User:Nadavers/FSOSS 2008


FSOSS 2008 Report - Nino D'Aversa

Mozilla Security

Downloading unknown and untrusted code from the internet and running it locally on a client machine; from a security standpoint it seems like a horrible idea, but this is exactly what Mozilla Firefox does. Firefox’s first line of defense is a human shield by the name of Johnathan Nightingale. Johnathan was educated in cognitive science and artificial intelligence and is currently working for the Mozilla Corporation on security, usability and coding for Firefox. Johnathan’s talk, The Most Important Thing - How Mozilla Does Security, and What You Can Steal, focused primarily on the Mozilla security philosophy and best practices. The essential message was, “Capture expensive knowledge so you don’t have to pay for the same lesson twice!” This is achieved through a feedback loop, always asking the question, “How can we make sure problems like this never happen again?” It sounds simple enough, but I can understand where Johnathan is coming from; I agree that security is often done as a last-ditch effort and is too often overlooked. A robust security model is essential to the success of a very at-risk piece of software like Firefox. I found the concept of bug triage interesting: dissecting a bug and determining its risk factor and the impact its correction could have on the code, not only in place but in other areas. Johnathan also discussed the importance of bug post-mortems, emphasizing that they should not be blame-finding campaigns but more process related, e.g. who could we have brought in sooner that would have solved this bug quicker? Johnathan also touched on the value of community, particularly the reporter of a bug. Johnathan said it is important not to diminish the reporters, as their intention is to make the browser safer; community is essential and without it Mozilla could not survive. Lastly, Johnathan emphasized the importance of tests: “NOTHING LANDS WITHOUT TESTS!” says Johnathan.
Mozilla runs 75,000 automated tests, in 6 frameworks, on 4 platforms, at least 20 times a day. Now that’s what I call testing! He went on to say that tests that don’t run are a waste of time! Once again it seems obvious once it’s stated, but I myself have seen tests written just to write tests; tests that become stale and out of date. What happens is you avoid running the tests because you know most of them won’t pass. The point is all tests must pass or it doesn’t land on the tree; that keeps the code tight and ensures fixes don’t break other previously working components. Mozilla also enforces mandatory code review because of the philosophy that two people are less likely to make the same mistake, and to act as a gatekeeper against “this is little, it’ll be fine”. I found Johnathan quite inspiring; he really made me see the value of security, community, testing and review. I believe Johnathan sees the open nature of Firefox as invaluable to its success and security. The ability for many eyes to peer deep into the bowels of the beast allows “all bugs to become shallow”. Johnathan values metrics, but not just for metrics’ sake. He says to measure things which matter, not what’s easy to measure! I found this both humorous and true: how often do we say we need some sort of metric or benchmark, but only measure what is easy to measure just to feel like we’re doing metrics, rather than spend the time to measure something which impacts performance and productivity? Johnathan suggests some good metrics are: measure the days of exposure to users, reduce the number of regressions, and reduce the number of all-nighters. He suggests much of this can be addressed by designing for security up front and being proactive, but never expect to avoid being reactive, as bugs will arise that you don’t account for. Johnathan says you should always have a steady state of improving security and never regress, as security should only get better; don’t produce fixes that reduce security in another area.
I believe Johnathan holds the community in high regard; he referenced the value of user input and interaction more than once, and his delivery told me he appreciated everything that people have to offer. He suggests if you can’t go open source to the world, how about just to your customers? I found this to be an interesting concept, and it shows me that Johnathan is passionate about open source even if it’s not being practiced in its purest form.

Mozilla and Mobile

Bringing the real web to a mobile device, not a stripped-down “mobile web” but the full, real, rich web experience as it is found on the desktop: this is the goal of the Fennec browser, the latest endeavor from the Mozilla Corporation and the subject of Stuart Parmenter’s talk Mozilla and Mobile. Stuart is leading the charge; as module owner of the Graphics and Image Library systems he was responsible for developing Mozilla’s new graphics and text rendering systems. His work on Firefox’s memory usage has resulted in a significant improvement in Firefox’s memory footprint, and I would like to take this opportunity to say, thank you for that! So why is Mozilla interested in the mobile market? Well, there are 1.6 billion internet users and 3.3 billion mobile users. The market is large for mobile expansion. Not every device is a “smartphone” or a phone capable of the browsing experience Fennec is being created to offer, but the market is growing and Mozilla wants to be there for it. Stuart says Mozilla wishes to keep the web open, as the web itself is based on open standards such as HTML, CSS, DOM, JavaScript and others. Stuart’s talk focused on the many challenges of going mobile; the primary concerns are processing power, memory and screen size. These three factors are critical to the development of Fennec, and I think that’s why they took their memory management expert and put him on the project that will demand the truest optimization of the browser’s memory usage. They need to have a browser which can run on processors with clock speeds slower than 400MHz and less than 128MB of RAM, no small feat. Stuart says this can be accomplished by simplifying code, building a better architecture, making things interruptible, using the best compilers and CPU-specific optimizations. The practical non-existence of swap space means memory management of a mobile browser is critical.
Firefox 2 was plagued with memory fragmentation problems, Swiss-cheese memory as Stuart describes it, but a new allocator they discovered allowed them to substantially improve performance; this information will be critical to the success of Fennec on mobile devices. Stuart then went on to talk about the next major concern, screen real estate. How do you manage to show the web on QVGA (320x480) resolution displays? Fennec will hide all controls; access can be had by bringing them in from the edges of the screen. The awesome bar from Firefox 3 will play a key role in reducing the text input needed. Mozilla Weave will provide history, bookmark and password synchronization between mobile browsers and the desktop, seamlessly. Stuart also brought up the concern of tabs: on a desktop you may open as many tabs as you like, and since memory is cheap and available, tabs are all stored in memory, but on a mobile device memory is so limited that measures must be taken to manage it. The ability to save and store browser state will be essential to making Fennec lightweight and quick. I also found the concerns over network connectivity interesting. Although the 3G network is quick, it suffers from high latency, which means resolving DNS addresses becomes costly; therefore Fennec is looking to implement a DNS pre-fetching system to resolve the IP addresses needed for links and images once, rather than multiple times when building the page. Finally, Fennec wishes to remain extensible, just like its big brother Firefox. This means that extensions need to be thought out; graphic placement and interactivity will need to be addressed when dealing with a mobile interface, whether it be touch or haptic. The mobile market is exciting and it is something I personally have a great interest in. I thought Stuart’s talk was interesting and thought provoking; it makes me want to jump in and work on Fennec!
I think Stuart’s attitude towards open source is transparent when he says Mozilla’s shareholders are its users. He describes Mozilla as a company without a corporate agenda; rather, they ask the users, the community, what would make life easier. I believe he sees open source and Mozilla as uncorrupted by the pursuit of profit when he describes the addition of the search bar in Firefox prior to the deal with Google. I believe it is important to Stuart that the open source community perceives Mozilla as an untainted leader which offers the freedom for the development of new ideas without the expectations of big business. This tells me he sees the value of community and open source. His call for contribution also tells me he is expecting the community to come in and help out where they can, which is the essence of open source.

Johnathan and Stuart - Compared

I feel both Stuart and Johnathan have similar perspectives on open source, both being from the Mozilla Corporation. Although only so much can be gauged from an impersonal presentation, I think both highly regard the community as Mozilla’s most valuable asset, and I agree with them both. The ability for so many people to collaborate on a product as large and visible as Firefox, and soon its little brother Fennec, is truly remarkable. Coming into my first FSOSS event I didn’t know what to expect, and to be honest I wasn’t too excited going in. That changed for me quite quickly though; the first talk I attended was Johnathan’s talk on security and it was a real eye opener for me. I was very impressed with the delivery and content of the talk; I thought he spoke a lot to my concepts of what security is and isn’t, and opened my eyes to a real-world system that is capable of handling security to the highest level. Needless to say, after that talk I became excited about FSOSS and what was to come. Stuart’s talk put it over the edge for me; I have such a passion for gadgets and particularly the mobile market and its future. I was one of those who lined up the first day for the iPhone, as I had been gawking over it for almost a year and a half. Although admittedly the iPhone platform itself is the foil to the open source model, I feel the hardware and software concepts which are stemming from it are critical and present in the approach Mozilla and Stuart are taking to their launch of Fennec. I found the entire talk about the mobile environment (the memory restrictions, the screen real estate, the performance questions) exhilarating; I wished I could hear more about it and have more discussion, because it brings together my personal interests and hobbies with my future career and education.
I think the most valuable thing I will take away from FSOSS is a desire to get involved with Fennec in next semester’s continuation of DPS, so Dave, when you read this, keep me in mind when those Fennec contributions and opportunities pass your desk or inbox!

My Perspective and Closing Thoughts

Although I’m a freshman in the open source world, I think FSOSS has affirmed much of my perception of what open source is. It’s community involvement; it’s a decentralized, chaotic system capable of producing safe and robust software. Both Johnathan and Stuart have instilled in me the value of that community; Mozilla’s shareholders, as Stuart says, are its most valuable resource. It’s the coming together of minds from every corner of the globe to work towards a common purpose; in its chaos there is beauty, like pieces of metal coming together to form a complex watch. I find it remarkable how all the human resources are managed, but not managed as it were. Open source is almost self-governing; it is driven by the interests and passions of its community, so it is always current and of its time. It is the ultimate in customer satisfaction; customer feedback and interaction fuel the development. I’m not sure if it’s because open source is new to me, but it feels like the movement is new and fresh and a viable model for the future. I can see myself becoming part of something with such passion, as I am passionate. I look forward to contributing to the community wherever I am capable in the future, and hope that by this time next year I can have something of my own to say at FSOSS.