Loud ramblings of a Software Artisan

Friday 4 December 2015

Let's encrypt all the things

Now that letsencrypt is more widely released, I took the opportunity to generate the certificates and install them manually on my hosting. In the future I will flip the switch to force HTTPS here. For now I made sure to avoid mixed content as much as I could.

This was long overdue.

PS: I forgot to thank @CorySolovewicz who helped on Twitter with the "invalid" private key problem.

Friday 11 July 2014

Github tracks you by email.

That's right. Github tracks you by email. Each Github notification email contains a beacon in the HTML part. Beacons are usually one-pixel images with a unique URL that tells the sender whether you viewed the email or not, triggered by the HTML renderer downloading the image to display it.

Two safeguards against that tracking:

  1. don't automatically download images in emails - lots of clients allow this or default to it.
  2. view email only in plain text: impossible with some email systems or clients, like K9-Android or just GMail. (This is by far what I do in Thunderbird.)
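To see what the first safeguard protects against, here is an added example (not code from the post) that scans the HTML part of an email and flags images declared 1x1 or hidden by CSS, the usual shape of a beacon. The sample HTML, URLs and token are constructed.

```python
# Added example, not from the post: heuristics that flag likely tracking pixels
# in an email's HTML part. The sample HTML, URLs and token below are constructed.
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<html><body>
<img src="https://example.invalid/logo.png" width="120" height="40" alt="logo">
<p>Someone commented on your issue.</p>
<img src="https://example.invalid/beacon/3f9a1c7e2b?u=42" width="1" height="1" alt="">
<img src="https://example.invalid/spacer.gif" style="display:none">
</body></html>"""

_CSS_SIZE = re.compile(r"\b(width|height)\s*:\s*(\d+)(?:px)?", re.I)
_CSS_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(attrs):
    """True when every declared width/height (attribute or inline CSS) is <= 1px."""
    sizes = []
    for key in ("width", "height"):
        val = (attrs.get(key) or "").strip()
        if val.isdigit():
            sizes.append(int(val))
    for _, val in _CSS_SIZE.findall(attrs.get("style") or ""):
        sizes.append(int(val))
    return bool(sizes) and all(s <= 1 for s in sizes)


def _is_hidden(attrs):
    return bool(_CSS_HIDDEN.search(attrs.get("style") or ""))


class _BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "img":
            return
        attrs = dict(attrs)
        if _is_tiny(attrs) or _is_hidden(attrs):
            self.beacons.append(attrs.get("src") or "")


def find_beacons(html_body):
    """Return src URLs of <img> tags that are 1x1/0x0 or hidden: classic beacons."""
    finder = _BeaconFinder()
    finder.feed(html_body)
    finder.close()
    return finder.beacons


if __name__ == "__main__":
    for url in find_beacons(SAMPLE_HTML):
        print("possible tracking pixel:", url)
```

A beacon can also be a normal-sized image with a per-recipient URL, which these size heuristics will not catch; not loading remote images at all is the only complete defence.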

Now I complained on Twitter, and according to Github's Zach Holman:

"It’s a pretty rad feature for a ton of our users; reading a notification in one should mark the web UI as read too. We dig it."*.

Sorry, but there is no opt-out from tracking. Holman also said:

"you can just disable images. It’s the same functionality in the email as on the web, though. We’re not spying on anything."*


"[...] It’s just in this case there’s zero additional information trading hands."*.

Note that recent events showed me I couldn't trust Github's ethics anyway, so I'd rather they not have the info that they claim never changes hands.

This wouldn't be important if Mozilla didn't mostly require Github to contribute to certain projects including. I filed bug 1031899. While I can understand the feature, I believe user privacy should be paramount, therefore not being able to disable tracking is a serious ethics issue.

Tuesday 29 April 2014

Fixing deprecations

Also, I updated the PHP version on the hosting side (the hosting company did, I just clicked on the button in the panel). This caused some glitches with the antispam and the rest when commenting. Sorry about that.

I addressed the known issues, related to deprecated PHP functions. This is still easier than upgrading to the newer version of Dotclear that breaks the URLs.

Sunday 9 February 2014

The open content

Open content is content that is also available openly.

The short version: people claim they don't blog anymore but write at length on Google+, a platform that is closed (does not allow pulling the content via RSS), discriminates on names, and in the end just represents the Google black hole, as it seems only Google fanboys and employees use it.

This also applies to Facebook, Twitter (to a lesser extent, just because of the 140 character limit) and so on.

Sorry this is not the Internet I want. It is 2014, time to take it back.

Monday 1 July 2013

Your next mobile app should be web based

There is no question about that.

I just switched from an Android phablet made by Samsung, a device I came to hate for many reasons, to a Firefox OS Geeksphone Keon. That was my second Android phone; I switched because I got it for free[1], needed a carrier that worked better than the failure that is WIND Mobile on which I was using my Nexus One[2], and said Nexus One was just abandoned for OS upgrades by HTC AND Google after 22 months. I have to admit I still missed the Nexus One, as Samsung didn't make Android better, quite the opposite.

Back to the point. I got that Geeksphone Keon, provided by my employer: Mozilla.

This is not a review of the phone, BTW, and all of this also applies to the just released Firefox OS phone in Spain.

On my Android phablet[3] I used 4 applications: the web browser, a twitter client (not Twitter's own though), Instagram and Foursquare.

On my Firefox OS phone, I had to scrap the last two. Why? Because despite requiring an internet connection and having some sort of web interface, they are unusable on the web.

Web browser

On Android I used Firefox for Android as my web browser. It is currently the best solution for web browsing, designed to protect your privacy and to run on more devices than Google's own Chrome. Call me biased if you want, but the truth is I have been using Firefox on the desktop too.

Firefox OS web browser is basically the same thing.


Twitter

Twitter is a bit hurtful. It is designed from the ground up to be used as a web application. Twitter has a mobile version that is meant to work well on small screens. They even have a packaged version for the Firefox OS Marketplace. Where it hurts is that the Twitter web UI remains awful, either deliberately (given that the iOS client is awful too) or because we got spoiled by third-party clients. On Android I was using Twicca (no source code) or Twidere (broke a bit at one point), but it should be noted that Twitter gave the finger to third parties when they added restrictions on the development of clients, as well as bickering with Instagram to not show their content inline.

They get almost full marks for being a web app and treating it as first class.


Foursquare

On the desktop, if you go to Foursquare you get a decent web application, albeit you can't do the major thing Foursquare calls for: check in.

On mobile, if I visit the website on Firefox for Android I get prompted to download an app.

On Firefox OS it is worse. Looks like their detection fails and they offer the desktop website, which is mostly unusable on such a small screen. I filed bug 878132 for our tech evangelism to eventually have a look at.

Seems like they didn't go all the way to make it relevant on the mobile web. Sadly. The experiment I started at the end of last year when I signed up for the service stopped right here at Firefox OS. It seems that I don't need it. They lost a user.


Instagram

This one is the worst of the worst. First and foremost their web interface for desktop is very limited. Secondly, it doesn't scale at all on mobile - some content scales better than other. Third, they bickered with Twitter so that their content is not viewable inline.

Why does that last one matter? Try viewing the instagram content in the Twitter mobile web client.

I give it an F.


Simply make your mobile app web based. It will run on iOS, Android, Firefox OS, Blackberry, etc., people will be able to follow when they change phones, and you won't need to spend a lot of resources on each platform.

Also if you really want to have a packaged app, remember there are technologies like PhoneGap whose purpose is exactly that.


[1] minus the money I had to spend for unlocking it, thanks to consumer protections that don't exist in Canada

[2] first and foremost I didn't have service at the office downtown. second I was in the process of moving to Montréal where they don't have service anyway

[3] in case you didn't realize, I call it phablet because it is a small tablet that one can use as a phone. Too big for your pocket, too small to be a good tablet, the worst of both worlds. It would never have been my choice; but one doesn't simply look into the gifted horse's mouth.

Tuesday 2 April 2013

Mozilla is 15

Mozilla is 15 and that's 15 years of fighting for the open web. I remember the source code release; I built it on a Pentium 166 with 64MB of RAM, a Debian box. Maybe less RAM than that, I forget. It was huge.

Since then, the web has moved forward big time, and Firefox helped users take back the web by bringing down the IE supremacy and focusing on standardized web technology.

I have great hopes for the future of the free web.

Wednesday 20 March 2013

The importance of RSS and friends

Google shut down Reader, their feed aggregator. Speculation is that it is to promote the use of the proprietary publishing silo that is Google+, and I'm not saying this out of a Google+ grudge I might hold; I actually believe it might be one of the considerations.

Imagine for a second that all the content was pushed exclusively to a popular silo like Twitter, Facebook or Google+: it would be confined to these environments and people wouldn't be able to aggregate it elsewhere. Now what if one of these hugely popular silos disappeared? It has happened, it can happen again, I have numerous examples. And I am still looking for the Google+ or Facebook feeds, while it is clear that Twitter already removed theirs.

With RSS[1] all we need is a different aggregator to pull the feed. It would still work. And that's what's happening with the Google Reader user base: they are moving to other platforms that offer the same feature, either web based or desktop software.

Let's take this as a learning step and continue focusing on open standards for publishing. Let's continue to provide feeds. Let's continue to request feeds. And more importantly, us software hackers, let's continue to provide awesome libre software to do the job, on which we can reliably build.


[1] this includes Atom and other variations of feed publishing based on open standards

Wednesday 26 September 2012

Bad security

Broken Lock by lyudagreen, on Flickr

A big North American online travel booking system still stores passwords in plain text. Worse: they claim they take your security seriously. Here is the excerpt of the confirmation email you get when you register:

PASSWORD:  We're serious about security. Since your
password is confidential, we won't repeat it here. However, if you ever
forget your password, you can always request a reminder

Yes, the email has been capitalized.

The other day I wanted to book some airline tickets, so I returned to the website. I had forgotten the password. No biggie, I followed the "lost password procedure" and chose "email" instead of the still idiotic "security question".

Guess what? I didn't get a link to reset my password, or a temporary password. No. I got my password sent in plain text. Worse. It was in UPPERCASE and the passwords are case insensitive in the system. Wow. Just wow.

PS: this is not the corporate travel booking system we use at Mozilla.
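To make the contrast concrete, here is an added example (my own code, not the booking site's, reconstructed from what the post describes): the "reminder" design that can only exist because the uppercased plaintext is stored, beside a design that stores a salted slow hash and handles forgotten passwords with a single-use, expiring reset token. Class and function names are my own.

```python
# Added example, not the post's code: the "reminder" pattern it describes beside a reset-token design.
import hashlib
import hmac
import secrets
import time

# --- Weak: reconstructed from the post's description of the booking site -----
class WeakAccounts:
    def __init__(self):
        self.db = {}  # email -> uppercased plaintext password

    def register(self, email, password):
        self.db[email] = password.upper()  # case-insensitive, stored in clear

    def login(self, email, password):
        return self.db.get(email) == password.upper()

    def reminder_email(self, email):
        # A "reminder" is only possible because the plaintext is recoverable.
        return f"Your password is: {self.db[email]}"

# --- Hardened: salted slow hash; reset via single-use, expiring token --------
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor
TOKEN_TTL = 15 * 60   # reset link validity in seconds

class HardenedAccounts:
    def __init__(self, clock=time.time):
        self.db = {}      # email -> (salt, pbkdf2 hash)
        self.tokens = {}  # sha256(token) -> (email, expiry); raw token never stored
        self.clock = clock

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, email, password):
        salt = secrets.token_bytes(16)  # per-user salt defeats precomputed tables
        self.db[email] = (salt, self._hash(password, salt))

    def login(self, email, password):
        if email not in self.db:
            return False
        salt, stored = self.db[email]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def request_reset(self, email):
        if email not in self.db:
            return None  # caller still answers "check your mail" to avoid enumeration
        token = secrets.token_urlsafe(32)  # what goes in the emailed link
        digest = hashlib.sha256(token.encode()).digest()
        self.tokens[digest] = (email, self.clock() + TOKEN_TTL)
        return token

    def reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).digest()
        entry = self.tokens.pop(digest, None)  # single use
        if entry is None or entry[1] < self.clock():
            return False
        self.register(entry[0], new_password)
        return True
```

Note that the hardened store has nothing to "remind" you of: the server can verify a password but never recover it, so a breach of the table does not hand out credentials the way the post's uppercase reminder does.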

Saturday 30 June 2012

YouTube HTML5 error message decoding

One thing puzzling with YouTube HTML5 support is the message "this video is currently unavailable" which could mean a lot of things. The actual translation is "we need to show you ads and you need Flash for that".

It should be noted that there is no problem on mobile platforms, Android or iOS: the video is shown.

Wednesday 6 June 2012

Deleted my LinkedIn account

Yep, I deleted my LinkedIn account. I got no value from it anyway, and the leak of 6.5M unsalted password hashes was just the icing on the cake. For so long they had deficient SSL support, they ask you to decrypt a captcha to login, and lots of other stupidities. And their mobile app steals or leaks personal info like your iPhone calendar.

I should have done that a long time ago. When they asked a reason I typed in "too dumb with security"

You know where you can find me.

Monday 9 April 2012

On Facebook buying Instagram

This morning we learned that Facebook bought Instagram, and that Facebook paid something like 1B$. I'll skip the part where I find that this acquisition is highly overpriced, and I'll leave the speculation about who might have participated in a bidding war to the analysts.

But one thing I'm sure of is that they didn't buy Instagram for its revenue. What is being said is that Facebook paid 33$ per user, and quite a number of users. But what will they do with that? Simple. Monetize. And this might be the solution to my criticism of Instagram: adding a web frontend to it. A web frontend is IMHO the easiest way for Facebook to track their users. In the announcement Facebook promised to keep Instagram a separate entity, but even if they owe nobody but themselves to hold that promise, they can do that and track users using a web based frontend, like all the "Like" buttons all over the Internet. Similarly I don't see why they should remove the function to tweet the picture. Quite the opposite: keep it, people click to view the picture, "leave" Twitter to go to that Instagram page, and voila. Checked in.

In the end, it will be a bit more like the Hotel California: you can check out anytime, but you can never leave.

If you don't like that, you can still go and request your account to be removed.

Mandatory Instagram. Deep Cove, BC.

Thursday 5 April 2012

On Instagram

Instagram just released the Android version of their application. Instagram allows you to take pictures with your phone, apply some filters, upload them to their service and then have users that follow you comment on or favorite them. A sort of Twitter for images.

This led me to rethink why I dislike Instagram.

I dislike Instagram not because of the photographic aspect of applying random filters to random pictures to try to make them look cool, not because it is (was) an exclusive club for iOS users, users that are self-entitled and angry[1], as there are also plenty of talented people whose work I have a lot of respect for. No, it is not about that; well it could be, but that would be a very opinionated rant that would make me look like a hater. It is about the technical aspect: it is not the web.

Let's see.

If I go to the main website of Instagram, I get offered to download the app for iPhone and for Android, and besides info about them, their blog and their jobs, all I can do is edit my account. Yes you got that: it is about taking and posting pictures, and from there I can't even view anything. WAT?

Now when people share their Instagram picture on Twitter, you get a link like this http://instagr.am/p/JAqNexzGZr/. At that URL, you can see the picture, the comments if any, and that's it. You can not decide to start following the person even if you have an account, nor can you browse through the other pictures. And to get that URL I had to "share" the image via e-mail or Twitter. There was no other way to get it.

That's exactly where my issue is. One has to use the app on a phone (previously only iPhone - even though it worked with other iOS devices including iPad) to view the pictures and the people. It is not a web application, it is Instagram. Imagine if Facebook or Twitter were like that? It is not like the technology is missing. All the browsing and social features can be done as a web application, and modern browsers today would even allow the editing part of the picture, and soon the taking a picture part.

And yes, I have an Instagram account, yes I have posted a few pictures from my iPad and from my Nexus One, one having a better camera than the other. Suddenly I got a surge in followers when the Android version was released. But what if I wanted to use it from b2g[2]? Even Flickr I can.

Mandatory Instagram:


[1] read the twitter stream of @AndroidAGram, what he re-tweets is priceless

[2] notwithstanding that the camera capture isn't functional yet on b2g

Monday 14 November 2011

YouTube HTML5 - part 2

I may have sort of praised YouTube and HTML5, allowing me to view some of the YouTube content without having Flash, and in Firefox since Google supports WebM, to some extent.

Here comes the time to give some tips.

Enabling HTML5

Given how buggy YouTube's HTML5 implementation is, particularly with playlists and users, it is a two step process.

First, you have to enable the HTML5 beta: the page will tell you the status, whether it is enabled or not and what the capabilities are. If you use Firefox, you need Firefox 4, which supports the new WebM open format.

Second, to fix the UI issues, you have to use Cosmic Panda, the new UI. You enable it from that page.

At any time you can return to these pages and revert your selection. Also you have to do that per browser - to be honest, since I'm not logged in, I can't really be sure if it sticks for the user.


Embedding

If you are embedding YouTube video with <embed>, then you are doing it wrong. This is unfortunately what a lot of plugins for CMSes do. You need to use the new <iframe>. For that, when you go to the video page, click share, then embed and you'll have the snippet of HTML to paste. This will embed the video properly, using HTML5 if the viewer supports it, with fallback to the usual way if needed.

Thursday 18 August 2011

Dear Google,

Dear Google,

Who are you to tell me how I should write my name?

You could have managed that one swiftly. You didn't. You got feedback, you answered with a worse policy. Your policy is so bad that it won't even be enforceable fairly, as you still have your own employees with fake profiles, or exempt celebrities.

You created some great products and in that case you f***ed it up real hard.

You disable my profile, goodbye[1].

PS: Get a clue: read My name is me

PPS: even people using their real names get rejected - language warning over there.


[1] as of now I'm still on notice. Not changing it

Saturday 18 June 2011

On upgrading blogging software

After some time on Advogato, which was social before its time in 2001, I decided in 2004 to host my blog. First on my own server on my DSL line, then later, before moving across the country, on paid hosting. While I progressively relinquished the burden of administering the server itself, I still have kept full control of the blog software and the associated data. This is not something that just everyone can do, as it has a set of implications from security to sysadmin.

The software was at first Nitlog, written by software hacker extraordinaire Dave Coombs when at Niti. It served its purpose and was minimalistic by design. No database but flat files to edit. Works great if you have access to the file system to post. Later, I moved to Dotclear, a French blogging platform, GPL licensed, written in PHP. This was around the time when Movable Type licensing changed and the early days of Wordpress. The main motivation for moving to Dotclear was the built-in admin interface and a few other tidbits. I could have fixed Nitlog but laziness prevailed as it seemed to be a rather large change given its design.

Dotclear 2.0 has been out for quite a while now and I have been thinking about upgrading. It isn't until very recently that I actually gave it a try. While the migration process seems to be seamless, importing directly from the database after a fresh installation, there are a few issues I consider important that needed addressing. First it broke the URLs. Dotclear 2 changed the way the permalink URLs are made and the choice isn't as flexible as in Wordpress. While I can understand the benefit of the change, and while it is also addressed using a plugin – a plugin that would redirect old to new – it is a bit disappointing. But that's not all. The URLs for the RSS feeds have also changed. I'm sure I could implement something to redirect, but also, with the previous change in the URL structure, the feed will have new IDs for the posts, wreaking havoc on aggregators where all the articles in the feed will be considered as new. And that's not acceptable from my point of view.

When I moved from Nitlog the URLs were so different that I managed to keep the old ones working with a clever check in the index and never migrated the articles to the new software. The RSS just didn't include these so everything was good.

Now here are the options:

  • keep the current one. Since it is not broken no reason to fix it.
  • move to Dotclear 2 and figure out how to fix the issues above.
  • move to Wordpress as there seems to be a plugin for it, but I'm not sure how reliable it is. And I'm not sure it won't introduce the same issues as Dotclear 2 despite the more flexible URL settings that Wordpress allows.
  • move to something else like Movable Type. I once considered Movable Type for a different project as it had become GPL. Took Wordpress instead.

In any case, only the first solution involves not rewriting a theme.