Slashdot Mirror

> No, it sounds like they're putting the hate on Emacs users

Yes, they actually are.

http://www.chromium.org/chromium-os/developer-guide#TOC-Enter-the-chroot

> You cannot run programs on your filesystem from within the chroot. For example, if you are using eclipse as an IDE, or gedit to edit a text file, you will need to run it outside the chroot. As a consolation, you can can use vim. If you desperate for emacs, try typing sudo emerge emacs. Of course it will build it from source so allow 5-10mins.

What's left that doesn't run in a browser?

• music player? With the HTML5 audio tag, ogg playback plus MP3 in Chrome, it's doable
• editor? Bespin, Firefox extensions for simple text editing, FCKedit for local WYSIWYG are good enough
• todo list? TiddlyWiki is a complete editable wiki that runs from a single HTML file (impressive!); I use the mGSD version with action items and projects

I've run Linux for years and besides vim and zsh, the only native app that has impressed me as much as the best browser-based apps is Inkscape.

I'd love to run even more stuff in the browser. I hate that I access most resources through bookmarks and the browser's smart location field, but other resources I have to go through the GUI toolkit's file "browser", and then launch external apps that usually lack all the browser's niceties (View Source, Ctrl-+ to zoom, bookmarks/back/forward/history, tabs, etc.). Browser-based doesn't mean using the cloud for all my files; browsers don't care if they load resources from http or file:/// URLs. ChromeOS has a Content View to show you local files, supposedly integrated with the Open/Save dialog; I wish Firefox Places had a directory view along with its bookmarks and history view. I don't want Firefox to integrate with my Linux desktop toolkit's crappy file handling and half-hearted semantic efforts, I want Firefox to subsume them.

I'd like to try it out. Hmm, no .img on http://www.chromium.org/chromium-os . There's a Hexxeh blogging about it at http://chromeos.hexxeh.net/ , but the most recent build from his "bleeding edge, untested!" series at http://chromeos.hexxeh.net/vanilla.php is "Version 0.8.71.rdb7d4e77, built on 28th of October 2010."

Javascript could never choose the cookies' location, there was never any JS API to do it.

Flash, on the other hand, it's a binary blob outside of the browser's control, unless it uses a sandbox like Chromium is doing.

The chromium sandbox design documents discuss how on Windows Vista and later different parts of the browser run with low integrity mode like IE 7+.

HTTP only supports one active stream over TCP or SSL/TLS, SPDY is a proposal to allow HTTP over TCP or SSL/TLS to support multiple streams:
http://www.chromium.org/spdy/spdy-whitepaper

I'm guessing only multiple HTTP streams over SSL/TLS will be very backward compatibility with the existing internet.

Thus soon, https (thus SSL/TLS) with the SPDY extension may even be faster to load your webpage than normal HTTP.

Re: toolbarqueries.clients.google.com -- Don't use Chrome. If you like Chrome use Chomium instead (open source base of Chrome minus secret closed source Google juices).

Re: googlebot -- Sitemaps be damned, use "robots.txt".

Yes, a higher load, but the load will only be increased by a very, very small marinal number. Just have a look at what the Google study had to say about it.

With the right extension we could even speed up loading of the webpages:

http://www.chromium.org/spdy/spdy-whitepaper

Because HTTP does not currently do multiplexing of multiple streams over the same TCP (or TCP/SSL) connection. The only solution that is has is to open several connections and because we need to use TCP-slowstart it can't utilize the available bandwidth.

http://blog.chromium.org/2010/03/does-your-browser-behave.html

^only about js, but it's quite characteristic and from a fabulous source.

Standards compliance of course might be a problem here and there, in places still not far from "best viewed in IE" - some pages unfortunately settled on "best in IE and FF" instead of targeting standards, not much of an improvement - but it's getting better. Especially where there's strong third or even fourth major player, as in most of CIS / ex Warsaw Pact (where BTW Opera is often actually at or near the top)

In fact, one funny thing: I keep an old version of Opera (9.27, a solid "classic" release) on an old dual PII 266 that I keep around and still boot sometimes. Lately many pages tend to work much better in it (despite obviously not targeting such old release, probably not even Opera generally) - I suspect due to dropping focus on IE6.

Yes! I've discovered lately when evaluating Chrome for workstation use that Chrome now has a (ever-growing) list of group policies available. Grab the adm/admx templates and MSI installer and check them out.

Coincidentally, the latest Chromium/Chrome Canary/Chrome Dev builds also started ignoring IE's trusted zone lists and so windows integrated authentication (Kerberos Negotiate) stopped working. Boo. Supposedly there's a new policy that I can set to fix this. I reported the issue but am waiting for clarification on whether this is intended behavior, a security issue, or what.

Well if you really cared you could pass --safe-plugins to Chromium and sandbox Flash. It'll break some websites but YouTube works. Details: click. Linux details: click. On Linux the sandbox is using either chroot (SUID) or policies (AppArmor, SELinux, seccomp...).

Not unless you consider the Android platform similarly insecure for allowing native libraries. The problem with ActiveX was that the installed components had full user or system permissions. Android limits what capabilities native libraries have (JNI required for most I/O tasks). The operating system limits the Native Client library permissions.

See here: NaCl - Trusted vs Untrusted.

In the presence of a sandbox environment, trusted code runs outside of the sandbox and can perform privileged operations while untrusted code is prohibited from doing so by the enclosing sandbox, which isolates potentially misbehaving or malicious software from the rest of the system.

Now as an outsider I don't really know which 'sandbox' the Native Client documentation is referring to. It's probably Chromium's sandbox support.

On Windows that means the self-contained library won't be able to do anything to the user account besides access the temporary cache. On Linux that probably means AppArmor/seccomp limiting (not like anyone uses SELinux).

Not unless you consider the Android platform similarly insecure for allowing native libraries. The problem with ActiveX was that the installed components had full user or system permissions. Android limits what capabilities native libraries have (JNI required for most I/O tasks). The operating system limits the Native Client library permissions.

See here: NaCl - Trusted vs Untrusted.

In the presence of a sandbox environment, trusted code runs outside of the sandbox and can perform privileged operations while untrusted code is prohibited from doing so by the enclosing sandbox, which isolates potentially misbehaving or malicious software from the rest of the system.

Now as an outsider I don't really know which 'sandbox' the Native Client documentation is referring to. It's probably Chromium's sandbox support.

On Windows that means the self-contained library won't be able to do anything to the user account besides access the temporary cache. On Linux that probably means AppArmor/seccomp limiting (not like anyone uses SELinux).

http://www.chromium.org/nativeclient
http://code.google.com/p/nativeclient/
http://code.google.com/p/nativeclient-sdk/

Welcome to this early preview of the Native Client SDK. With the SDK and a Windows, Mac OS X, or Linux computer, you'll be able to build web apps that seamlessly use native C/C++ code to perform high-performance computation, render 2D/3D graphics, play audio, and respond to mouse and keyboard events — all without requiring users to install a plugin. Until Native Client is on by default in Google Chrome, you can run web apps that use Native Client by launching Google Chrome version 6 or later with the --enable-nacl flag.

Chrome apps, Chrome OS, Chrome Web Store, and Native Client all appear to be converging on similar release timeframes.

You're confusing external plugin DLLs (Flash, ...) with internal DLLs (FFmpeg, ...).

Chrome copied IE8's "protected mode" feature something like a full year ago, as well as its tab-per-process model. See the Sandbox FAQ.

Process Explorer showing ASLR enabled on Chrome's loaded DLLs:
http://i51.tinypic.com/20qgbr9.png.

Process Explorer showing IPC in Chrome (named pipe for low->medium IL communication):
http://i56.tinypic.com/mwfgck.png

Here you go - http://www.chromium.org/

The major design decision of ChromeOS was to make it secure even when used casually. It's unfortunately hidden in the press releases and security documents of the ChromeOS project page. The idea is that you can lend or borrow a netbook and not have to worry about keyloggers getting installed or your friend later viewing your private data. To achieve this goal, Google requires a TPM chip installed on the netbook so that a user can easily tell that the OS is unmodified, and the OS is stateless (modulo careful caching). This design is what makes ChromeOS so difficult to reconcile with Android, which is a single-user OS for very personal devices.

I hope that ChromeOS becomes successful because I do care about securely sharing computers, but if not enough other people care about this use case (or even understand the security concerns), then I can see how it may fail in the market.

I'm guessing you missed their highly re-reported blog post regarding the new release schedule.

So... Google Updater handles Chromium, I take it? Interesting.

I don't have Updater. It isn't bundled with the only Chromium builds I could find, and until your post I haven't had a reason to try it.

Conflating or not, I prefer a more role/task based concept.

That way I can use one browser for lower security level stuff (whether visiting sites, or having more fancy plugins), and not have it affect my other browser which I use for higher security level stuff.

And I can do this without having to buy multiple computers.

If the browsers support sandboxing that's great. But whether they do or not does not affect my approach. I'd still be using multiple browsers, because it is just better "hygiene", and a more secure way of doing things. If say your banking site has weaknesses, it's harder for others to exploit that+you if you only use one browser for banking and only banking and it's not your default browser.

In contrast if you use the same browser for everything, your risk goes up - you might type in the wrong password to the wrong site; there might be a flaw in your banking site, and some ad banner could cause you to load the "wrong link".

If it is possible to run multiple distinct and separate instances of Chrome and keep sandboxing enabled AND the sandboxing applies to all externally exposed stuff (plugins etc), then I'd be happy to use it. Otherwise it would not be as secure.

Lastly from: http://www.chromium.org/developers/design-documents/sandbox
"Under Windows, there is no practical way to prevent code in the sandbox from calling a system service."

You can go further: tabs are a hack by applications to make up for the failure of the traditional WM model and it's inability to handle large numbers of windows.

For what it's worth, KDE4 attempts to address that issue by enabling tabbed windows. I think it's a good example of what you're referencing, and a good perspective of what WM-based tabs look like.

That said, tabs in browsers also make more sense than WM-sponsored window tabbing. Browsers, for better or worse, have become an operating system in and of themselves, and thus are a special case. Most applications neither need nor would benefit from having tabbed support. Those that do (e.g., chat clients, document editors, browsers, etc.) typically have some form of tabs streamlined to their use cases and audiences. A WM-based solution would likely result in less usability on a per-application basis, since the overall use case wouldn't be tailored to a specific application.

I think we have a good model right now. Each application introduces tabs as necessary, which may or may not take advantage of tab support in either WM or UI toolkit (QT, GTK, SWT, etc.). Having WM support as a failsafe like KDE does is certainly nice, too!

The Chrome team watches pretty carefully for performance regressions, see http://build.chromium.org/buildbot/perf/dashboard/overview.html The buildbot will go red if there's a big one, and people watch the graphs for creeping regressions.

Well... http://dev.chromium.org/chromium-os/user-experience/form-factors/tablet

So could Google - but no one seems to be bitching about Google Code.

Google has been a great friend of open source. They have earned and continue to earn a great deal of trust and respect from the open source and free software community.

Compare to the current CEO of Microsoft and I think it will be clearer why Microsoft needs to do more.

because TFA doesn't explain that google wrote it themselves. Heck, even the google blog announcement doesn't explain that google wrote it themselves. Guess what, it turns out google did not write it themselves, they're using libpdf.so which is libpdf

I was referring to the Google blog post, which is linked from the Slashdot summary and thus counts as "TFA".

It says "Currently, we do not support 100% of the advanced PDF features found in Adobe Reader, such as certain types of embedded media" and "We would also like to work with the Adobe Reader team to bring the full PDF feature set to Chrome using the same next generation browser plug-in API", which I took to mean that:

1. it clearly isn't being written by Adobe, and
2. even if Google didn't write it, they are maintaining and improving it, so they "wrote it" in the same sense that Apple "wrote" WebKit.

As for the "libpdf.so", part, I assume you're looking at the part of the code that says

#if defined(OS_WIN)
            cur = cur.Append(FILE_PATH_LITERAL("pdf.dll"));
#elif defined(OS_MACOSX)
            cur = cur.Append(FILE_PATH_LITERAL("PDF.plugin"));
#else // Linux and Chrome OS
            cur = cur.Append(FILE_PATH_LITERAL("libpdf.so"));
#endif

Which means that they're using a file called libpdf.so on Linux. As another one of your replies points out, this is doubtful to be the 9-year-old unmaintained incomplete C library you link to, and judging from the Windows and Mac filenames, this is nearly definitely a library written (or at least maintained) by Google.

because TFA doesn't explain that google wrote it themselves. Heck, even the google blog announcement doesn't explain that google wrote it themselves. Guess what, it turns out google did not write it themselves, they're using libpdf.so which is libpdf

http://blog.chromium.org/2010/06/google-chrome-frame-now-in-beta.html

Google Chrome Frame - Now in Beta
Tuesday, June 08, 2010
Web developers have been itching to develop with HTML5 but have been held back by legacy browsers. Google Chrome Frame can help break this impasse by allowing applications to target HTML5 on versions of Internet Explorer. Today, we're excited to announce that Google Chrome Frame has graduated from Developer Preview into Beta.

Since our initial launch, we've been listening to developers: Instead of adding new bells and whistles, we've fixed more than 200 bugs to make integration with Internet Explorer seamless while improving security, stability, and performance. For example, we've improved our handling of Internet Explorer's InPrivate browsing, cache clearing, and cookie blocking. All of the enhancements and features of Google Chrome 5.0 are available in Google Chrome Frame too, including HTML5 audio and video, canvas, geolocation, workers, and databases.

As we've worked on these improvements, we've been excited to see sites adopting Google Chrome Frame, including Meebo and all the blogs hosted by WordPress. In addition to our launch partner Google Wave, some other Google properties, including Orkut and YouTube are also relying on Google Chrome Frame to deliver HTML5 experiences to millions of users.

For those of you who want to develop HTML5 applications and deploy them broadly, we encourage you to give Google Chrome Frame a try. Existing users will be auto-updated to the beta, so if you downloaded Google Chrome Frame before, you'll automatically get the new version. We're also creating a new dev channel release, where you can try out the cutting-edge features we're developing. For information on getting started with Google Chrome Frame, our project documentation is the place to start.

We're always working hard to improve, so expect further enhancements and performance improvements in both the developer and beta versions in the coming weeks. You can help by giving us feedback and filing bugs, and we'll have more to share in the days ahead.

Posted by Amit Joshi, Software Engineer, and Alex Russell, Software Engineer

BULLSHIT!

http://developer.apple.com/safaridemos/typography.php

You'll need to download Safari to view this demo.

...

http://developer.apple.com/safaridemos/photo-transitions.php

You'll need to download Safari to view this demo.

...

Enough said.

BULLSHIT!
I was able to run both demos without any complaint whatsoever using the latest nightly build of Chromium for the Mac:

http://img517.imageshack.us/img517/6917/screenshot02yl.jpg

Of course I didn't change the User Agent (apparently you need an extension that I don't have for that).

So, the problem may be that you are using an older version of a browser that still does not support these features.

Enough said.

It should be supporting whatever protocols its creators deemed it needs to support.

It could support SPDY for all I care.

The point is not what protocols are supported. The point is if it selectively displays some, but not other(s), it's inconsistent.

Bleeding edge! :) http://build.chromium.org/buildbot/snapshots/

The problem is Microsoft has consistently failed us all. This catastrophe must be squarely laid at their feet. Windows powers over 90 percent of the world's desktops therefore the solution must start there. On the desktop. MS has had decades to rectify this untenable state of affairs. They have so far proven themselves grossly incompetent. The only solution and the one I discovered is to quite simply switch to an alternative. Any alternative. Otherwise, Windows monoculture will be the downfall of us all.

I'd rather have buggy open-source software than have perfect software which I can't see through.

Don't be a total toolbag.

And the fact that FF gives me basically perfect performance is a very big deal.

You're insane. Firefox has the slowest Javascript performance of all major browsers, and frankly, even Slashdot loads faster in Chromium than in Firefox. I have plenty of machine, too, to the point where hardware definitely is not the problem.

It took a long time and a lot of work to get Mozilla's browser this good. Why the hell would I want to jump to some ad-company's free calculator? The thing doesn't even work properly.

In my experience, it works at least as well as Firefox. I've had problems with some versions of chromium refusing to load some pages, including some google pages. But I've had Firefox refuse to load at least as many pages, and it seems to have more problems with networking; connections to a flaky site just seem to time out more in Firefox. And the MOST annoying part of this is that Firefox will take away a partially loaded page that I'm currently reading and replace it with an error message. That is the most abusive thing a web browser has ever done to me, unless of course I've ever been rooted remotely, through IE. In fact, it DID happen to me once, but it was because this dipshit in the IT department brought up his own DHCP server which pointed to some compromised DNS, and I had just brought the machine up and gone to windows update. Or tried to.

Or just use Chromium. SRWare Iron is nothing more than a rebranded Chromium build that some clueless scumbag wanted to use as his meal ticket.

Opera is a major backer of web standards; typically the most compliant browser (Chromium guys don't seem to have a problem with pointing that out); they initiated HTML5 video tag and are backing Theora-only solution from the beginning. Plus there are just so many ways to keep the browser afloat - while all other big ones exist thanks to major corporate backing (yes, also Mozilla...you don't remember AOL?), Opera simply always chosen to go without corporate daddy...but that needed a way to make revenue for a long time already, not only when lately revenue from searches became viable. They not only found their niche, but are giving for free a usable browser to the fastest-growing segment of the market. Millions of people who wouldn't have a browser otherwise.

Give them some credit...

PS. What was that mess with Firefox (free?) and Debian?

The mess with Debian and Firefox is that Debian was the only people that were still fixing security holes in Firefox 1.x and mozilla got upset because they were distributing an unauthorized version (lacking the security holes) with the Firefox name.

Debian compiles firefox with iceweasel branding instead of firefox branding, most distributions modify firefox more than debian.

Canonical (ubuntu) claimed the whole thing was because the debian developers were being unreasonable, and then when they found themselves in the same situation with their LTS version of ubuntu couldn't use use iceweasel and created "abrowser" and were ready to set abrowser as the ubuntu default when Mozilla came up with a compromise that worked for Canonical and Mozilla.

It was mostly an example of how badly debian does at PR.

Opera is a major backer of web standards; typically the most compliant browser (Chromium guys don't seem to have a problem with pointing that out); they initiated HTML5 video tag and are backing Theora-only solution from the beginning. Plus there are just so many ways to keep the browser afloat - while all other big ones exist thanks to major corporate backing (yes, also Mozilla...you don't remember AOL?), Opera simply always chosen to go without corporate daddy...but that needed a way to make revenue for a long time already, not only when lately revenue from searches became viable. They not only found their niche, but are giving for free a usable browser to the fastest-growing segment of the market. Millions of people who wouldn't have a browser otherwise.

Give them some credit...

PS. What was that mess with Firefox (free?) and Debian?

I'm running chromium on OS X. There is native os x daily build. This is what I use.

Not that I'm anymore happier Google's products taking over everything...

It's not like Chromium is anywhere close to that; it grows, sure, but this time it might bring honest adherence to standards instead of a kind of duaopoly, making websites to work with "IE+FF" that was semi-common for some time. Even if they are only slightly better than FF with standards at this point; this post means they rather care.

Good for me, and any user of the browser which is closest to the bullseye. And good for the web.

You can build it from source here. The instructions are pretty straightforward.

I guess I did...so in that case I will wait for the "real thing"...that is Chromium from Google.

One use-case is to have a VNC client in Google Chrome OS / Chromium OS http://www.chromium.org/chromium-os

I haven't had much of a chance to play around with it, but it looks like it still suffers from all of the "problems" (ie things i don't like) that i've complained about before.

In particular, it's still lacking a lot of options that i think ought to be available, like making new tabs open at the end of the list, having a minimum size that tabs can shrink to and a scrollable tab bar, having a drop-down list of all open tabs, and the ability to move the tab bar below the rest of the toolbars. Which is mostly just a list of all the fixes that the Firefox browser has already introduced. There's no shame in benefiting from the experience of those who have come before if you're unable to think of a way to improve the interface yourself.

Obviously not everyone wants those features, which is why the should be options and not defaults, but i think enough people do that it _is_ worth making them options. Unfortunately Google's view towards user customability remains... unencouraging at best. (Or, IMHO, "stupidly wrong.") Luckily _some_ of those changes can be implemented by extensions, but not all of them.

At least now two alternative engines are starting to get recognition around the world, and newer one of those two seems to strive more for standards compliance (they wouldn't make this post otherwise). There was a time when a lot of sites appeared to be made primarilly with "IE + FF" in mind...which didn't really change that much in the grand scheme of things.

Thanks. Quite interesting, though it only seems to test JavaScript compliance, as far as I understand it.

But now perhaps sites will, to a greater degree, simply target standards... (just look at the link above to see why that's great news for you)

No news to me, but thanks again.

BTW, regarding safety of Opera - considering that it's big in post Soviet Block areas (typically #2 browser; in places #1, ahead of IE already)...maybe they just don't want to eat their turd? ;)

I frankly can't figure out an answer to that.

Here's how I run "Chrome": First I go to http://build.chromium.org/buildbot/waterfall/console Then I find the build that's all green for Windows and green for the first dot in the first column. This is how I decide it's a good Windows build. Do the same for your OS of choice. Make note of the build number on the left. Find the build here: http://build.chromium.org/buildbot/snapshots/ Navigate to the snapshot build directory. For Windows, you'll find a "portable" zip directory. Doesn't require install. There's also a mini-installer, which I use. End result is Chromium, up to date, and without some of the Google-added things that I don't really want.

Here's how I run "Chrome": First I go to http://build.chromium.org/buildbot/waterfall/console Then I find the build that's all green for Windows and green for the first dot in the first column. This is how I decide it's a good Windows build. Do the same for your OS of choice. Make note of the build number on the left. Find the build here: http://build.chromium.org/buildbot/snapshots/ Navigate to the snapshot build directory. For Windows, you'll find a "portable" zip directory. Doesn't require install. There's also a mini-installer, which I use. End result is Chromium, up to date, and without some of the Google-added things that I don't really want.

Care to point out which part of the code acts as a keylogger?

At least now two alternative engines are starting to get recognition around the world, and newer one of those two seems to strive more for standards compliance (they wouldn't make this post otherwise). There was a time when a lot of sites appeared to be made primarilly with "IE + FF" in mind...which didn't really change that much in the grand scheme of things.

But now perhaps sites will, to a greater degree, simply target standards... (just look at the link above to see why that's great news for you)

BTW, regarding safety of Opera - considering that it's big in post Soviet Block areas (typically #2 browser; in places #1, ahead of IE already)...maybe they just don't want to eat their turd? ;)

Congratulations, you've just described the very thing that Google is announcing.

http://www.chromium.org/developers/design-documents/google-cloud-print-proxy-design

I think the idea is that, in the future, printers will start to implement these services natively, eliminating the need for such a proxy.

Note that Chromium supports several process models. You might try experimenting with others, along with monitoring how your tabs are divided with its Task Manager, to help figure out what's going wrong for you.

Microsoft, Google and Apple all want Flash to die.

Google bundles Flash with Chrome: http://blog.chromium.org/2010/03/bringing-improved-support-for-adobe.html.

Actually, Google seems to be exploring the possibility of tailoring their OS to a tablet...
http://www.chromium.org/chromium-os/user-experience/form-factors/tablet ...ChromeOS though, not Android

(but I think I remember some nafucaturers which showed Android-powered tablets at one of recent industry shows)