Let’s Encrypt

Today we announced a project that I’ve been working on for a while now – Let’s Encrypt. This is a new Certificate Authority (CA) that is intended to be free, fully automated, and transparent. We want to help make the dream of TLS everywhere a reality. See the official announcement blog post I wrote for more information.

Eric Rescorla and I decided to try to make this happen during the summer of 2012. We were trying to figure out how to increase SSL/TLS deployment, and felt that an innovative new CA would likely be the best way to do so. Mozilla agreed to help us out as our first major sponsor, and by May of 2013 we had incorporated Internet Security Research Group (ISRG). By September 2013 we had merged a similar project started by EFF and researchers from the University of Michigan into ISRG, and submitted our 501(c)(3) application. Since then we’ve put a lot of work into ISRG’s governance, found the right sponsors, and put together the plans for our CA, Let’s Encrypt.

I’ll be serving as ISRG’s Executive Director while we search for more permanent leadership. During this time I’ll remain with Mozilla.

Too many people to thank for their help here, many of whom work for our sponsors, but I want to call out Eric Rescorla (Mozilla) and Kevin Dick (Right Side Capital Management) in particular. Eric was my original co-conspirator, and Kevin has spent innumerable hours with me helping to create partnerships and the necessary legal infrastructure for ISRG. Both are incredible at what they do, and I’ve learned a lot from working with them.

Now it’s time to finish building the CA – lots of software to write, hardware to install, and auditing to complete. If you have relevant skills, we hope you’ll join us.

NPAPI Plugin Bugs, Accessibility

I want to talk a little bit about Mozilla NPAPI plugin bugs 78414 and 93149. I’m surprised by the fact that more people don’t complain about them given how irritating they are, particularly on Linux and Windows. We have an ugly hack on Mac OS X that mitigates the problem so it isn’t as much of an issue there, but the hack violates NPAPI and it’d be nice to not have to use it.

Here’s how annoying these bugs are, you have to use Windows or Linux for this example to work:

1. Open a new window in Firefox.
2. Go to a YouTube video, I suggest this one (I wouldn’t rickroll you, pinky swear!).
3. Click in the plugin, either on the video or the pause button or wherever.
4. Hit ctrl-w in an attempt to close the window.

Surprise! The plugin ate the keyboard command and the window is still open. It’ll eat tab key presses too, so you can’t tab focus away from the plugin. I don’t know how Windows and Linux users can stand this. At least on Mac OS X we let any keyboard commands in the native menu bar have first crack, and if they don’t do anything then we let the plugin have the event. This is a problematic and incomplete solution though, I won’t get into it here except to say that doing the same thing on Windows and Linux would be nasty. We need to fix the problem the right way, which will probably be a bit of a slog because it’ll most likely require changes to NPAPI and a fair amount of discussion between browser and plugin vendors.

In addition to being irritating, these bugs are problematic in terms of Section 508 compliance, which “requires that Federal agencies’ electronic and information technology is accessible to people with disabilities.” They can go on any list of reasons for federal agencies not to use Mozilla products.

We’re going to be looking into fixing these bugs soon, stay tuned…

My Experience with OpenSolaris (NV build 82)

I have been using OpenSolaris instead of Ubuntu on my IBM T43 laptop over the past month. I use that machine to debug gtk2 Firefox and to browse and write email while I’m sitting in my living room. Most of the time I used OpenSolaris NV build 81, for the past couple days I used build 82. I didn’t notice anything different between build 82 and 81 that I care about, so my comments here apply to both.

Install is easy. The setup screens are easy to get through, no glitches. All of the hardware that I care about works fine, including wireless. The one thing I did after my first login is disable the sendmail service via the Services control panel. That gave me a slightly faster boot time, I don’t care about sendmail.

Getting Firefox to build was also easy. There are instructions on developer.mozilla.org, they worked well for me. Remember to use “gmake” instead of “make” when building Mozilla stuff.

For editing code I used Sun Studio. It was easy to configure Sun Studio to be a straightforward code editor, I do my debugging and most other things in the terminal so I don’t care about the project management features. Sun Studio worked really well for my purposes.

With a build environment and a good IDE I was perfectly happy doing my Mozilla work on Solaris. When I’m not writing code for or debugging Firefox, the only app I use is Firefox. The default install of Firefox works just fine for my web browsing and email-writing needs (I use gmail).

There are some things that bothered me during my experience. In order of how much I care…

  • When logging in, gnome’s volume manager and its battery monitor crash every time. This means I have to click through a bunch of crash dialogs every time I log in. Really annoying and it makes me nervous, but as far as I can tell it has no effect on my getting stuff done after the dialogs are gone.
  • There is no easy way to update your OpenSolaris NV install (that I know of). I have to download the new build iso (> 3gb) before I can update. Why can’t I just pull the new packages via software update and not have to deal with a huge iso?
  • NWAM (Network Auto-Magic) has incomplete UI. If you don’t have an ethernet cable plugged in it’ll throw up UI for selecting a wireless network, but once you’re connected to the network you can’t switch networks easily via UI. There is no pull-down menu or anything like that as there is on Mac OS X. Apparently they are working on it.
  • It is hard to find a complete changelog for OpenSolaris builds, so I never know if I should care to install a new build. There is something of a changelog here.

Updated: Updated my updating complaint based on new info. Added more changelog info, got rid of the crash reporter complaint since it isn’t specific to OpenSolaris which is confusing.

KernelTrap Is Awesome Again

KernelTrap is a really great website to read if you’re at least passively interested in OS kernels. For a couple years it was rarely updated and appeared to be largely unmaintained, but they are back with frequent, timely updates and a new UI. They follow Linux kernel development most closely but they also do a bunch of stories about other kernels like the various BSD kernels. This is especially good news since Kernel Traffic is on indefinite hiatus now. KernelTrap isn’t a detailed summary of weekly lkml (linux kernel mailing list) traffic but they do report on certain interesting lkml discussions as they are happening.

Installing and using Ubuntu Feisty Fawn Herd 5

I installed Ubuntu Feisty Fawn Herd 5 yesterday morning on an IBM T43 laptop. As I understand it, Herd 5 is basically the last alpha before the Feisty Fawn beta freeze. I wouldn’t normally bother messing around with an alpha Linux distro, but I had two good reasons for trying it.

First of all, I needed to test something on Linux fast and my friend made off with my FC6 DVD last month. I could either spend half an hour downloading an Ubuntu distro or who knows how long downloading FC6 again.

Secondly, I only really need the distro to compile Firefox and run it so I can take patches for a spin. I don’t need it to work out as something for me to use on a daily basis. That lowers the risk factor significantly, since I can probably live with a fair number of bugs and failures. As I’m excited to see Ubuntu’s progress, I figured it was worth a shot.

I’m glad I tried it because Ubuntu Feisty Fawn Herd 5 is awesome! It installed in about half an hour, with me only having to spend about 30 seconds in the installer. Once I booted into the operating system, I did a system update and pulled down about 550 updated packages. That sounds bad, but it didn’t take long and the update went off without a hitch. Such a big update is to be expected when you’re using an alpha release that is under heavy development. ALL of my hardware worked perfectly without me having to do anything – wired and wireless networking, the display at full resolution, the trackpad, everything. The IBM T43 that I have has some weird hardware and no operating system has ever come close to this level of hardware support – not even a fully updated Windows XP SP2 or a fully updated FC6 (both have terrible hardware support for the T43).

Next task was to get it to build Firefox. Not being an experienced Ubuntu user, I didn’t realize at first that it lacks some basic developer tools by default. Within about 15 minutes I was able to track down all of the packages I needed, they installed without issues, and 30 minutes after that I had built Firefox. Fantastic!

There was one thing that bugged me for a while, until this afternoon. “vi” was behaving strangely, in particular the arrow keys in insert mode would insert characters. Very frustrating. This afternoon I googled around and found out that Ubuntu ships with a mini version of “vi”, and the solution was to install the package “vim-full”. With that solved my Ubuntu Feisty system is a dream all around.

Boot time is great, the interface is nice and refined, everything is snappy and stable, and hardware support is wonderful. In an alpha release! This is how Linux should be.

Fedora Core 5 Linux

Fedora Core 5 is out! I just got an IBM T43 ThinkPad yesterday, perfect for checking out FC5.

The FC5 installer is significantly better than Fedora Core 4’s. Fewer questions I shouldn’t have to answer, and a better organized and easier to use package selection system. The new installer also just plain looks better. Fedora Core 5 was entirely installed in about half an hour.

Two things needed some tweaking in order to work on my IBM T43 ThinkPad – the screen and the wireless card. The good news is that both problems were easily solved.

The FC5 installer didn’t guess my display type correctly, giving me a maximum resolution of 800×600. This was solved by selecting a different display in the installer, “IBM 9514-B TFT Panel” with a resolution of 1400×1050.

FC5 didn’t recognize my wireless card, which has an Atheros a/b/g chip. This problem was solved by going to MadWifi, downloading 3 RPMs, installing them, and following the excellent instructions at MadWifi. My wireless was up and running in about 15 minutes.

I haven’t done much with FC5 other than set it up, explore the interface, and browse around some websites with Firefox (also, I’m writing this weblog entry on it). So far, I’ve noticed that Gnome has gotten faster (FC5 ships with Gnome 2.14), the interface shows some incremental simplification in a good way, and the software updating application (“Pup”) works great. This latter point is a big deal because prior to FC5 the GUI for getting software updates has been absolutely terrible (it rarely actually made it through a single round of updates). I used to have to use “yum” on the command line to get my updates, but there is no need to do that any more.

One thing FC5 sorely lacks is a nice GUI for dealing with wireless networks. Ubuntu has a really nice one, so I know it can be done on Linux. I had to do all my wireless network stuff on the command line using iwconfig and dhclient.

So far installing/using FC5 has been a good experience. Having a fully-functional Linux system in under an hour is awesome. I’ll write more thoughts about FC5 after I’ve used it for a while.

Note: While installing/using FC5 has been a good experience for me, it wouldn’t be for an inexperienced user. The display wasn’t autodetected, the installer still asks a few unnecessary and very technical questions (though fewer than the FC4 installer did), I had to install RPMs for my wireless card, and I had to set up my wireless networking on the command line. Tisk tisk…

SGI Builds World’s Fastest Supercomputer

If you missed it in the news, SGI built the fastest supercomputer in the world for NASA. Named Columbia, this new supercomputer has 10,240 Itanium-2 processors and kicks some serious floating-point arithmetic ass. Officially it performs at 42.7 teraflops (42.7 trillion calculations per second), beating out IBM’s latest supercomputer, Blue Gene/L, by more than 6 teraflops and giving SGI the number one spot in the world. It also gives me a paycheck 🙂

To me, the most important thing about this achievement is that SGI’s machine runs Linux. It’s another great milestone for Open Source – may there be many more (e.g. Firefox 1.0)! I feel so lucky that I get paid to work on Open Source Linux systems! Go Tux!