RE: ego website



Hi,

On 22 April 2014 15:18, alex diavatis <alexis diavatis gmail com> wrote:
I strongly doubt this will ever be the case, but giving up and just
letting bad extensions find their way in the machines of our users
because somebody, somewhere, may have written an extension that is not
just a reimplementation of something that was available in GNOME 2.x
and wants *all* users to use it is just not going to happen, as long
as extensions are served from a gnome.org machine. the reputation of
the whole project is staked on not harming our users, or letting third
parties harm them by our omission.

a concrete proposal would be to add more people to the pool of
available reviewers, to reduce the waiting time; this means that we
should find a way to contact the active and experienced extension
developers and have them spend some time reviewing other extensions.
maybe have a pre-review process that is meant to reduce the work load
of the Shell developers, so that the obvious, time consuming stuff is
screened first.

What about creating incentives for extension devs to get involved in reviewing?
A first step could be to require that an extension dev reviews others' extensions
as part of getting their own extension reviewed. However that'd put off a lot of
inexperienced developers, so it could be softened by creating a sort of reputation/
points system when active reviewers get the priority for their extensions to be
reviewed and uploaded. This way a developer who is impatient about their extension
being reviewed could actively do something towards it happening. Besides you'd
also need a mechanism to filter out bad reviewers (e.g. malware writers)...

fact is: the amount of people writing code is smaller than the user
base; and the amount of people capable of reviewing code is smaller
than the amount of people writing code. by coupling these two facts
you get that there will always be a certain delay and bottleneck. I'm
not sure how long is the queue for Firefox extensions, but I'm pretty
sure that it's not shorter than the one in the Shell — and Firefox has
more reviewers, as well as more extension developers.

Something else on the topic: if I were an organisation wishing to provide GNOME-based
computers to my employees and with any reasonable security standards, I'd probably
want to know how the extensions my employees use are reviewed, and by whom. Before
reading the original email of this thread I wasn't even aware (as an occasional
GNOME user) that extensions were reviewed at all! There might be a need for
communication around the review process, both to attract contributors and make it
clear to all types of users what levels of security and threats they should expect.

Thanks,
--
Steve Dodier-Lazaro
PhD student in Information Security
University College London
Dept. of Computer Science
Malet Place Engineering, 6.07
Gower Street, London WC1E 6BT
OpenPGP : 1B6B1670

