惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
V2EX
C
Check Point Blog
博客园 - Franky
月光博客
月光博客
T
Tenable Blog
博客园 - 聂微东
Cyberwarzone
Cyberwarzone
The GitHub Blog
The GitHub Blog
C
CERT Recently Published Vulnerability Notes
Scott Helme
Scott Helme
IT之家
IT之家
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CXSECURITY Database RSS Feed - CXSecurity.com
F
Full Disclosure
博客园 - 司徒正美
Project Zero
Project Zero
Y
Y Combinator Blog
A
Arctic Wolf
美团技术团队
博客园 - 叶小钗
S
Securelist
F
Fortinet All Blogs
T
Threatpost
T
Threat Research - Cisco Blogs
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
酷 壳 – CoolShell
酷 壳 – CoolShell
MyScale Blog
MyScale Blog
大猫的无限游戏
大猫的无限游戏
Recorded Future
Recorded Future
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
S
Schneier on Security
Apple Machine Learning Research
Apple Machine Learning Research
L
LangChain Blog
P
Privacy International News Feed
博客园_首页
S
SegmentFault 最新的问题
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
腾讯CDC
P
Proofpoint News Feed
Cisco Talos Blog
Cisco Talos Blog
AWS News Blog
AWS News Blog
阮一峰的网络日志
阮一峰的网络日志
G
Google Developers Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Simon Willison's Weblog
Simon Willison's Weblog
雷峰网
雷峰网
P
Proofpoint News Feed
Latest news
Latest news
G
GRAHAM CLULEY

David Baron's Weblog

Software engineering, responsibility, and ownership Software engineering, responsibility, and ownership David Baron's weblog: Security and Inequality Running animations on the compositor thread David Baron's weblog: Tying ecosystems through browsers David Baron's weblog: Payments on the Web Thoughts on migrating to a secure Web David Baron's weblog: The need for government David Baron's weblog: Priority of constituencies How browser developers should seek feedback from Web developers A possible approach to shorter release cycles David Baron's weblog: Fifteen years Why debug builds (and assertions) are important Ten years of the Mozilla Foundation Open licensing at the W3C Why adding compositing and blending to CSS is harder than it looks How you can help with removing -moz- prefixes Moving bug history out of the primary display of a bug report Beware of locale-specific behavior in the C library Eating dogfood and shipping software Specification style and the future of the Web The bug system I wish I had CSS border-image changes and unprefixing Improving font size readability on Firefox for Android David Baron's weblog: CSS Animations, part 2 Hue-preserving color inversion with SVG filters Changes to handling of @-moz-keyframes David Baron's weblog: window.matchMedia() David Baron's weblog: CSS Animations What does a blur radius mean? Crash analysis in the future David Baron's weblog: calc() David Baron's weblog: colorDepth David Baron's weblog: Hidden complexity in specifications The most important field in a bug report: the summary WOFF font format submitted to W3C David Baron's weblog: :-moz-any() selector grouping setTimeout with a shorter delay Faster repainting in SVG foreignObject David Baron's weblog: Distributed Extensibility David Baron's weblog: Broadening crash analysis Correlating crashes with binary extensions or plugins David Baron's weblog: ex-HTML Downloadable font formats for the Web Web Accessibility as a Political Movement David Baron's weblog: CSS priorities David Baron's weblog: Bug priorities David Baron's weblog: Semi-vacation Some new CSS features in Firefox 3 David Baron's weblog: New selectors David Baron's weblog: The age of bugs Seeking a good Linux distribution David Baron's weblog: Teaching to the test David Baron's weblog: March 2008 David Baron's weblog: February 2008 David Baron's weblog: January 2008 David Baron's weblog: October 2007 David Baron's weblog: September 2007 David Baron's weblog: August 2007 David Baron's weblog: June 2007 David Baron's weblog: April 2007 David Baron's weblog: March 2007 David Baron's weblog: January 2007 David Baron's weblog: September 2006 David Baron's weblog: August 2006 David Baron's weblog: July 2006 David Baron's weblog: May 2006 David Baron's weblog: February 2006 David Baron's weblog: December 2005 David Baron's weblog: October 2005 David Baron's weblog: September 2005 David Baron's weblog: June 2005 David Baron's weblog: May 2005 David Baron's weblog: April 2005 David Baron's weblog: March 2005 David Baron's weblog: February 2005 David Baron's weblog: October 2004 David Baron's weblog: September 2004 David Baron's weblog: August 2004 David Baron's weblog: June 2004 David Baron's weblog: May 2004 David Baron's weblog: April 2004 David Baron's weblog: March 2004 David Baron's weblog: February 2004 David Baron's weblog: January 2004 David Baron's weblog: November 2003 David Baron's weblog: October 2003 David Baron's weblog: September 2003 David Baron's weblog: August 2003 David Baron's weblog: July 2003 David Baron's weblog: June 2003 David Baron's weblog: May 2003 David Baron's weblog: April 2003 David Baron's weblog: March 2003 David Baron's weblog: February 2003 David Baron's weblog: January 2003 David Baron's weblog: December 2002 David Baron's weblog: November 2002 David Baron's weblog: September 2002
David Baron's weblog: January 2006
David Baron · 2006-01-23 · via David Baron's Weblog

The danger of extensions (16:25 -0800)

I've been concerned for a while about the quality of Firefox extensions, and I'd like to explain why.

To start, I think one of the original motivations for having an extensions system in Firefox was to reduce demands for feature additions that are only used by a small number of people or are experimental. I have no problem with this. What I'm concerned about is that extensions are being promoted to large numbers of users as one of the advantages of Firefox. I think this may come back to haunt the Mozilla community.

I'm under the impression that extensions are used quite commonly, perhaps even beyond the more technical users of Firefox. This means that problems with extensions change user perception of quality of Mozilla products as a whole. But extensions are not of the same quality as the applications they extend.

But what do I mean by quality? Everybody has different definitions. And that's actually the key point here. It could mean that the program does what it's supposed to do. Or that its interface is easy for users to understand. Or that it is free of security holes. Or that it doesn't use excessive amounts of memory, or leak memory over time. Or that it is fast. Or that it fits well with the conventions of the operating environment (Windows, MacOS, GNOME). Or many other things.

The Mozilla applications are developed in an environment with tools and conventions that lead to openness and accountability. This helps different people work on improving different measures of quality and thus improves user perception of overall quality. The source tree is accessible in many ways, people can easily monitor changes being made to it (while keeping in mind the reputations of those making the changes), and most of those changes have been discussed publicly on bugs and code reviewed by reviewers who are accountable for their reviews. It's generally clear what's changing, why it's changing, and who is responsible for those changes. And enough people (eyeballs) with these different ideas of quality pay attention to current changes that lapses below the expected quality in many of these areas are often caught quite quickly.

Furthermore, with the Mozilla source code all in one repository, it is possible to improve the level of quality in one of these areas or in a new area. It's easy to search the entire tree for uses of strcat that cause buffer overflows. It's easy to search the entire tree for memory leaks caused by calls to addObserver not matched by calls to removeObserver. And so on, for many of the measures of quality that I listed above.

Extensions don't benefit from these community mechanisms. There's no central source code repository for all the extensions hosted on addons.mozilla.org. There's no general mechanism for monitoring all the changes. There's no way of knowing who reviewed the code of an extension, although I've heard there is a review process before extensions can be listed. (Review for what? But remember that formal pre-checkin review is only a small part of the review that happens for the Mozilla core and applications.)

Thus the pressures to improve extension quality come from fewer sources: the programming knowledge of just the author and the reviewer, and feedback about issues the extension's users know are related to the extension rather than the application (generally only its correct operation and user interface). Thus many dimensions of quality will be missed. And many of these dimensions can be spoiled by one rotten apple. If a user has ten extensions installed, one of them crashes often, and one of them leaks a lot of memory, then the user's perception of the application as a whole will be that it crashes a lot and leaks a lot of memory.

There are further problems with testing. Just as some people look over source code for a specific type of problem, other people test in specific areas, such as speed, memory use, various types of testing for security problems, or just basic functioning and usability. Extensions pose a different problem here: there's a combinatorial explosion of configurations to test. The person who cares enough about memory leaks to do a bit of memory leak testing might not have the leakiest extension installed. The person who tests for security bugs using mangleme might not have the extension with the most serious vulnerabilities installed.

And this problem gets even worse because extension versions are separate from application versions. There's no need to test the View Source window from Firefox 1.0.3 with the browser from Firefox 1.5. But users can use different versions of an extension with the same version of the browser, so each combination might get only a fraction of the total combined testing.

And it's worse still because extensions can interfere with each other. In the most obvious case, two extensions might try to add a button in the same place and cause broken user interface, if only because the buttons don't all fit anymore. But the same thing could happen with memory leaks, or slowdowns loading pages, or any of the other measures of quality. I doubt there's been much, if any, serious testing of memory leaks, performance, and many other important dimensions of quality across combinations of extensions.

This combinatorial explosion leads to large numbers of small problems. And large numbers of small problems are less likely to be noticed and fixed than small numbers of large problems.

I worry that these aren't just theoretical concerns. How many of the reports of huge memory leaks in Firefox 1.5 are because N of the M different versions/forks of AdBlock leak every page you visit? (I've been told N is nonzero, but haven't tested it for myself.) And I worry that the Mozilla community is staking too much of its communal reputation on something that the community as a whole has too little control over.