Hacker News | xxpor's comments


Complete LLM internals noob here: Wouldn't this make GPTs awful at languages like German with separable word prefixes?

E.g. Er macht das Fenster. vs Er macht das Fenster auf.

(He makes the window. vs He opens the window.)


Or exceptionally good at German because they have to keep better track of what is meant and anticipate more?

No I don't think it makes any noticeable difference :)


I'm probably way too English brained :D


> then routes your traffic over a virtual network adapter

This is not a requirement of zero trust.


What arrogance. Why is it their job to gatekeep this?


It literally is their job. One of Mozilla's roles is to give their opinion on proposed web standards. It's one of the factors that determines what actually becomes a standard. WebUSB is Chrome (and derivatives) only at the moment. You can not like where they landed, perfectly valid, but they were asked.


Yes, but instead of saying "this spec is shit and full of vulnerabilities. Let's work on improving it", they just refused to participate in the discussion. What a childish POV.


I don't think that's a fair summary of Mozilla's position on the WebBluetooth/WebSerial/WebUSB specs. Interacting with arbitrary devices has arbitrary consequences; Mozilla seems to assume users are not able to understand these consequences and therefore cannot consent to it.

No improvement to the spec can fix users.


Well, the reason is in the links I provided, and the reasoning doesn't scream arrogance to me.

Personally, I think choice is great. Why be upset when you can download chromium (it is supported by pretty much any platform FF is) and use it to do all sorts of stuff with WebUSB, if you are into that?

Still, I would like to see FF disable these features by default and allow opt-in. I don't see a great reason to avoid implementing them behind some "wall" (other than to avoid an increase in a concealed attack surface).


You are completely missing the point just like Mozilla.

This is the same as a surgeon saying they refused to perform life-saving surgery on you because they don't believe you understand the consequences of the possibility of dying in surgery.

The average person cannot be an expert on surgery or on browser security; it's up to the people that have the education and work experience in there to make those decisions and handle them. Mozilla, as another poster said, has taken their toys home because they didn't get what they want.


Zig's not at 1.0 yet, so there's no stability guarantee at this point.


Be very careful with your threat model here. If an agent attempts to use the codes and they don't work, and they find out there's a dual pin mechanism, you could end up in more trouble than with whatever they'd have seen in the first place.


Yeah, people love to LARP being Snowden but never actually have anything even theoretically worth being sent to border-jail over protecting.

And, if you do, and you're really asking hacker news for opsec advice, I would suggest you abandon your career as a super-spy or whatever you're doing, because you're doing it very wrong.


This is the nothing to hide argument dressed up with hyperbole, straw men, and insults. You're making fun of people protecting basic human rights.


We literally have collectively (to the value that US democracy approximates collectively) decided to abridge those rights within a certain distance of a border. I want people to understand what they are getting themselves into for the sake of their political protest. I would argue it is better to try to approach this reform differently than simply ending up in a border jail with your holiday ruined.


Not a superspy. Oblig: https://xkcd.com/705


Have a phone just for travel. Different account. Only have things you actually need during travel on it. Turn on a cheap plan when you need it. If they ask for something just say you can't remember and let them keep it.


Why bother open sourcing if you're not interested in getting people to use it?


The GPL does not prohibit anyone from using a piece of software. It exclusively limits the actions of bad faith users. If all people engaged with FOSS in good faith, we wouldn't need licenses, because all most FOSS licenses require of the acceptors is to do a couple of small, free activities that any decent person would do anyway. Thank/give credit to the authors who so graciously allowed you to use their work, and if you make any fixes or improvements, share alike.

Security issues like this are a prime example of why all FOSS software should be at least LGPLed. If a security bug is found in a FOSS library, who's more motivated to fix it? The dude who hacked the thing together and gave it away, or the actual users? Requesting that those users share their fixes is farrr from unreasonable, given that they have clearly found great utility in the software.


GPL doesn't force people to share their fixes and improvements. And there is nothing bad faith about not sharing all your hard work for free.


It does if you then share the resulting software. And I think if you make an improvement just for your own enjoyment, you'd be a better person if you shared it back than if you didn't.


A lot of software out there runs on servers and is never shared with users in a manner that matters for GPL.


That's why there is the AGPL to fix that "bug".

Anyway, the GPL is there to protect final users and not the maintainer of the project. And if software is running on someone else's server, you are not the user of that software. (Although you use the service and give the data, but that's another problem.)


The GPL "does not prohibit anyone" in a narrow legalistic sense. In colloquial discussions (see e.g. https://www.gnu.org/licenses/why-not-lgpl.en.html), the Free Software Foundation is quite clear that the GPL exists to stop proprietary software developers from using your code by imposing conditions they can't satisfy.


A decent part of my job is open source. Our reason for doing it is simple: we would rather have people who are not us do the work instead of us.

On some of our projects this has been a great success. We have some strong outside contributors doing work on our project without us needing to pay them. In some cases, those contributors are from companies that are in direct competition with us.

On other projects we've open sourced, we've had people (including competitors) use, without anyone contributing back.

Guess which projects stay open source.


We have a solution to this. It's called the (L)GPL. If people would stop acting like asking for basic (zero cost) decency in exchange for their gift is tantamount to armed robbery, we could avoid this whole mess.


The GPL doesn't do anything when the project is just used internally by another company.

They never trigger the distribution clauses, and they own the copyrights of all the work being done. So if you NEVER distribute binaries outside your company's walls, the GPL is a giant nothing, for most practical cases.

That's why we're starting to see the AGPL more now. But even then, for INTERNAL applications, it's still a nothing.

The GPL doesn't cure people being greedy. It just changes how they are allowed to be greedy.


When I, as a little child (or at least that is how it feels now), got excited about contributing to open source, it was not the thought that one day my code might help run some giant web platform's infrastructure or ship as part of some AAA videogame codebase that motivated me. The motivation was the idea that my code might be useful to people even with no corporation or business having to be involved!


You can want to be helpful without wanting to have power or responsibility.

I'm interested in people (not companies, or at least I don't care about companies) being able to read, reference, learn from, or improve the open source software that I write. It's there if folks want it. I basically never promote it, and as such, it has little uptake. It's still useful though, and I use it, and some friends use it. Hooray. But that's all.


So that if they find it useful, they will contribute their own improvements to benefit the project.

I don’t think many projects see acquiring unpaying corporate customers as a goal.


There are tons of reasons. E.g. public money, public code. We are in research and we are open sourcing because we know that we cannot maintain anything, giving people the chance to pick up stuff without having to buy stuff that is constantly losing value and becomes abandonware very soon these days (at this point we often don't even have the resources to open source). So what you mostly get from us is 'public money, crappy unmaintained code'.


People can use it. Corporations won't. I'm entirely unbothered by this outcome.

This isn't a popularity contest and I'm sick of gamification of literally everything.


What’s the point in people using it if all that profit ends up in someone else’s pockets?


You seem to have mistaken corporations for people.


You seem to think corporations aren't made of people.


Sheds are made of wood, but they aren't trees.


Groups of people are not the same as the people that make them up. They think differently and have different motivations.


Corporations are made of rich stock owners.


Trillion dollar corporations are not "people".


No corporations are people; they are legal constructs. How much money they are worth makes no difference.


How?


This is such a trivial problem to solve. Full disk encryption, or something like https://github.com/tejado/obsidian-gpgCrypt


I like the gpgCrypt approach, but it's not trustable.


Genuinely curious, why? The concept of GPG or something else?


> Warning: Encrypted notes might be stored unencrypted on disk due to Obsidian's caching mechanisms, coredumps, or other reasons.

is one statement from the authors of the plugin.


OK, I agree that's bad behavior from Obsidian


If you're worried about arbitrary code exec from an ffmpeg vuln, Docker is not a sufficient security boundary.


What is?


I've built a custom thumbnail/metadata extraction toolkit based on libavcodec/libavformat that runs the decoding in seccomp's strict mode and communicates the results through a linear RGB stdout stream. Works pretty well and has low overhead and complexity.

Full transcoding would be a bit more complex, but assuming decoding is done in software, I think that should also be possible.
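An added example (not the commenter's toolkit) of the privilege-separation pattern described above: fork a worker, confine it with prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) before it touches any input, and stream the decoded pixels back through a pipe. It assumes Linux and a single-threaded parent; a constructed run-length "codec" stands in for libavcodec, and the hypothetical misbehave flag simulates a compromised decoder stepping off the allow-list.

```c
/* Added example: a decoder worker confined with seccomp strict mode. After the
 * prctl only read, write, _exit and sigreturn remain; anything else is SIGKILL. */
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <signal.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed toy codec: (count, r, g, b) quadruples expand to count RGB pixels.
 * No heap and no syscalls, so it is safe to run after confinement. */
static size_t toy_decode(const uint8_t *in, size_t n, uint8_t *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i + 4 <= n; i += 4)
        for (unsigned k = 0; k < in[i] && o + 3 <= cap; k++, o += 3)
            out[o] = in[i + 1], out[o + 1] = in[i + 2], out[o + 2] = in[i + 3];
    return o;
}

/* Decodes in a confined child and collects the RGB stream into out[cap].
 * Returns bytes received; -1 on fork/pipe failure; -2 if the kernel refused
 * strict mode (child exits 2 before confinement); -3 if the worker was
 * SIGKILLed, which is what misbehave != 0 provokes by calling getpid(). */
ssize_t sandboxed_decode(const uint8_t *in, size_t n, uint8_t *out, size_t cap,
                         int misbehave) {
    int fd[2], st = 0;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                         /* worker: confine, decode, stream */
        uint8_t rgb[4096];
        close(fd[0]);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0) _exit(2);
        if (misbehave) syscall(SYS_getpid); /* not on the allow-list: killed here */
        size_t len = toy_decode(in, n, rgb, sizeof rgb), off = 0;
        for (ssize_t w; off < len && (w = write(fd[1], rgb + off, len - off)) > 0;)
            off += (size_t)w;
        for (;;) syscall(SYS_exit, 0);      /* glibc _exit() uses exit_group: not allowed */
    }
    close(fd[1]);                           /* parent: read until EOF or cap */
    size_t got = 0;
    for (ssize_t r; got < cap && (r = read(fd[0], out + got, cap - got)) > 0;)
        got += (size_t)r;
    close(fd[0]);
    waitpid(pid, &st, 0);
    if (WIFEXITED(st) && WEXITSTATUS(st) == 2) return -2;
    if (WIFSIGNALED(st) && WTERMSIG(st) == SIGKILL) return -3;
    return (ssize_t)got;
}
```

The worker must not allocate or make any other syscall once confined, which is why the buffers are on the stack and the pipe is set up before the prctl; a real decoder would additionally be fed its input bytes over a second pipe rather than inheriting them through fork.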


Full virtualization. Docker implies a shared kernel attack surface, that's what you want to avoid.


Kernel-level exploits are more dangerous but also way less common; for a lot of places Docker is sorta okay as a security boundary.


It's layers. Docker is better than nothing, but a VM is better still, and even better is docker on a dedicated VM on dedicated hardware on a dedicated network segment.


That's sacrificing an awful lot of latency cost for each transcode job though.


Firecracker says it can start a VM in 125 ms, for most transcode jobs that seems like it'd be a trivial cost.


Each job sends a provisioning ticket to a thermal printer. 1 business day turnaround, unless we need to order more servers


To make a bit of a strawman of what you are saying, even better still would be an unplugged power cable, as a turned-off machine is (mostly) unhackable.

To be more serious, security is often in conflict with simplicity, efficiency, usability, and many other good things.

A baseline level of security (and avoidance of insecurities) should be expected everywhere, docker allows many places to easily reach it and is often a good enough tradeoff for many realities.


That escalated quickly.

But I agree.

