Freedombone Blog

Freedom in the Cloud

The Disappearing Firefox Addons

If you are a Firefox user or use one of its derivatives such as Tor browser then it may not have escaped your attention that all your addons disappeared, including even the default ones such as NoScript.

This appears to have been just a mistake with someone at Mozilla not renewing a certificate. Although LetsEncrypt exists TLS certificate expiry is still not all that uncommon even sometimes on well known sites. Disappearing addons has been a big problem with a relatively mundane cause, but it's a problem which reveals the underlying centralized architecture.

In a decentralized or distributed web one person forgetting to renew a certificate wouldn't be a big deal. It would only affect them or anyone accessing their server or peer. But in the web we've actually got one person at Mozilla forgetting something can render all Firefox browsers effectively useless - or at least a lot less secure. If you're relying upon NoScript in Tor browser to defend you then you could suddenly find that your defenses vanish. Welcome to the totalized web.

Checking signatures on installed software is normal. However, Firefox goes beyond this and repeatedly checks signatures every 24 hours even if addon code has not changed. It does this with a hardcoded constant called XPI_SIGNATURE_CHECK_PERIOD and there's also another constant called MOZ_REQUIRE_SIGNING which indicates that at some point the ability to manually turn off signature checking in about:config is going to go away.

Like most people, I was unaware of all this until NoScript disappeared and couldn't be re-enabled, resulting in the inevitable WTF moment. Apparently there was a minor scandal about addon signing a few years ago, but I must have missed that bandwagon and was probably busy with other things.

So how can this be improved? Within the current paradigm I think that signatures should only be checked when the source code changes. This means creating a hash of the code and storing that. If the hash doesn't match only then should the signature check take place. This would have made yesterday's debacle a lot less acute. In most cases things would have continued to work and Mozilla would have had time to update their certificate without any big fuss. Hashes could be stored natively such that they can't be spuriously modified by other addons.

It may also be worth considering whether addons such as NoScript are so essential that they should be built into the browser codebase, rather than being something separate. In the longer term I think that's a better way to go. Mozilla is unlikely to do it, but Tor browser developers could.

Going beyond the current paradigm, the web needs to actually be decentralized or distributed. One company shouldn't be deciding what browser addons people can run and have the ability to turn them off either through malice or oversight. There has been a lot of browser consolidation such that there are now really only two web engines, and this space could do with some disruption - especially with regard to ad blocking. A new browser which has ad blocking as a core feature I think could get quite a lot of traction quite quickly.

The Long Climate Crisis

There have been children protesting today in London as part of the Extinction Rebellion movement. I've been plotting climate change related data for a long time now and indeed there will be trouble ahead. What I think is going to happen in the next few decades isn't going to be a sudden catastrophe but instead is going to resemble what KMO once called The Sucky Collapse.

In the sucky collapse nothing spectacular happens. It's like a no-frills version of austerity. The quality of life just deteriorates slowly over a long period of time. It gets harder to grow crops. Heat waves and other extreme weather events become more common. Food, and consequently everything else, becomes more expensive and a bigger percentage of the population are living in poverty. There will be events which look like tsunamis but where the waters don't subsequently return to previous levels, leaving some areas permanently flooded. Issues resulting from that will affect a significant fraction of the world's population.

Since it's easier to imagine the end of the world than the end of capitalism things like the following are predictable:

Bioengineering of crops to better handle more arid or salt marsh growing conditions

The air conditioning industry booms Maybe there are air conditioning tycoons. Places like England where air conditioning was uncommon become growth areas.

Average food production moves northwards out of equatorial regions

Attempts to grow crops at sea on floating platforms. probably with mixed success because it's a very harsh environment. Maybe bioengineered seaweed becomes a more common type of food, comparable to corn or rice today.

Resource wars over access to water and arable land

Migrations to higher ground This will further embolden anti-immigrant political parties and "fortress Europe" style mentality. "I've got mine".

What should we do about climate change? Will climate strikes and rebellions work?

Strikes and rebellions are an attempt to put pressure on governments. Previous attempts to get governments to agree to anti-pollution policies in the 1990s and 2000s didn't work. The agreements were not legally binding and the biggest polluters carried on regardless, often explicitly with government support. So the rebellion represents an attempt to increase the pressure level. Whether this will work remains to be seen, but we already know roughly what needs to take place. Carbon dioxide pollution needs to fall towards net zero within a couple of decades if the worst of the damage to the planet is to be avoided. Coal fired electricity production needs to either be phased out or there needs to be 100% "carbon capture" and storage. The last time I checked, electricity production is about 20% of all CO2 pollution.

I'm sure that many people won't want to hear it but we can't capitalism our way out of this by selling more stuff to more people. "Cap and trade" didn't work and also doesn't seem like a project which can be revived. The era of endless economic "growth" on a finite planet needs to end. In addition to decreasing pollution we also need to decrease consumption and that necessarily also means decrease in inequality. We can't afford to have ridiculously rich people squandering vast amounts of resources. They will have to live more modestly, like everyone else.

And what, you may enquire, are you doing? I don't have much influence over anything or anyone and I already live "basically like a student" with minimal consumption, but this year I've also reduced my electricity use. I no longer run the traditional desktop computer which takes 200W and instead replaced it with a 10W single board computer. My personal electricity use is now within the range where if I had the money and the realestate I could probably suffice on solar panels.

Integrating RSS

Twenty years after the invention of RSS its fortunes as a protocol appear to be dwindling. The Firefox browser has done an especially lamentable job of making RSS easy to use. The main reason for that seems to be not that it isn't a useful technology but that it doesn't readily enable the kinds of surveillance which largely fund the contemporary web. There is typically no tracking on a list of links and traditionally there havn't been many attempts to insert ads into RSS feeds. RSS feeds are also not subject to any AI-driven timeline algorithms which bias some content above others.

RSS readers have existed within Freedombone for a long time, first with Tiny Tiny RSS then SmolRSS and now there is integration of RSS into the web interface via a system called RSS Garden. The aim is to make subscribing to and reading RSS feeds maximally convenient.

Image description

There's an RSS button you can select on the admin or home screens on the web interface, which lists entries for feeds you're subscribed to and you can add or remove feeds by clicking on the title at the top.

Image description

And of course the web interface is either available on the local network or via an onion address.

Image description

Because the home screen may be available to multiple members of your household adding and removing feeds is only accessible by the admin, so that for example someone can have parental control of what feeds get listed. Later this might be elaborated into a true multi-user reader experience.

RSS integration is currently only available on the buster development branch which is expected to be formally released in one or two months time.

Speeding up Translations

The way that translations happens in Freedombone is maybe not optimal but it's good enough, especially considering that changing the language of the web interface is something which is only going to happen once after setup for the first time. Previously this was quite slow, because behind the scenes what was really occurring was the running of a lot of sed commands on each screen.

To speed things up the script which changes language has been rewritten in python and loads the translation table into memory. This reduces the amount of time to translate all strings on all pages down from multiple minutes to thirty seconds on a Cubieboard with an SSD. That's still an appreciable duration and so additional "please wait" screens have been added. The wait screens make changes of language or theme much nicer and a lot less confusing. Possibly this might also be an opportunity to show some informational images during the wait, similar to installing Ubuntu or some other distros. Without wait screens there is a twilight zone in which some things have changed and some things havn't.

Image description

These changes currently only apply to the unreleased buster branch. With the release of Debian 10 expected soon (within a couple of months) the buster branch is where most of the action is happening.

Community Networks

Although Debian 10 hasn't officially been released yet development on the buster branch of Freedombone is now well advanced. Apart from some new apps some other new features will be integrated VPN using Wireguard and Community Networks which is intended to help set up or join geographically local municipal networks, similar to NYC Mesh, Guifinet or Freifunk.

The community networks screen within the web interface allows you to select a network or start a new one, via "Your Community". You can then enter your geocoordinates and view a map showing other servers (called "nodes") in your area. Since community networks are often implemented via wireless rooftop dish antennas this allows you to judge whether there are any nodes in range which also have line of sight for maximum bandwidth, or where the appropriate places to lay fibre-optic cable might be.

Community Network Screen

The maps are from and are generated using staticmap to avoid the need for javascript. There is also a button to export in KML format so that you can use Marble or other compatible viewers.

In the US and Canada community networks such as NYC Mesh are new and somewhat experimental, but in some areas of Europe they are becoming mainstream and sometimes user-owned network infrastructure is the primary way in which internet is delivered. Historically, such networks emerged because conventional ISPs were unwilling to deploy broadband in poor or remote areas and so users had to do it themselves or go without. As network hardware gets cheaper and easier to deploy the public ownership of networks becomes the logical extension of public ownership of software (FOSS).

This is really just the beginning of community networks integration within Freedombone and there's more which could be done to help guide you through the process of setting up antennas and installing network switches. Probably the 2020s will be the decade when such things become a common aspect of internet access.

Beginning on Buster

In the last couple of days I've started work on the buster branch of Freedombone. "Buster" is the codename for Debian version 10. It's not officially released yet, but is expected to be within the next few months and by the time that happens there should be an equivalent Freedombone version. I expect that it will take a while to get fully working, but I already have an image which builds and a few apps which are confirmed as being installable. Email also appears to work with only a small fix to Dovecot settings. Searx search and the web interface also work.

Based on initial tests I think the upgrade from Debian 9 to 10 is going to be easier than it was from 8 to 9. It will still take quite a while to test the installs for each app, and sometimes different package versions need to be used.

Debian 10 brings PHP version 7.3, and that means that Pixelfed and some other new apps will be installable. It will also be able to support more single board computer models and TLS version 1.3 will arrive.

The future is looking quite good for self-hosting and the stability of the Debian GNU/Linux operating system makes it possible to run a server at home without constant maintenance.