02 May 2009

You should update to NoScript 1.9.2.6

Quick recap:
  1. NoScript is a Firefox extension. Its author makes money from ads on his webpages (from what he says, pretty much his entire income depends on those ads. UPDATE: from his bio: "I'm currently teaching Web Programming at the University of Palermo"... yet another blow to his credibility. UPDATE: the bio was outdated).
  2. AdBlock Plus is a Firefox extension that stops ads. It also allows users to subscribe to third-party lists of sites to block.
  3. The maintainer of one of those services, "EasyList", took a very zealous approach and targeted NoScript.net (and other sites from the same author) because he found that it implemented some basic workarounds to avoid AdBlock Plus.
  4. Escalation ensued, and after a series of tit-for-tat eventually the NoScript developer went too far. NoScript, when installed in Firefox, would now check if AdBlock Plus was installed, and if so, force it to whitelist its sites... basically "hacking" ABP client-side.
  5. The ABP developer (who up to now was not involved who apparently instigated the whole thing) got angry, and denounced the behaviour in various forums, including Slashdot.
  6. The NoScript author backtracked, removed the offending code in the latest update (NoScript 1.9.2.6) and apologized.

Now, I'm sympathetic to the NoScript author's circumstances -- he has a family to feed, he gives his work away for free, and NoScript really is a piece of extremely useful and complex code that most Firefox users enjoy (including me). It seems fair that he should get some compensation for his effort.

However, clearly NoScript can be (and is) used as an ad-blocker, and the developer even runs AdBlock himself, but then he gets all worked up when these technologies are used against his own sites. There is a bit of hypocrisy there.

In any case, client-side modification of other people's extensions is just unacceptable, no matter how "transparent" it is. There is a line, and the NS author crossed it. Kudos to him for the eventual backtracking, but he shouldn't have put himself in that position in the first place. NoScript is a security-related extension, and in the security world trust is precious currency. His reputation is now tarnished, and it will take time for people to forget.

All this, someone pointed out, highlights the need for a mechanism to reward extension authors. I agree. Mozilla could easily implement a micropayment system on addons.mozilla.org (like the iPhone AppStore), or build some sort of subscription infrastructure in FF (so that people can install extensions, then decide if they are worth paying). My guess is that the world of extension development would literally explode, and that would make FF even more attractive.

6 comments:

  1. Indeed, it's not just ADB, but also Ghostery, which I have never used but apparently just reveals things without blocking anything. And the reason for that is just that Ghostery's author didn't do his own programming homework.

    Perhaps you should just disable/uninstall NoScript and try to find a valid alternative while waiting for Maone to change his programming attitude... or at least his photo avatar. :-P

  2. Sh*t, that's even worse :(

    Yeah, I need to investigate alternatives. It's a shame, because NoScript is probably the best "defensive tool" for Firefox.

    I guess that's part of the problem: with great power comes great responsibility, absolute power corrupts absolutely, monopolies are bad, etc etc etc...

    Shame, because it's always nice to see people from the homeland "making it to the big time", and always sad to see them "blowing it" right after.

  3. BTW, Maone apologized. I commented on that post that "the whole incident shows how NoScript and AdBlock are now considered such critical pieces of infrastructure by the Firefox userbase, that their maintenance responsibilities and development process need to be made clearer. A public code repository would be a good step in the right direction — AdBlock is on MozDev already, NoScript should be as well."

    Isn't it incredible how, in 2009, such a popular open-source program still does not have a public VCS repository?

  4. Regarding the teaching part, thanks for noticing that I neglected updating my old bio page for some years now.

    I gave up teaching about 9 months after NoScript had been launched, because I found myself not patient enough to be a good mentor and out of time since NoScript was becoming a full time occupation.

    Updated now.

  5. Yup, nice to see the apology (your link was missing). I don't know if the Ghostery issue has had any follow-up (no mention about it in Giorgio's post, as far as I can read), but I hope it will be removed as well.

    I agree about the power/responsibility and absolute power/corruption problems. One can always hope to learn by experience.

    We'll see.

  6. Uh, oh, it seems I have to apologize, too. I misread the Ghostery issue. It is a CSS rule on noscript.net that "disables" Ghostery's display. The NoScript plug-in has nothing to do with it. My apologies for the rushed comment, both to you and Giorgio.
