The US government has probably already obtained a large amount of source code, without the CEOs knowing

Seen via Bruce Schneier: "Companies Handing Source Code Over to Governments".

Court orders are served directly on employees, who may not tell anyone else that the order exists (including the CEO):

These orders are so highly classified that simply acknowledging an order's existence is illegal, even a company's chief executive or members of the board may not be told. Only those who are necessary to execute the order would know, and would be subject to the same secrecy provisions.

This is similar to the situation for Chinese companies.

Studio Ghibli will release the source code of the software it uses for animation

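Seen at "造福同人,吉卜力使用的动画制作软件宣布开源化" (a Chinese-language article reporting that the animation production software used by Ghibli is going open source). After searching for related news, an explanation can be found in "Open-Source Animation Production Software OpenToonz Available March 26".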

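"アニメーション制作ツールの オープンソースプロジェクト" (the Japanese page for the animation production tool's open source project) also has related news. There will be a further announcement at AnimeJapan 2016, scheduled for 3/26, so I'll follow up on the progress then...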

Google releases implementations of three hash algorithms

Google has released implementations of three hash algorithms: "New algorithms may lower the cost of secure computing".

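The first is an accelerated implementation of SipHash, sped up with the AVX-2 instruction set. Going by Wikipedia, Intel/AMD CPUs from after 2011 all seem to provide this instruction set: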

Our first hash function produces the same output as SipHash, but 1.5 times as quickly thanks to AVX-2 instructions.

The second is an improved version of SipHash whose output is different (so it is not SipHash), but which is faster than SipHash:

The second improvement uses j-lanes tree hashing to process multiple inputs in parallel, which is 3 times as fast. This technique is known to be secure, but produces different output than the original SipHash and is slightly slower for short inputs.

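The third is a new hash that is faster still than the previous two, but it needs analysis by more people before its security can be confirmed: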

HighwayHash is based on a new way of mixing inputs with just a few AVX-2 multiply and permute instructions. We are hopeful that the result is a cryptographically strong pseudorandom function, but new cryptanalysis methods might be needed for analyzing this promising family of hash functions. HighwayHash is significantly faster than SipHash for all measured input sizes, with about 7 times higher throughput at 1 KiB.

The code for all three can be found on GitHub at "google/highwayhash"; according to the LICENSE file it is under the Apache License 2.0.
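As an added illustration (not code from Google's repository or from the original post), the sketch below implements reference SipHash-2-4 in plain Python and a simplified lane-split tree mode, showing why the second variant's output differs from plain SipHash. The lane layout and root step in `lane_tree_hash` are assumptions made for this example, not the construction used in google/highwayhash.

```python
MASK = (1 << 64) - 1

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK

def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK
    v1 = _rotl(v1, 13) ^ v0
    v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK
    v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK
    v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK
    v1 = _rotl(v1, 17) ^ v2
    v2 = _rotl(v2, 32)
    return v0, v1, v2, v3

def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 with a 16-byte key, returning the 64-bit tag."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v = (k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573)
    full = len(msg) - len(msg) % 8
    words = [int.from_bytes(msg[i:i + 8], "little") for i in range(0, full, 8)]
    # The last block carries the leftover bytes plus the length in its top byte.
    words.append(int.from_bytes(msg[full:], "little") | ((len(msg) & 0xFF) << 56))
    for m in words:
        v0, v1, v2, v3 = v
        v = _sipround(*_sipround(v0, v1, v2, v3 ^ m))
        v = (v[0] ^ m,) + v[1:]
    v = (v[0], v[1], v[2] ^ 0xFF, v[3])
    for _ in range(4):
        v = _sipround(*v)
    return v[0] ^ v[1] ^ v[2] ^ v[3]

def lane_tree_hash(key: bytes, msg: bytes, lanes: int = 4) -> int:
    """Simplified lane-split tree mode (assumed layout, not Google's)."""
    buckets = [bytearray() for _ in range(lanes)]
    for n, i in enumerate(range(0, len(msg), 8)):
        buckets[n % lanes] += msg[i:i + 8]      # word n goes to lane n mod lanes
    # Lanes are independent, so a SIMD implementation can hash them side by side.
    tags = b"".join(siphash24(key, bytes(b)).to_bytes(8, "little") for b in buckets)
    # Root hash binds the lane tags and the total length.
    return siphash24(key, tags + len(msg).to_bytes(8, "little"))
```

Every call to `lane_tree_hash` costs `lanes + 1` SipHash invocations regardless of input size, which is the fixed overhead behind the quoted "slightly slower for short inputs".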

GitHub adds +1 and -1 (and emoji along the way)

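This is a new feature created in response to the community's earlier petition (or complaint?) to GitHub (see the earlier post "GitHub's response to the Open Source Community's petition"): "Add Reactions to Pull Requests, Issues, and Comments".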

This avoids floods of +1 comments in discussions and the confusion they cause.

GitHub's response to the Open Source Community's petition

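A little over a month ago (January 15, 2016), a group of people who develop open source software on GitHub petitioned GitHub, asking it to take seriously the problems the Open Source Community runs into on the GitHub platform: "An open letter to GitHub from the maintainers of open source projects".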

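After the petition sat for nearly a month, quite a lot of discussion about moving off GitHub gradually appeared. eslint, for example, opened an issue directly on GitHub to discuss the problems that moving off GitHub would bring and possible solutions: "Investigate switching away from GitHub".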

On February 13, GitHub responded through a pull request saying "we're working on it", without saying what was being worked on; it looked like a very PR-style response: "Dear Open Source Maintainers".

Only yesterday did the issue-template problem (the passage below), one of the three main requests, finally see progress:

Issues are often filed missing crucial information like reproduction steps or version tested. We’d like issues to gain custom fields, along with a mechanism (such as a mandatory issue template, perhaps powered by a newissue.md in root as a likely-simple solution) for ensuring they are filled out in every issue.

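To address users sometimes forgetting to give complete environment information (and other useful data) when opening an issue, GitHub has launched a new feature: when opening an issue or pull request, a template gives users a form to follow, and templates also support Markdown, which allows richer ways of filling them in: "Issue and Pull Request templates".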

So there is finally some progress. But it also feels like GitHub has started to slow down...

CloudFlare plans to release an HTTP/2 + SPDY patch for nginx

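nginx removed SPDY support after 1.9.5 and supports only HTTP/2. While looking for other material just now, I found in "HTTP/2 is here! Goodbye SPDY? Not quite yet" that the CloudFlare people plan to release a patch that lets nginx support HTTP/2 and SPDY at the same time: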

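You can also see people there complaining that the data on caniuse differs quite a bit from real-world usage, so using caniuse to persuade people is not very accurate.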

I also noticed that my own blog sometimes does not enable HTTP/2 (observed through "HTTP/2 and SPDY indicator"). I don't know the reason; maybe nginx still has bugs at times?

Microsoft's CodePush

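I saw CodePush, released by Microsoft, a solution aimed at Cordova and React Native style apps that run through a WebView. The reason is that Apple's App Store review takes a long time, and with CodePush the app can be updated directly: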

CodePush is a cloud service that enables Cordova and React Native developers to deploy mobile app updates directly to their users’ devices. It works by acting as a central repository that developers can publish certain updates to (e.g. JS, HTML, CSS and image changes), and that apps can query for updates from (using our provided client SDKs). This allows you to have a more deterministic and direct engagement model with your end-users, while addressing bugs and/or adding small features that don’t require you to re-build a binary and/or re-distribute it through any public app stores.

The FAQ document mentions this point: (Frequently Asked Questions · CodePush)

Does the Apple App Store allow developers to perform these types of updates?

According to section 3.3.2 of Apple’s developer agreement, as long as you are using the CodePush service to release bug fixes and improvements/features that maintain the app’s original/presented purpose (i.e. don’t CodePush a calculator into a first-person shooter), then you will be fine, and your users will be happy. In order to provide a tangible example, our team published a (pretty cheesy!) CodePush-ified game to the Google Play Store and Apple App Store, and had no problems getting it through the review process.

Because Cordova apps are executed within a WebView, and React Native apps are executed within JavaScriptCore, from a technology perspective, these runtimes are unique in their ability to leverage dynamic code downloads according to the aforementioned Apple developer agreement.

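If this idea really is workable, there should be other, more open, open source solutions to use (not a lock-in service, but something that can be hung on your own CDN for downloading updates). I'll watch for a while first...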

The impact of TPP (The Trans-Pacific Partnership) on the GPL

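The closed-door dealings of the TPP (The Trans-Pacific Partnership) were only widely analyzed after Wikileaks exposed them (TPP Treaty: Intellectual Property Rights Chapter - 5 October 2015), and, as expected, since it was done behind closed doors it was of course something that cannot bear scrutiny and goes against the public interest.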

The EFF has an explainer column analyzing it; those interested can start here: "Trans-Pacific Partnership Agreement".

What I want to talk about here is the TPP's impact on the GPL: "TPP has provision banning requirements to transfer of or access to source code of software".

Among them, this set of provisions constraining source code directly hits the GPL-style constraint that mandates open source:

Article 14.17: Source Code

  1. No Party shall require the transfer of, or access to, source code of software owned by a person of another Party, as a condition for the import, distribution, sale or use of such software, or of products containing such software, in its territory.
  2. For the purposes of this Article, software subject to paragraph 1 is limited to mass-market software or products containing such software and does not include software used for critical infrastructure.
  3. Nothing in this Article shall preclude:
    (a) the inclusion or implementation of terms and conditions related to the provision of source code in commercially negotiated contracts; or
    (b) a Party from requiring the modification of source code of software necessary for that software to comply with laws or regulations which are not inconsistent with this Agreement.
  4. This Article shall not be construed to affect requirements that relate to patent applications or granted patents, including any orders made by a judicial authority in relation to patent disputes, subject to safeguards against unauthorised disclosure under the law or practice of a Party.

Content using WordPress accounts for 25% of the whole Web

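Matt Mullenweg of WordPress mentioned on his blog that WordPress content makes up 25% of the content on the Web: "Seventy-Five to Go", based on the data in W3Techs' "Historical yearly trends in the usage of content management systems for websites".

WordPress rose after the 2004 MovableType license controversy (Commitment to a Free Version, while getting our pricing right) and has stood on ever firmer ground since. MovableType announced it was going open source in 2007 (Movable Type Open Source), but by then it was too late to recover...

And WordPress's share is still slowly climbing...

A screenshot extension for Google Chrome

I remember mentioning before that the most-installed extensions all have various malware or spyware embedded, so I tried to find one that is clean... Then I thought of using Google to look for open source projects on GitHub, and found this one: "One-click full page screen captures in Google Chrome"; the official description page is at "Full Page Screen Capture Chrome Extension":

It’s open source (on github) and malware free.

It looks like this one should be usable... It seems it has not been updated for a long time, but in actual testing it still works :p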