sorry, did you blink?

I’m in Portland this week for a promising meeting about the Linux desktop, and I got to start my day today with a quick little interview on KCBS-AM about yesterday’s thoroughly be-Digged launch of Firefox 1.5. It was live-to-air, which is a great way to get the blood pumping at 0620, I must say.

If you just must have your audio-interview-of-Canadian-Mozilla-Mikes fix, I entreat you to savour the talking-over-each-other glories of the inaugural podcast of “Inside the Net”.

Other shavermedia exploits of questionable note:

  • “The California Report” on KQED ran a segment on Mozilla in general, featuring interviews with myself, Mitchell Baker, and Robert O’Callahan. MozillaZine has some tips on where in the report you can find all the Mozilla goodness. (Especially Mitchell’s and Robert’s ever more goodly goodness.)
  • The Chris Pirillo Show let me eat up some, uh, bitwaves talking about the Extend Firefox contest. I haven’t actually listened to this one yet, but I presume he edited out all the double-entendre from the raw interview.
  • CommandN, everyone’s favourite indie technology internet video series, filmed me slouching for a few minutes. If you have more bandwidth than taste, you can also see me slouching in high-definition video.
  • I also now have a (huge) video of my LinuxWorld keynote, but I’m not sure where or if I’ll put it up. So bad!

several thousand words

I finally got around to posting the pictures that Madhava took for us of our new house.

oh hell yes

Mom + Intrinsyc = yay!

the maturity of writing your own

Daniel Glazman has written about the pain he’s experienced trying to update his splinter NVu tree to track the significant Gecko development. It’s a very difficult task, and not one that I would have signed up for. There are a number of suggestions that others have made that might have made the task easier, but that’s for another post. To be perfectly frank, I have little personal interest in making the “maintain a fork of Gecko in another CVS repository” use case materially easier, let alone adding cost to already-difficult Gecko development to support it.

(I had a huge section here about the details of internals-vs-platform and some excellent responses that others have made to the post, but I just moved it to another draft because this post is about something else, dammit.)

What I really want to write about is this passage in Daniel’s latest post on the topic:

Let me first give you an example: suppose you are an experienced c++ coder but a true beginner in Mozilla, and you need to build a xul standalone front-end for an app of yours; you can’t rely on xulrunner yet, because it’s said to be a bit immature for the time being. So you want to build a standalone toolkit-based app like Nvu, Firefox or Thunderbird… You start looking at mozilla/browser, mozilla/mail and then you cry. The makefiles are incredibly complex and almost not commented, most of the files in app directory are hard to understand so you don’t really know how to tweak them[...]

If you are a software developer faced with the choice between

  • a piece of software that is designed to solve your exact problem, which is not yet release-quality, but is already being used by other people for their projects in exactly this way; and
  • writing your own such piece of software on the basis of code you don’t understand, and which was never intended to be anything more general than “the startup code for Firefox”

then you might have some reasons to choose the latter, I suppose, but I can’t for the life of me understand how “maturity” is one of them. XULRunner is farther towards its stated goal — which happens to be completely identical to the goal that Daniel uses in his example — than anything you’ll find in the directories that Daniel lists, as evidenced by the fact that a number of people are already using it in service of that goal.

Even if XULRunner falls short of some subgoal today, investment in improving it to suit the needs of your own app is almost certainly the wiser course, as you reduce the need to maintain your own private fork of the firefox/thunderbird/whatever code — back in the early Mozilla days, we used to refer to this as “the stupid tax”, and talk about how it was often a strong disincentive to keep patches private instead of integrating well-designed hooks into the core app.

welcome to “collision is not pre-image” day

If you start your day with slashdot (the informational equivalent of a Snickers-and-Skittles breakfast, IMO, but that’s for another day) or know someone who does, you’re probably aware that “something bad happened to MD5 today”. If you’re not, odds are good you don’t need to really care about it very much, so you can move to the next post in your feed reader.

There are a number of places you can go for a good explanation of what the significance of the MD5 attacks is, which should be a prerequisite for commenting on the effects of making those attacks faster (that’s today’s news; source for a long-known attack made public). It is not, however, so the internets are all atwitter about attacks on MD5-hashed passwords (still fine), software verification (still largely fine, other than bait-and-switching for some edge cases), certificate authorities (could be some really nasty baits-and-switches here), and P2P network poisoning (right in the jimmy).

If you are the sort of person who actually reads to understand before writing to inform, you should probably block off 30 minutes or so for explaining to the breathless around you what actually happened today, and what the attacks really represent in practical terms. (In theoretical terms, they are indeed a mortal blow, but there has been no shortage of such blows for MD5 and SHA-1 for a while now. Anyone building new crypto-using systems, or maintaining existing ones, has been moving to other hash functions for a while, or should have been.)
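The difference between the two attack settings can be measured on a toy hash. This is an added example, not code from the original post: it truncates MD5 to a few bits (the `BITS` width, the function names and the sample messages are all assumptions made for the demo) and uses generic brute-force search, not the published MD5 collision technique. A collision, where the attacker picks both messages (the bait-and-switch cases), costs about the square root of what it costs to match a digest somebody else already fixed (a stored password hash, a checksum of an existing download).

```python
import hashlib
from itertools import count

BITS = 20  # toy digest width, assumed for the demo; real MD5 is 128 bits


def toy_hash(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of MD5, so both searches finish quickly."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def find_collision(bits: int = BITS):
    """Attacker chooses BOTH messages: birthday search, ~2**(bits/2) tries."""
    seen = {}
    for i in count():
        msg = b"msg-%d" % i  # constructed candidate messages
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int = BITS):
    """Digest was fixed by someone else: exhaustive search, ~2**bits tries."""
    goal = toy_hash(target, bits)
    for i in count():
        msg = b"forged-%d" % i  # constructed candidate messages
        if msg != target and toy_hash(msg, bits) == goal:
            return msg, i + 1


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    forged, n_pre = find_second_preimage(b"published-installer")  # constructed
    print(f"collision after {n_coll} tries: {a!r} / {b!r}")
    print(f"second pre-image after {n_pre} tries: {forged!r}")
    print(f"expected order of magnitude: 2**{BITS // 2} vs 2**{BITS}")
```

Scaled to the full 128 bits, the same gap is 2^64 against 2^128 for generic search; the MD5 attacks in the news cut the collision side far below 2^64 while leaving the pre-image side alone.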

begins at home, they say

It’s time for Child’s Play again, and this year our very own Sick Kids is in on the action.

If you were wondering what to get me for Christmas, all 5 of you who read this blog who think about such things, please don’t give me more things that I will have to move. Click and click and make a scary time for a child a little more comfortable.