

Opera Rejecting Extensions With Minified Code - gantengx
http://leaptouch.com/blog/2013/09/19/opera-rejecting-extensions-with-minified-code/

======
zerovox
This doesn't seem wildly unreasonable to me. If it allows them to perform a
better review and check for malicious code before approving it, I'm all for
it.

Perhaps Opera can perform the minification after reviewing the code and
achieve the performance gains while still being able to prevent malicious code
entering the store.

~~~
rogerbinns
I'm sure malicious code can be hidden in plain sight anyway. Automated tools or
human eyeballs won't spot it. For example here is the underhanded C contest
demonstrating the principle with C
[http://underhanded.xcott.com/](http://underhanded.xcott.com/) (static
analysis won't be possible on most JS code)

The only way to be sure is to implement a (bug free) sandbox that the code
runs in, as then it won't matter what the code does.

~~~
adrianN
I guess you don't lock your front door because lock picking is
straightforward?

While it is not possible to spot _all_ malicious code by inspection,
minification certainly makes the job much harder.

~~~
rogerbinns
They will only be able to catch the incompetent bad guys via inspection. Those
are not the ones to worry about.

------
olalonde
There is a lot of cargo culting going on in this thread. There are 2 reasons
to minify JavaScript code:

1) Protect your intellectual property by obfuscating code

2) Make web pages load faster by reducing the size of the JavaScript file(s)
to transfer

Minifying an extension won't make it run faster since extensions are loaded
from memory or disk, not from the network (ok, maybe it will be faster by a
few nanoseconds?). It could make the initial download of the extension faster
but it's only a one time download. Therefore, the only valid reason to minify
an extension would be #1. However, it seems Opera is more concerned by user
security (it's much easier for a backdoor to go undetected in minified code)
than protecting the IP of extension developers.

~~~
SchizoDuckie
1) Protect your intellectual property by obfuscating code

There is no protection in minifying an interpreted language. This is an
invalid argument.

~~~
proexploit
No, it's not. It's not fool-proof but it makes it slightly more difficult for
other developers to determine what's going on and it certainly makes code
re-use harder. The effort that goes into examining obfuscated code is a
deterrent.

~~~
masklinn
"Slightly" is a good word, it's an extremely low barrier of entry and if
somebody wants to read it they will manage to do it.

------
byoogle
Actually, I think Opera has the same policy as Mozilla. If you reply to the
reviewers (who are very responsive), they seem to let you minify as long as
you show them the unminified sources.

Our extension
([https://addons.opera.com/en/extensions/details/disconnect/](https://addons.opera.com/en/extensions/details/disconnect/))
uses the minified versions of seven libraries, which are about half the size
of the unminified versions. Why not give users a better experience by shaving
a few seconds off the install time?

~~~
jffry
The blog post has been updated, and it seems Opera replied to that effect as
well:

> Hi, as I have written before, "We must be able to review the code in a
> reasonable manner". You can upload your not-minified code somewhere and give
> us a link to it, write what library you are using to minify and write a
> command which will minify your package. As fast as we read your code we will
> publish your extension.
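
Added example (not part of the thread, and not Opera's or any commenter's code): with the readable sources plus the declared minify command, a reviewer can rerun the minification and confirm the submitted package contains exactly the reviewed code. `toyMinify`, `verifyMinifiedBuild` and all file names and contents are constructed stand-ins; a real check would run the tool and command the developer named.

```javascript
const crypto = require("crypto");

const sha256 = (text) =>
  crypto.createHash("sha256").update(text, "utf8").digest("hex");
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Stand-in minifier (assumption): drops comments, collapses whitespace.
// A real review runs the exact tool, version and command the developer named.
function toyMinify(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, "") // block comments
    .replace(/^\s*\/\/.*$/gm, "") // whole-line comments
    .replace(/\s+/g, " ")
    .trim();
}

// sources and submitted map file path -> file contents.
function verifyMinifiedBuild(sources, submitted, minify) {
  const report = { match: [], mismatch: [], missing: [], unreviewed: [] };
  for (const [path, src] of Object.entries(sources)) {
    if (!has(submitted, path)) report.missing.push(path);
    else if (sha256(minify(src)) === sha256(submitted[path])) report.match.push(path);
    else report.mismatch.push(path); // shipped code differs from reviewed code
  }
  // Files in the package that no readable source accounts for.
  for (const path of Object.keys(submitted)) {
    if (!has(sources, path)) report.unreviewed.push(path);
  }
  report.ok = report.match.length === Object.keys(sources).length &&
    report.unreviewed.length === 0;
  return report;
}

// Constructed sample data, not taken from any real extension.
const reviewedSources = {
  "background.js": "// count blocked requests\nfunction count(n) {\n  return n + 1;\n}\n",
  "popup.js": "/* popup UI */\nvar shown = false;\n",
};
const submittedPackage = {
  "background.js": "function count(n) { return n + 1; }",
  "popup.js": 'var shown = false; fetch("https://example.invalid/c");',
  "vendor.min.js": "var a=1;",
};

console.log(verifyMinifiedBuild(reviewedSources, submittedPackage, toyMinify));
```

In the sample, `popup.js` is reported as a mismatch because the shipped file carries a statement the reviewed source lacks, and `vendor.min.js` is reported as unreviewed because no readable source was supplied for it.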

------
Yver
Ideally, I'd want every store to reject minified code but at the same time I'd
want them to automatically minify extensions while making their full sources
available as a separate download.

~~~
sitkack
Why is minification important in this case? How will it affect your execution
of the extension?

~~~
claudius
Well, even though the extension lives on the local hard drive, it could still
make loading it faster: At least with HDDs, people made experiments gzip'ing
the Linux kernel in /boot (or parts thereof) and using the CPU to unzip it on
load, which was faster than loading the uncompressed version (no source at the
moment, sorry).

So since minified code shouldn’t even need uncompressing, I could imagine it
to speed up the time it takes Opera to load the extension – if you always
start a new browser if you want to go to a website, that might even make
sense.

------
dools
I don't think that minification will have an impact on execution time or memory
usage, will it? It's only advantageous to reduce total size of downloaded code,
and total number of web requests to retrieve all the assets required for the
page. I wouldn't think either of those things would matter in a browser
extension.

------
PhasmaFelis
I'm glad I'm not the only one who thought "good for Opera."

Obfuscated code is for competitions, not functional software. This is not
1978; the space savings from single-character variable names are not
significant. (Or if it is, your code is way too heavy to be running in a
browser extension.)

~~~
josteink
Yeah. As a developer, whenever I see minified code I cry.

It means I work with people who have no sense of reality, and it means all my
debugging sessions are going to be way harder and much less productive.

That's a real loss for a fictional gain. Minifying needs to die.

~~~
njr123
In my experience minified js is 30-40% smaller, which can make a pretty
significant difference in terms of load time. The debugging argument doesn't
really make sense to me, since the code should only be minified in production
anyway.

Still, in the case of a browser extension it wouldn't really make a difference
since the files are coming from the disk.

~~~
zapt02
If we're discussing serving it to the browser, just use gzip and get the same
size savings without any of the minification!

~~~
masklinn
IIRC you can get slightly more gain with a very aggressive minimizer and gzip
than gzip alone.

It's completely pointless for a browser extension though.

------
jfoster
The Opera store looks incredibly similar to the Chrome Web Store, even down to
the effect used to show more information when you hover over a tile.

[https://addons.opera.com/en-gb/extensions/](https://addons.opera.com/en-gb/extensions/)
compared with
[https://chrome.google.com/webstore](https://chrome.google.com/webstore)

------
richo
Did they actually do any kind of benchmark to see if it affects performance?

The memory and parse time argument is invalid imo. Lexing a file with wildly
abundant whitespace is going to take a delta longer that's insignificant
compared to the parse time.

Loading it is normally a concern because of network bandwidth and latency,
especially if it'll push you over MTU.

------
jorde
Mozilla does the same thing for Firefox extensions but the experience is much
worse thanks to volunteer reviewers. This is of course not consistent and your
extension can get rejected based on whatever obscure reason they might have: I
once got hate as I used spin.js instead of a GIF loader animation. Believe me,
Opera has it good.

------
otikik
Their house, their rules. And they don't sound so crazy to begin with.

------
sitkack
Extensions should be in the clear so we can see them. There is ABSOLUTELY no
reason to minify an extension, they get downloaded once. In this scenario
minification == obfuscation == something to hide.

------
antocv
"Is Opera saying they will do a comprehensive code review on every line of
extensions submitted to their store? Will they require documentation on all
design decisions and processes involved? What about any server-side code?"

Well, duh, yes they will do their best even if they may fall short. Props to
Opera.

------
serge2k
The code is stored on device, correct? Minifying makes no sense.

~~~
MurrayHurps
The code is loaded into every single page that is loaded. Memory usage and
parsing time are affected.

~~~
eropple
This is a _bad_ argument. They are affected by microseconds and kilobytes, in
proportions insignificant compared to the memory usage and parsing time
already required.

As you're the article author, if you're even remotely interested in being
taken seriously (because right now there's less-than-no reason to) it behooves
you to actually _demonstrate_ a perf or memory delta that anybody would notice
in the first place.

~~~
hvidgaard
In this particular context, it shouldn't be the developer's task to minify code
anyway. If the browser engineers deem that there is reasonable speedup to be
gained from minifying extensions, then they should do it as part of the chain
from developer to user.

------
SchizoDuckie
Rejecting it for it might be a bit over the top, but I can imagine that
minifying and linting is just a part of your regular development process.

However, minifying is useless if there is bandwidth overhead (read: file://
URLs.)

I'm really sad though that there's even in the JS community people that are
promoting micro-optimisations like they do in the PHP world..

Opera could just de-uglify the code (and even automate that). Still a
non-argument to decline a deployment IMO.

------
V-2
If this is important, why couldn't Opera itself minify the code when an
extension is added?

------
abcd_f
> Is Opera saying they will do a comprehensive code review on every line of
> extensions submitted to their store?

Clearly, no. But they do probably want to check if your js might be pulling on
some funny URLs behind the user's back.

------
jnardiello
+1000 points for Opera.

