13 votes

Oildrop - A self-auditable userscript manager

4 comments

  1. shx

    This is a project that I've been working really hard on for a while, and it's the first time I'm properly releasing something into the wild. I'm still figuring out how to publish it, but I wanted to start by sharing it on Tildes before offering myself as fodder to less polite forums.

    I'd love to hear feedback, if you have any! I actually made a post where I asked for advice on this project, and if you were involved in that, you might notice that Oildrop isn't drop-in compatible with TamperMonkey/GreaseMonkey scripts. I'm still thinking about adding that feature, perhaps in a separate branch, but have been hesitant to because it'll likely increase the codebase size a lot.

    I hope some of you like it!

    6 votes
  2. [3]
    skybrian

    I think that if you’re going to audit this yourself, you should probably also install it manually and not subscribe to automatic updates through the Firefox Addon store, because that invalidates the auditing you did.

    It might make sense to sync by pulling from github and reading the diffs before you install the update. Maybe there could be a nice tool for doing this. (But then you have to audit the tool.)

    1. [2]
      shx

      Yup! The GitHub readme contains a section on how to do exactly that, and it's actually my recommended method of installation. I wanted to put it on the Firefox add-on store for the sake of convenience.

      I really wish there was a better compromise between automatic updates and security. It would be awesome if the Firefox store would show you diffs on extension code, because I imagine most updates aren't more than a hundred lines of tweaking.

      Thanks for checking the project out - it means a lot. :)

      2 votes
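The workflow skybrian suggests (pull the new version, read the diffs, then install) and the per-update diff view shx wishes the store offered both come down to the same check: which files of an extension changed since the copy you last audited, and what exactly changed in them. The script below is an added example for this thread, not Oildrop's code or anything from the Tildes post; the function names (`hash_tree`, `compare_trees`, `file_diff`, `review_report`) and the two-file sample extension it builds in a temporary directory are constructed for illustration.

```python
"""Added example: compare an audited copy of an extension against a
candidate update, file by file, before installing the update."""
import difflib
import hashlib
import tempfile
from pathlib import Path

# Directories that are noise in a source review (assumption for this example).
SKIP_DIRS = {".git", "node_modules"}


def hash_tree(root):
    """Map every relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(old_root, new_root):
    """Classify files as added, removed, changed or unchanged between two trees."""
    old, new = hash_tree(old_root), hash_tree(new_root)
    common = old.keys() & new.keys()
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in common if old[p] != new[p]),
        "unchanged": sorted(p for p in common if old[p] == new[p]),
    }


def file_diff(old_root, new_root, rel):
    """Unified diff of one changed text file: the part a reviewer actually reads."""
    old_lines = (Path(old_root) / rel).read_text().splitlines(keepends=True)
    new_lines = (Path(new_root) / rel).read_text().splitlines(keepends=True)
    return "".join(difflib.unified_diff(
        old_lines, new_lines, fromfile=f"audited/{rel}", tofile=f"update/{rel}"))


def review_report(old_root, new_root):
    """Human-readable summary: new files need a full read, changed files a diff read."""
    summary = compare_trees(old_root, new_root)
    out = [f"ADDED    {p}  (review the whole file)" for p in summary["added"]]
    out += [f"REMOVED  {p}" for p in summary["removed"]]
    for p in summary["changed"]:
        out.append(f"CHANGED  {p}")
        out.append(file_diff(old_root, new_root, p))
    out.append(f"{len(summary['unchanged'])} file(s) unchanged since the audited copy")
    return "\n".join(out)


def build_sample_trees():
    """Constructed sample: a tiny two-file extension and an update to it."""
    base = Path(tempfile.mkdtemp(prefix="audit-"))
    old, new = base / "audited", base / "update"
    old.mkdir()
    new.mkdir()
    (old / "manifest.json").write_text('{"name": "example", "version": "1.0"}\n')
    (new / "manifest.json").write_text('{"name": "example", "version": "1.1"}\n')
    (old / "background.js").write_text("console.log('hello');\n")
    (new / "background.js").write_text("console.log('hello');\nconsole.log('world');\n")
    (new / "options.js").write_text("document.title = 'Options';\n")  # new file
    return str(old), str(new)


if __name__ == "__main__":
    audited, update = build_sample_trees()
    print(review_report(audited, update))
```

Hashing the audited tree once and keeping the digests means the comparison does not depend on the update source being a git checkout: a zip from the store, a tag from GitHub and a local build can all be checked the same way, and the report says nothing about files whose bytes are identical, which is usually most of them.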
      1. skybrian

        Well, I just read the page you linked to and thought about the implications. I haven’t really checked it out.

        It seems like this kind of code review is something we do when we are suspicious. By contrast, we simply trust the browser (Firefox for example), which means trusting that the organization’s code reviews will keep us safe. And we do this because there is no practical alternative; there is too much code in a browser to review. We just hope someone else did a good job.

        There actually is a review process for Firefox addons, and if it were as trustworthy as Firefox itself then we wouldn’t need to do the review ourselves.

        It seems like if reviews were taken seriously then smaller, easy-to-review addons would have the advantage while authors of more complicated addons would have trouble publishing them at all.