To Trust an Extension
“Voice hoarse, I heaved a huge shoulder-slumping sigh. I’d just wanted to maximize the thing. Instead there I was yelling at all the kids on my lawn, throwing rocks at a cloud, ranting on about non-existent terms like Trust-Driven-Development. Who hurt me, you ask?”
It was the fourth annual company campout and we were huddled around the fire pit swapping horror stories gathered from the dark depths of the software industry, holding the fire at bay with an array of steely s’more forks.
“Desire,” I continue, leaning forward slightly on my log perch. “It started with a single desire. I was watching a tutorial video embedded on webpage X. ‘If only it were a little bigger,’ I thought. Sadly, the only sizing option was full screen. That’s right — all or nothing, tiny or gargantuan. If only I could maximize the video to the width of the current tab, not the entire screen.”
A few heads nod in understanding. They’d been there before too.
“This is where it started to get spooky. You see, the search for a solution led me to a few…” I rummage around in my knapsack and retrieve a flashlight, holding it under my chin to illuminate my face ominously. “…to a few… browser extensions!”
A collective gasp rises around the campfire. Even the fire shudders slightly.
“Looking at a new browser extension is like walking into an abandoned barn in the woods — you never know what, or who, you’ll find. ‘Hello…? Anybody in here?’ I imagined an assortment of rusty hooks hanging from sagging rafters, swinging slightly.”
A few people rub their arms to soothe their goosebumps. Bob silently mouths something. It looks like, “browser extensions.”
“As usual, the browser extensions in question required some hefty privileges, including the ability to read everything on every site you visit. How would I know that this extension wouldn’t turn into an extension of my bank account and maximize my expenditures instead of my videos?”
“Preach it, man!” Jerry ribs me.
Smiling, I carry on, “Being a developer, I had a few more tools up my sleeve. I know, I know, this was when I used to keep tools up my sleeve. They kept falling out, so now I keep them in a proper tool belt.”
Sandy groans audibly, “Are you finished?”
“Okay, okay.” I laugh, forging ahead. Finger raised, I exclaim, “Light bulb! That’s when it hits me: Let me check the source code! The extension had a homepage link. Progress wuut! But that’s when I hit a brick wall. Hard. Scars hard.”
“Let me guess… no source?”
“Yep. You guessed it, Sandy. The project “homepage” listed absolutely nothing about the project, let alone the source code. The license listed was GPLv3, which was super ironic — illegal even? — the developer didn’t even share their own code.
“At that point I considered ripping open the extension to examine the source, but that’s when the sheer — I dunno — “ludicrosity?” of the whole thing hit me like a spooked barn owl in the face. Why in the world was I spending so much time on a snipe hunt? I remember thinking, as I attempted to spit out a mouthful of imaginary owl feathers.”
A nearby dove cooed into the night air and Jerry chuckled around a mouthful of beer.
“I thought, even if I gain trust in this version of the extension, what prevents a future update from turning evil and leaving me and my data swinging from the rafters? For that matter, what if there’s a vulnerability in the current version that opens me up to attacks from malicious sites? I’m no forensic code analyst.”
“No you are not. Decent code reviewer though,” Sandy said with a smile and a raised bottle of beer.
I smile back, then muster my energy for the closer:
“Back in the creepy code barn, I whisper into the dark musty stillness, voice shaky, ‘No… thanks.’ The only movement comes from the floaters in a nearby shaft of light. Louder, ‘No! I don’t trust you!’ Finally, I screamed at those dusty rafters and their creepy rusty hooks, ‘I’ll keep my clunky full-screen video, thank you very much!!’ The barn said nothing in reply. I grabbed my full-screen browser-supported video, and I ran for my life!”
Courtesy applause erupts around our welcoming fire. Jerry even stands up. The fire crackles and pops.
And somewhere, deep in the dark forest, a barn owl hoots, and a hooded coder cackles.
So how do we develop trust in an open-source software developer? What sort of practices either build or undermine that trust? Indeed, how can we as developers practice TRUST-Driven-Development? Heh, heh. Well, that’s a discussion for another time, another campsite.