From javier at lufte.net Fri Oct 2 17:40:21 2020 From: javier at lufte.net (Javier Ayres) Date: Fri, 02 Oct 2020 12:40:21 -0300 Subject: [qutebrowser] Dependabot pull requests in qutebrowser forks Message-ID: <3f17fadf-6422-4d59-8cef-f4558bc32c58@www.fastmail.com> Hi everyone. Has any of you started getting pull requests from Dependabot in your qutebrowser fork repository? These are supposedly disabled for forks (and I double checked) but this month I got two already. From me at the-compiler.org Fri Oct 2 20:39:15 2020 From: me at the-compiler.org (Florian Bruhin) Date: Fri, 2 Oct 2020 20:39:15 +0200 Subject: [qutebrowser] Dependabot pull requests in qutebrowser forks In-Reply-To: <3f17fadf-6422-4d59-8cef-f4558bc32c58@www.fastmail.com> References: <3f17fadf-6422-4d59-8cef-f4558bc32c58@www.fastmail.com> Message-ID: <20201002183915.gbmpk6dgfnobqdxo@aragog.localdomain> Hey, On Fri, Oct 02, 2020 at 12:40:21PM -0300, Javier Ayres wrote: > Has any of you started getting pull requests from Dependabot in your > qutebrowser fork repository? These are supposedly disabled for forks > (and I double checked) but this month I got two already. That's odd... Can you check whether you can disable them similar to what's documented here: https://docs.github.com/en/free-pro-team at latest/github/administering-a-repository/enabling-and-disabling-version-updates#enabling-version-updates-on-forks If that doesn't work, I suggest you contact GitHub Support, they're usually quite helpful in my experience. Please let me know how things go - I've thought about disabling it again as it doesn't really work like I want it to, and this might just be the final straw. Florian -- me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org https://bruhin.software/ | https://github.com/sponsors/The-Compiler/ GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From javier at lufte.net Sun Oct 4 01:46:57 2020 From: javier at lufte.net (Javier Ayres) Date: Sat, 03 Oct 2020 20:46:57 -0300 Subject: [qutebrowser] Dependabot pull requests in qutebrowser forks In-Reply-To: <20201002183915.gbmpk6dgfnobqdxo@aragog.localdomain> References: <3f17fadf-6422-4d59-8cef-f4558bc32c58@www.fastmail.com> <20201002183915.gbmpk6dgfnobqdxo@aragog.localdomain> Message-ID: When I go to that page I don't see an "Enable Dependabot" button and instead I see a link to this github action https://github.com/lufte/qutebrowser/blob/master/.github/workflows/ci.yml. I just realized this feature is in Beta though, so it's probable that it is misbehaving. I sent them some feedback, let's see how it goes. On Fri, Oct 2, 2020, at 15:39, Florian Bruhin wrote: > Hey, > > On Fri, Oct 02, 2020 at 12:40:21PM -0300, Javier Ayres wrote: > > Has any of you started getting pull requests from Dependabot in your > > qutebrowser fork repository? These are supposedly disabled for forks > > (and I double checked) but this month I got two already. > > That's odd... Can you check whether you can disable them similar to > what's documented here: > https://docs.github.com/en/free-pro-team at latest/github/administering-a-repository/enabling-and-disabling-version-updates#enabling-version-updates-on-forks > > If that doesn't work, I suggest you contact GitHub Support, they're > usually quite helpful in my experience. > > Please let me know how things go - I've thought about disabling it > again as it doesn't really work like I want it to, and this might just > be the final straw. > > Florian > > -- > me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org > https://bruhin.software/ | https://github.com/sponsors/The-Compiler/ > GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc > I love long mails! | https://email.is-not-s.ms/ > > Attachments: > * signature.asc From minshall at umich.edu Tue Oct 13 04:35:52 2020 From: minshall at umich.edu (Greg Minshall) Date: Tue, 13 Oct 2020 05:35:52 +0300 Subject: [qutebrowser] determining current URL from qtwebengineprocess PID? Message-ID: <1445614.1602556552@apollo2.minshall.org> hi. is it possible, given a process ID of a QtWebEngineProcess, to determine which actual window/tab it is mapped to, or, more immediately useful, what URL it is currently displaying? (i am running on arch linux.) cheers, Greg From me at the-compiler.org Thu Oct 15 14:14:01 2020 From: me at the-compiler.org (Florian Bruhin) Date: Thu, 15 Oct 2020 14:14:01 +0200 Subject: [qutebrowser] Dependabot pull requests in qutebrowser forks In-Reply-To: References: <3f17fadf-6422-4d59-8cef-f4558bc32c58@www.fastmail.com> <20201002183915.gbmpk6dgfnobqdxo@aragog.localdomain> Message-ID: <20201015121401.toeskl3cby2u5csr@aragog.localdomain> Hey again, On Sat, Oct 03, 2020 at 08:46:57PM -0300, Javier Ayres wrote: > I sent them some feedback, let's see how it goes. Thanks! In the meantime, I ended up disabling Dependabot - other people with forks asked me about it as well, and it also doesn't really do what I'd like it to do... https://github.com/qutebrowser/qutebrowser/commit/fa5e04fdaf8af9230c4cd9c386c5d8e0307655ca Florian -- me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org https://bruhin.software/ | https://github.com/sponsors/The-Compiler/ GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From javier at lufte.net Thu Oct 15 14:19:11 2020 From: javier at lufte.net (Javier Ayres) Date: Thu, 15 Oct 2020 09:19:11 -0300 Subject: [qutebrowser] Dependabot pull requests in qutebrowser forks In-Reply-To: <20201015121401.toeskl3cby2u5csr@aragog.localdomain> References: <3f17fadf-6422-4d59-8cef-f4558bc32c58@www.fastmail.com> <20201002183915.gbmpk6dgfnobqdxo@aragog.localdomain> <20201015121401.toeskl3cby2u5csr@aragog.localdomain> Message-ID: <299f1470-87b6-499d-93ef-e7b5715bad10@www.fastmail.com> Right! They never replied, and today it sent me a new PR, so it seems nothing has changed. On Thu, Oct 15, 2020, at 09:14, Florian Bruhin wrote: > Hey again, > > On Sat, Oct 03, 2020 at 08:46:57PM -0300, Javier Ayres wrote: > > I sent them some feedback, let's see how it goes. > > Thanks! > > In the meantime, I ended up disabling Dependabot - other people with > forks asked me about it as well, and it also doesn't really do what I'd > like it to do... > > https://github.com/qutebrowser/qutebrowser/commit/fa5e04fdaf8af9230c4cd9c386c5d8e0307655ca > > Florian > > -- > me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org > https://bruhin.software/ | https://github.com/sponsors/The-Compiler/ > GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc > I love long mails! | https://email.is-not-s.ms/ > > Attachments: > * signature.asc From me at the-compiler.org Thu Oct 15 15:24:55 2020 From: me at the-compiler.org (Florian Bruhin) Date: Thu, 15 Oct 2020 15:24:55 +0200 Subject: [qutebrowser] qutebrowser v1.14.0 released Message-ID: <20201015132455.4i434fqstna4qszx@aragog.localdomain> Heya! It's been a while since the last feature release (v1.13.0 was in June), so it was more than time for another qutebrowser release! Nothing too spectacular in there, but a variety of smaller changes, improvements and fixes. Notably, there's now a long requested ":undo --window" ('U') as well as completion for the :undo, :back and :forward commands. Other than v1.14.x releases and a possible small v1.15.0 with a Qt upgrade (which includes a newer Chromium), the next "real" release is planned to be v2.0.0 with various breaking changes: https://github.com/qutebrowser/qutebrowser/issues/5749 https://github.com/qutebrowser/qutebrowser/milestone/42 Here's the full changelog for v1.14.0: ----------------------------------------------------------- Note: The QtWebEngine version bundled with the Windows/macOS releases is still based on Qt 5.15.0 (like with qutebrowser v1.12.0 and v1.13.0) rather than Qt 5.15.1 because of a https://bugreports.qt.io/browse/QTBUG-86752[Qt bug] causing frequent renderer process crashes. When Qt 5.15.2 is released (planned for November 3rd, 2020), a qutebrowser v1.14.x patch release with an updated QtWebEngine will be released. Furthermore, this release still only contains partial session support for QtWebEngine 5.15. It's still recommended to run against Qt 5.15 due to the security patches contained in it -- for most users, the added workarounds seem to work out fine. A rewritten session support will be part of qutebrowser v2.0.0, tentatively planned for the end of the year or early 2021. Changed ~~~~~~~ - The `content.media_capture` setting got split up into three more fine-grained settings, `content.media.audio_capture`, `.video_capture` and `.audio_video_capture`. Before this change, answering "always" to a prompt about e.g. audio capturing would set the `content.media_capture` setting, which would also allow the same website to capture video on a future visit. Now every prompt will set the appropriate setting, though existing `content.media_capture` settings in `autoconfig.yml` will be migrated to set all three settings. To review/change previously granted permissions, use `:config-diff` and e.g. `:config-unset -u example.org content.media.video_capture`. - The main window's (invisible) background color is now set to transparent. This allows using the alpha channel in statusbar/tabbar colors to get a partially transparent qutebrowser window on a setup which supports doing so. - If QtWebEngine is compiled with PipeWire support and libpipewire is installed, qutebrowser will now support screen sharing on Wayland. Note that QtWebEngine 5.15.1 is needed. - When `:undo` is used with a count, it now reopens the count-th to last tab instead of the last one. The depth can instead be passed as an argument, which is also completed. - The default `completion.timestamp_format` now also shows the time. - `:back` and `:forward` now take an optional index which is completed using the current tab's history. - The time a website in a tab was visited is now saved/restored in sessions. - When attempting to download a file to a location for which there's already a still-running download, a confirmation prompt is now displayed. - `:completion-item-focus` now understands `next-page` and `prev-page` with corresponding `` / `` default bindings. - When the last private window is closed, all private browsing data is now cleared. - When `config.source(...)` is used with a `--config-py` argument given, qutebrowser used to search relative files in the config basedir, leading to them not being found when using a shared `config.py` for different basedirs. Instead, they are now searched relative to the given `config.py` file. - `navigate prev` (`[[`) and `navigate next` (`]]`) now recognize links with `nav-prev` and `nav-next` classes, such as those used by the Hugo static site generator. - When `tabs.favicons` is disabled but `tabs.tabs_are_windows` is set, the window icon is still set to the page's favicon now. - The `--asciidoc` argument to `src2asciidoc.py` and `build_release.py` now only takes the path to `asciidoc.py`, using the current Python interpreter by default. To configure the Python interpreter as well, use `--asciidoc-python path/to/python --asciidoc path/to/asciidoc.py` instead of the former `--asciidoc path/to/python path/to/asciidoc.py`. - Dark mode (`colors.webpage.darkmode.*`) is now supported with Qt 5.15.2 (which is not released yet). - The default for the darkmode `policy.images` setting is now set to `smart` which fixes issues with e.g. formulas on Wikipedia. - The `readability-js` userscript now adds some CSS to improve the reader mode styling in various scenarios: * Images are now shrinked to the page width, similarly to what Firefox' reader mode does. * Some images ore now displayed as block (rather than inline) which is what Firefox' reader mode does as well. * Blockquotes are now styled more distinctively, again based on the Firefox reader mode. * Code blocks are now easier to distinguish from text and tables have visible cell margins. - The `readability-js` userscript now supports hint userscript mode. Added ~~~~~ - New argument `strip` for `:navigate` which removes queries and fragments from the current URL. - `:undo` now has a new `-w` / `--window` argument, which can be used to restore closed windows (rather than tabs). This is bound to `U` by default. - `:jseval` can now take `javascript:...` URLs via a new `--url` flag. - New replacement `{aligned_index}` for `tabs.title.format` and `format_pinned` which behaves like `{index}`, but space-pads the index based on the total numbers of tabs. This can be used to get aligned tab texts with vertical tabs. - New command `:devtools-focus` (bound to `wIf`) to toggle keyboard focus between the devtools and web page. - The `--target` argument to qutebrowser now understands a new `private-window` value, which can be used to open a private window in an existing instance from the commandline. - The `:download-open` command now has a new `--dir` flag, which can be used to open the directory containing the downloaded file. An entry to do the same was also added to the context menu. - Messages are now wrapped when they are too long to be displayed on a single line. - New possible `--debug-flag` values: * `wait-renderer-process` waits for a `SIGUSR1` in the renderer process so a debugger can be attached. * `avoid-chromium-init` allows using `--version` without needing a working QtWebEngine/Chromium. Fixed ~~~~~ - A URL pattern with a `*.` host was considered valid and matched all hosts. Due to keybindings like `tsH` toggling scripts for `*://*.{url:host}/*`, invoking them on pages without a host (e.g. `about:blank`) could result in accidentally allowing/blocking JavaScript for all pages. Such patterns are now considered invalid, with existing patterns being automatically removed from `autoconfig.yml`. - When `scrolling.bar` was set to `overlay` (the default), qutebrowser would internally override any `enable-features=...` flags passed via `qt.args` or `--qt-flag`. It now correctly combines existing `enable-feature` flags with internal ones. - Elements with an inherited `contenteditable` attribute now trigger insert mode and get hints assigned correctly. - When checkmarks, radio buttons and some other elements are styled via the Bootstrap CSS framework, they now get hints correctly. - When the session file isn't writable when qutebrowser exits, an error is now logged instead of crashing. - When using `-m` with the `qute-lastpass` userscript, it accidentally matched URLs containing the match as substring. This is now fixed. - When a filename is derived from a page's title, it's now shortened to the maximum filename length permitted by the filesystem. - `:enter-mode register` crashed since v1.13.0, it now displays an error instead. - With the QtWebKit backend, webpage resources loading certain invalid URLs could cause a crash, which is now fixed. - When `:config-edit` is used but no `config.py` exists yet, the file is now created (and watched for changes properly) before spawning the external editor. - When hint mode was entered from outside normal mode, the status bar was empty instead of displaying the proper text. This is now fixed. - When entering different modes too quickly (e.g. pressing `fV`), the statusbar could end up in a confusing state. This is now fixed. - When qutebrowser quits, running downloads are now cancelled properly. - The site-specific quirk for `web.whatsapp.com` has been updated to work after recent changes in WhatsApp. - Highlighting in the completion now works properly when UTF-16 surrogate pairs (such as emoji) are involved. - When a windowed inspector is clicked, insert mode now isn't entered anymore. - When `:undo` is used to re-open a tab, but `tabs.tabs_are_windows` was set between closing and undoing the close, qutebrowser crashed. This is now fixed. - With QtWebEngine 5.15.0, setting the darkmode image policy to `smart` leads to renderer process crashes. The offending setting value is now ignored with a warning. - Fixes for the `qute-pass` userscript: * With newer `gopass` versions, a deprecation notice was copied as password due to `qute-pass` using it in a deprecated way. * The `--password-store` argument didn't actually set `PASSWORD_STORE_DIR` for `pass`, resulting in `qute-pass` finding matches but the underlying `pass` not finding matching passwords. ----------------------------------------------------------- Enjoy, and as always, let me know if something seems broken :) Florian -- me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org https://bruhin.software/ | https://github.com/sponsors/The-Compiler/ GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From me at the-compiler.org Wed Oct 21 22:20:58 2020 From: me at the-compiler.org (Florian Bruhin) Date: Wed, 21 Oct 2020 22:20:58 +0200 Subject: [qutebrowser] CVE-2020-15999: heap overflow in freetype Message-ID: <20201021202058.2laryurpqzdio5ao@aragog.localdomain> Hey, Recently, a security issue in freetype made the rounds, as its being actively exploited in Google Chrome: https://nakedsecurity.sophos.com/2020/10/21/chrome-zero-day-in-the-wild-patch-now/ https://security.archlinux.org/CVE-2020-15999 QtWebEngine (the backend used by default by qutebrowser) can use either a system-wide or a bundled freetype. The binary releases for Windows/macOS are likely affected (as they ship with a Qt build which comes with a bundled freetype, as far as I can tell). It looks like there's a fix already merged for Qt 5.15.2: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/318220 The release of that is planned for November 3rd - after that, there will be an updated PyQt release (usually takes 1-2 days or so), and as soon as that happens I'll be able to release a new qutebrowser release. As for Linux distributions, I'd hope most of them use a system-wide freetype which can be updated independently. Archlinux does, I have no idea about others. If you're using another distro, check via something like: ldd /usr/lib/libQt5WebEngine.so | grep -i freetype If you see a line pointing to something like /usr/lib/libfreetype.so.6, it should be fixed as soon as your distribution updates freetype. If you don't see such a line, it might be good to open a bug against your distribution to make the respective package maintainers aware of the issue. Florian -- me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org https://bruhin.software/ | https://github.com/sponsors/The-Compiler/ GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From me at the-compiler.org Mon Oct 26 16:35:19 2020 From: me at the-compiler.org (Florian Bruhin) Date: Mon, 26 Oct 2020 16:35:19 +0100 Subject: [qutebrowser] master branch is now v2.0.0 / Python 3.5 support dropped Message-ID: <20201026153519.oqx64uubfe4xekgn@aragog.localdomain> Heya, Just a FYI mostly for people contributing to qutebrowser: The master branch is now headed towards a v2.0.0 release and I dropped Python 3.5 support today: https://github.com/qutebrowser/qutebrowser/commit/685a66280aff600a83aa30da814aea63f0116c31 More breaking changes will follow soon-ish: https://github.com/qutebrowser/qutebrowser/issues?q=is%3Aopen+is%3Aissue+milestone%3Av2.0.0 (some of those changes will likely still be moved to a later milestone, I haven't really looked through them yet) This means if you're contributing to qutebrowser, you can now finally use variable annotations and f-strings: https://docs.python.org/3/whatsnew/3.6.html#pep-526-syntax-for-variable-annotations https://docs.python.org/3/whatsnew/3.6.html#pep-498-formatted-string-literals I've been waiting for this moment ever since f-strings were announced somewhen back in 2015 :D Florian -- me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org https://bruhin.software/ | https://github.com/sponsors/The-Compiler/ GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From me at the-compiler.org Fri Oct 30 13:28:06 2020 From: me at the-compiler.org (Florian Bruhin) Date: Fri, 30 Oct 2020 13:28:06 +0100 Subject: [qutebrowser] determining current URL from qtwebengineprocess PID? In-Reply-To: <1445614.1602556552@apollo2.minshall.org> References: <1445614.1602556552@apollo2.minshall.org> Message-ID: <20201030122806.m6p522htniq2hjge@aragog.localdomain> Hey Greg, Sorry for the late answer, this got lost in my inbox for a while. On Tue, Oct 13, 2020 at 05:35:52AM +0300, Greg Minshall wrote: > hi. is it possible, given a process ID of a QtWebEngineProcess, to > determine which actual window/tab it is mapped to, or, more immediately > useful, what URL it is currently displaying? (i am running on arch > linux.) cheers, Greg I added the API to do those kind of things upstream in Qt 5.15: https://codereview.qt-project.org/c/qt/qtwebengine/+/286981 However, I didn't get around to actually implementing something to e.g. show the PID inside qutebrowser - currently tracked here: https://github.com/qutebrowser/qutebrowser/issues/4984 Right now, the easiest thing you can do is to send a SIGSTP to the process and see which tab is frozen; or send a SIGTERM and see which tab crashes. Also, @toofar wrote a slightly crazy script to find the offending tab automatically: https://gist.github.com/toofar/33cd9baf420f327472f7eb7d7b2e3f6a Florian -- me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org https://bruhin.software/ | https://github.com/sponsors/The-Compiler/ GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From minshall at umich.edu Fri Oct 30 14:26:06 2020 From: minshall at umich.edu (Greg Minshall) Date: Fri, 30 Oct 2020 16:26:06 +0300 Subject: [qutebrowser] determining current URL from qtwebengineprocess PID? In-Reply-To: Your message of "Fri, 30 Oct 2020 13:28:06 +0100." <20201030122806.m6p522htniq2hjge@aragog.localdomain> Message-ID: <916683.1604064366@apollo2.minshall.org> Florian, thanks. i'm glad the feature, thanks to you, exists upstream. when you do implement it, that will be useful, when some page is consuming the machine. (and, until it is implemented, i will keep @toofar's script in mind!) cheers, Greg