Thursday, March 24, 2011

What that mysterious fix was: TenFourFox "4.0s"

Those reading earlier entries will notice I was puzzling over two strange commits attached to a (then) sec-locked bug that forced an RC2 and appeared limited in scope. They were indeed limited in scope, but to deal with a problem that has now become public; namely, a certificate authority had credentials stolen enabling an Iranian-based attacker to sign multiple bogus certs. At least one, and possibly more, escaped.

This is one of those cases where I question why something where the exploit was, technically, already in the wild was not publicly disclosed and I would have probably held the release for it at the time.

It is now unclear exactly how much of an impact this bug has because everyone knows about the bogus certs that got released and they are already revoked at the OCSP level. Still, there is the possibility they could be used for nefarious purposes under certain circumstances and I will be releasing a "4.0s" later today with display-version 4.0 but updated build-IDs incorporating this fix. This will coincide with 3.6.16 nicely in any case. For Classilla users who follow this blog, this will be part of Classilla 9.2.2 as well.

Since I'm forcing a re-release, this will also include the more targeted fix for issue 37 which I am pretty sure is secure and stable. That should make all you JavaScript performance gearheads happy again. It will not include the AltiVec WebM accelerator; that bug is snowballing a bit and I want it to have beta coverage. You should expect these builds sometime this evening Pacific time and the G5 is already cranking them out as you read this. (UPDATE 9:10pm: Updates are now available. There will not be a separate changeset pack as, with the exception of the one-liner for issue 37, it is exactly the same and the security issue is in the Mozilla branch.)

35 comments:

  1. Thank YOU!!! You are my hero!

    My Power Mac G4 1.25(MD) still works hard and fast for me. I love it!

    You should put a PayPal donation button or something.

  2. Classic, yes, the paypal button is an idea.
    The guys at http://www.xabaras.it/firefox-powerpc/ have one indeed. BTW, maybe their source can be useful for your work? And conversely? They don't have Tiger support however.

  3. Really amazing work. It makes me so happy that there are others like me who enjoy developing on old Macs, although I don't have the time to do something major like this...

  4. Thanks, Toni and Naiw!

    eorusi, I am flattered by the sentiment but don't accept donations personally. Perhaps if the project grows, fine, but I find money just complicates things and my day job pays my bills just fine. I refuse donations for Classilla as well.

    The Xabaras build appears to be a straight PPC compile of Firefox 4 with cosmetic changes, similar to El Furbe, and it doesn't look like there is additional custom source. Much of the custom source we use is for Tiger compatibility, but a fair bit is also related to the JavaScript accelerator, which is TenFourFox-only, and we also have our own update infrastructure. However, if you see something else about it you'd like me to look into, give me a link.

    The "build farm" is halfway through the architectures (7400 and G3 to go), so we're on target for a PM release.

  5. Luv you man!

    btw, a bug you might have already gotten. Posting a comment to Facebook, the entry field does not size to accommodate more text.

    fyi!

    Thanks,


    Russ

  6. Russ, thanks for the kind word! I have a love-hate (mostly hate) relationship with Facebook, so I have not personally encountered that bug. Your description suggests layout, and it is entirely possible it is Mozilla's bug, not 10.4Fx. If you notice it occurs *only* on 10.4Fx, and does NOT occur in Firefox 4 (3.6 doesn't count), please file it and I'll look into it. I'll accept comparison to any Tier 1 platform, including Linux and Windows.

    For everyone else, 4.0s is up with the security update and the JavaScript performance fix. Go get.

  7. Hey guys!

    Kudos for the project - I had to revive a 1GHz eMac, and after installing Leopard and TenFourFox, it's snappy again :D

    I have a question: has anybody noticed/reported a bug with Arabic text? Letters are displayed as disconnected characters instead of the whole word (characters+ligatures).

    Other than that, so far, so good! Mozilla+Extensions on the Mac again

  8. Hey

    All developers who make programs for our old, but dear machines are heroes. They increase the quality of our LANs. I bet many use G4, G5 under window sharing from Intel Macs.

    Thanks
    Jan

  9. Thanks for the kind words, J and indigoCat :)

    indigoCat, yes, Arabic text by default does not have proper ligatures. This is because the Apple Arabic fonts require CoreText (AAT) to render, and we don't support CoreText. Harfbuzz can do Arabic, which is our font renderer exclusively, but it requires an OpenType font. This is in the release notes; look at issue 5 for an example with a WOFF font.

  10. I'm very happy with this release, it works like a charm!!! :D But I've a question... how do you install more languages? I'm Spanish and I want to translate the browser, he he...

  11. Hi there,

    I downloaded TenFourFox, which I am grateful for. I have a G3 PPC iMac. The one thing that I'm noticing is that some pages do not load properly. Text and images overlap. This is a phenomenon I haven't seen on my Mac in years, probably before I started using Firefox anyway. I never had this problem with Firefox 3.6 (or Safari for that matter), so I have the 3.6 still on the computer in case this problem continues to annoy...

    I am not tech savvy, but perhaps a piece of software is not updated?? What should I check for?

    Thanks

  12. Hi, thx for this great job ;-)

    I'll vote for this project as the best open source project of the year! lol

    As Salva said, how can we contribute and translate this project in our own languages??

  13. Thanks for the kind words. Arnaud and Salva, look at issue 42. An enterprising user is already creating a French translation and I would be happy to facilitate more languages.

    omnipop1026, my suspicion is that the "images" are actually Flash applets. Flash and other plugins are on life-support in TenFourFox 4.x for technical reasons and graphics glitches should be expected. In 5.x, they will be turned off completely. My recommendation is to install a Flash blocker such as Flashblock, which is what I use personally, and then you will only see the Flash applets you want to see. It will also enable your G3 to perform better.

  14. I will follow this blog from now on :) I'm very happy with your work, our G3, G4 or G5 are not outdated machines. I've seen that there are some problems with Flash apps (buddypoke for Facebook, for example), but the same happens under Linux on my PC. But well, Flash under PPC is a very, very bad product. I hope sometime a new and open alternative will grow. I don't like Flash too much, but there are a lot of apps around there.

    Regards :)

  15. First off, grateful for all your hard work 'porting' Firefox 4. However, I would like more in-depth about the plugin problem. It is obvious that there is a problem as there are rendering problems with Flash clearly visible, as on amazon.co.uk MP3 store.

    However, at the same time I am able to run Firefox 3.6.16 side-by-side and this has none of the problems with Flash that I am alluding to. Also Safari 5.0.5 has no problems with Flash. So what has changed?

    I am asking more out of interest than anything else. Clearly plugins don't have a clean separation from the platform. As a programmer, I am curious, because this information is not widely discussed online.

  16. ct1003, what changed is the Mozilla graphics stack to facilitate acceleration. Particularly with respect to retained layers (new in Mozilla 2.0), they were only optimized to work with CoreAnimation, which doesn't exist on 10.4 -- remember that TenFourFox as its name suggests is compiled against the 10.4 SDK. I've played with some experiments trying to flush the layers with scrolling plugins, but the approaches I tried don't seem to work and make things slower. If you have some different ideas about this, feel free to submit code, but it's this sort of plugin rot on PPC that is why I will be decommissioning plugins in 5.0.

  17. Is Flash going to be a thing of the past?? I know that iPads do not have Flash, which at the moment is a real pain in the butt. So what is the alternative? Is there a problem with Adobe? They seem to have a few products that are pretty much universal, like Reader.

    Forgive my naivete on this issue, I just want my computer to work well. Without Flash plug-ins what's a PPC to do?

  18. Not to be flip, but Adobe's already made that call whether we like it or not. PPC 10.1 didn't even get the security update Adobe issued for the other releases (they say it's not vulnerable per my contacts at Mozilla, but that may merely mean it's not exploitable on this architecture), and wide adoption of 10.2 is eagerly awaited by content producers as it offers better DRM. Eventually there will be no way to view such content in PPC OS X.

    Killing plugins in TenFourFox 5 is just recognizing the reality that no one wants us anymore, and plugins are a big issue with regards to stability and security as they are code that's no longer updated and not under our control. It's already a petty annoyance for graphics, and that alone is just going to get worse.

  19. Is there a way to launch the profile manager present in the Mozilla release of Firefox? For example, to launch this initially using Terminal in MacOS, it would be: /Applications/Firefox.app/Contents/MacOS/firefox-bin -ProfileManager However, when I tried this replacing the .app with TenFourFox7450, it returned that the file doesn't exist. Is there another way to do this, or more appropriate syntax?


    Thank You,
    Matthew E. Mills

  20. Matthew, I just tried

    /Applications/TenFourFox7450.app/Contents/MacOS/firefox-bin -ProfileManager

    on my iBook and it came up okay. Did you forget the .app, maybe?

  21. My recent inquiry regarding the profile manager was initiated by my own syntax error because of my copy of the application being located on an external drive. This issue has been resolved.


    Thank You,
    Matthew E. Mills

  22. Hi Classic,
    Yes, I see your point about money.
    As for the Xabaras thing, I cannot really "see something else about it", since I know nothing about programming.

    Last thing, I tried to install Speedyfox (which should be universal and tiger-ready), but it says that my version of macosx does not support it. Do you think it can be an issue related to TenFourFox being installed on my PB? (I have no other firefox versions installed). But maybe it would be the same on an intel-machine with firefox 4.

    Thanks

  23. My PowerBook and myself want to thank you very (very, very) much!

  24. Thanks for this software. It has saved me from having to purchase a new laptop, which for financial reasons, would have been a windoz system.

    About the plugins & flash issues: If you remove plugins altogether, does that mean I can't have plugins like adblocker or firebug? If that's the case, when you finally remove plugin usage, can you have TenFourFox remind me that I can always revert to Firefox 3.x (especially for using firebug)?

    Thanks again, super product!

  25. ppc 970 Dual 2G PPC G5 Leopard 10.5.8
    your G5 app says " not supported on this architecture".
    I downloaded it twice, but noooooo!

    I was SO CLOSE! Dang!

  26. Thanks, Paul and Rebe!

    Rebe, plugins and addons are not the same thing, though they can resemble each other and do similar things, so it can be hard to explain the difference. Even though plugins are being deprecated, addons are not. Things like Adblocker and Firebug are addons, and they will remain supported as long as the addon itself doesn't contain any binaries that require an Intel Mac.

    Sedaray, I'm using the G5 version myself on my own personal G5 to write this. Are you sure you're not using some other build? It looks like you're trying to use Firefox 4, not TenFourFox.

    Replies
    1. Classic I have the same problem Sedaray has
      ppc 970 Dual 1.8G PPC G5 Leopard 10.5.8
      not supported on this architecture :(

      Del Digitall

  27. My old iBook is in perfect condition after 5 years and I am happy I do not need to change to Intel for the time being. I just wanted to say thank you! And definitely add that PayPal donation button :-) Diana

  28. Thanks, Diana!

    eorusi, I'm sorry I missed your post the first time. I don't know much about Speedyfox, but I'll look into it. It's likely it has a binary component that wasn't built for PPC despite what the creator says, however.

  29. Classic, no problem of course. Speedyfox apparently requires Leopard. Too bad indeed, since everyone says it works just great. However, I found that Vacuum Places does exactly the same job, and it's an add-on... though not yet compatible with FF4.
    Thanks

  30. Which flashblock version do you recommend?

  31. The current one will do. I'm using 1.5.14.2, IIRC.

  32. Hi. Still loving and using TenFourFox.

    What is the command-line command I can use to call this to open a given URL?

    Thanks,

    Russ

  33. Probably the easiest thing is to simply use the "open" command. Assuming TenFourFox is your default web browser,

    open http://your.url/

  34. Every time I'm on Amazon.com now, as soon as I search for something using TenFourFox and I go to a particular CD or book, the pg is all shrunk-up like it is making a default assumption that I'm using a mobile device. I'm using a Mac OSX 10.5.8 and though I never had problems before, since yesterday, 1/9/12, it's been stuck in this mode. On every CD, book, etc., I always have to click an "Amazon Full Site" button to go to a larger Mac-friendly version. I spoke to an Amazon rep and they said it is NOT their doing and it is truly annoying since I go to Amazon nearly every day. Do you know how it can be fixed without reloading or changing my browser? I don't want to lose the 200 bookmarks I have stored among other things.
