AMO and the quality bar

AMO has long occupied a special place in the Firefox software ecosystem. It’s the only site in the installation whitelist by default, the default server contacted for update information about add-ons, and where we send users who are looking for hot add-on leads.

That unique position means that there is a lot of value for some add-on developers in being hosted on AMO. Such hosting involves a review process, which I think both reviewers and developers alike would agree is one of the most frustrating parts of the whole system. The intent of the review process is entirely on the side of the angels: help make sure that add-ons are good for users.

The devil, of course, is in the details here. At times, the review bar has been placed entirely too high, in my opinion: otherwise-fine add-on updates rejected because they cause a strict warning to appear in the JS console, for example. In other cases, we’ve had add-ons approved which send some data to a central server, but don’t have a privacy policy listed. The most common and burdensome cases of this latter example tend to be associated with “toolbar-building” services: the ostensible authors of the resultant toolbars typically know very little about what’s being collected or how it’s being managed, which makes for a predictably unsatisfying conversation with reviewers.

(There are other elements of the review process that are inconsistent and difficult, mostly related to needing to reject items for errors in things that the add-on authors can change after the fact without review, but which can’t be helpfully fixed by the reviewers. These are the “easy” implementation artifacts, though, and not really the topic of this post.)

The trade-offs here are painful: adding a standard of “usefulness” or “implementation quality” to the checklist will not only dramatically slow the review process and require more specialized skills among our reviewers, but will also increase the variability between different reviewers’ decisions. Those are all things that I don’t think we can afford to make worse, and both the history and special position of AMO make me tend towards a much more laissez-faire position: if the description accurately describes what the user will get when they install it, especially as far as the collection and management of private information is concerned, then I think we should let the user make the decision about whether they consider the functionality useful. Some popular add-ons duplicate functionality that is already present in the browser, such as preference settings, adding only an alternate means of accessing it, for example, so requiring “significant new functionality” seems to work against the interests of a fair number of users.

At the same time, of course, I think it’s quite desirable to be able to point users at a more “filtered” view of the enormous add-ons space hosted on AMO. We currently have one such view, the recommended list, but that’s not really much of a solution to the broader problem. (It doesn’t try to be, really.)

A minimum rating threshold would be one way to narrow the default search results returned to a user, though it depends on the reliability and resilience of a rating system. Our current one isn’t sufficient to prevent the sort of gaming and distortion that would plague us in such a world, but that’s not to say that a sufficiently robust one couldn’t be developed. (Not “perfectly robust”, mind; just enough to keep the damage well below the gain.)

A simpler system would simply provide a single piece of metadata that could be set by reviewers or administrators using their judgment and likely via some multi-reviewer discussion. This wouldn’t scale as well as the universal rating by users, but would be more resistant to gaming and abuse (and easier to track and remedy if such nefariousness is detected).

This post is already too long, but you can read and write more about various possibilities for rating and approval schemes in the Remora Idea Dump. We’re thinking about and working on ways to help users find good add-ons, in a way that scales across our community, and I suspect it’s something that we’ll be working to improve for some time!


Mitchell posted earlier about my new focus: our developer ecosystem, and helping people produce great new tools and experiences on top of Firefox and the web both. It’s work that lets me combine technology, communication, and helping people solve their problems, and if I end up being even a fifth as good at it as I am excited about it — well, I’ll be really good, that’s what!

One important part of Mozilla’s support for developers in their work with Firefox and the web is the Mozilla Developer Center, and I’ll be working with Deb and Eric to help MDC grow and thrive. In just over a year, MDC has developed a strong community of contributors and a great base of documentation, so I consider my job here to be helping Deb execute, and staying out of her way. (She is modest about it, and truly MDC is a fantastic example of the leverage that our community represents — and I include web developers in that community, very much — but Deb’s work to catalyze and guide and generally be MDC’s “guiding star” is not to be underestimated.) There are things to be fixed and problems to be solved, to be sure, and anyone who’s worked with me before knows that I can’t help but try to help when that’s the case, but the course we’re already on is very promising.

(As an aside of sorts, the recent newsgroup re-re-organization is a problem to which I owe a karmic debt, and I’ll post about that here and there this week, hopefully today.)

A bigger part of what I’m going to be working on, though, is what my favourite MBA calls “the extensions space” (my favourite trapeze artist would call it “the extensions piece”, I think). Working tirelessly, though again with an energetic and powerful community, Mike Morgan has been driving through growing pains and scaling demands — popular stuff is hard! — and policy grey areas and likely some fire-breathing sharks or something too. He thinks deeply about the risks and hard decisions that we face as we try to make extensions — or, more broadly, a personalized web experience — attractive and appropriate for a broader portion of our users, and the users we don’t yet have. Working out a strategy for how to fit extensions into our product plans, how to help extension developers be even more productive and successful and happy, and how to maximally leverage the power of our platform, community, and brand to the benefit of the Web at large is an enormous and, I admit, somewhat daunting challenge. I look forward to drawing on my Mozilla knowledge, impeccable taste, and, especially, the experience and wisdom of people like morgamic to improve this part of our world materially. And I look forward to doing it very soon: while there are definitely long-term projects that deserve our attention, I’m starting to believe that there are some small (hopefully!) but significant changes that can make a positive change in the rather near future.

I’m trying to avoid letting “write a thorough and Frank-worthy post” be the enemy of “write a useful and, you know, posted post”, or something like that, so I think I’ll stop here. I want to thank everyone who has already sent me their (varied, and thought-provoking) thoughts on what’s good and bad today in our world of extensions, and apologize pre-emptively for what will no doubt be rather tardy replies. I have a lot to absorb here, and nobody is bothering to ask easy questions.

echo reply

By now, everyone and their brother has reblogged Darin’s post about experimental support for <a ping>. And, as I think most people predicted, there was an outcry about privacy concerns and support for non-standard HTML extensions. Others have written lots about what the actual effect on the privacy landscape is (IMO, a slight improvement), so I won’t rehash that, and my feelings on the “divine right” of any one standards-for-a-living body to define the future of the web are pretty well-known among those who care, so you also won’t have to endure that.

What I’m concerned about is that developers involved in this process were, in the words of at least one of them, “surprised” that there was controversy over implementation of this feature. I agree that, at least so far, the controversy seems to be based mostly on an incomplete understanding of how things are actually tracked on the web today. But there’s a difference between not thinking that the objections are valid and being surprised that people have a reaction to the proposal. The latter worries me a bit, because the emotional and social context in which we operate is pretty important to our success. We ignore that at our own peril, I think, though there would certainly also be peril in swaying with every wind. I guess this is why philosopher kings make the big bucks.

Also, somewhere between the initial bug filing, the trunk landing, the request that it go into the Firefox 2 branch, and Darin’s blog post, the original intent of this work seems to have become obscured, at least in our messaging: this is an experimental implementation to be used to gather feedback from implementors, web authors, users, and the rest of our huge world.

(Aside to the Slashdot submitter: when you link to a blog post that explicitly describes the feature and mentions that people might be nervous due to privacy fears, you might not want to say that it was “quietly” done. This was one of the louder landings for a change of its scale, IMO — which is as it should have been, also IMO.)

high fidelity

(I can only barely forgive myself for that title. I hope you can manage as well.)

After my previous post about Fidelity and Firefox, Rafael pointed me at another article about Fidelity’s adoption of Firefox. A gem from that one, emphasis mine:

Recently the center began testing the open-source Firefox browser, an alternative to Microsoft’s dominant Internet Explorer. Charlie Brenner, a Fidelity senior vice president in charge of the center, says the idea came from engineers in his department who were using it at home and liked Firefox’s advanced features, such as the ability to open new browser windows in tabs rather than in a whole separate browser, and its promise of being more secure from hacker attacks than Explorer.

Someone else agrees with, or is perhaps experiencing, my current theory on enterprises and our software: we’re better off trying to get to enterprises via users, and not the other way around. Dunno if the same logic holds for other disruptive software, especially our open source cousins, but I think that the following three-step plan is probably as useful as many wordier ones that are getting funding and publicity today:

  1. Make it easy for users to try and love your software where they can most comfortably do so (e.g., at home).
  2. Make them wish they could have it elsewhere (e.g., at work).
  3. Help them sell it to the people who can make that wish come true.

I could easily write paragraphs upon paragraphs about each of those bullet points, talking about things like minimizing change cost and playing to the unique scaling strengths of open source communities, but you can all probably imagine what it’d look like. And I don’t have to type or edit your imaginings, so we all win.

Of course, I am not a millionaire entrepreneur success story, teenage software genius, proven technology futurist, or even venture-funded experimenter, so it’s quite likely that you can get better advice elsewhere.

halos and security holism

A nice article about Fidelity and open source has two things that I find especially nice, in this one paragraph alone:

The Mozilla Firefox browser was an eye-opener, added Mike Askew, who also works in the technology center. A head-to-head comparison of Firefox and Internet Explorer showed that both had about the same level of security vulnerability, but “the time needed to fix vulnerabilities in Firefox was much less,” Askew said. That experience led Fidelity to look at open source more intently.

First, I do quite like to hear that our success is making people look at other open source offerings more seriously. It’s not a primary goal for the project, but it’s one of the nice unintended consequences that we get as a bonus.

Second, I like to see people evaluating security characteristics of software in a more nuanced way than simple advisory or vulnerability count. Not all bugs are equal (as is perhaps obvious now, in the throes of the WMF vulnerability, though that’s not an IE bug), and even with severity weighting you are still faced with what are likely even more important questions. Chief among them might well be “how long am I likely to be exposed once a bug is found, or publicized?” If you believe that history is a useful, if imperfect, guide, then something like this vulnerability-window study might be of interest. If not, then you’ll have to do more research, which I very much hope you’ll publish.


He resists falling in to the trap of predicting Portland means 2006 will be “the year of Linux desktop,” but is confident it can capitalize on the buzz that Mozilla’s Firefox has created around open source software on the desktop. Firefox has gained 11.51 per cent of the browser market in the year since its release.

I will be very interested, as Mozilla’s representative to the Portland summit, to follow this effort. I don’t think that most of the people in that 11.51% (I love the precision there!) use Firefox because it’s open source, or perhaps even know that it is. Well, I’m being pretty generous here. I’d be surprised if more than 0.51% used Firefox because it was open source, and I’d be very pleasantly surprised to discover that more than a few percent knew that it was, and what that meant.

I do hope that a growing understanding of the value — to more than just the Mozilla project — of the Firefox brand will help alleviate some long-standing issues here, but even more I hope that the “rest” of the open source desktop can learn from what we’ve done well and poorly, and use that to inform their own path. That’s not a guarantee of success for anyone, to be sure, but it seems like something that would be of interest to those projects. (I have a bit of trivia about that very interest from the Summit, but that’s a whole other story.)

As an aside perhaps of interest to nobody, I think that the “open source desktop” is much much more interesting these days than the “Linux desktop”, with the possible exception of OLPC, and that it’s a lot easier to switch the OS after you switch the parts that touch the users. (The flowers, in many cases, remain standing.)

shavermedia microupdate

Point the first: my KCBS nanointerview is online now, lemme know how obvious it is that I had just woken up.

Point the second: a Red Herring interview I did some time ago (a surreal blend of hard-hitting in-depth journalism about security and competitive threats, and fluff questions about my favourite childhood toys, I must say) is now webified as well. The highlight, for me, is the photo; Vlad obviously performed some ILM-grade special effects. And the Red Herring seems to have done their own, simultaneously scaling it down and making it blockier. Guess it looked better in print, though I’ve never seen it to be sure.

Can’t say I really like the way my answers came out, though the fact that they don’t use quote marks does, I suppose, give them license to chop and slice. If you’ve heard me speak extemporaneously, let alone in a press setting, you’ll probably recognize that voice and style as not quite mine.

well, at least that part was nice

I had a very frustrating and angry-making day today, and it took a lot out of me. I don’t want to talk about it, and nobody else wants me to talk about it either.

But then Deb pointed me at this wonderful movie about Firefox and IE and people. My favourite part is that most people don’t seem to know quite why they like Firefox. They just do, because it’s comfortable, and it makes them feel good.

And that makes me feel good.

sorry, did you blink?

I’m in Portland this week for a promising meeting about the Linux desktop, and I got to start my day today with a quick little interview on KCBS-AM about yesterday’s thoroughly be-Digged launch of Firefox 1.5. It was live-to-air, which is a great way to get the blood pumping at 0620, I must say.

If you just must have your audio-interview-of-Canadian-Mozilla-Mikes fix, I entreat you to savour the talking-over-each-other glories of the inaugural podcast of “Inside the Net”.

Other shavermedia exploits of questionable note:

  • “The California Report” on KQED ran a segment on Mozilla in general, featuring interviews with myself, Mitchell Baker, and Robert O’Callahan. MozillaZine has some tips on where in the report you can find all the Mozilla goodness. (Especially Mitchell’s and Robert’s ever more goodly goodness.)
  • The Chris Pirillo Show let me eat up some, uh, bitwaves talking about the Extend Firefox contest. I haven’t actually listened to this one yet, but I presume he edited out all the double-entendre from the raw interview.
  • CommandN, everyone’s favourite indie technology internet video series, filmed me slouching for a few minutes. If you have more bandwidth than taste, you can also see me slouching in high-definition video.
  • I also now have a (huge) video of my LinuxWorld keynote, but I’m not sure where or if I’ll put it up. So bad!
