is back and already in the nightlies. A full write-up on Multiprocess Firefox is available on Bill McCloskey’s blog, which explains that there’s no release date for this work yet, how to enable it if you want to try it out, how things will break and how add-ons are affected.

  • Kexec and Secure Boot: Matthew Garrett has written up why kexec is disabled in Fedora when booted with Secure Boot enabled. Worth a read as it shows why being able to swap kernels in such an environment is a bad thing.

  • Poison for GCC: One thing Microsoft have done well is providing red lights for dangerous function calls (like strcpy and sprintf) in their tools (by adding a header file banned.h). Now, Leaf Security Research are creating a version for GCC with a GitHub project to create a “gcc-poison.h” file. Using it could help developers find those nasty vulnerable, error-prone functions hidden in their code base.

  • OpenNebula 4.4 goes “Retina”: The other other open source cloud platform, OpenNebula, has just been updated to version 4.4, codenamed Retina (after the Retina Nebula – this project has the best codenames). The update supports multiple datastores with scheduling policies to spread loads across different VMs and their associated storage. For more details, check the release notes.
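
To illustrate the “Poison for GCC” item above, here is an added example (not code from the gcc-poison project or from this post) of how GCC’s `#pragma GCC poison` directive turns any later use of a listed identifier into a compile error. The list of poisoned names is a constructed subset, and `copy_bounded` and `format_label` are hypothetical bounded replacements.

```c
#include <stdio.h>
#include <string.h>

/* Poison AFTER the system headers, otherwise their own declarations trip it.
 * Constructed subset of unbounded functions; not the contents of gcc-poison.h. */
#pragma GCC poison strcpy strcat sprintf vsprintf gets

/* Hypothetical replacement for an unbounded copy: refuses to truncate or
 * overflow. Returns 0 on success, -1 if src plus its NUL does not fit. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || src == NULL || dstsz == 0) return -1;
    size_t n = strlen(src);
    if (n >= dstsz) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);          /* n + 1 copies the terminating NUL */
    return 0;
}

/* Hypothetical replacement for unbounded formatting: snprintf plus a
 * truncation check. Returns characters written, or -1 if it did not fit. */
int format_label(char *dst, size_t dstsz, const char *name, int id) {
    if (dst == NULL || name == NULL || dstsz == 0) return -1;
    int n = snprintf(dst, dstsz, "%s#%d", name, id);
    if (n < 0 || (size_t)n >= dstsz) { dst[0] = '\0'; return -1; }
    return n;
}

int main(void) {
    char buf[8];
    /* Writing a call to one of the poisoned names here stops the build with
     * an "attempt to use poisoned" error instead of compiling silently. */
    printf("fits:     %d\n", copy_bounded(buf, sizeof buf, "short"));
    printf("too long: %d\n", copy_bounded(buf, sizeof buf, "12345678"));
    printf("label:    %d (%s)\n", format_label(buf, sizeof buf, "ab", 42), buf);
    return 0;
}
```

Because the check happens at compile time, a poison header placed in a project-wide include catches new uses of the listed functions during the build rather than in code review.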

Facebook Rocks, Open Source Managers and Funner Fonts – Snippets


  • Facebook Rocks: Another database open sourced by Facebook? Yup, and demonstrating that the term “database” covers a lot of ground, Facebook’s latest is RocksDB, an embedded key-value store for those user-facing situations where you need a lot of woosh, little latency. Lead developer, Dhruba Borthakur, explains in a blog posting that RocksDB is based on Google’s LevelDB and is tuned to run on many-core servers while making efficient use of storage to cut down on write wear. It’s implemented as a C++ library with arbitrary byte streams for keys and values and all the major components are pluggable and replaceable. It’s published under a BSD licence and comes with an additional patent licence.

  • OSI gets a GM: The Open Source Initiative has long been a purely volunteer organisation and that has limited what it has been able to do. But that’s changing with the appointment of the first employee, Patrick Masson, who’s taken on the post of General Manager at the OSI. Masson has introduced himself to the membership and is setting out on his tasks of running working groups, expanding membership and updating the OSI’s communications. It’ll be interesting to see what a difference it makes.

  • Cosmic Sans Neue: Who doesn’t like programmer fonts with their mono-spaced elegance? But maybe you want something a tiny bit quirkier. Check out Cosmic Sans Neue Mono, which has a tiny bit of quirkiness, not only in its name but in some of the character shapes. You can also find it on GitHub and it’s available under the SIL Open Font Licence.

FreeBSD 10.0beta3, SQL Injections, Rust stacks, InfluxDB and Circus renewal – Snippets


Catching up on Codescaling with some of the less mentioned things worth noting…

  • FreeBSD 10.0’s latest beta: It’s into the home/RC straight for FreeBSD 10 with the release of the third and hopefully last beta of the development cycle. The original schedule would have seen RC2 available around now, but with a focus on a quality release, there’s been a bit of slippage. Check out this FreeBSD News item from September for a feel of what’s going in. I’m looking forward to the switch to LLVM/Clang and seeing how the tickless kernel works out.
  • SQL injection attacks by Google?: Sucuri have come across an odd thing: Google doing SQL injection attacks. Basically, Google’s bots crawl a site with links which would carry out an SQLi attack if followed… and then follow them like the bots they are, which carries out the attack. Google may want to add at least some filtering to their bots in future, but it’s a reminder for any application that ingests URLs from the web and follows them that URLs are not necessarily passive.
  • Rust reworks stack plan: For those interested in the implementation of languages, the Rust developers have decided to drop segmented stacks. Segmented stacks were stacks that were allocated small and expanded as needed. This would have allowed threads to have a much smaller footprint, but it didn’t quite work out that way. Followups on the thread discuss the cost of memory, both having it and accessing it, and alternative strategies.
  • InfluxDB: Databases for time series data are in and the latest open source addition to the game is InfluxDB, which prides itself on having no external dependencies. The Go-based MIT-licensed code has a JSONic HTTP API, an SQLish query language and a playground server to get running with. It’s early days for InfluxDB, but it’s off to a good start.
  • Mozilla’s Circus Renewed: Mozilla’s Services project has announced a new version of its process/socket manager called Circus. Built using Python and ZeroMQ and recently redeveloped to be Python 3 compatible and fully asynchronous, the software lets an administrator manage processes and sockets on servers through a command line, Python API or web console. You can find the code on the mozilla-services GitHub.

EOL for Python 2.6, Docker Inc and more iconic fonts – Snippets


  • Python 2.6 signs out: Python 2.6.9 is the last source-only security fix release for the Python 2.6 family. The 2.6.9 release sees 2.6 officially retired after five years in the field. If you are still running 2.6, UPDATE! At the other end of the scale, Python 3.3.3 got its first release candidate with full support for Mac OS X 10.9 Mavericks.
  • dotCloud becomes Docker Inc: Acknowledging how important its Docker container software has become, dotCloud has announced it is becoming Docker Inc. The platform-as-a-service business of dotCloud will be maintained, but the company’s resources are going into Docker, Docker services and building out the Docker ecosystem.
  • More icon fontage: Bootstrap is not alone in having a fine icon font for its graphical imagery. Say hi to Ionicons, created for the Ionic front-end framework. Very stylish, and MIT licensed open source.

Debian update and freeze plans and openSUSE 13.1 RC – Linux Snippets


  • Debian update: Debian’s second update of Wheezy, 7.2, is now with us. As usual, if you are updating your Debian regularly, you’ll have most if not all of this, but now there are new ISOs to install from to make fresh installs faster. Further details on the update on the Debian site.
  • Debian’s long freeze: Meanwhile, Debian 8 “Jessie” is starting on the long trajectory to release with a date set for a freeze of 5 November… next year, 2014.
  • openSUSE 13.1 nearing: The folks over at openSUSE have published a release candidate for 13.1 and are imploring people to test. One thing that isn’t happening, though, is Btrfs becoming the default, but it is described as a “good candidate for default filesystem for the next release” after the shakedown it’s had in this release cycle. Lots of other updates in the final run up, which should see a second release candidate and a final release on 19 November.

X.org vintage bugs, Google FOSS fixings and a dropzone – Snippets


  • Vintage bugs: Back in 1993, a use-after-free bug when handling ImageText wriggled its way into the X.org server and settled into what is believed to be every X.org server release that came after. Just over 20 years later, a security advisory and patch have been published for the bug. So look out for updates to your Linux distribution’s (or other Unix’s) X.org server in the near future. To many eyes, all bugs are eventually shallow. But who really wants to look inside an X server?
  • Google’s FOSS-fixins: If you are looking for more than just bugs to fix, you can also check out Google’s latest bounty program which is offering rewards for proactively fixing up the security in well known open source applications. First up for rewards are OpenSSH, BIND, ISC DHCP, libjpeg, libjpeg-turbo, libpng, giflib, Chromium, Blink, OpenSSL, zlib and “Security-critical, commonly used components of the Linux kernel”. Help harden them up and you could be in line for up to $3133.7. The second phase will see that set of code joined by Apache httpd, lighttpd, nginx, Sendmail, Postfix, Exim, the toolchain security for GCC, binutils and LLVM and OpenVPN. I applaud Google for this as it goes beyond Google Summer of Code manpower and mentoring and should let a whole new set of contributors help harden the open source ecosystem.
  • DropzoneJS: Do you love sites which make it easy to upload images with a drag and a drop into the browser? The open source (MIT license) DropzoneJS library helps you do it with style, letting you drag files into the drop zone and showing uploads with thumbnails. It’s reported to have some trouble with hundreds of images, but it is also easy to implement, and if that’s what you want to work with, it’s there to be fixed.