Today I set up Travis for Liferea git master. This should reduce mistakes like forgetting to add files or dependencies as well as testing compilation with LLVM.

I also converted the README to Markdown syntax and the new README.md now has a Liferea screenshot and a Travis build status badge looking like this:

Today I closed the ticket tracker at Sourceforge the last remaining project tool there. Several maintainers and users already started using the new one at Github. Please also do!

If I set everything correctly the SF bugs should stay readable for everyone. You just cannot edit them anymore. I plan to close all of them with appriopriate results. In any case if you mind please reopen at Github:

https://github.com/lwindolf/liferea

Moving to Github simplifies my workflow a lot (especially the auto-linking of tickets by commits with ticket id) and less time will be spend on maintaining the tickets and more on the code and the actual issues to solve.

Also feel invited to make many many pull requests!

If you are using Ubuntu Unity as desktop environment and after upgrading to Ubuntu 14.04 the tray icon disappears please workaround by running:

gsettings set com.canonical.Unity.Panel systray-whitelist "['all']"

Git master now features categories support when subscribing to theoldreader.com accounts. As TheOldReader allows only level of folders nested folders are not possible. Still this allows to organize the feeds neatly. If you already have a subscription don't worry your feeds will be automatically reorganized without loosing any items.

The TheOldReader category support will be first included in release 1.11.0

A recent issue of the German iX magazin featured an article on improving end user security by enabling HTTP security headers

• X-XSS-Protection,
• X-Content-Type-Options MIME type sniffing,
• Content-Security-Policy,
• X-Frame-Options,
• and HSTS Strict-Transport-Security.

The article gave the impression of all of them quite common and a good DevOps being unreasonable not implementing them immediately if the application supports them without problems.

This lead me to check my monthly domain scan results of April 2014 on who is actually using which header on their main pages. Results as always limited to top 200 Alexa sites and all larger German websites.

Usage of X-XSS-Protection

Header visible for only 14 of 245 (5%) of the scanned websites. As 2 are just disabling the setting it is only 4% of the websites enabling it.

Usage of X-Content-Type-Options

Here 15 of 245 websites (6%) enable the option.

Usage of Content-Security-Policy

Actually only 1 website in the top 200 Alexa ranked websites uses CSP and this lonely site is github. The problem with CSP obviously being the necessity to have a clear structure for the origin domains of the site elements. And the less advertisments and tracking pixels you have the easier it becomes...

Usage of X-Frame-Options

The X-Frame-Options header is currently delivered by 43 of 245 websites (17%).

Usage of HSTS Strict-Transport-Security

HSTS headers can only be found on a few front pages (8 of 245). Maybe it is visible more on the login pages and is avoided on front pages for performance reasons, maybe not. That would require further analysis. What can be said is only some larger technology leaders are brave enough to use it on the front page:

Conclusion

Security headers are not wide-spread on website front pages at least. Most used is the X-Frame-Option header to prevent clickjacking. Next following is X-Content-Type-Options to prevent MIME sniffing. Both of course are easy to implement as they most probably do not change your websites behaviour. I'd expect to see more HSTS on bank and other online payment service websites, but it might well be that the headers appear only on subsequent redirects when logging in, which this scan doesn't do. With CSP being the hardest to implement, as you need to have complete control over all domain usage by application content and partner content you embed, it is no wonder that only Github.com has implemented it. For me it is an indication how clean their web application actually is.

Dear maintainers and contributing end users,

I plan to switch the bug tracker from SourceForge to Github to the end of the month (31.05.2014) to further simplify the workflow of maintaining Liferea. As a benefit at Github I'll maintain milestones with due dates and assigned issues. The Github bug tracker is already in use by some users. Feel free to use it right now.

Nothing Gets Lost!

I won't ignore the old tickets, they will just become invisible. I promise to process all important SF tickets. I believe you will still get mail notifications on state changes. For the maintainers: if you still need to access the tickets I we can find a solution (admin user role...). I know this pains you guys probably the most and don't want to mess up your valuable work more than absolutely necessary.

If you are in any doubt please drop a short mail on the mailing list or just recreate all the tickets at Github: https://github.com/lwindolf/liferea/issues?milestone=2&state=open

The Future

I plan to entirely stop using the Sourceforge tools in favour of Github. Sourceforge is just not very useable. Code formatting looks funny all the time. One needs to edit tickets to change state. Also the commit correlation with tickets in Github is just a killer feature for me.

For the future I also hope to invite more contributions via Github forking and merging. By also switching more code to Python plugins I can imagine some more users crossing the barrier, that coding in C is, and contribute.

As in the last months let's look into changes visible at the frontend pages of the biggest websites. This time I compared the changes between February to April.

These last two months saw the usual lot of version upgrades, along with some probably unintended un-hiding of server versions, several sites going to CloudFlare as well as a premiere with IPv6 being available on the first adult movie site.

The detailed results can be found here:

• 02/2014
• 04/2014

What Changed?

Note: the website links lead to a history page for the different sites were you can see the change details.

Caution!

All the results listed above are based on a simple scanning script. The results present a snapshot of the websites and a single response only. This is of course not necessarily an indicating for what techniques the site uses in daily operations!

Recent CDN usage for top 200 Alexa ranked sites and major German sites. For measurement method read more here...

Today sees another maintenance release for 1.10. This release addresses TinyTinyRSS updating issues. If you are affected please upgrade and give feedback if it helped!

    * Fixes Github #19: non void function should return value
      (reported by kwm81)
    * Fixes SF #1141: Liferea does not update feeds with TinyTinyRSS
      (reported by Dominik Grafenhofer, denk_mal, Fabian Henze)
    * Fixes SF #1150: subscription prop/source: not all fields and
      buttons visible (reported by David Smith)

Download Liferea 1.10.9

https://github.com/lwindolf/liferea/releases/download/v1.10.9/liferea-1.10.9.tar.bz2