Mozilla’s CEO weighs in on U.S. v. Google

Posted on April 21, 2025April 21, 2025

Some of the remedies proposed in the case risk the future of our Firefox browser and Gecko browser engine—the last remaining non-Big Tech browser engine.

In the coming weeks, we hope to see a shift to focus on remedies that can improve search competition without harming the pro-competitive role that Firefox and other independent browsers play in the ecosystem.

I’ve been saying for a while that I can’t imagine how Mozilla continues without this funding from Google. I’m not particularly opposed to the government breaking up monopolies, but this entire case doesn’t make sense. What does it look like to break out Chrome as a separate company? How could such a company make money without a search deal that has how been deemed to be illegal?

Posted on March 28, 2025March 28, 2025

I’m happy to see WordPress is adopting bcrypt for password hashes. I have been following the trac ticket for over 10 years 🤯 Quite a few people got props on this one.

If you’re not familiar, until now WordPress used a library called phpass for hashing passwords. WordPress has a history of maintaining backwards compatibility with pretty old versions of PHP, which is great for users who don’t know how to upgrade things like PHP, but one of the trade offs is delaying support for things like bcrypt.

We can’t pretend that switching to bcrypt for user-generated passwords is a recent proposal. Ideally the switch would have been made back when the increase to the minimum supported version of PHP facilitated this change. However, this change has now been made and it helps future-proof further improvements to password hashing, including increases to the bcrypt cost in newer versions of PHP.

Many thanks go to the Roots team for maintaining their bcrypt password hashing package for WordPress as well as the many contributors on the Trac tickets and GitHub pull requests.

Also thanks to John and everyone involved for getting this into WordPress 6.8.

Posted on March 9, 2025

Matt Mullenweg on WordPress security:

One problem we’ve had on WordPress.com is we do all these amazing things and don’t tell anyone about it

My favorite example of this is the global CDN that Automattic operates in its own data centers. There are a lot of ways to measure the impact of this, but one way is authoritative DNS latency, which is on par with Cloudflare.

CSS Verified Badge

Posted on March 7, 2025

I’ve always liked the idea of visually differentiating my comments to make it clear when I’m replying. Some sites use a “verified” badge for this, and for a while, I did the same with an icon font. I removed the icon font along with the recent optimization work and found a way to achieve a similar verified badge effect with just a few lines of CSS—no icon font needed.

Simon Willison on “vibe coding” with LLMs:

Most of the work we do as software engineers is about evolving existing systems, and for those the quality and understandability of the underlying code is crucial.

For experiments and low-stake projects where you want to explore what’s possible and build fun prototypes? Go wild! But stay aware of the very real risk that a good enough prototype often faces pressure to get pushed to production.

Indeed, most of the job is understanding and iterating on existing systems. Perhaps there is a future where code quality doesn’t matter–where code is not human readable at all. That’s more than a few years away though.