May Update

I've revamped it by creating a single score to summarize all the tests - the goal is to have some useful predictivate quality - and be easier to track over time. To predict how prepared they are for a "bump" or their "monent", but also provide an idea of how much outside actors might be able to meddle with their campaign.

There are 3 different categories:

• Performance metrics - The top four are donaldjtrump.com, julianforthefuture.com, joebiden.com, and amyklobuchar.com.
• Email security - Top are elizabethwarren.com, hickenlooper.com, corybooker.com, and joebiden.com. They will have a much better time communicating to their supporters.
• and other website security metrics

Today's results:

• 65 - joebiden.com - the highest score. only one with a non-F letter grade, but it's still a D.
• 55,56 - corybooker.com, hickenlooper.com - both substancially improved over last evaluation.
• 48,49 - amyklobuchar.com, elizabethwarren.com
• Low 40s - betoorourke.com, , michaelbennet.com, johndelaney.com
• High 30s - jayinslee.com, marianne2020.com, berniesanders.com, stevebullock.com
• Low 30s - donaldjtrump.com, ericswalwell.com, weld2020.org
• 20s - tulsigabbard.org, kirstengillibrand.com, kamalaharris.org, billdeblasio.com, peteforamerica.com, wayneforamerica.com, timryanforamerica.com
• 18 - sethmoulton.com
• 9 - yang2020.com - Will the math lover stand being last?

All the candidates can definitely do better, my website gets a 79. I don't really see anyone geting out of the race before the first debate, so I can't make any clear predictions at this point.

You can get the full details at the 2020 presidential website tracker. .

---

Original post:

Now it's a tradition (did it in 2016 too)... I'm launching my 2020 presidential website tracker.

I'm being harsh and limiting everyone to a C rating for now. There are some basic things all the candidates really could be doing. If you see a mistake I made or find something new to track, feel free to report a bug/pull request.

First things first. I haven't been a huge fan of Snaps (despite working for Canonical) or Flatpaks. Both I felt initally put convenience over security. I believe both are maturing now, but it again puts the evaluation if a package is secure on users - instead of distros which actually have teams to review items before inclusion.. Anyway, with that said: On to how I am loving the Firefox Snap

Backstory

I'm a long time Beta user of Firefox, but I've been using stable for a while cause it's just easier. I generally preferred getting the tarball from Mozilla directly which has a minor issue. Long story short, Nautilus doesn't want to be a program launcher of files provided in tarballs. In fact, Nautilus just dropped that support entirely - just at the same time where it was worked around in Firefox.

Snap Install firefox beta

sudo snap install firefox --beta

That's it. No unpacking a tarball - no making a desktop entry so you can launch it more easily. Of course, just leave off --beta if you want to get the stable version of Firefox via a snap.

It uses a seperate profile from the deb installed Firefox, but you can only run one at a time. (This is the same if you download a tarball)

Some other steps that will vary based on wha you are doing: 1. Sync your data accross (I use mozilla sync) and setup your extensions, etc. 2. Replace the deb based one from your dock and add the snap based one there. (Right click details in Gnome to see which is which)

Upgrade to 63 beta

So snaps autoupgrade and I soon found myself on Firefox 63 beta and everything looked good until I tried to join a hangout. It didn't work. Since I was using snaps I just tried a: sudo snap revert firefox and I was back on 62 beta in time for my hangout starting in 2 minutes. (Note: it was likely worth just switching to stable instead with sudo snap refresh firefox --stable)

Snaps will automatically upgrade to the next version with the hope that it will have fixed whatever bug made you revert. A few days they released a new version of 63 beta and Hangouts broke again. In this case I determined it was actually a Google Hangouts/Meet bug. One good way to tell when different channels have had releases is to look at https://snapcraft.io/firefox.

Privacy

The snap version does provide more protection from a compromised Firefox. It also seperates the Downloads folder for the snap to a snap specific one at ~/snap/firefox/common/Downloads.

Other issues

• Checkboxes didn't show up for a bit on version 62.
• Multi-account container's has a bug in Firefox 63.

From what I can tell these issues are all Firefox beta issues, not issues specific with the snap version. The only snap specific issue I've ran into is the first time you start a snap it takes a while.

Conclusion

I'm staying on a Firefox snap. It's faster to change between stable and beta channels. It also seems like it gets updates faster than Firefox in the Ubuntu archive.

Give it a try today with (or remove the beta for stable): sudo snap install firefox --beta

Florida, Tennessee, the EU and more are considering one timezone for the entire year - no more changing the clocks. Massachusetts had a group study the issue and recommend making the switch, but only if a majority of Northeast states decide to join them. I would like to see the NJ legislature vote to join them.

Interaction between countries would be helped by having one less factor that can impact collaboration. Below are two examples of ways this will help.

Meeting Times

Let's consider a meeting scheduled in EST with partipants from NJ, the EU, and Arizona.
NJ - normal disruption of changing times, but the clock time for the meeting stays the same.
Arizona - The clock time for the meeting changes twice a year.
EU - because they also change their clocks at different points throughout the year. Due to this, they have 4 clock time changes during each year.

This gets more complicated as we add partipants from more countries. UTC can help, but any location that has a time change has to be considered for both of it's timezones.

Global shift work or On-call

Generally, these are scheduled in UTC, but the shifts people actually work are in their local time. That can be disruptive in other ways, like finding child care.

In conclusion, while these may be minor compared to other concerns (like the potential health effects associated with change the clocks), the concerns of global collaboration should also be considered.

I just finished moving my website from Wordpress to Nikola (static site generator), GitLab (git and hosting), and CloudFlare (CDN, HTTPS and more).

Why Nikola

Their attitude in the handbook is "DON'T READ THIS MANUAL. IF YOU NEED TO READ IT I FAILED, JUST USE THE THING." That's my kind of software methodology. Don't blame the user, make the system better.

It is also a great handbook that has had pretty much every question I've asked. Documentation is still essential, but it's nice if the commands are self explanatory.

It just worked to import my Wordpress site (minus comments which I "inlined" or deleted for various reasons). I did do some manual HTML to markdown conversion for pages I want to edit more.

Why GitLab

I first tried and had Nikola working with GitHub, but GitLab gives me:

• Automatic building - I don't have to have a separate branch for output, I just git push my changes (or change on the website) - and GitLab will run a job to create my website. I know this is possible on GitHub, but GitLab just makes it easy.
• The option to upload SSL Certs. If I need to drop CloudFlare for some reason, I can have GitLab maintain my website using HTTPS (Which I need to because I'm on the HSTS preload list).
• Easier drive by contributions. GitLab lets you sign in with Google, Twitter, GitHub, or BitBucket. I'm thinking for suggesting changes to say a paper (or even this blog post!), that will make for a lower barrier to entry. (Of course, I'd prefer any OpenID but it's better than requiring a new account)

I absolutely love that they have their company handbook maintained in Git and public to the world (with merge request welcome!).

Why CloudFlare

CloudFlare's free plan rocks. And if I ever need to be able to handle more traffic faster, I can upgrade/downgrade as necessary.

• Free (Good) SSL with TLS1.3 Beta too
• Free IPv6
• Free HTTP2

I thought I was being smart.  By not buying through AVADirect I wasn't going to be using an insecure site to purchase my new computer.

For the curious I ended purchasing through eBay (A rating) and Newegg (A rating) a new Ryzen (very nice chip!) based machine that I assembled myself.   Computer is working mostly ok, but has some stability issues.   A Bios update comes out on the MSI website promising some stability fixes so I decide to apply it.

The page that links to the download is HTTPS, but the actual download itself is not. I flash the BIOS and now appear to have a brick.

As part of troubleshooting I find that the MSI website has bad HTTPS security, the worst page being:

Given the poor security and now wanting a motherboard with a more reliable BIOS  (currently I need to send the board back at my expense for an RMA) I looked at other Micro ATX motherboards starting with a Gigabyte which has even less pages using any HTTPS and the ones that do are even worse:

Unfortunately a survey of motherboard vendors indicates MSI failing with Fs might put them in second place.   Most just have everything in the clear, including passwords.   ASUS clearly leads the pack, but no one protects the actual firmware/drivers you download from them.

	Main Website	Support Site	RMA Process	Forum	Download Site	Actual Download
MSI	F	F	F	F	F	Plain Text
AsRock	Plain text	Email	Email	Plain text	Plain Text	Plain Text
Gigabyte (login site is F)	Plain text	Plain Text	Plain Text	Plain text	Plain Text	Plain Text
EVGA	Plain text default/A-	Plain text	Plain text	A	Plain Text	Plain Text
ASUS	A-	A-	B	Plain text default/A	A-	Plain Text
BIOSTAR	Plain text	Plain text	Plain text	n/a?	Plain Text	Plain Text

A quick glance indicates that vendors that make full systems use more security (ASUS and MSI being examples of system builders).

We rely on the security of these vendors for most self-built PCs.  We should demand HTTPS by default across the board.   It's 2017 and a BIOS file is 8MB, cost hasn't been a factor for years.

Bye Tiny

Some recent hacking attempts at my site had convinced me to reduce the number of logins I had to protect on my personal site.   That's what motivated a move from the -still- awesome Tiny Tiny RSS that I've been using since Google Reader ended.   I only follow 13 sites and maintaining my own install simply doesn't make sense.

• None of the hacking attempts appeared to be targeting Tiny Tiny RSS ~ but then again I'm not sure if I would have noticed if they were.

  Enter NewsBlur

  My favorite site for finding alternatives to software quickly settled on a few obvious choices.  Then I noticed that one of them was both Open Source and Hosted on their own servers with a freemium model.

It was NewsBlur

I decided to try it out and haven't looked back.  The interface is certainly different than Tiny (and after 3 years I was very used to Tiny ) but I haven't really thought about it after the first week.   The only item I found a bit difficult to use was arranging folders ~ I'd really prefer drag and drop.   I only needed to do it once so not a big deal.

The free account has some limitations such as a limit to the number of feeds (64), limit to how fast they update, and no ability to save stories.   The premium account is only $24 a year which seems very reasonable if you want to support this service or need those features.  As of this writing there were about 5800 premium and about 5800 standard users, which seems like a healthy ratio.

Some security notes: the site get's an A on  SSLLabs.com but they do have HSTS turned explicitly off.   I'm guessing they can't enable HSTS because they need to serve pictures directly off of other websites that are HTTP only.

NewsBlur's code is on Github including how to setup your own NewsBlur instance (it's designed to run on 3 separate servers) or for testing/development.   I found it particularly nice that the guide the site operator will check if NewsBlur goes down is public.  Now, that's transparency!

They have a bunch of other advanced features (still in free version) that I haven't even tried yet, such as:

• finding other stories you would be interested (Launch Intel)
• subscribing to email newsletters to view in the feed
• Apps for Android, iPhone and suggested apps for many other OSes
• Global sharing on NewsBlur
• Your own personal (public in free version) blurblog to share stories and your comments on them

Give NewsBlur a try today.  Let me know if you like it!

I'd love to see more of this nice combination of hosted web service (with paid & freemium version) and open source project.  Do you have a favorite project that follows this model?   Two others that I know of are Odoo and draw.io.

Comments: Mihai

NewsBlur is awesome. I have been using it since the demise of Google Reader with no issues and almost no downtime. It has been getting better and better, especially the Android app.

teh 1

I tried NewsBlur a blue moon ago. How it may’ve changed I don’t know, but I’ve kept steady with CommaFeed (with a few hiccups in between with service availability in the first few years and loss of all starred items) since the demise of Google Reader. It’s open-source too: https://github.com/Athou/commafeed

https://www.commafeed.com/

Are you running i386 (32-bit) Ubuntu?   We need your help to decide how much longer to build i386 images of Ubuntu Desktop, Server, and all the flavors.

There is a real cost to support i386 and the benefits have fallen as more software goes 64-bit only.

Please fill out the survey here ONLY if you currently run i386 on one of your machines.  64-bit users will NOT be affected by this, even if you run 32-bit applications. http://goo.gl/forms/UfAHxIitdWEUPl5K2

The latest Ubuntu LTS is out, so it's time for an updated memory usage comparison.

Boots means it will boot to a desktop that you can move the mouse on and is fully loaded.  While Browser and Smooth means we can load my website in a reasonable amount of time.

Takeaways

Lubuntu is super efficient

Lubuntu is amazing in how much less memory it can boot in.  I believe it is still the only one with ZRam enabled by default, which certainly helps a bit.

I actually did the memory usage for ZRam to the nearest MB for fun. The 32 bit version boots in 224 MB, and is smooth with Firefox at only 240MB!   The 64 bit boots at only 25 MB more (251), but is needs 384 MB to be smooth.

If you are memory limited, change flavors first, 32-bit won't help that much

Looking just at "Browser and Smooth" because that's a more clear use-case.  There is no significant memory  difference between the 32 and 64 bit varients of: Xubuntu,  Ubuntu Gnome, Ubuntu (Unity).

Lubuntu, Kubuntu, and Ubuntu Mate do have significant deltas, which let's explore: Kubuntu - If you are worried about memory requirements do not use. Ubuntu Mate - It's at most a 128MB loss, likely less.  (We did that to 128MB accuracy). Lubuntu 64 bit is smooth at 384MB.  32 bit saves almost 144 MB!  If you are severally memory limited 32-bit Lubuntu becomes your only choice.

Hard Memory Limit The 32-bit hard memory requirement is 224 MB. (Below that is panics) The 64-bit hard memory requirement is 251 MB.  Both of these were tested with Lubuntu.

Check out the 14.04 Post.   I used Virt-Manager/KVM instead of Virtualbox for the 16.04 test.

Extras: Testing Notes,  Spreadsheet

The race is now down to 5. (From 21!)

What's changed in their website setups?

Donald Trump got rid of Flash, otherwise everything else appears to be the same.

Ted Cruz went from a A+ rating to just an A (lost HSTS?).

Nothing changed for John Kasich.

Hillary Clinton went from an inconsistent server setup with many IPv4 addresses to just 1 IPV4 address.   The www. redirect behavior (from without to it) does mess up HTTPS Everywhere and ssllabs tests.     A major plus is she added HSTS to her site, so her ssllabs rating is now A+.

Bernie Sanders added IPv6 support and HSTS to the main site.  Unfortunately a sha2 intermediate certificate prevents his site from going from A to A+.  And his donation provider has HSTS setup correctly and get's an A+.

At this point in the campaign, only A ratings (ssllabs) are left!  The Democrats seem to have prioritized implementing HSTS, but neither appears to have gone for the preload list.

HSTS - Means you tell the browser to enforce SSL

You can find the raw data in this spreadsheet

I also included sub domains in this list, but it wasn't as interesting as I hoped.

I'm specifically looking for: OS/2 Metafile (.met) PICT (Mac's precursor to PDF) https://en.wikipedia.org/wiki/PICT

Also useful might be: PCD - Kodak Photo CD RAS - Sun Raster Image

I'm trying to evaluate if LibreOffice should keep support for them (specifically if the support is good). Unfortunately I can only generate the images using LibreOffice (or sister projects) which doesn't really provide a great test.

Please either: Provide a link in a comment below Email me B @ (If emailed, please mention if I can share the image publicly)

If I find the support works great I'd try to integrate a few of them into LO tests so we make sure they don't regress.

Feedback:

Thank you!  [Update, files are now part of LibreOffice's test server]