Codepope's Development Hell


Because development is hell, but it's my hell.

Money for null things - Google hits $2million in security rewards

Google has announced that it has passed the $2 million mark in the total security rewards it has paid out. That's a million for its Chrome/Chromium/Pwnium bug hunt and a million for its lower-profile web application security programme. The former programme has been, predominantly, the headline grabber, with headlines galore when the various cracking competitions kick off, but it's the money paid out to the web application security programme which is more interesting, as it demonstrates that a web surface is a rich seam of vulnerabilities waiting to be mined.

Snippets: SDL 2.0, Perl, PingFS

SDL 2.0: Version 2.0 of SDL (Simple DirectMedia Layer), the widely used zlib-licensed library which offers a Windows, Mac OS X, Linux, iOS and Android library for driving graphics, audio and input, has just been announced. New features, and there are a lot, include 3D hardware acceleration, support for OpenGL 3.0 and ES, and support for multiple windows, displays and audio devices. The Migration Guide has all the details. You can get the source and binaries from the download page and find all the other documentation on the wiki.

ZTE Firefox OS bids for UK/US attention

Been waiting for a Firefox OS phone to land in the UK or US? ZTE have announced that they will be eBaying the ZTE Open Firefox OS phone in both territories through their existing UK and US eBay stores. They have even been running auctions for pre-order collectible versions of the phone - you still have 3 days to bid on the UK pre-order auction but it’s already up to £73 (the list price in the UK will be £59.

Snippets: Tails, Vim 7.4 and Wi-Fi SD hacking

Not Telling Tails: If you need to cover your tracks on the internet and locally, then Tails (The Amnesiac Incognito Live System) will help, as it's a Debian GNU/Linux distribution with built-in Tor support and other privacy tools which doesn’t even leave local logs. Latest version is 0.20 and details can be found in the Tails 0.2.0 announcement. Vim scrubs up: Vim 7.4 was released last week. Highlights are a new, faster regexp engine and a thousand fixes and small improvements, according to the announcement on the developer mailing list, which also contains links to the various versions and a reminder to contribute to the ICCF Holland to help children in South Uganda if you like Vim.

Random issues on Android

Random numbers are hard to get right and it appears that faith in the word “Secure” in front of the word “Random” has tripped up developers again, this time with Bitcoin wallets on Android. Those developers have now been alerted to the fact that, when they are generating a random number to sign Bitcoin transactions, that random number isn’t of high enough quality, making it a lot easier to crack the signing.

Snippets: PyPy.js, reBlink, Patch Tuesday

PyPy.js: Have you considered a Python JIT compiler in the browser? Ryan Kelly, a Mozilla developer, has and is porting PyPy, the Python JIT, to the browser using Emscripten and getting the JIT compiler to emit asm.js code. Asm.js is a subset of JavaScript which has a specialised optimiser. It’s early days for PyPy.js, but first benchmarking of the proof of concept does show how much impact the Asm.js optimisations have on performance, bringing the code to half the speed of the C-based JIT.

Rust now on Rust

Rust, the alternative systems language that’s in development at Mozilla, where they are using it to create Servo, a next generation browser, has just hit a huge milestone and entered into some turbulent territory. The runtime system for Rust, including a task scheduler written in C++, has now been replaced by a runtime written in Rust. Brian Anderson explained in a mailing list post that this was part of a huge rewrite of how Rust is going to handle I/O using libuv and stopping tasks that are blocked on I/O from blocking other tasks.

Google adds patents to pledge but...

Google has announced it is adding 79 patents to its open source patent non-assertion pledge. Of course the pledge is limited only to things where the patents infringed are within the open source element … so no mixing a bit of FOSS into your proprietary application and hoping you’ll get coverage. Although there are 79 patents in the new batch, there aren’t 79 ideas in there. The count includes patents in each territory too, so take “Computer network for www server data access over internet”: that patent is counted ten times, for Belgium, Canada, Switzerland, Germany, UK, Italy, Japan, Netherlands, Taiwan and the US.

Snippets: AOSP, Google Cloud, PuTTY, gNewSense and Mozilla updates

AOSP - Android’s open source problem: JBQ, Jean-Baptiste Quéru, announced yesterday that he was stepping down as Technical Lead for AOSP, the Android Open Source Project. The problem appears to be a combination of Qualcomm’s desire to keep control of its SoC drivers and Google’s inability to shake them of that view despite building Nexus devices which use Qualcomm chips. JBQ has found himself in the middle of this, and recent tweets quoted by Android Police seem to bear out that the pressure was getting to the AOSP leader, who was being blamed for not getting factory restore images of various Nexus devices out of the door.

Amazon sets up shop for Web Apps

Amazon has announced that it will now be making “HTML5 Web Apps” available through its Appstore. But before you start packaging your web site into a commercial earner, there are quite a few caveats to the term “Web App”. Firstly, the apps only come down the wire where there are Appstore apps to sell them to you, so that's Kindle Fires and Android devices. No word on how the rest of the web is supposed to get access to these web apps.