This doesn't seem wildly unreasonable to me. If it allows them to perform a better review and check for malicious code before approving it, I'm all for it.
Perhaps Opera can perform the minification after reviewing the code and achieve the performance gains while still being able to prevent malicious code entering the store.
Agreed. In the end he calls on Opera to "open the store up" but that has little to do with requiring non-minified code. Seems like he's just upset his extension go rejected.
I'm sure malicious code can be hidden in plain site anyway. Automated tools or human eyeballs won't spot it. For example here is the underhanded C contest demonstrating the principle with C http://underhanded.xcott.com/ (static analysis won't be possible on most JS code)
The only way to be sure is to implement a (bug free) sandbox that the code runs in, as then it won't matter what the code does.
This is a bad argument. They are affected by microseconds and kilobytes, in proportions insignificant compared to the memory usage and parsing time already required.
As you're the article author, if you're even remotely interested in being taken seriously (because right now there's less-than-no reason to) it behooves you to actually demonstrate a perf or memory delta that anybody would notice in the first place.
In this particular context, it shouldn't be the developers task to minify code anyway. If the browser engineers deem that there is reasonable speedup to be gained from minifying extensions, then they should do it as part of chain from developer to user.
Do you have any benchmarks to offer as evidence that the effect is significant?
I thought people minified code in extensions just for the two reasons: force of habit (they do it for all their JA that is served online) and obfuscation.
(not sure why you are getting downvoted: your point is valid, though probably insignificant)
Is there something I'm missing, or should someone file a bug report with Opera if their lexer is taking noticeably more time and memory to strip whitespace?
I’d go so far to say that someone should file a bug report with Opera if they are lexing extension code for each page individually, rather than compiling it once on startup and then using the compiled code for the individual pages.
The code is compiled (once) and injected into all pages loaded.
The minified code and original code will look exactly the same at this point unless the minify process does something really clever.
I don't think that minifaction will have an impact on execution time or memory usage will it? It's only advantageous to reduce total size of downloaded code, and total number of web requests to retrieve all the assets required for the page. I wouldn't think either of those things would matter in a browser extension.
Did they actually do any kind of benchmark to see if it affects performance?
The memory and parse time argument is invalid imo. Lexing a file with wildly abudant whitespace is going to take a delta longer that's insignificant compared to the parse time.
Loading it is normally a concern because of network bandwidth and latency, especially if it'll push you over MTU.
Mozilla does the same thing for Firefox extensions but the experience is much worse thanks to volunteer reviewers. This is of course not consistent and your extension can get rejected based on whatever obscure reason they might have: I once got hate as I used spin.js instead of a GIF loader animation. Believe me, Opera has it good.
I'm glad I'm not the only one who thought "good for Opera."
Obfuscated code is for competitions, not functional software. This is not 1978; the space savings from single-character variable names is not significant. (Or if it is, your code is way too heavy to be running in a browser extension.)
In my experience minified js is 30-40% smaller, which can make a pretty significant difference in terms of load time. The debugging argument doesn't really make sense to me, since the code should only be minified in production anyway.
Still, in the case of a browser extension it wouldn't really make a difference since the files are coming from the disk.
Minifying production-deployed code is fine (although gzipping largely eliminates benefits of minifying). If the code is open-sourced, the unminified version is available. If not, the code is not meant to be debugged by you anyway. (I agree, the latter doesn't always apply in non-ideal world.)
More importantly, minifying has no effect on the performance of the app. (unless you're doing some smart stuff like what Google Closure does)
The Javascript engine will JIT it or at least use an intermediate representation as soon as it's loaded, rendering minified or regular code the same. Minifier helps with load times but extensions are local, (and the difference in time is really negligible this first time)
Ideally, I'd want every store to reject minified code but at the same time I'd want them to automatically minify extensions while making their full sources available as a separate download.
Well, even though the extension lives on the local hard drive, it could still make loading it faster: At least with HDDs, people made experiments gzip'ing the Linux kernel in /boot (or parts thereof) and using the CPU to unzip it on load, which was faster than loading the uncompressed version (no source at the moment, sorry).
So since minified code shouldn’t even need uncompressing, I could imagine it to speed up the time it takes Opera to load the extension – if you always start a new browser if you want to go to a website, that might even make sense.
There is a lot of cargo culting going on in this thread. There are 2 reasons to minify Javascript code:
1) Protect your intellectual property by obfuscating code
2) Make web pages load faster by reducing the size of the Javascript file(s) to transfer
Minifying an extension won't make it run faster since extensions are loaded from memory or disk, not from the network (ok, maybe it will be faster by a few nanoseconds?). It could make the initial download of the extension faster but it's only a one time download. Therefore, the only valid reason to minify an extension would be #1. However, it seems Opera is more concerned by user security (it's much easier for a backdoor to go undetected in minified code) than protecting the IP of extension developers.
A source code is not valuable IP ... the people that wrote it are precious. Reading and understanding source code is so hard that it is often cheaper to develop from scratch if you are competitor.
There are exception of course ... but unless a team includes a few Carmacks and the likes its value is often overstated.
No, it's not. It's not fool-proof but it makes it slightly more difficult for other developers to determine what's going on and it certainly makes code re-use harder. The effort that goes into examining obfuscated code is a deterrent.
Extensions should be in the clear so we can see them. There is ABSOLUTELY no reason to minify an extension, they get downloaded once. In this scenario minification == obfuscation == something to hide.
Actually, I think Opera has the same policy as Mozilla. If you reply to the reviewers (who are very responsive), they seem to let you minify as long as you show them the unminified sources.
Our extension (https://addons.opera.com/en/extensions/details/disconnect/) uses the minified versions of seven libraries, which are about half the size of the unminified versions. Why not give users a better experience by shaving a few seconds off the install time?
The blog post has been updated, and it seems Opera replied to that effect as well:
> Hi as I written before "We must be able to review the code in a reasonable manner", you can upload somewhere your not-minified code and give us a link to it, write what library are you using to minify and write a command which will minify your package. As fast as we read your code we will publish your extension.
"Is Opera saying they will do a comprehensive code review on every line of extensions submitted to their store? Will they require documentation on all design decisions and processes involved? What about any server-side code?"
Well, duh, yes they will do their best even if they may fall short. Props to Opera.
42 comments
[ 2.9 ms ] story [ 75.4 ms ] threadhttps://addons.opera.com/en-gb/extensions/ compared with https://chrome.google.com/webstore
Perhaps Opera can perform the minification after reviewing the code and achieve the performance gains while still being able to prevent malicious code entering the store.
The only way to be sure is to implement a (bug free) sandbox that the code runs in, as then it won't matter what the code does.
While it is not possible to spot all malicious code by inspection, minification certainly makes the job much harder.
As you're the article author, if you're even remotely interested in being taken seriously (because right now there's less-than-no reason to) it behooves you to actually demonstrate a perf or memory delta that anybody would notice in the first place.
I thought people minified code in extensions just for the two reasons: force of habit (they do it for all their JA that is served online) and obfuscation.
(not sure why you are getting downvoted: your point is valid, though probably insignificant)
The code is compiled (once) and injected into all pages loaded. The minified code and original code will look exactly the same at this point unless the minify process does something really clever.
The memory and parse time argument is invalid imo. Lexing a file with wildly abudant whitespace is going to take a delta longer that's insignificant compared to the parse time.
Loading it is normally a concern because of network bandwidth and latency, especially if it'll push you over MTU.
Obfuscated code is for competitions, not functional software. This is not 1978; the space savings from single-character variable names is not significant. (Or if it is, your code is way too heavy to be running in a browser extension.)
It means I work with people who have no sense of reality, and it means all my debugging sessions are going to be way harder and much less productive.
That's a real loss for a fictional gain. Minifying needs to die.
Still, in the case of a browser extension it wouldn't really make a difference since the files are coming from the disk.
It's completely pointless for a browser extension though.
The Javascript engine will JIT it or at least use an intermediate representation as soon as it's loaded, rendering minified or regular code the same. Minifier helps with load times but extensions are local, (and the difference in time is really negligible this first time)
So since minified code shouldn’t even need uncompressing, I could imagine it to speed up the time it takes Opera to load the extension – if you always start a new browser if you want to go to a website, that might even make sense.
1) Protect your intellectual property by obfuscating code
2) Make web pages load faster by reducing the size of the Javascript file(s) to transfer
Minifying an extension won't make it run faster since extensions are loaded from memory or disk, not from the network (ok, maybe it will be faster by a few nanoseconds?). It could make the initial download of the extension faster but it's only a one time download. Therefore, the only valid reason to minify an extension would be #1. However, it seems Opera is more concerned by user security (it's much easier for a backdoor to go undetected in minified code) than protecting the IP of extension developers.
There are exception of course ... but unless a team includes a few Carmacks and the likes its value is often overstated.
There is no protection in minifying an interpreted language. This is an invalid argument.
However, minifying is useless if there is bandwidth overhead (read: file:// URLs.)
I'm really sad though that there's even in the JS community people that are promoting micro-optimisations like they do in the PHP world..
Opera could just de-uglify the code (and even automate that). still a non-argument to decline a deployment IMO.
Our extension (https://addons.opera.com/en/extensions/details/disconnect/) uses the minified versions of seven libraries, which are about half the size of the unminified versions. Why not give users a better experience by shaving a few seconds off the install time?
> Hi as I written before "We must be able to review the code in a reasonable manner", you can upload somewhere your not-minified code and give us a link to it, write what library are you using to minify and write a command which will minify your package. As fast as we read your code we will publish your extension.
Well, duh, yes they will do their best even if they may fall short. Props to Opera.
Clearly, no. But they do probably want to check if your js might be pulling on some funny URLs behind user's back.