headers
Colin Snover | 20 May 2013 00:20

GitHub transfer complete

Hi everyone,

I’m happy to report that the upgrade to Trac 1.0 and conversion from
Subversion to GitHub are both now complete and live. The old Git mirror
repositories were renamed with the suffix `-oldmirror` and will be
removed completely in a few days.

Before you start hacking away on the new repositories, please take a
moment to review both the repositories and the upgraded instance of Trac
for any issues that were not discovered during testing. I will make a
wider announcement about the change in a day or so, once it is
established that nothing significant was broken or omitted, at which
point the repositories will be open for new commits. Please do not
commit before then.

The src Subversion repository is now set to read-only.

Once everyone has confirmed that it appears all the commits made it over
successfully, I’ll add README.md and CONTRIBUTING.md to all of the
repositories.

uhop: As per prior discussion, I have temporarily removed your access to
push to GitHub; please let me know when your mirroring scripts have been
turned off and I will re-add your account.

Regards,

--

-- 
Colin Snover
http://zetafleet.com
(Continue reading)

Permalink | Reply | 4 comments |
headers
Dylan Schiemann | 16 May 2013 18:55
Favicon
Gravatar

Decisions


Per suggestions from several people, I am going to attempt to steer the
decision making process a bit more proactively. I suggest that we focus
on one or a few decisions at a time, make progress, resolve them, and
then move on.

The first decision was IE8 support. The majority said no IE8 support:

http://dote.kitsonkelly.com/topic/5494ab8a-739a-4568-aa2f-521bfcf10d9f

I consider the voting and decision final on this one.

The next decision to make is to define whether or not Dojo 2 Core is one
package or many packages. This decision is needed, because there are
many topics proposed asking if something is in the scope of Core or not.
I've listed what a vote means, and my opinion on this at the following
topic:

http://dote.kitsonkelly.com/topic/ff0afc9b-cf6b-4d06-95f7-8455f16a3e4c

After the Core decision is made, I encourage you to think about what DOM
library is our primary library of choice. At the moment, we have
proposals to do the following:

* refine our existing DOM APIs
* adopt jQuery wholesale
* use something like put-selector

These are not mutually exclusive decisions. We could for example choose
to keep our existing APIs, refine them, and also offer jQuery, but the
(Continue reading)

Permalink | Reply | 1 comment |
headers
Dylan Schiemann | 13 May 2013 17:13
Favicon
Gravatar

recent Dojo committers, process for becoming a committer, committer visibility, etc.


It was pointed out to me recently that I've forgotten to announce new
committers. Here are the most recently nominated and approved committers.

Ed Chatelain (IBM). Approved, September, 2012

"Nominated for his work on several 1.8 modules including
dojox/analytics, dojox/mvc, dojox/app, and the todoApp example.

Eric Durocher (IBM). Approved, April, 2013

"He has actively contributed to both to the 1.8 and 1.9 releases of
dojox/mobile module, leading the work starting with the testing phase of
1.8, starting aligning more dojox/mobile & dijit practices, adding new
features, making sure dojox/mobile is compatible with new platforms. In
particular he developed the WP8 compatibility code. He has also shown
his dedication on working with the tutorial and spending a lot of time
on the mailing list. Finally he extended his scope into contributing to
code modules (dojo/sniff, dojo/touch and dojo/aspect for a tricky IE10
issue he was able to pinpoint in there). He also maintains the dojo
mobile tutorials on the Dojo web site"

Paul Bouchon (SitePen). Approved, April, 2013

"Paul is already a committer for OpenCoWeb, he created
http://profile.dojotoolkit.org/ , and he's recently been working on
helping clean-up some long-standing dojox bugs (form manager,
dojox/widget/calendar, etc.). Paul is a recent SitePen hire, and has the
personality of a perfect Dojo committer. Paul goes by the handle bitpshr
(bit pusher). Paul is currently leading the charge on the intern, a new
(Continue reading)

Permalink | Reply | 2 comments |
headers
Tom Trenka | 11 May 2013 16:44
Picon

Let's start using Dote!

Hi all,

As discussed in #dojo-meeting 2 weeks ago, Kitson has created a forum-like tool called "Dote", which we will be using to break down individual discussions about the direction of Dojo 2.  You can find it at:


I've assembled a list of topics to discuss; please feel free to start chiming in sooner than later, and don't hesitate to add your own topics if you feel I missed something.

Cheers--
Tom
_______________________________________________
dojo-contributors mailing list
dojo-contributors <at> mail.dojotoolkit.org
http://mail.dojotoolkit.org/mailman/listinfo/dojo-contributors
Permalink | Reply | 22 comments |
headers
Kitson Kelly | 10 May 2013 10:33
Gravatar

GitHub Workflow

All:

Bryan and myself spent some time yesterday getting a draft together about workflow in GitHub.  We think it reflects the thinking that was discussed at the meeting this week.


If there are any thoughts or comments, please feel to provide them.

Regards,
Kit
_______________________________________________
dojo-contributors mailing list
dojo-contributors <at> mail.dojotoolkit.org
http://mail.dojotoolkit.org/mailman/listinfo/dojo-contributors
Permalink | Reply | 6 comments |
headers
Dylan Schiemann | 8 May 2013 01:15
Favicon
Gravatar

Dojo 1.9 and 1.8.4 officially released


In case you missed it, we announced today the release of 1.9.0 and 1.8.4
at https://dojotoolkit.org/blog/dojo-1-9-released

Both versions are available on the CDNs already (the code was completed
late last week), and the docs are updated (though I believe we still
have another iteration of the reference guide to push live).

As always, please let us know if you have issues and help improve things
where you can.

Thanks to everyone on the team and in the community that made this
release possible! (most are noted in the blog post)

Regards,
-Dylan
Permalink | Reply | 5 comments |
headers
James Burke | 7 May 2013 05:19
Favicon

CSP details (was Re: heya-ctr performance)

Breaking off from other thread:

On Mon, May 6, 2013 at 7:38 PM, Eugene Lazutkin <eugene <at> lazutkin.com> wrote:
> I don't see how using scripts, or XHR correlates with eval(), or its
> derivations.

These are the ways I know of to execute external scripts:

* script tags with src elements
* getting the text of the script somehow (usually XHR, but could be
streamed, say over a web socket), then either evaling it or adding it
via a script tag with inlined content.
* importScripts in a web worker.

AMD loaders generally use (although are not required to use, and some
do not use) script src tags. The define() syntax for modules was
designed for that. If the module does not have a function wrapper+API
call, then it normally means a loader that uses XHR with eval is in
play, so the script can be fetched as text, then some auto-wrapping is
done in the loader before calling eval. eval is nice over an inlined
script tag because it can capture scope.

> Again my knowledge may be outdated, but unsafe-eval option
> was/is a separate flag from everything else. It is quite possible to
> allow eval() while prohibiting scripts, e.g., by restricting their URL
> pattern, protocol, or even disallowing them completely. If I remember
> correctly, it is quite possible to prohibit scripts with script-src,
> while keep XHR open with connect-src.

By specifying a script-src policy, eval is by default turned off
unless explicitly enabled:

https://developer.mozilla.org/en-US/docs/Security/CSP/CSP_policy_directives#script-src

"The script-src section specifies valid sources for JavaScript;
attempts to request or load scripts from other sources are not
allowed. When either the script-src or the default-src directive is
included, inline script and eval() are disabled unless you specify
'unsafe-inline' and 'unsafe-eval', respectively."

So, even though xhr could be allowed to fetch a script, it would be
inert, not very useful with the default use of script-src. They will
likely want to allow some script-src just to be able to load the
script loader itself.

The situation where a script-src based loader would not work: the user
explicitly limits script-src, explicitly enables connect-src and
explicitly enables eval. However the first thing secure JS sandbox
environments do is to disable the use of eval. And not allowing any
script-src tags seems incredibly limiting.

So while it would technically be possible to create a CSP policy that
would cause a script-src based loader to fail, it seems to go counter
to the main reasons for wanting CSP in the first place: better
security from malicious scripts. The percentage of actual real world
CSP usage will favor script loaders that do not rely on eval (which is
usually backed by XHR to fetch the scripts) to work.

James
Permalink | Reply | 2 comments |
headers
Kitson Kelly | 6 May 2013 08:15
Gravatar

Dojo Reference Guide (dojo/docs) for 1.10 live

All:

I have branched the Dojo Reference Guide on GitHub (https://github.com/dojo/docs).  Please be aware that any commits to the "master" branch will only appear in the 1.10 release documentation.  This also means that livedocs.dojotoolkit.org should reflect the 1.10 release (and any web edits will only be in the master branch).

I will do a "final" build of 1.9 and a refresh build of 1.8 and 1.7 reference guide this week for dojotoolkit.org/reference-guide.  If you need to make updates to the 1.9 reference guide, please ensure they are located in the 1.9 branch now.

Regards,
Kit
_______________________________________________
dojo-contributors mailing list
dojo-contributors <at> mail.dojotoolkit.org
http://mail.dojotoolkit.org/mailman/listinfo/dojo-contributors
Permalink | Reply | 0 comments |
headers
Kitson Kelly | 4 May 2013 08:31
Gravatar

heya-ctr performance

As I stated, I was going to dig into this deeper and as I mentioned to Bill share my results.


So the provided unit tests, simply recreated provides this:
$ node perf
test1_manual: 40
test1_pipe: 57
test1_extra: 3900

As I mentioned before though, JavaScript is unreliable for timings less than 150ms.  Obviously though _extra is slower than the other two.

I am going to do some more experimentation.  In particular this is one case and may not reflect overall performance (and some might argue a 10 member array being filtered, mapped and reduced isn't very "real world").  Eugene, I don't know if you can think of any more use cases for Pipe (and ctr) that might be interesting to analyse from a performance perspective.

On 24 April 2013 22:36, Eugene Lazutkin <eugene <at> lazutkin.com> wrote:
>>> Can you please provide real-world benchmarks? Assertions without
>>> evidence don't really do any of us any good.
>>
>> I believe Bill posted his results in this thread today. But obviously
>> you are free to verify. In fact I encourage you to verify it.
>
> The only link about benchmarks I see from Bill is
> http://jsperf.com/jquery-vs-dojo-dom-manipulation. I don't think this is
> about heya-pipe vs. JIT.

I attached my old benchmark code. This is an output:

$ node perf.js
test1_manual: 35
test1_pipe: 33
test1_extra: 1719

All numbers are in ms. "manual" is the manually optimized code (I would
appreciate it, if you guys can improve it). "pipe" is what pipe
generated as is. "extra" uses array extras, and models "pipe".

BTW, "pipe" being faster than "manual" above is a fluke. Usually it is
slightly slower than "manual", but the numbers, and their order of
magnitude are typical.

Don't forget to rename pipe.js.txt to pipe.js, place it in a folder of
your choice and install "pipe": "npm install heya-pipe". Then run like
above.

_______________________________________________
dojo-contributors mailing list
dojo-contributors <at> mail.dojotoolkit.org
http://mail.dojotoolkit.org/mailman/listinfo/dojo-contributors
Permalink | Reply | 24 comments |
headers
Colin Snover | 3 May 2013 00:08

Let’s get to git!

Hey everyone,

Yesterday I spent a little time with my pal git-svn and created new
clones of the Subversion repositories which contain all the branches
from the original svn plus all the tags plus author mapping to
everyone’s GitHub accounts that I could find plus backreferences to the
original commits in the commit messages (for dcommit, and just in case
things need to be reverse-migrated later for some reason):

https://github.com/csnover/dojo-dojo
https://github.com/csnover/dojo-dijit
https://github.com/csnover/dojo-dojox
https://github.com/csnover/dojo-util
https://github.com/csnover/dojo-demos

As such, I’d really like to push these to the Dojo organization,
replacing the existing incomplete mirrors, and transition to actually
performing development on GitHub for the 1.10/2.0 release cycles. What
do people think? What else needs to happen for this to happen?

Thanks,

--

-- 
Colin Snover
http://zetafleet.com

_______________________________________________
dojo-contributors mailing list
dojo-contributors <at> mail.dojotoolkit.org
http://mail.dojotoolkit.org/mailman/listinfo/dojo-contributors
Permalink | Reply | 21 comments |
headers
Colin Snover | 2 May 2013 03:15

Dojo 1.8.4/1.9.0

Hi all,

I’ve tagged 1.8.4 and 1.9.0 and pushed CDN builds for approval to
Google, so trunk is unfrozen for new features now. I will withhold
performing wide announcement and updating dtk.org until someone (Kitson?
Brian Arnold? Bali?) has confirmed that documentation on dtk.org is
final and ready.

Thanks,

--

-- 
Colin Snover
http://zetafleet.com

_______________________________________________
dojo-contributors mailing list
dojo-contributors <at> mail.dojotoolkit.org
http://mail.dojotoolkit.org/mailman/listinfo/dojo-contributors
Permalink | Reply | 0 comments |

Gmane