• From: Tulsa, OK
  • Registered: 2008-08-04
  • Posts: 657

Topic: Developer perceptions

I am starting this as it's own topic, though the impetus is based on a comment in this thread (and many others)...

http://forum.chumby.com/viewtopic.php?pid=22559#p22559

Most specifically this part:

...Some developers have been asking us to allow them to access many of the low-level functions of the device, including volume and the low-level audio subsystem - imagine what would happen if some malicious widget developer could set arbitrary alarms at any time at full volume!

--

This seems to be a real point of contention between developers and Chumby central.  What about the "non-malicious" developers that spend their own free time creating unique widgets for the device?  By repeating this statement ad-nauseum, you would think that we are just a bunch of malicious developers waiting to take down the "system" with our nefarious widgets.

It's a real shame.  If the concern is so high, then why not create a "trusted" developers level?  Give us the ability to help push the boundaries of the device, which only helps it sell.

And from another perspective, if I were a possible customer browsing these forums, and kept seeing these statements based on "FUD", I would be reluctant to purchase.

I apologize if I seem frustrated, but I am.  Many of us have put in countless amount of development hours, and speaking for myself personally, really enjoy and love the Chumby.  Why am I even included in the same paragraph as a "malicious" developer because of the fact that I would like to put even more countless hours of development to provide even more of an awesome experience for the end user?

It's borderline insulting.  Is there any chance for a wider dialog on this topic?

Cheers.

Get -> Chumbyland | Joice | Word Up | Newsdom

cbreeze's Website

  • Duane
  • Duane
  • Blue Octy
  • Offline
  • From: San Diego, CA
  • Registered: 2006-08-24
  • Posts: 8,200

Re: Developer perceptions

It's not meant as an insult to anyone. In the thread I posted that comment in, you'll notice that we basically had a user assigning cause to the alarm system the behavior of a widget that was unilaterally making noise without the user explicitly giving it permission to do so.

Part of my job is to protect users.  It's a responsibility that too many companies fail to take seriously, but we do.

Based on the feedback on this issue, we've started to build in a privileging system that would allow us to grant temporary privileges to subsets of ASnative functionality to well-behaved widgets, so we're not simply ignoring that.  The client side is done - I already showed wrybread how to use it - but the server side is not complete and there are several policy decisions that have to be made in the light of the breakdown in user security this represents.  Among the behaviors that are supported are access to the sound controls and streaming subsystem.

In addition, I'm looking unto allowing widgets to have the ability to send events to the Control Panel just as one can do from the underlying system - that would at least have the Control Panel have some clue what's going on, and the hope is that widget developers will choose to work through that system for streaming so that these things can be properly managed.  That way we can at least give the user some way to block unwanted behavior, which can't really be done with allowing access to ASnatives.

Duane's Website

3 Reply by wrybread (edited by wrybread 2009-08-13 00:08:45)

  • Registered: 2008-03-05
  • Posts: 119

Re: Developer perceptions

An enthusiastic +1 to everything cbreeze said.

It seems to me that if a given widget made some annoying noise, the user would simply not use it anymore.  And they'd leave a comment saying "don't use this, it makes a really loud obnoxious noise", and that would be that.

I understand Chumby Corp wanting to make sure that there's never a destructive program that can delete files on network shares or the like, since it doesn't benefit anyone if people are afraid to put Chumbies on their network. But we're a long long way from that happening, and with protected ASNative calls things could still be completely safe.

What always struck me about the Chumby is how much trouble it got into because of the seemingly minor decision to store the widgets online. To me that's a sort of arbitrary decision, and given the fact that widgets change pretty often, a good and practical one. However that put widgets into this security category of having "come from the internet", not the local device, so the widgets can't access much of the local device. In other words a somewhat arbitrary decision, to store the widgets online, had a massive impact on their functionality. At least that's my read.

The iPhone has a nice if slightly annoying way of handling this sort of thing for GPS. Every time an app launches that wants to access GPS data, the user is asked if that's ok. The widgets could do this, though hopefully there'd be some option to remember the answer so users don't have to click OK every time a given widget appears. If we want to be really careful, the dialog could appear again whenever the widget is modified.

I also like the idea of a trusted developer level.

Anyway just my $.02.

  • Duane
  • Duane
  • Blue Octy
  • Offline
  • From: San Diego, CA
  • Registered: 2006-08-24
  • Posts: 8,200

Re: Developer perceptions

We are thinking about something similar, but server-side - the author would provide a list of desired permissions, and the user is prompted to grant those permissions when they add the widget to a channel.  The widget author would have to accommodate the user choosing not to grant those permissions to their widgets.

With streaming music, I'd still strongly favor the official, documented music source approach - administering multiple different types of music sources (on some devices, music is not handled by btplay), particularly with the alarm subsystem so deeply tied into it, sleep times, resumption, etc, require some central arbiter like the Control Panel to be involved.  Some music sources require deep administration just to transition from one track to the next, or to renew session tokens.  The Control Panel takes care of dispatching that sort of stuff.

Note that Apple is actually more strict than we are - simply reading the GPS doesn't change the machine state, but does have privacy implications, so they block it by default. Apple doesn't even *offer* a mechanism to launch background streaming, while we do, although using a special mechanism.

Duane's Website

  • Registered: 2008-03-05
  • Posts: 119

Re: Developer perceptions

Apple is more restrictive with threading than the Chumby, but other smartphone makers like Palm and possibly Android aren't. And I think all of them except Chumby give apps access to hardware such as wifi and general system status.

As I understand it Apple's decision not to allow background processes isn't a security consideration but rather for stability, to minimize memory leaks and that sort of thing.

  • From: Tulsa, OK
  • Registered: 2008-08-04
  • Posts: 657

Re: Developer perceptions

Thanks Duane!

I don't envy your position. smile

If you need any testing help or feedback, let me know.  Would love to help.

Cheers.

Get -> Chumbyland | Joice | Word Up | Newsdom

cbreeze's Website