Open-source Android app for creating and maintaining long-term positive habits. We have more than 5 million downloads, but zero revenue and near zero recurring costs (no servers, since the app is offline-only for privacy reasons).
I see it as a pendulum. In the old times, we used to write web applications in CGI, where there was no fixed structure whatsoever; the application programmer was responsible for creating the entire web stack with their own bare hands. Then the pendulum started swinging towards more structured frameworks and reached a peak with J2EE, where the application programmer only had to write a tiny piece of code (servlet) that went into a massive framework (servlet container), in a language that had a huge standard library (Java), following clear industry standards (e.g. JavaBeans, design patterns). By the time Rails appeared, the pendulum had started swinging back towards less structure and less formalism. Rails was still a framework, with a strong set of conventions, but it was quite simplified compared to J2EE. The pendulum then continued and people switched to Node.js, which was much more barebones and flexible than Rails. Right now, the pendulum seems to be reaching the opposite extreme with Go, where not only there isn't a framework, but there also isn't a virtual machine (everything is compiled to native code), the language itself is almost as simple as C, and there is barely any standard library.
Meanwhile those of us on the JVM/CLR ecosystems saw it come, influence some of the JEE/Spring/MVC designs, Groovy, coming and going as IronRuby, influence CoffeeScript, and eventually fade away; we still keep using the JVM/CLR ecosystem, and the savvy ones will even know how to AOT compile our applications, if needed.
If this is such a great idea, I would recommend the author of this proposal to work instead on a transpiler that converts the proposed javascript-only websites into a mix of HTML+CSS+js. If the idea catches on and, at some point in the future, people start using the transpiler almost exclusively, then the web browser developers could add direct support, and even eventually phase out support for legacy individual HTML/CSS/js files. Another benefit of implementing a transpiler first is that it would make the proposed javascript-only approach usable today.
It's important to progress from impractical debate to practical technology, which needs to be proven.
I think authoring tools for the proposed non-markup would be even more challenging than transpiling tools; tag-based markup (HTML, XML, even SGML), actual JavaScript, TypeScript and variants thereof and CSS are all much more text-editor friendly than this verbose JSON variation.
Apple crafts their sales pitch around being a secure device that has a lot of restrictions (which means you can't install what you want, but it also protects non-tech savvy people from messing up their device or being hacked)
It is a pretty well established model. I don't like it sometimes either, but you know what you are getting when you buy an iPhone. It isn't like they changed policy after you bought the device.
TVs used to come with circuit diagrams so that people could repair it themselves at home using standard parts. I've not seen anything like that in many years, even for far simpler appliances.
> TVs used to come with circuit diagrams so that people could repair it themselves at home using standard parts.
Nowadays a brand new high end +2000€ Samsung TV comes with ads (!) in the menu and the apps feel like they'd be running on a potato. With that kind of Smart TVs, the hardware won't be the issue since it'll be the software that will be obsolete way before the hardware. Smart TV is not a promise, it's a threat.
I feel like that's a disingenuous comparison, given how complex the electronics of appliances must be nowadays (disclaimer: I have absolutely no idea, my experience is strictly at the software level) - but the general principle should still apply to be able to use products that you own in a (non-harmful) way that you choose.
Still there are components where a schematic would be useful. For example a schematic of the power supply, since 90% of the faults that TVs have are related to that. A power supply is not that complex and having a schematic would mean that repairs would be simpler.
Also nowadays it would be useful to have some sort of debug port, for example a serial port to connect and have a CLI to do diagnostic, upload a new firmware, etc. They have these interfaces in the TVs but most of the time are either disabled or protected so the end user cannot use them.
That would mean you could fix it yourself and cut out their authorized repair program. Better to just not release the schematics, but also not go after anyone that creates the schematics either.
See dishwashers, microwaves, Apple iPhones, and washing machines. Car manufacturers still publish schematics for their circuitry (for a fee)
Well pointed out, although critics will say, "it is not a bug, it's a feature", e.g. "walled garden life".
Imagine if you bought a Microsoft Surface and you could only use the Windows Store to download apps on your device.. People would be outraged, but since it's Apple it is "expected"...
Hint, if it is expected, that doesn't mean it's still ok..
It’s their store, and they get to pick what’s in it. If you want stuff not available in that store, you need a new store. You own the phone, but you agreed to only load software on it from the one store, as it has been for the last decade.
No, they need to allow other stores with different rules and different pricing models. If not, then their store needs to drop the anti competitive practices. This is what the EU investigation is about.
Until the EU decides, they don’t need to do anything. And when the EU decides, if they decide it’s not anti-competitive, they get to go back to doing nothing. You have a choice of what device you use, and if you don’t like all of the things that come with Apple products, vote with your money and use something else.
When you bought the device, did you expect it to run “Hey”? If Apple promised that, sue them. If not, you’re just confused about what you bought and probably shouldn’t handle your own money.
And neither does Apple. You are free to offer both in app and out of app subscriptions and charge different prices. You don’t have to sell your app in the App Store, you have to distribute it.
This makes me wonder if they could charge $99/year on their website but $999/year via in-app purchase. Basically a price so high that no one would realistically buy it from within the app.
It technically fulfills the requirements specified in the review guidelines but I suspect it would be frowned upon.
Instead of consuming the extra energy, OP could also provide it to another customer through the grid, by selling it back to the utility company. This would reduce the total amount of energy that needs to be generated from non-renewable sources. If OP increases their own consumption instead, those non-renewable kWh are still being generated and causing environmental impact somewhere.
This is being mounted on an RV, which is explicitly off-grid, and would only be intermittently connected at best. In my municipality they only do power buy-back from larger generators.
Also most of it isn't going through an inverter, I'm using direct DC-DC, which is much more power efficient for what I'm doing. So that means more cost for inverters, which I'd consider paying even if at the scale I'm working at it would take years for the equipment to pay for itself, but...
You can't simply tie an inverter into the grid and sell back to the power company, as that could mean that during repairs, lines they thought had no power were energized by some residential customer. You need special hardware that the power company can shut down remotely, and that's only available for larger customers.
Also I'm not sure if the price I'd be getting for that power would actually offset the monthly connection fee, making connecting to the grid and selling back extra power very likely cost more than just wasting the power, which is unfortunate.
So unfortunately grid buyback isn't really an option for me.
Which is why I'm looking at other options. I like the wood pellet one, in an ideal world I'd be able to do some kind of carbon capture or something, but I'm not seeing any good power-to-gas tech right now.
You can sell it to your local utility company. You will get paid for it, and another power plant somewhere (maybe a coal power plant) will need to produce 1 kW less power.
Unfortunately that won't work in my municipality, as they only do that for larger customers. The problem is that it's not a "smart" grid, and having random customers pump power back into the grid can cause lines that they thought were dead to actually be energized during repairs. They need some way to shut off the buyback during repairs, and right now they don't have that.
Also I'm not sure that the amount of power I'd be putting back would actually pay for the basic connection fee. It would during the summer months, but during the winter it likely wouldn't, and seasonal connections aren't much cheaper.
I think that's generally the best bet if you can do it.
Most net metering arrangements require a manual power disconnect switch for your rooftop generation [1] for utility workers or first responders, and NEC requirements require inverters to shut down ("rapid shutdown") if they can't sync to the utility to prevent backfeeding power during maintenance (caveat: if you have local energy storage, the inverter will island and continue to provide power from local storage). I would encourage you to ask your municipality and their utility department what their net metering arrangements are; I would be happy to make such a phone call/inquiry on your behalf if you would prefer.
Is your utility Nova Scotia Power by chance? It appears they support net metering [2].
Everything I mention above will be cheaper than storage (which will start around $13k CAD).
Looks like an interesting extension, but unfortunately I would never install it given that "this add-on can access data for all your websites". As far as I am aware, this means it can read and record all data in all websites I visit (including emails, banks, etc) and record everything I type anywhere (including usernames and passwords).
Even if the extension's source code is available on GitHub, there is no guarantee that the code hosted at addons.mozilla.org corresponds to the same one found on GitHub; and even if I (or someone else) could verify that the code is indeed the same, and that there is nothing malicious in it right now, there is no guarantee this will still be the case in future (silent) updates.
To be clear, this is more of a criticism to Mozilla Firefox's security model, not to this particular extension.
I used to have this exact same fear and never downloaded any extensions bc of that, until I started making browser extensions. Pretty much any useful extension needs the access that prompts that generic message about accessing all the data.
Any extension that's listed on the web stores has to be reviewed for malicious code, and they must do what the listing says they do. So if your browser extension has your passwords, then that extension would be considered a password manager.
The extension probably listens to the IPs of well-known time wasting websites like HN or reddit, then adds a latency to the browsing. Same with an ad blocker -- they know every site you visit but only to compare them with their blacklist of advertising IP addresses.
Of course, you have to trust they aren't doing anything else with that info, which you can probably assume you're mostly safe if you don't need an account to use the extension.
According to [0], Mozilla requires all extensions to have a source in human-readable format and runs a test suite on them. They mention "code review" there, but don't say whether it's manual or automatic. I'd love to hear about it from someone who has some experience with the process.
Mozilla runs an automatic check on all extension versions before they get published, and Recommended extensions also go through a manual review before publication.
Listings which do not participate in the Recommended extensions program may also get a manual review after they were published, but immediate human review is not guaranteed.
If you're a developer, I'd recommend disabling automatic extension updates in Firefox, and configuring a script to get notified about updates, even if you only use Recommended extensions.
Extension source viewer is excellent for reviewing updates yourself before installing, and it is maintained by Rob Wu, an engineer at Mozilla.
For my extension the review was automatic, and flags things like direct html editing. I only have a few hundred users though, so I'm not sure at what point they decide to do manual reviews.
You are incorrect. You can inspect extensions that you download to compare the source code to the GitHub release, or even audit the specific source you have downloaded. Please don't spread FUD.
Would it be feasible for browsers to have a console window that enumerates add-ons to display things like URLs contained in the code, what is stored in local storage, session storage, etc? Asking because this topic comes up a lot and might not if the browser had a way to show explicit detailed permissions and capabilities vs. high level abstract permissions. This would be for less than technical people that probably won't be viewing source code, but could click a shiny button in the add-on page and get some idea if the addon shows URL, http(s), number of times the addon has used GET or POST or other methods:
You can literally just save them from addons.mozilla.org and look inside - it's js so it's not compiled, and obfuscated code is against Mozilla policy.
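The check discussed in the comments above (save the package, look inside, compare it with the repository), as an added example that is not from the thread, from Mozilla, or from any extension's author. It assumes the release is shipped unbundled, so packaged files can be compared byte for byte with the source tree; the function names and the sample package are constructed for illustration.

```python
import hashlib, io, json, zipfile

# Match patterns that cover every site (the grant behind the "all websites" prompt).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def pack(files):
    """Pack {path: bytes} into an in-memory ZIP; an .xpi file is a ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def broad_access(manifest):
    """List (manifest key, pattern) pairs that grant access to all sites."""
    hits = []
    for key in ("permissions", "host_permissions", "optional_permissions"):
        hits += [(key, p) for p in manifest.get(key, []) if p in BROAD]
    for script in manifest.get("content_scripts", []):
        hits += [("content_scripts", m) for m in script.get("matches", []) if m in BROAD]
    return hits

def audit(xpi_bytes, source):
    """Compare packaged files with a reference tree ({path: bytes}) by SHA-256."""
    digest = lambda b: hashlib.sha256(b).hexdigest()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        # META-INF/ holds signature files added at signing time, not source.
        packaged = {n: z.read(n) for n in z.namelist()
                    if not n.endswith("/") and not n.startswith("META-INF/")}
    return {
        "broad": broad_access(json.loads(packaged["manifest.json"])),
        "modified": sorted(n for n in packaged if n in source and digest(packaged[n]) != digest(source[n])),
        "only_in_xpi": sorted(set(packaged) - set(source)),
        "only_in_source": sorted(set(source) - set(packaged)),
    }

# Constructed sample data: a reference tree and a package that drifted from it.
MANIFEST = json.dumps({
    "manifest_version": 2, "name": "sample", "version": "1.0",
    "permissions": ["storage", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
}).encode()
SOURCE = {"manifest.json": MANIFEST, "content.js": b"console.log('v1');\n", "README.md": b"docs\n"}
XPI = pack({"manifest.json": MANIFEST, "content.js": b"console.log('v1-changed');\n",
            "extra.js": b"// not in the repository\n", "META-INF/mozilla.rsa": b"sig"})

if __name__ == "__main__":
    print(json.dumps(audit(XPI, SOURCE), indent=2))
```

Files listed under `modified` or `only_in_xpi` are the ones to read by hand; the check has to be repeated for every update, since it says nothing about future versions.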
Obfuscated code is not allowed on any of the browser extension stores. Mozilla requires the attachment of the original source code if you use a bundler such as webpack, or if the code is minified.
Only reviewers have access to the source code, unless you configure the listing to make the code public.
Basically, if the addon wants to interact with any kind of urls, this message is unavoidable. Which means that even if the addon doesn't require to access any data of the websites, as long as it wants to be triggered for any websites, this message is not going to be avoidable.
The solution should surely involve more granular permissions?
I'm assuming this permission has no need to read the body of network responses, inject anything into the responses, read cookies etc.
However, it probably has no option than to request the "read and change all network data" permission because there is nothing weaker that will let it do what it needs to do.
Making sources available isn't a scalable option to help with this in my opinion. Who is going to be doing thorough security audits of every extension + every update?
This is exactly the approach taken by F-Droid (for Android apps). All apps available on F-Droid have been automatically built from a publicly available repository, and you can either download the binary (APK) or the source tarball that they used to produce it. Updates are manual.
> To be clear, this is more of a criticism to Mozilla Firefox's security model, not to this particular extension.
It's a fair comment, but this extension works by injecting javascript into every page the browser loads. If this capability were removed or even changed, it would break a ton of existing extensions (and compatibility with the many extensions written for Chrome).
Given the nature of javascript and the web, once you can run a bit of javascript on a page, you can do just about anything, so the phrasing "can access data" sounds scary but it is accurate. Of course, "can" doesn't mean "does", hence all the other commenters suggesting auditing the code.
The problem with trying to cure this security model is that once an extension can rewrite page HTML, it can inject transmission of your data to a third-party, and so any addon that affects pages (such as this one) is correctly labeled as "can access your data", because it absolutely can.
To make any headway on this, you would need to start considering how to prohibit JavaScript from transmitting page content to remote servers if it's been modified by an addon, but that would then break all JavaScript modified by adblockers, and so there's not any easy solution there either.
If you can think of a valid security model here that isn't vulnerable to today's arbitrary JavaScript execution issues, I think you'd find a willing audience. Chrome tried to solve this by nailing down what extensions can do, and the adblockers all flipped out because they won't be able to run arbitrary JavaScript in-page anymore. It remains unclear how this can ever be solved.
> Looks like an interesting extension, but unfortunately I would never install it given that "this add-on can access data for all your websites". As far as I am aware, this means it can read and record all data in all websites I visit (including emails, banks, etc) and record everything I type anywhere (including usernames and passwords).
> Even if the extension's source code is available on GitHub, there is no guarantee that the code hosted at addons.mozilla.org corresponds to the same one found on GitHub; and even if I (or someone else) could verify that the code is indeed the same, and that there is nothing malicious in it right now, there is no guarantee this will still be the case in future (silent) updates.
> To be clear, this is more of a criticism to Mozilla Firefox's security model, not to this particular extension.