Slashdot Mirror
Mozilla.org Releases Protozilla
An anonymous reader wrote in to tell us about Protozilla's release. "Protozilla enables Mozilla to execute any CGI program on the local disk directly, without passing it through an HTTP server." Its a strange little idea that could definitely simplify development.
There is a bug reported about JavaPlugin been loaded at statup. (bug 26516). And there are people working on it.
There are people working on startup performance.
And there are many reports about performance in general that are beeing addressed (Performance problems)
I hope someday Mozilla will be the Browser of our dreams. We can all help this to happen by reporting bugs, correcting them, or promoting Mozilla project.
MOD THE CHILD UP!
Does it have to be only for development? Assuming it can be done safely, imagine using local CGI scripts as an alternative to local shell scripts. This becomes particularly relevant for your casual users, epsecially as a means of establishing Linux as an OS for the computer novice. Imagine J. Random User being able to use Mozilla as their program launcher -- everyone and their mothers've already learned how to more or less use web browsers.
And using the web browser as an interface is certainly not a new idea. Even before IE sprung up (and the infamous "The web browser is part of the OS" statement along with it), we had software packages like SATAN doing this back in early '95. And if we look at the web browser abstractly, as a mechanism that allows files to be selected, retrieved, and viewed, its origins can be traced back to products like Norton Commander.
Generally it's used to point ftp to a real FTP client (Interarchie being popular) and afs to an AFS client (Apple File Sharing.) However it can be used for about anything, including hooks to scripting languages (AppleScript, Python, TCL) using the built in Open Scripting support.
Open Source is great but it didn't come up with this one first.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Zontar The Mindless,
Il n'y a pas de Planet B.
Of course, it's a security nightmare as you couldn't tell where the file had come from. Perhaps the files could use some form of authentication. Hmm. Yes, for example, NT users could "sign" launching controls then, on a company based intranet, they could launch programs as required from any networked machine. In unix, it could be used to launch programs running suid the creater of the launch control.
Rich
Zontar The Mindless,
Il n'y a pas de Planet B.
True, although the impression I got was that this framework would provide a nice helper app to do the magic for us. Furthermore, a CGI-based scheme would allow for easily porting apps from intranet use to local use and vice-versa. Finally, something that delves in to the realm of figuring out when to properly execute content that's trusted is something that I, personally, would feel less than comfortable writing. I would much prefer a system with some peer review.
People work on what they want to work on. I don't see you working on Mozilla's "pressing matters", so if someone else wants to not either, I don't see how you can complain.
Lots of people (particularly Netscape people) are already working on Mozilla's "pressing matters", and they are making huge strides.
And as others have pointed out, this isn't even an official mozilla.org project.
Lynx has done this for a long time (though you have to reference the script as LYNXCGI, iirc; I used it a few years ago to write a script to browse manpages through lynx). It's pretty useful if you want to use cgi scripts and junk for local documentation, but don't want the overhead of running a full web-browser.
Somehow, I dont think that this will be any different from any normal piece of software. I dont think that it will allow pages/javascript on the net to run local applications... the user has to call the application to run (at least I think so)
I believe it was meant to be some sort of memorial. Come on... show just a *bit* of respect for the brave men and women who died on that mission. Even in the faceless world of /. people should have a few shreds of respect for the dead.
Man is born free; and everywhere he is in chains.
Hmmm...
Do you program at all?
PHP is a language.
"CGI" is NOT a language.
PHP on many virtual hosting environments is running in CGI mode.
Please put a bit more thought into the next post before a knee-jerk post like this. "PHP is great, CGI is bad!". It's not even apples v. oranges, because at least both of those are fruits.
creation science book
CGI, under UNIX, is the best method of allowing
secure dynamic content creation in the case of
multiple users. mod_perl, mod_php, etc, do not
permit security boundaries between the users.
Even if it's technically correct, I've seen about 20 posts here already saying things like 'CGI sucks - PHP rules!' (I'm a huge PHP fan btw, this is not a PHP slam).
Although the mozilla people mention using it to test CGI programs locally, that seems probably the worst use of this technology. MUCH more interesting would be to tie in existing code (perl, javascript, etc) into one cohesive app, and run it *locally* with the mozilla app as the interface. No need for a net connection at all - you could write apps in Perl and distribute them to be used with a standalone Mozilla machine. Yes it could be done now if you're also shipping a webserver, but this is less to install and maintain.
Think standalone kiosks for starters. I was given a demo of a standalone kiosk system over a year ago (never got off the ground). The machine it came with was an NT box with VB Scripts, SQL server and some other stuff - huge $$$. Yes, you could replicate all of this with Apache/Mysql, etc. This just seems to make it even easier. Rather than treating the browser as just a client, it becomes more integrated - it becomes the app itself. Also, by using this IPC stuff, my Perl scripts can do one thing, my javascripts can do something else, and the mozilla frontend would tie it together (that's my impression, anyway).
I personally am becoming disenchanted with the whole mozilla thing - yes all this stuff is cool, but I think we all just wanted a decent browser about a year ago. Yes, keep developing and adding on, but a small, quick browser (with a netscape 4.7 compatibility toggle switch!) would have helped stave off the decline of this browser technology.
creation science book
mod_php and mod_perl by definition do not use the CGI interface. It is true that perl and PHP may be run as CGIs, but that is utterly different from mod_*, which involves running them with the privileges and address-space of the webserver.
... and Windows comes with Personal Web Server, which gives you an (admittedly poor) ASP & database facility. Useful for testing when poor decisions from previous staff lumber you with ASP :(
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
--
> If you can rm -rf so can any mischievous web page author over whose sorry
/tmp. On the other, if I wanted to use this ability to read email, Usenet, etc. thru a Protozilla helper-app, I would be thwarted because by sudoing to ``nobody", the helper-app could not write to my directory.
> ass^H^H^Hpage you might stumble. And that's a bad thing. This kind of security is about securing the client against the server, not the
> other way round.
Hence my statement, ``Although it would be even safer if anything that ran in this wise ran in rsh as `nobody'." On one hand, a malicious application could no nothing more than writhe around in
All of this are just some random thoughts about this ``new feature". After all, it's Sunday, & I should have better things to concern myself on this day of rest than computers.
Yet I hope that the folks responsible for this ``new feature" weigh the plusses & minuses carefully: if they can't make it work without emasculating it due to security concerns, then don't bother diddling with this.
The reason is this: there's this company up in Redmond, WA that is eager to deliver us all of this k-rad k3wl software, but because security puts a crimp in all of their 3l33t featurez, they don't consider security. It crimps their style. And as a resutl knowledgeable computer users hate them.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
This Protozilla project is in no context official! It's a Mozdev project, therefor it doesn't have anything to do with Mozilla.org! So, why is the topic "Mozilla.org releases Protozilla"?
-Håkan
For the greatest flexibility, the central star-point of a communications I/O multiplexer has to be the operating system, not a windows manager as in W95 (partly) nor an application as in Protozilla.
We're seeing the same old and discredited mistakes of yesteryear repeated here. Yes, this makes Mozilla vastly more powerful, and it is easy to see how its developers would appreciate such a facility for experimental purposes, but for the end user it is the wrong approach. Architecturally, it is the wrong design, and pragmatically it's the wrong thing to do as well: when Mozilla crashes, you do not want a pile of network services to go down with it.
Yes, I know it's advertised primarily as a hook for experimentation in protocols, but if any real service is ever delivered over it then we all lose.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
I think this represents one of the few flaws in the Open Source philosophy. Because developers are working on their own time, they work on whatever suits their fancy. More often than not, this involves some great new feature that's completely unnecessary, but rates high on the "cool-factor". So the things that really need to get done are delayed.
Netscape's programmers are paid to work on Mozilla. I would guess about 80-90% of the Mozilla development team is Netscape employees. So in other words, yes, Mozilla is open source but it is most definitely not a volunteer project. And I can tell you've never visited the bugzilla site, because bugs that interfere with functionality (crashing on startup, etc) always get highest priority and are usually the ones to get fixed first.
I agree with you in that the bloat is excessive, but it's really beyond anyone's control at this point. I can only hope that they continue with the bug fixes long after 1.0 and make it the best damn browser suite they can.
Based on the history of the project, I believe it can be done.
While many readers have taken pains to point out that this is really a mozdev project, and others have opined that this is great or just a yawn, we may have missed the overall point here..
Since mozilla's architechture is open and documentated, we are begininng to see more and more projects (been to mozdev lately?) that are extending the traditional "web browser" into something we cannot even fully comprehend yet.
Mozilla itself may not be ready for prime time, but the *concept* of a stable base on which to build other nifty tools is.. well.. like LINUX itself.
Way to go mozilla team. Hopefully next year, we wont have to have these "its too bloated" and "no its not, its our savior" arguments anymore - we can just sit and surf like we should.
..Brent
"We should not enthrone ignorance simply because there is so much of it."
Moderators need an additional choice: "Karma Whore" for people who cut-and-paste articles as their comments!
Mozilla.org didn't release this, it was someone's project at MozDev. You clearly know this, since you linked to mozzev.org.
I understand that this could be a nice feature and all, but a finished, functional, and [Ff]ree browser would be even nicer. Note that Netscape = 4.x is not functional (I've had to write cross-browser Javascript, and lemme tell you, NS is _not_ standards-compliant in any way, shape, or form). Opera is shaping up to be a very nice browser, but it's not free (as in beer), so I can't expect people viewing my websites to use it. So basically, if one of my clients wants to do something really cutting edge with their website, right now I have to tell them, "Fine, but that functionality is only going to work in IE 4 or 5, or Opera 5". I hate doing this, because I despise Microsoft. I keep checking back at Mozilla's site, waiting for the damn thing to get out of beta. But everytime I hear about Mozilla, it's "Mozilla added this great new feature...but they're still in beta."
I think this represents one of the few flaws in the Open Source philosophy. Because developers are working on their own time, they work on whatever suits their fancy. More often than not, this involves some great new feature that's completely unnecessary, but rates high on the "cool-factor". So the things that really need to get done are delayed.
This happens in a lot of volunteer organizations. In one organization that I belong to, we rotate cooking a meal before the meeting. We can generally find someone to cook, but it's very difficult to get people to clean. Why? Because cooking is a kind of "glory" job; if you do it right, you'll get compliments and thanks. Cleaning, on the other hand, is just as necessary, but people that do the cleaning aren't noticed or thanked.
So, in closing, I'd like to thank all of the under-appreciated people who make Mozilla a _browser_. And I'd like to tell all of the people who are busy bloating the hell out of it before it even gets out of beta to STOP killing a great product. If you really want to help, work on the rendering code, or the Javascript interpreter. Heck, just use the browser and submit bug reports so that they're found and fixed faster. Just stop killing on of the few alternative browsers that are available.
I had actually thought of this before. Only, the reason I wanted it was to be able to make an HTML inerface to programs on my own computer. I made a skinnable app for windows once, that used HTML image maps as it's skins. I think this kind of things would be really useful and flexible as a program's interface.
Please help! I'm stuck inside my virtual reality headset!
handle any existing protocols (like finger)
Actually, in mozilla, that's built in. Try finger:raduffy@idsoftware.com
--
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
Mozdev.org Developing Protzilla
An anonymous reader wrote in to tell us about Protozilla's first alpha release. "Protozilla enables Mozilla to execute any CGI program on the local disk directly, without passing it through an HTTP server. It also allows stateless interprocess communication, the use of external programs as protocol handlers (telnet, ping, etc.), and the use of local-only pseudo-URLs (similar to about:)." This is a project by independent developers unconnected to the Mozilla browser effort that adds a lot of neat functionality.
There's no "we" in team, only "me"
And as much as everyone rags on Java speed, Servlets are far and away faster than CGI.
Protozilla is NOT a new idea. Just look at how w3m gets things done! w3m uses a local CGI to do bookmarks and other things. This setup is nice because the browser executable is very small, and all the peripheral functionality is implemented in separate executables.
- CGI, under UNIX, is the best method of allowing secure dynamic content creation in the case of multiple users. mod_perl, mod_php, etc, do not permit security boundaries between the users.
I don't understand this. As far as I know, CGI scripts all run as the same user the web server is running as. Why is that more secure than PHP? More specifically, how can you claim that this puts some kind of "security boundaries between users."I suppose you could run the HTTPd as root and use the HTTP Basic Authentication info to su, but then you're running your web server as root, which is considerably less secure than running it as an unprivileged user.
So the parent is misinformative.
"moo" - cow 3, 1906
If you want to see what CGI really means and what is CGI and what is not CGI, please refer to the CGI spec. CGI refers to an interface that requires a set of environment variables to be set, passes in POST and PUT information via stdin, and returns HTTP response results on stdout.
This allows almost any language to be used to write CGI programs (C, perl, tcl, bash, whatever you want). But it doesn't imply that every interface to the HTTP protocol is CGI.
- it can run ASP, do all sorts of database stuff, etc, locally without needing a real web server.
But... but... if you're doing ASP programming, you're already not running a real web server!(Unless you're running Halcyon's Java-based ASP engine under Apache Tomcat, but that's just the first step on a road to madness.)
Jon Udell had a similar idea at least two years ago (see his book, Practical Internet Groupware).
There are plenty of programs out there that can work well with just an HTML+JavaScript interface, especially if you have a small database (even a DB_File!) on your machine, and an interpreter for a scripting language like Perl or Python.
I'm curious to see whether it does anything more than Jellybean can... there's something compelling about a tiny local web server with the power of mod_perl and a simple interface that lets you build persistent, network aware applications that can replicate data between clients. With XPCOM, it's certainly possible to write a nicer interface than one that only has HTML Form widgets and some onClick handlers.
--
how to invest, a novice's guide
Uh, not all of them are. First of all CGI implies one process per request, which isn't (I believe) true of PHP, nor do I believe the Zope engine or mod_php to be "built on top of" CGI in any way. They use an interface similar to CGI but only in the sense that CGI is basically trivially obvious. Also, Java does NOT use CGI at all. I've never seen nor heard of a Java CGI program, although again it would be possible. The Servlet API is the usual alternative in Java, which uses an interface quite distinct from CGI to glue together HTTP and Java code that produces HTML or other documents.
I just want a browser. A simple browser that runs on UNIX / Linux.
You do?? Shit, I don't think netscape/aol got word of this, I'll get on the horn to them right away. I'll say, "damn it, josepha48 just wants a browser, what are you guys doing!!"
Netscape does not follow the average hacker's agenda or requirements. It has a design, that includes a mail client, composer, etc, and thats what they make. Does it matter that the mozilla includes these things? If you dont like them, dont use them. It's not as though the mail client is resident in memory if you're not using it, just the browser is. If you're going to argue that they are wasting development effort on the other things, thats wrong too, because they have plenty of people working on each component. If everyone at netscape was working on just the browser, jack shit would get done.
As for the plugins, Edit, Preferences, Navigator, Helper Applications. Configure your normal apps for those things. Additionally, the Netscape 4.x flash plugin works under mozilla. Just copy it to the plugins/ directory.
(I'm not blind to mozilla's performance woes, however. But blame that on lack of usage of native widgetry, and usage of XUL.)
--
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
mod_php, mod_perl, mod_python, zope, roxen,
greetings, eMBee.
--
Gnu is Not Unix / Linux Is Not UniX
I just compiled my daily build of Mozilla a few hours ago, and while I havnt yet tested it, As a hard core mozilla user, and bug reporter, this should really spark some attention to Mozilla, since this is something that even 'the great and powerful IE5' can not do.
It doesnt seem to be in Mozilla yet, after reading the article, and tinkering with my new build, but still a wonderful idea. But how can it interact with other files that need to be on the server that you dont have? And what if you dont use absolute URLs? Im curious to see how it handles stuff like this.
Mozilla is really getting stable, I know some peoples opinions of Mozilla are tarnished, but seriously, give it a try, its come a long way in the past 6 months, I havnt used anything else in months. And please dont compare the current Mozilla tree to Netscape6, They are not the same thing. Netscape took Mozilla M18 (which is old nowadays) and messed up a very decent product. Try out the nightlies, then if you want to flame it, your at least qualified to do so.
And lets not forget that Mozilla 0.8 is supposed to be released the first week of Febuary, 1.0 is expected as early as Mid-April. We're almost there!!
Linux: Because a PC is a terrible thing to waste.
James Brents
Well, you know that if some other big company introduced it as a feature for their browser, everyone would be all over it in a heartbeat. Can you say "format c:"?
Fortunately, it is something that you have to actively seek out. It is not pre-packaged.
And you would suppose that developers would be up to speed on security and protection vs hackers and kiddies and industrial espionage
It is likely not to be broadly used by the public at large. Not until someone includes it in the public version of their browser.
Maybe MS will include it in the next version of their browser. One could only hope?
"It is a greater offense to steal men's labor, than their clothes"
Because it's so hard to run a web server on your development machine! Whatever.
And how well will you be testing your CGI, if you're not running it in the same (apache/thttpd/whatever) environment as the real server? You'll probably end up wasting more time modifying your code after the fact than it would take to set up a local web server!
Wow, I must be in a bad mood today.
For those afraid of the security issues associated with running CGI scripts locally -- this is a development tool only. In order for a script kiddie to misuse this, (s)he'll have to send your the CGI script in the mail, and tell you to run it for him :). Unless you're running Outlook, you're ok ;).
----------
Never underestimate the bandwidth of a 747 filled with CD-ROMs.
For anything meant for a market, I don't think it's good. However, it could be useful for experimentation. The first thing I thought was "security hazard". Looks to me like a developertool, not consumer-technology.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
Surely you mean insecurity settings? :)
--
Correct.
All web languages use CGI, java, mod_perl, mod_python, everything.
Incorrect. There exist several other interfaces to use for dynamic content generation. ISAPI, NSAPI, and fastCGI are all faster alternatives.
When you put text in a textbox, and hit submit, thats normally CGI.
OK, you're quite some way from the truth now. When you put text in a text box and hit submit, you are performing a HTTP GET or HTTP POST. Whether the web server then uses CGI or fastCGI to interface with an out of process executable, or one of the many ways of dealing with the request in-process, has nothing to do with your form.
(unless the form uses mail, or whatnot).
You've finally lost me there. Could you explain how a form can "use mail". Surely you aren't talking about hyperlinks to mailto: URLs, which have nothing to o with forms?
"moo" - cow 3, 1906
From the mozdev front page:
While this project is not being developed (or released for that matter) from within mozilla.org itself, it and other projects at mozdev demonstrate how mozilla technologies can be used and extended and how the community of mozilla developers has and continues to expand "beyond the browser".
--Asa
> I would think this might be a script kiddies dream. Couldn't it be used to exploit local variables?
Interesting point, now that I have thought thru your question, & read the source page. What they wrote at Mozilla is:
> Protozilla is a browser add-on that makes it very easy to implement protocols in Mozilla (or Netscape 6.x). It is not a
> traditional browser plugin, but may be described as a "socket adapter", like the kind that you may carry around with your
> laptop when you travel internationally.
In other words, an ability to handle protocols like SMTP & NNTP akin to the ability of specifying helper-applications to handle MIME types. (And if this works with the Gecko rendering engine, you can specify your own choice of MTA or newsreader when you hit the link that requires that protocol, instead of being forced to d/l the whole bloated mass of Netscape!)
And if the admin for the workstation running the browser has done a proper job securing the ports, then there should be no new security issues.
My assumption -- & someone who knows more, correct me if this is wrong -- is that the browser add-in, being a daughter process, would inherit the environment the parent process has -- & ultimately that of the user. So unless you are doing something stupid like running your workstation as ``root" or ``Admin" this won't do anything to your computer worse than you can do in a non-privileged account. In other words, if *you* can't ``rm -rf *" & lose more than a few files, then neither can the enabled protocol.
(Although it would be even safer if anything that ran in this wise ran in rsh as ``nobody".)
However, I doubt anyone truly knows how security & environment variables are handled under NT4.0/Win2000, so maybe we do have another exploit waiting to happen in certain cases. Wouldn't be the first time MS coding practices proved injurous.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
Burris
I was thinking much the same thing-- Nice idea, but it's a veritable viral breeding ground. (well -- trojan/worm, anyways). Before it's publicly useful/safe, I think that some real work is going to be needed in the area of security/sandboxing.
(secure Linux, here we come!)
`ø,,ø!
Free Software: Like love, it grows best when given away.
OK, so I recently discovered PHP too, and I think it's a lot better than plain Perl CGI.
But you should see CGI as a low-level protocol (the Common Gateway Interface) for transferring data, not as "a webscripting environment for Perl".
And you should (definitely) see PHP as a high-level language using the CGI protocol internally (to transfer form data, mostly).
I guess it's valid to compare the difference between PHP and plain CGI to the difference between Bonobo and plain CORBA (for as far as I know Bonobo, this seems quite a useful comparision).
It's... It's...
"We can confirm that Debian does *not* ship the version with the trojan horse. Our version predates it." [CA-2002-28]
Protozilla wasn't released by Mozilla. It was released by MozDev.org via the Alphanumerica/Collab.net merger. They have been pushing Mozilla stuff ever since.
Protozilla is great stuff. There is some really cool stuff you can do. For example you can write javascript or a bash script within Mozilla to do crazy stuff.
I created a cups:// protocol for the Common Unix Printing System. Basically since cups runs on a non-standard port I can just do a :
cups://localhost
which is cleaner IMO.
There are some significant security concepts here. Your web application could use XPCOM and XSLT to build a full web application BUT use different users to request subsets of the same content.
For example... My primary psuedonym could request the first part of my document (cars) then on the second part it could request contra-band like DeCSS et al. This without having my car psuedonym exposed.
Good stuff. Here comes the semantic web!
Nifty. Should make it easier to extend Mozilla with new protocols. Mozilla could well become the browser of choice for file sharing.
IE can already do this in the beta .NET stuff.. Not only that, it can run ASP, do all sorts of database stuff, etc, locally without needing a real web server.
bug.gd: error search engine. Humanity working together to solve all errors.