Page 2 of 3

Re: NoScript Source and build environment

Posted: Thu Aug 06, 2009 10:36 pm
by GµårÐïåñ
@loquax, I have to agree with Giorgio here, I think you are not quite understanding how the whole process works. The fact is that the source is COMPLETELY open and accessible and just because it might not be spoon fed in a 'source by numbers' format, its there and openly available and does satisfy its license fully and completely.

What you are asking for is a matter of courtesy done as a favor and the fact is that Giorgio has repeatedly said when he has more time he will put it up in the dummy proof format, which if he needs to do that, then the people looking at it really don't have the requisite skill set. But in the meantime the source is and has always been available and with appropriate level of skill (even a novice) can open and review it anytime you like.

I think this subject has been pushed a bit ridiculously too much and he has been quite polite and patient in response but let's just say I have much less tact and I am far less diplomatic, so let me be the blunt one. There is an entire historical archive of every single release along with the source in each and every release, so what more does everyone want?

Re: NoScript Source and build environment

Posted: Thu Aug 06, 2009 11:38 pm
by Foam Head
Yes, I totally agree that NoScript has always been GPL compliant. I personally would prefer some direct links to something that describes how to get the source from the XPI (e.g. About NoScript... | License makes no reference to accessing the source), but the source is available which, I believe, is the litmus test.

However, I don't agree that the goal of the source repository is to present a "dummy proof format" for the source. There are many reasons why you'd want a source repository, but the two big ones for me are to recreate the development/test/build environment and to allow others to submit patches.

For a FireFox add-on, the development and build environments might be a non-issue, but the test environment includes debug modules, test drivers, and test cases. These shouldn't be included in a release, but they are essential for proper development.

Once others can completely reproduce the NoScript dev/test/build environment, it is possible that they could create patches and enhancements for NoScript. No one panic! I'm not suggesting that the source repository be opened up for submissions from anyone; GM would still be the gatekeeper for all changes. And in truth, I don't think very many people would be good contributors to the security related inner-workings of NoScript. However, there have been numerous forum discussions about improvements in non-security related areas like the Options UI and the left/right-click menu that are on the back burner because GM is focusing on security related things like ABE. It seems like it'd be a win-win if users could submit non-security related improvements to NoScript.

So... back to the original question: is there any news about a NoScript source repository?

-Foam

Re: NoScript Source and build environment

Posted: Thu Aug 06, 2009 11:56 pm
by GµårÐïåñ
Foam, I agree with you from that perspective completely and it has been in the works and it has been worked on and will be released in good time when higher priority improvements are not in the works or hindered by it. What bothered me was the suggestion that its absence is somehow a violation of release license or to suggest that its less than Open, its not fair to the developer who works very hard to provide a quality tool at great expense to his own time and resources. Thank you again for your perspective as always, thanks for the support and I'd be happy to put together instruction on how to extract and review the source from the XPI if you'd like or if Giorgio asks me to. In fact I recently put together a very brief walk through for a friend who was reviewing an old extension that has been abandoned and I can expand on that and even provide screenshots. It was just always so elementary to me that I never thought of it much.

Re: NoScript Source and build environment

Posted: Fri Aug 07, 2009 4:18 am
by Alan Baxter
Foam Head wrote:For a FireFox add-on, the development and build environments might be a non-issue, but the test environment includes debug modules, test drivers, and test cases. These shouldn't be included in a release, but they are essential for proper development.

Since when are open source developers supposed to release all this other stuff on demand? Can you list very many -- if any -- extensions that release their test environment including debug modules, test drivers, and test cases?

Cheeky!

Re: NoScript Source and build environment

Posted: Fri Aug 07, 2009 4:32 am
by GµårÐïåñ
I haven't seen any that do but wanted to give it the benefit of a doubt.

Re: NoScript Source and build environment

Posted: Fri Aug 07, 2009 4:39 am
by therube
I believe the OP & Foam were looking for, expecting more then simply to be told "UNZIP *.XPI | CD CHROME | UNZIP *.JAR".

Though you do realize that if you wanted to make a UI change, you could always make it based upon the "UNZIP" & then post it somewhere & ask for it to be made official. (Not clean, but if accepted, it still gets the job done. There have been posters in the past who have found problems in the JS sources, posted "patches" in the forum discussion & had the "patch" implemented.)

Re: NoScript Source and build environment

Posted: Fri Aug 07, 2009 9:21 am
by al_9x
It seems there is currently a source file not included in the xpi, ABE.g, the ABE rule grammar from which ABELexer.js and ABEParser.js are generated, is that right, Giorgio?

It doesn't really belong in the xpi, but it is part of the source, so it would be in source control.

Re: NoScript Source and build environment

Posted: Fri Aug 07, 2009 10:49 am
by Giorgio Maone
al_9x wrote:It seems there is currently a source file not included in the xpi, ABE.g, the ABE rule grammar from which ABELexer.js and ABEParser.js are generated, is that right, Giorgio?

Yes, it's included verbatim in the public ABE specification ("3. EBNF Grammar Reference") and I was sure the XPI packaged it as well (it's just a few bytes), but apparently it went missing there. I'll double check in next release.
It would be in source control.

Of course it would. BTW, I didn't give up creating a public repository, it's just I didn't find the time yet. As anyone here can testify, it's not like development/support/bug fixing is stagnating a bit...

Re: NoScript Source and build environment

Posted: Fri Aug 07, 2009 10:15 pm
by Foam Head
Alan Baxter wrote:Since when are open source developers supposed to release all this other stuff on demand? Can you list very many -- if any -- extensions that release their test environment including debug modules, test drivers, and test cases?

I agree if the source for a project is unavailable that an "On demand" request is unlikely to get a response. And that's not what me or anyone else is asking for. GM has already volunteered to transition to a publicly visible source repository when his time allows.

Also, I can't speak to the source visibility of NoScript extensions, but it is extremely common (and arguably necessary) for an open source project to fully document their development/test/build environment as well as providing all debug/trace modules, test drivers/harnesses, and individual test cases.

One important caveat here: GM has *not* said that NoScript will be an open source project in any sense of the word. AFAIK GM and InformAction will continue to own and control everything about NoScript. Aside from dispelling any trust factor issues, the major benefits of a public source repository are better support for NoScript extensions to remain current as well as _potentially_ allowing up-to-date patches to be submitted from others.

therube wrote:I believe the OP & Foam were looking for, expecting more then simply to be told "UNZIP *.XPI | CD CHROME | UNZIP *.JAR".

Though you do realize that if you wanted to make a UI change, you could always make it based upon the "UNZIP" & then post it somewhere & ask for it to be made official. (Not clean, but if accepted, it still gets the job done. There have been posters in the past who have found problems in the JS sources, posted "patches" in the forum discussion & had the "patch" implemented.)

Yes, I can do this now, but let's say it takes me two weeks to put together that patch. In those two weeks, how many times has the NoScript source changed? How many development and public releases were made? Without a source repository to help me identify and merge the changes, it is a major PITA for me to make my patch current and/or for GM to inspect the impact of my patch against an old snapshot of code. Also, if we are talking about NoScript extensions, then those authors need a way to reliably track and absorb all changes to NoScript's source because their code will depends it.

Giorgio Maone wrote:
al_9x wrote:It seems there is currently a source file not included in the xpi, ABE.g, the ABE rule grammar from which ABELexer.js and ABEParser.js are generated, is that right, Giorgio?

Yes, it's included verbatim in the public ABE specification ("3. EBNF Grammar Reference") and I was sure the XPI packaged it as well (it's just a few bytes), but apparently it went missing there. I'll double check in next release.

This is a good example of what I've been talking about. IMHO ABE.g does not belong in the release XPI, but it does belong in the source repository. Even with ABE.g in the repository, tho, you need some documentation to indicate how ABELexer.js and ABEParser.js are generated. What version of what tool is used? What options do you give the tool? Are you using some kind of script or makefile to build these files? Will that script/makefile be included in the source repository?

Giorgio Maone wrote:Of course it would. BTW, I didn't give up creating a public repository, it's just I didn't find the time yet. As anyone here can testify, it's not like development/support/bug fixing is stagnating a bit...

Of course. And I we love that NoScript is getting such good support. The questions about a public source repository are just because of eagerness. :D

Thanks,
-Foam

Re: NoScript Source and build environment

Posted: Tue Sep 15, 2009 7:05 pm
by user78
Is there any news about uploading sources to mozdev?

Re: NoScript Source and build environment

Posted: Thu Sep 24, 2009 4:25 pm
by mikhail
Giorgio, could you possibly clear the situation with source code uploading? As I remember, just after adblockplus scandal you agreed that providing convenient access to NoScript code is the good way to convince users of undocumented features absence in future. Have you changed your mind?

Re: NoScript Source and build environment

Posted: Thu Sep 24, 2009 4:35 pm
by Alan Baxter
The source code is and always has been available. Feel free to examine it for any undocumented features you might be concerned about. Aren't you convinced yet? Please read Giorgio's explanation of source code access again.
viewtopic.php?p=9212#p9212

Edit: By the way, posting as both user78 and mikhail makes you look like a sock puppet and a troll. Please drop one or the other of your personas. IMHO, "mikhail" has a more authentic sound. ;)

Re: NoScript Source and build environment

Posted: Thu Sep 24, 2009 5:49 pm
by GµårÐïåñ
Agreed, this subject has been asked and answered repeatedly and is now becoming ridiculous. If you have to ask for the source, it means you don't know what you are doing or to do with it, since its already available. So if you really know what you are doing and want to check the code, you are free to do so, it has always been available. Stop acting like fools and just move on and stop trying to start something.

Re: NoScript Source and build environment

Posted: Thu Sep 24, 2009 6:48 pm
by mikhail
Alan Baxter wrote:The source code is and always has been available. Feel free to examine it for any undocumented features you might be concerned about. Aren't you convinced yet? Please read Giorgio's explanation of source code access again.
viewtopic.php?p=9212#p9212

Edit: By the way, posting as both user78 and mikhail makes you look like a sock puppet and a troll. Please drop one or the other of your personas. IMHO, "mikhail" has a more authentic sound. ;)


I know about availiability of source code. The problem is that there is no convenient way to follow its changes. And to provide such possibility is what Giorgio agreed with himself. I asked only for the clarification of his actual position.

And thank you for encouraging me to expand my vocabulary (now I know what a "sock puppet" is) :)

Re: NoScript Source and build environment

Posted: Thu Sep 24, 2009 7:30 pm
by Giorgio Maone
@mikhail:
My position did not change. I think a public repository is a valuable resource, but you just need to follow the development through the changelog to understand why I did not find the time yet :(