[chromium-dev] Google Chrome Dev Channel: Early Access Releases
Google Chrome now provides a way for people to get early access releases automatically: the Dev channel. The Dev channel lets you test the latest fixes and get access to new features as they're being developed.

We will release new builds to the Dev channel about every week so that you can preview --and provide feedback on-- what's coming in Google Chrome. If you want an easy way to help make Google Chrome better, want to test new changes with your website before they're released generally, or just like being on the bleeding edge, please sign up for the Dev channel.

You can learn more about the Dev channel and how to subscribe here:
http://dev.chromium.org/getting-involved/dev-channel/

We just released 0.2.152.1 to the Dev channel. The release notes are here:
http://sites.google.com/a/chromium.org/dev/getting-involved/dev-channel/release-notes/

If you have any questions, please send them directly to me (so I can compile the FAQ).

Thanks,
Mark Larson
Google Chrome Program Manager

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups Chromium-dev group.
To post to this group, send email to chromium-dev@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/chromium-dev?hl=en
-~--~~~~--~~--~--~---
[chromium-dev] Chromium Crossover for Mac and Linux.
Here is a wine version of Chrome for Mac and Linux: http://www.codeweavers.com/services/ports/chromium/ It's made by the guys at Crossover. It's slow, but it works.
[chromium-dev] SSLClientSocket, TCPClientSocket design choices on linux
Here's what I'm thinking, please yell if it sounds wrong.

When we implement SSLClientSocket on linux, we can do it with one-thread-per-connection, or with nonblocking I/O. Since all socket I/O goes through the browser process, one thread per connection would limit us to however many stacks fit in the address space (on my box, with the default stack size, about 380). Seems obvious to me that we want nonblocking rather than one-thread-per-connection, but I figured I'd mention the choice before we start plunging into the port.

There's another design choice to make: whether to write an NSPR I/O layer so we can use our own TCPClientSocket for all network I/O, or bypass TCPClientSocket and let nss do its own I/O. Wan-teh suggests the latter is easier in http://developer.mozilla.org/En/PR_ImportTCPSocket but I think that requires us to use http://developer.mozilla.org/en/PR_Poll to do I/O multiplexing in MessagePumpForIO, and to base TCPClientSocket on NSPR.

In previous discussion with Darin, it seemed we wanted to use epoll rather than poll. This implies that we want to not use NSPR for our network I/O, and thus implies that we want to write an NSPR I/O layer so we can do our own network I/O rather than letting nss do it via nspr.

Happily, Howard Chu recently posted a partial example of how to do the latter, http://groups.google.com/group/mozilla.dev.tech.crypto/msg/af4b5b6c71b70702

I think the next step might be for me to write an app demonstrating how to handle 500 simultaneous ssl connections using nss and libevent.

Having done this once before with openssl, I expect this will be a pain. But what the heck, it should be fun, too.

Whew. Thanks for reading, sorry it was so long.
- Dan

related issues:
http://code.google.com/p/chromium/issues/detail?id=2134
http://code.google.com/p/chromium/issues/detail?id=1317
[chromium-dev] code reviews and feedback
If I (or anyone) doesn't get back to a code review in a day or so, feel free to send a *ping* message on the code review. I just looked through my review queue and noticed a few patches that are likely ready to go but that slipped off my radar. It's easy for me to think you're working on changing something when you think it's done. It helps if you write something like "please look again" in your response to review comments to indicate you've uploaded a new patch.
[chromium-dev] Re: SSLClientSocket, TCPClientSocket design choices on linux
On Tue, Sep 16, 2008 at 9:42 AM, Dan Kegel [EMAIL PROTECTED] wrote:
> When we implement SSLClientSocket on linux, we can do it with one-thread-per-connection, or with nonblocking I/O. Since all socket I/O goes through the browser process, one thread per connection would limit us to however many stacks fit in the address space (on my box, with the default stack size, about 380). Seems obvious to me that we want nonblocking rather than one-thread-per-connection, but I figured I'd mention the choice before we start plunging into the port.

I think in general we've avoided using threads for networking except where absolutely necessary -- the only instance that comes to mind is DNS resolution. I think nonblocking better matches what we're doing on Windows.

> There's another design choice to make: whether to write an NSPR I/O layer so we can use our own TCPClientSocket for all network I/O, or bypass TCPClientSocket and let nss do its own I/O. Wan-teh suggests the latter is easier in http://developer.mozilla.org/En/PR_ImportTCPSocket but I think that requires us to use http://developer.mozilla.org/en/PR_Poll to do I/O multiplexing in MessagePumpForIO, and to base TCPClientSocket on NSPR.
>
> In previous discussion with Darin, it seemed we wanted to use epoll rather than poll. This implies that we want to not use NSPR for our network I/O, and thus implies that we want to write an NSPR I/O layer so we can do our own network I/O rather than letting nss do it via nspr.

Here are some other considerations that might influence your decision:
- does about:network monitor only TCPClientSocket connections, or am I at the wrong abstraction level? if it does, then it would be good for SSL to fall into the same category
- is there an interaction here with the max-connections-per-host limit?

I don't have anything useful to say, really. The latter option sounds better to me.

> Happily, Howard Chu recently posted a partial example of how to do the latter, http://groups.google.com/group/mozilla.dev.tech.crypto/msg/af4b5b6c71b70702
>
> I think the next step might be for me to write an app demonstrating how to handle 500 simultaneous ssl connections using nss and libevent.

Above you wrote epoll but here you write libevent. Do you have a preference? If you want libevent, might I suggest libev (http://software.schmorp.de/pkg/libev.html)? It's based on libevent but without the obnoxious advertising clause. But any extra library dependency brings us again to the 64/32-bit library distribution issues that have been super-annoying.

> Having done this once before with openssl, I expect this will be a pain. But what the heck, it should be fun, too.

Aw, I recently did something similar with gnutls and it wasn't bad. Remember that openssl is generally the upper bound on how difficult a library can be to use. :)

One final suggestion: since we're nearing completion on the webkit branch merge landing, we'll soon begin poking into more of webkit. It would be useful for parallelization of development if we had a working HTTP stack sooner rather than waiting longer for both HTTP+HTTPS. So if you can land TCPClientSocket before dealing with all the NSS complexity I think that would be useful.
[chromium-dev] Re: SSLClientSocket, TCPClientSocket design choices on linux
>> Happily, Howard Chu recently posted a partial example of how to do the latter, http://groups.google.com/group/mozilla.dev.tech.crypto/msg/af4b5b6c71b70702
>>
>> I think the next step might be for me to write an app demonstrating how to handle 500 simultaneous ssl connections using nss and libevent.
>
> Above you wrote epoll but here you write libevent. Do you have a preference? If you want libevent, might I suggest libev (http://software.schmorp.de/pkg/libev.html)? It's based on libevent but without the obnoxious advertising clause. But any extra library dependency brings us again to the 64/32-bit library distribution issues that have been super-annoying.

libevent is licensed under the 3-clause BSD. I don't see the harmful 4th clause in either the main page or the explicit license file:
http://monkey.org/~provos/libevent/
http://monkey.org/~provos/libevent/LICENSE

-- Elliot
[chromium-dev] merge branch status
As Eric mentioned yesterday, we have the merge linking and running. I just synced [EMAIL PROTECTED] back into the branch (chrome_webkit_merge_branch).

If you already had a checkout of the merge, you'll need to delete third_party/{python_24,svn,cygwin} and v8 *before* running gclient sync. This is because we picked up the code shuffles that happened on trunk after the branch was cut.

test_shell is still very crashy. If you want to help on the merge branch, there's still a lot to be done. :)

tony
[chromium-dev] Re: Missing security feature
You're saying I should use Firefox? The point is that the pop-up blocker works only for JavaScript windows and NOT any other type of window (e.g. - shockwave) able to be put up by JavaScript, that I can demonstrate. These can come from other sites and can be spoofed as safe. The point is to make Chromium SAFE!

On Sep 16, 5:38 am, Alwin Garside [EMAIL PROTECTED] wrote:
Wouldn't that just be like Mozilla Firefox + NoScript?

On Mon, Sep 15, 2008 at 11:35 PM, gbob [EMAIL PROTECTED] wrote:
Allowing the user to set the browser security to allow them to set it to ask for permission to run any scripts (Java, Javascript, etc.) and to have a trusted sites list similar to the way IE works.

On Sep 15, 7:29 pm, Ian Fette [EMAIL PROTECTED] wrote:
I'm not sure what the ask here is. We don't allow active-x to run.

On Mon, Sep 15, 2008 at 7:23 PM, gbob [EMAIL PROTECTED] wrote:
Hello:

I currently use only IE 6 (I know, I know) because it has one of the most important security features that has prevented a number of infections recently. I have three separate OS partitions with XP on each. One is used for my non-web work with ALL data and most programs on another drive. Another is used for my normal Web work and has NO connection to ANY data; documents, projects, etc. And the last is a test partition set up the same way, to test security where I take more risks.

So, on my test partition, in the last month, I was infested twice by a number of malware programs that got through all (numerous) defenses. My normal web partition is set up slightly differently. I use only IE and have ActiveX and scripts set to Prompt and add only a few sites I trust to the trusted sites list. Even the trusted sites prompt for permission when scripts from other sites are executed at that site (and I say no, which works fine). It has NEVER been infected.

It's a pain, I know, but it's MUCH safer and would be great if Chrome had the same so it was at least as secure as IE in that respect. I'll use Chrome for regular web access when it has it.

Thanks.

May or may not apply... See: http://www.darkreading.com/document.asp?doc_id=162515 Report: Popular Web Attacks Go Stealth

--
Alwin Yogarine Garside
Development Lead
LinFox Serviços de Informatica LTDA.
http://www.linfox.com.br
Phone: +55 (0xx)83 -9084
Mobile: +55 (0xx)83 91275361
[chromium-dev] Re: Missing security feature
Okay, I must agree with you, okay? However, don't you think that the pop-up blocker has to work against all pop-ups? I have seen the fakeAV2008 and others get through this way.

On Sep 16, 1:36 pm, Ian Fette [EMAIL PROTECTED] wrote:
The whole point though is that running or not running script on sites you trust is not sufficient. E.g. you may trust myfavoritesite.com to run script, but then tomorrow it gets hacked and starts including malicious javascript. This is something that Safe Browsing (the anti-malware protection built into Google Chrome) can help with, but is not something that would be stopped if you say "I trust myfavoritesite.com to run script". People are hacking sites you trust and that you visit. That's how they get infections. They're not trying to hack sites that nobody visits. This is not something that I think would be a useful feature from a security perspective.

On Tue, Sep 16, 2008 at 1:08 PM, gbob [EMAIL PROTECTED] wrote:
You say, "Wouldn't that just be like Mozilla Firefox + NoScript?". No, as safe as IE6 with prompt for scripts and having a trusted sites list. Automatically run scripts on sites YOU trust and examine all others deciding on a site-per-site basis which you'll give permission to run scripts. Thanks.

On Sep 16, 5:38 am, Alwin Garside [EMAIL PROTECTED] wrote:
Wouldn't that just be like Mozilla Firefox + NoScript?

On Mon, Sep 15, 2008 at 11:35 PM, gbob [EMAIL PROTECTED] wrote:
Allowing the user to set the browser security to allow them to set it to ask for permission to run any scripts (Java, Javascript, etc.) and to have a trusted sites list similar to the way IE works.

On Sep 15, 7:29 pm, Ian Fette [EMAIL PROTECTED] wrote:
I'm not sure what the ask here is. We don't allow active-x to run.

On Mon, Sep 15, 2008 at 7:23 PM, gbob [EMAIL PROTECTED] wrote:
Hello:

I currently use only IE 6 (I know, I know) because it has one of the most important security features that has prevented a number of infections recently. I have three separate OS partitions with XP on each. One is used for my non-web work with ALL data and most programs on another drive. Another is used for my normal Web work and has NO connection to ANY data; documents, projects, etc. And the last is a test partition set up the same way, to test security where I take more risks.

So, on my test partition, in the last month, I was infested twice by a number of malware programs that got through all (numerous) defenses. My normal web partition is set up slightly differently. I use only IE and have ActiveX and scripts set to Prompt and add only a few sites I trust to the trusted sites list. Even the trusted sites prompt for permission when scripts from other sites are executed at that site (and I say no, which works fine). It has NEVER been infected.

It's a pain, I know, but it's MUCH safer and would be great if Chrome had the same so it was at least as secure as IE in that respect. I'll use Chrome for regular web access when it has it.

Thanks.

May or may not apply... See: http://www.darkreading.com/document.asp?doc_id=162515 Report: Popular Web Attacks Go Stealth

--
Alwin Yogarine Garside
Development Lead
LinFox Serviços de Informatica LTDA.
http://www.linfox.com.br
Phone: +55 (0xx)83 -9084
Mobile: +55 (0xx)83 91275361
[chromium-dev] Re: Missing security feature
Sadly, it's hard to block flash popups without breaking flash. I wish there were a better answer. Some people have requested things like noflash, I suspect that once we have an extension mechanism in place this would be a good candidate for that.

On Tue, Sep 16, 2008 at 2:01 PM, gbob [EMAIL PROTECTED] wrote:
BTW, the only sites in my trusted zone are google, microsoft and just a few others. I have yet to be infected by them. They are VERY quick to fix vulnerabilities.

On Sep 16, 1:36 pm, Ian Fette [EMAIL PROTECTED] wrote:
The whole point though is that running or not running script on sites you trust is not sufficient. E.g. you may trust myfavoritesite.com to run script, but then tomorrow it gets hacked and starts including malicious javascript. This is something that Safe Browsing (the anti-malware protection built into Google Chrome) can help with, but is not something that would be stopped if you say "I trust myfavoritesite.com to run script". People are hacking sites you trust and that you visit. That's how they get infections. They're not trying to hack sites that nobody visits. This is not something that I think would be a useful feature from a security perspective.

On Tue, Sep 16, 2008 at 1:08 PM, gbob [EMAIL PROTECTED] wrote:
You say, "Wouldn't that just be like Mozilla Firefox + NoScript?". No, as safe as IE6 with prompt for scripts and having a trusted sites list. Automatically run scripts on sites YOU trust and examine all others deciding on a site-per-site basis which you'll give permission to run scripts. Thanks.

On Sep 16, 5:38 am, Alwin Garside [EMAIL PROTECTED] wrote:
Wouldn't that just be like Mozilla Firefox + NoScript?

On Mon, Sep 15, 2008 at 11:35 PM, gbob [EMAIL PROTECTED] wrote:
Allowing the user to set the browser security to allow them to set it to ask for permission to run any scripts (Java, Javascript, etc.) and to have a trusted sites list similar to the way IE works.

On Sep 15, 7:29 pm, Ian Fette [EMAIL PROTECTED] wrote:
I'm not sure what the ask here is. We don't allow active-x to run.

On Mon, Sep 15, 2008 at 7:23 PM, gbob [EMAIL PROTECTED] wrote:
Hello:

I currently use only IE 6 (I know, I know) because it has one of the most important security features that has prevented a number of infections recently. I have three separate OS partitions with XP on each. One is used for my non-web work with ALL data and most programs on another drive. Another is used for my normal Web work and has NO connection to ANY data; documents, projects, etc. And the last is a test partition set up the same way, to test security where I take more risks.

So, on my test partition, in the last month, I was infested twice by a number of malware programs that got through all (numerous) defenses. My normal web partition is set up slightly differently. I use only IE and have ActiveX and scripts set to Prompt and add only a few sites I trust to the trusted sites list. Even the trusted sites prompt for permission when scripts from other sites are executed at that site (and I say no, which works fine). It has NEVER been infected.

It's a pain, I know, but it's MUCH safer and would be great if Chrome had the same so it was at least as secure as IE in that respect. I'll use Chrome for regular web access when it has it.

Thanks.

May or may not apply... See: http://www.darkreading.com/document.asp?doc_id=162515 Report: Popular Web Attacks Go Stealth

--
Alwin Yogarine Garside
Development Lead
LinFox Serviços de Informatica LTDA.
http://www.linfox.com.br
Phone: +55 (0xx)83 -9084
Mobile: +55 (0xx)83 91275361
[chromium-dev] Re: Missing security feature
So, you allow scripts from sites you determine known to not distribute malware AND the other (cross) sites that site uses for its flash content?

On Sep 16, 2:11 pm, Ian Fette [EMAIL PROTECTED] wrote:
Sadly, it's hard to block flash popups without breaking flash. I wish there were a better answer. Some people have requested things like noflash, I suspect that once we have an extension mechanism in place this would be a good candidate for that.

On Tue, Sep 16, 2008 at 2:01 PM, gbob [EMAIL PROTECTED] wrote:
BTW, the only sites in my trusted zone are google, microsoft and just a few others. I have yet to be infected by them. They are VERY quick to fix vulnerabilities.

On Sep 16, 1:36 pm, Ian Fette [EMAIL PROTECTED] wrote:
The whole point though is that running or not running script on sites you trust is not sufficient. E.g. you may trust myfavoritesite.com to run script, but then tomorrow it gets hacked and starts including malicious javascript. This is something that Safe Browsing (the anti-malware protection built into Google Chrome) can help with, but is not something that would be stopped if you say "I trust myfavoritesite.com to run script". People are hacking sites you trust and that you visit. That's how they get infections. They're not trying to hack sites that nobody visits. This is not something that I think would be a useful feature from a security perspective.

On Tue, Sep 16, 2008 at 1:08 PM, gbob [EMAIL PROTECTED] wrote:
You say, "Wouldn't that just be like Mozilla Firefox + NoScript?". No, as safe as IE6 with prompt for scripts and having a trusted sites list. Automatically run scripts on sites YOU trust and examine all others deciding on a site-per-site basis which you'll give permission to run scripts. Thanks.

On Sep 16, 5:38 am, Alwin Garside [EMAIL PROTECTED] wrote:
Wouldn't that just be like Mozilla Firefox + NoScript?

On Mon, Sep 15, 2008 at 11:35 PM, gbob [EMAIL PROTECTED] wrote:
Allowing the user to set the browser security to allow them to set it to ask for permission to run any scripts (Java, Javascript, etc.) and to have a trusted sites list similar to the way IE works.

On Sep 15, 7:29 pm, Ian Fette [EMAIL PROTECTED] wrote:
I'm not sure what the ask here is. We don't allow active-x to run.

On Mon, Sep 15, 2008 at 7:23 PM, gbob [EMAIL PROTECTED] wrote:
Hello:

I currently use only IE 6 (I know, I know) because it has one of the most important security features that has prevented a number of infections recently. I have three separate OS partitions with XP on each. One is used for my non-web work with ALL data and most programs on another drive. Another is used for my normal Web work and has NO connection to ANY data; documents, projects, etc. And the last is a test partition set up the same way, to test security where I take more risks.

So, on my test partition, in the last month, I was infested twice by a number of malware programs that got through all (numerous) defenses. My normal web partition is set up slightly differently. I use only IE and have ActiveX and scripts set to Prompt and add only a few sites I trust to the trusted sites list. Even the trusted sites prompt for permission when scripts from other sites are executed at that site (and I say no, which works fine). It has NEVER been infected.

It's a pain, I know, but it's MUCH safer and would be great if Chrome had the same so it was at least as secure as IE in that respect. I'll use Chrome for regular web access when it has it.

Thanks.

May or may not apply... See: http://www.darkreading.com/document.asp?doc_id=162515 Report: Popular Web Attacks Go Stealth

--
Alwin Yogarine Garside
Development Lead
LinFox Serviços de Informatica LTDA.
http://www.linfox.com.br
Phone: +55 (0xx)83 -9084
Mobile: +55 (0xx)83 91275361