Security Extensions for Firefox, the final word (for this year) is :(
May 30, 2008 § 4 Comments
As I mentioned a few months ago, two master students of mine have been working for the best part of one year on improving the security of extensions in Firefox and Thunderbird. To sum up the current situation in Firefox, extensions have no protection mechanism from each other, nor is the core of Firefox protected in any way from extensions. The objective of this work was to design and implement a mechanism allowing system administrators to define fine-grained policies for accepting or rejecting interactions between extensions or between extensions and the core of Firefox.
The deadline for projects was yesterday. So, 8 months after the start of this project, I was happy to see… well, actually, I was quite unhappy. No code, no guidelines, no design, no hints, no new insights on security and, in a word, nothing I didn’t put in that project myself, during bootstrapping, last September. This is quite unfortunate, as the task was not very hard — at least getting past the first stage was probably the matter of one hour of work for someone with experience of Firefox, say a few weeks for a newbie with a recent degree in engineering and no knowledge of XPCOM or extensions.
Now, what are the lessons to draw from that failure ?
Open-source student project 101
- When documentation exists, read it. If there’s a tutorial, do it.
- Just like your resume, open-source breeds on visibility. Open a blog. Blog on your progress. Blog on your difficulties. People who are interested in your project will know that you’re alive. People who know the field will know when to help you. Your teacher will know you’re alive. Your teacher will know when you need help.
- Working on a project is not something that should happen only when the teacher is there. The teacher is there to help you determine if you have made errors or to nudge you in the right direction when you have difficulties. Not to watch you code.
- Never try and hide that you have difficulties. Either solve the difficulties or ask for help. Hiding is counter-productive.
- On the other hand, there is a difference between having difficulties and not even trying. Asking for help when you meet a problem is one thing. Asking for help at every single step of the way is a bad sign.
- Many people, including your teacher, are here to help. Not to make your homework.
- Open-source breeds communities, especially for projects as large as Firefox. This means that there are places where you can ask questions.
- Hey, sometimes you’re lucky and people actually volunteer to help you with your project. There’s nothing wrong with accepting help. Or at least answering these people. Especially if they are busy people. Especially if someone has gone to lengths to approach these people and ask them to pretty please be there for you.
- When you’re breaking into new ground, negative results are results, too. Don’t take them as personal failures.
- If you don’t know whether something is going to work, apply the trusted TIAS principle: Try It And See.
- When someone explains something, write it down. The second time people explain the same thing, they tend to wonder if you were listening the first time. The third time, they just stop bothering.
Open-source teacher project 101
Let’s try and draw some lessons from my failures as a teacher, too.
- Force your students to blog.
- Don’t help your students too much at the start. They may take you for granted.
- If you have to explain something twice, make it clear to the students that you’re not going to explain it a third time.
- Don’t bother preparing documents for your project students. They won’t read them.
Well, that’s it for now. Fortunately, my two other student project went better. MLS for Thunderbird works, despite its flaws. And the student version of Extrapol looks quite nice, although it still needs some deugging. Yeah, yeah, I know, I’ll blog on Extrapol soon.
Oh, by the way, don’t hesitate to try and help Firefox get into the Guinness book of records. It’s free, all you have to do is download Firefox on the right day. Provided the servers don’t break under the load…