←back to thread

428 points coronadisaster | 2 comments | | HN request time: 0.417s | source
Show context
jamesgeck0 ◴[] No.23679063[source]
> Web MIDI API - Allows websites to enumerate, manipulate and access MIDI devices.

This API is actually a bit horrifying from a security perspective. In addition to allowing you to use MIDI keyboards as input devices on websites, it also allows websites to send binary firmware updates to MIDI devices. The reason is that it's common to use custom firmware to backup/restore settings and enable neat effects and functionality on MIDI devices.

Mozilla's engineers have reasonably pointed out that an attacker utilizing Web MIDI could use MIDI devices as a stepping stone to launch an attack against the user's PC outside of the web sandbox. One such attack might be by reprogramming the device to appear as a standard USB computer keyboard and "typing" commands to the host.

At least one well known manufacturer has vouched for the technical safety of their musical instruments, noting that they're physically designed in such a way that the MIDI firmware can't alter USB firmware. But there's no way to know that every MIDI device has been similarly well designed.

As neat as Web MIDI is, I think Mozilla and Apple probably made the right security call here.

https://github.com/mozilla/standards-positions/issues/58

replies(11): >>23679155 #>>23679165 #>>23679283 #>>23679303 #>>23679633 #>>23680706 #>>23681158 #>>23681737 #>>23682770 #>>23683437 #>>23683855 #
BiteCode_dev ◴[] No.23679303[source]
Besides, I know they want to turn the browser into an os, but it's not one.

It's sandboxed from the os and limited to some use cases, which is the point. I don't want something capable of hot loading code from any web site to have the capabilities of my OS.

replies(4): >>23679788 #>>23680134 #>>23682636 #>>23683607 #
dheera ◴[] No.23680134[source]
It's kind of sad though because it's still 10X easier to build a browser app than a native app simply because of the wealth of highly-usable stuff written for JS.

Every time I have to build a GUI in Linux I just build a webapp that connects to a TCP backend on localhost because that way I can just build a beautiful UI in HTML/JS/CSS and I don't have to deal with the mess that is GTK, QT, TCL, TK, and all that crap.

Android programming is another can of worms and I'm frankly fed up with Gradle updates breaking my project every update and needing 79+ files, multiple cludgy steps for signing APKs, zipalign (wtf) and other crap just for a Hello World.

What would be nice to have is "installable" apps that use the webkit rendering engine but have full access to the system including directly opening TCP ports and direct access to /dev. These would have to be trusted apps obviously. Websites that load code without consent should be restricted, of course.

replies(2): >>23681824 #>>23684558 #
ogre_codes ◴[] No.23681824[source]
> Every time I have to build a GUI in Linux I just build a webapp that connects to a TCP backend on localhost because that way I can just build a beautiful UI in HTML/JS/CSS and I don't have to deal with the mess that is GTK, QT, TCL, TK, and all that crap.

I suspect this has more to do with the state of native Linux development tools versus Javascript dev tools then it has to do with the general case. Dev tools for Windows and iOS/ MacOs are fairly straight forward. Not sure about Android, since my burning hatred of Java has removed my desire to mess with that platform entirely. (I know Kotlin exists, still not interested)

Update: I'm basing my comment of what it's like based on the quoted comment, not making an assertion about how good/ bad it is.

replies(2): >>23682302 #>>23682472 #
kitsunesoba ◴[] No.23682302[source]
> Dev tools for Windows and iOS/ MacOs are fairly straight forward.

Can't speak much for Windows, but the Apple dev story is pretty good. Platform SDKs are deep and capable, if sometimes not well documented, and there's a clear "right" way to do most things. One can build a "world class" app with nothing but Swift+UIKit and few or no third party libraries. SwiftUI is rapidly improving this too, bringing a fully native "modern" reactive approach that works across all Apple OSes.

Xcode can be a cantankerous beast at times but it's been getting a lot better in recent releases.

> Not sure about Android, since my burning hatred of Java has removed my desire to mess with that platform entirely. (I know Kotlin exists, still not interested)

It's slowly improving but still very much a mess. Jetpack Compose looks to be poising itself as the SwiftUI of Android and that will no doubt improve things, but I have doubts that Android development will ever be as nice as iOS development is.

replies(1): >>23683503 #
cromwellian ◴[] No.23683503[source]
Well, IntelliJ Idea is a fantastically better IDE than XCode from a functionality standpoint, and Kotlin + Compose is IMHO, better than SwiftUI. Compose isn't a SwiftUI clone, it's a pure-functional memoization framework with compiler support.
replies(1): >>23683785 #
ogre_codes ◴[] No.23683785[source]
> IntelliJ Idea is a fantastically better IDE than XCode from a functionality standpoint

This is not my experience, I've never quite cared for all the finicky setup needed to get things right, and it always feels a bit laggy. (Though IntelliJ is a world better than Eclipse).

replies(1): >>23685361 #
1. cromwellian ◴[] No.23685361[source]
It's definitely more laggy, but in terms of everything else, it's light years ahead of Xcode:

1) code navigation, editing, refactoring 2) integration with Git/GitHub, Issue Trackers, Cloud Providers 3) external build system support 4) multiplatform editing (java, js, typescript, kotlin, python, etc) 5) integration with testing, continuous integration, deployment 6) code analysis, finding problems 7) tons of special support for DSLs and third party frameworks

The only thing XCode is better at IMHO is UI building and OSX instrumentation. If you're writing tons of code that doesn't have a UI, especially for cloud backends, I don't think you'd use it.

Even simple things, like language injection, work wonders in the editor window. Having the IDE know how to syntax color, check, and code complete SQL, CSS, HTML, Regex, etc inside strings is a huge help.

I spend 15 years on emacs, and the last 15 on InteliJ, and having an editor that slices and dices code in a myriad a ways with easy to use automation, and actually indexes the code and builds a deeper understanding of the totality of your project is well worth it. I just wish it was less laggy in the UI.

If I was writing an iOS app, sure, I'd use XCode, but I can't envision being it general purpose for anything else, unlike the versatility of other competitors like VSCode.

replies(1): >>23686513 #
2. ogre_codes ◴[] No.23686513[source]
> If I was writing an iOS app, sure, I'd use Xcode, but I can't envision being it general purpose for anything else, unlike the versatility of other competitors like VSCode.

I would never expect Xcode to be the best general purpose editor/ IDE. It's good for Swift/ iOS development which is what its build around. Personally, much of the time I'd rather have a performant editor than one that has a million bells and whistles.