The impact of the TPP (Trans-Pacific Partnership) on the GPL

The closed-door process behind the TPP (Trans-Pacific Partnership) only received wide analysis after Wikileaks published the text ("TPP Treaty: Intellectual Property Rights Chapter - 5 October 2015"), and as expected, something negotiated behind closed doors turns out to be something that can't bear daylight and runs against the public interest.

EFF has a guided-reading series analysing it; if you're interested, start there: "Trans-Pacific Partnership Agreement".

What I want to cover here is the TPP's impact on the GPL: "TPP has provision banning requirements to transfer of or access to source code of software".

This set of clauses on source code directly collides with the requirement in GPL-family licenses that source be released:

Article 14.17: Source Code

  1. No Party shall require the transfer of, or access to, source code of software owned by a person of another Party, as a condition for the import, distribution, sale or use of such software, or of products containing such software, in its territory.
  2. For the purposes of this Article, software subject to paragraph 1 is limited to mass-market software or products containing such software and does not include software used for critical infrastructure.
  3. Nothing in this Article shall preclude:
    (a) the inclusion or implementation of terms and conditions related to the provision of source code in commercially negotiated contracts; or
    (b) a Party from requiring the modification of source code of software necessary for that software to comply with laws or regulations which are not inconsistent with this Agreement.
  4. This Article shall not be construed to affect requirements that relate to patent applications or granted patents, including any orders made by a judicial authority in relation to patent disputes, subject to safeguards against unauthorised disclosure under the law or practice of a Party.
Facebook updates its iOS app to fix the battery drain problem

In "Kill the Facebook process completely when you are not using the app on iOS" I mentioned that the iOS version of the Facebook app plays silent audio in the background, causing unusually heavy battery drain. Facebook's Ari Grant has now clarified that it was caused by bugs, not intentional behaviour.

Two bugs were fixed. The first is in the network code:

The first issue we found was a "CPU spin" in our network code. A CPU spin is like a child in a car asking, "Are we there yet? Are we there yet? Are we there yet?" with the question not resulting in any progress to reaching the destination. This repeated processing causes our app to use more battery than intended. The version released today has some improvements that should start making this better.

The second is the silent audio problem mentioned earlier:

The second issue is with how we manage audio sessions. If you leave the Facebook app after watching a video, the audio session sometimes stays open as if the app was playing audio silently. This is similar to when you close a music app and want to keep listening to the music while you do other things, except in this case it was unintentional and nothing kept playing. The app isn't actually doing anything while awake in the background, but it does use more battery simply by being awake. Our fixes will solve this audio issue and remove background audio completely.

He also clarified that the app was not fetching location data in the background:

The issues we have found are not caused by the optional Location History feature in the Facebook app or anything related to location. If you haven't opted into this feature by setting Location Access to Always and enabling Location History inside the app, then we aren't accessing your device's location in the background. The issues described above don't change this at all.

In theory the new version should save a bit of battery?

The 2006 jQuery code...

On the birth of jQuery, which has since become synonymous with JavaScript on the web.

A nostalgic post by John Resig (the creator of jQuery): "Annotated Version of the Original jQuery Release".

The highlight is the "Annotated jQuery Release" itself, where he wrote plenty of annotations (from the viewpoint of 2015); lots of sighing XDDD

Google announces the shutdown of Google Code

The news spread immediately after Google's announcement: "Bidding farewell to Google Code".

Key dates:

• March 12, 2015: no new projects can be created.
• August 24, 2015: read-only.
• January 25, 2016: the service is turned off, although a tarball of each project remains downloadable throughout 2016.

Google provides an "Export to GitHub" service to move projects to GitHub, or you can convert manually: the Git part is simple, just push the repository to the new hosting; the other systems need conversion tools.
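For the manual Git route, the step that is easy to get wrong is not the push itself but confirming afterwards that nothing was lost (a missing tag or branch on the new host is easy to miss and hard to recover once the old host is gone). The script below is an added example written for this post; it is not Google's export tool or any project's own code. The source and destination URLs are assumed placeholders (for a Google Code project they would be its old clone URL and the new GitHub remote), and the sample repository it builds is constructed so the script can run offline:

```shell
#!/bin/sh
# Added example, not part of the original post or of Google's export tool:
# mirror an existing Git repository to a new hosting location and verify that
# every branch and tag arrived intact. SRC/DST are assumed placeholders (for a
# Google Code project: its old clone URL and the new GitHub remote). Needs git.

# Clone with --mirror (all refs, no working tree) and push with --mirror so the
# destination ends up with exactly the same branches and tags as the source.
migrate_git_repo() {
  src="$1"; dst="$2"; work="${3:-$(mktemp -d)}"
  mkdir -p "$work" || return 1
  git clone --quiet --mirror "$src" "$work/mirror.git" || return 1
  git -C "$work/mirror.git" push --quiet --mirror "$dst" || return 1
  verify_refs "$src" "$dst"
}

# Compare the branch and tag refs (name + commit id) advertised by both sides.
# Peeled "^{}" entries are dropped because they are derived from the tag object.
# Returns 0 only when the two listings are non-empty and identical.
verify_refs() {
  a=$(git ls-remote --heads --tags "$1" | grep -v '\^{}$' | sort)
  b=$(git ls-remote --heads --tags "$2" | grep -v '\^{}$' | sort)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample repository (one commit, one tag, one extra branch) standing
# in for the old hosting, so the example runs without network access.
make_sample_repo() {
  dir="$1"
  git init --quiet "$dir" || return 1
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
      commit --quiet --allow-empty -m "initial import" || return 1
  git -C "$dir" tag v1.0 && git -C "$dir" branch feature
}

# Stand-alone demo: migrate the sample repo into a fresh bare repository.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_repo "$tmp/src"
  git init --quiet --bare "$tmp/dst.git"
  migrate_git_repo "$tmp/src" "$tmp/dst.git" "$tmp/work" && echo "all refs verified"
fi
```

Run it with `--demo` to see the round trip on the constructed repository; for a real migration call `migrate_git_repo OLD_URL NEW_URL` and treat a non-zero exit from `verify_refs` as "do not decommission the old host yet".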

Mozilla and Tor (EFF) rejected from Google Summer of Code 2015

Mozilla's application for Google Summer of Code 2015 was rejected: "Mozilla not accepted for Google Summer of Code 2015".

Given Mozilla's resources that seems tolerable? But Tor (EFF) being rejected as well is genuinely surprising...

Don't be evil...

Apple's first automatic forced update: an NTP security issue

Apple's first ever automatic forced update went to this ntpd security issue, CVE-2014-9295: "Apple pushes first ever automated security update to Mac users".

A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.

This one is a bit more exciting...

AWS CodeDeploy, CodeCommit and CodePipeline

Another major announcement from this re:Invent: "New AWS Tools for Code Management and Deployment".

Put briefly, AWS CodeDeploy handles application deployment, CodeCommit is Git hosting, and CodePipeline is the hook between them.

For now only CodeDeploy is available; the other two are not ready yet:

CodeDeploy is launching today and you can start using it now. Please stay tuned for more information on CodeCommit and CodePipeline!

You used to assemble these pieces yourself; now AWS packages them up and provides them directly...

PHP-CS-Fixer 1.0 released!

PHP-CS-Fixer has officially released version 1.0: "PHP CS Fixer finally reaches version 1.0".

The original author mentions that earlier versions were built on regular expressions, and that the last three months brought a big change: the current version works on tokens instead:

The current stable version of PHP-CS-Fixer was released in August 2014 and it is still based on regular expressions, two years after the first public release. But in the last three months, things got crazy mainly because of Dariusz Ruminski. He did a great job at rewriting everything on top of a parser based on the PHP tokens, helped by 21 other contributors.

Usage:

    php-cs-fixer fix /path --level=psr2

This cleans up every .php file under the directory. The directory argument can also be a file name, in which case only that one file is processed.

Corroboration for the Windows 10 urban legend...

Continuing from "The Windows 10 urban legend...": leaving aside what Microsoft's internal code looks like and the real reason for skipping Windows 9, quite a few open source projects really do detect Windows 95 and Windows 98 this way:

And there are various variants:

    } else if (osName.startsWith("Windows")) {
        if (osName.indexOf("9") != -1) {   // matches any "9" in the name, so "Windows 9" would be treated as 9x too
            jvm = WINDOWS_9x;
        }
    }

What can you even say...

Bash remote code execution vulnerability

This one leaves you speechless: a remote code execution vulnerability in Bash, CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

The explanation can be read on oss-sec: "Re: CVE-2014-6271: remote code execution through bash":

Debian and other GNU/Linux vendors plan to disclose a critical, remotely exploitable security vulnerability in bash this week, related to the processing of environment variables. Stephane Chazelas discovered it, and CVE-2014-6271 has been assigned to it.

Getting in through environment variables... Red Hat's "Bash specially-crafted environment variables code injection attack" also gives quite a few examples.
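Since the fix is a bash patch, the useful follow-up for anyone running Linux servers is a self-check that tells you whether the bash on a host still imports trailing commands from an environment variable. The script below is an added example for this post, not code from the original post or from any vendor advisory; it follows the same pattern as the self-tests published with the fix (a function definition with a trailing command placed in a variable, then a child bash started under it). BASH_BIN is an assumed, overridable path to the binary under test:

```shell
#!/bin/sh
# Added example, not from the original post: a self-check for CVE-2014-6271 that
# an administrator runs on their own hosts to confirm the bash patch is in place.
# An environment variable is set to something that looks like a function
# definition followed by a trailing command, then a child bash is started under
# it. An unpatched bash imports the function and keeps parsing past the closing
# brace, so the trailing command runs; a patched bash treats it as plain data.
# BASH_BIN is an assumed, overridable path to the bash binary under test.
BASH_BIN="${BASH_BIN:-bash}"

# Prints one of: patched / vulnerable / unknown. Exit status 0 only when patched.
check_shellshock() {
  if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
    echo unknown
    return 2
  fi
  # The child is asked to print only "probe"; the word "vulnerable" can reach
  # stdout only if the trailing command in the variable's value was executed.
  # A patched bash may warn on stderr about the ignored definition; that is fine.
  out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo vulnerable; return 1 ;;
    *)            echo patched;    return 0 ;;
  esac
}

# Fleet-style wrapper: one line per host, easy to collect into a log, e.g.
#   host=web01 bash=/bin/bash status=patched
report_shellshock() {
  status=$(check_shellshock) || true
  echo "host=$(uname -n) bash=$BASH_BIN status=$status"
  [ "$status" = patched ]
}

if [ "${1:-}" = "--report" ]; then
  report_shellshock
fi
```

Run it with `--report` over your hosts (via whatever remote execution you already use) and keep the lines; a host that prints `status=vulnerable` is one where the package update has not landed or a second bash binary (for example a statically linked one in a container image) was missed.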

On Linux the most commonly used shell is probably still Bash? (Though I've seen quite a few people using Zsh...)

Then on Twitter I saw a very evil Google hack:

Everyone can add site: and scan for themselves...