Let’s talk straight with our users
Users of Eclipse trust in its quality. But what happens when they install additional plug-ins that are not part of the original download package? We tend to say that plug-ins only add to the installed system, but by saying so we’re actually spreading a myth:
“Adding plug-ins to an Eclipse install does not affect anything that is already installed.”
This simplest way to falsify this myth is by installing two plug-ins that together produce a deadlock. Each plug-in in isolation may work just perfect, but adding the other will cause Eclipse to freeze.
No zero-risk software install
Sure, in the absence of any correctness proofs, we can never be sure that adding one more plug-in to an already complex system will not break anything. Concurrency is just one of the most cumbersome issues to get right. Other reasons exist, why installing more is not always better.
Install-time risk assement
Actually, the p2 UI already distinguishes two kinds of installs: signed and unsigned artifacts, and warns the user when unsigned content is about to be installed. This is great, because now the user can decide whether s/he accepts unsigned content or not.
But this question is just the tip of the iceberg.
Behind the scenes of p2
When you tell p2 to install a given feature a number of things can happen that a normal user will not be aware of:
- Additional required software may be pulled in, possibly from different projects / vendors / repositories
- New features may replace existing plug-ins (patch features).
- Installation may trigger touchpoint actions that modify central parts of the system
- Installed plug-ins may access non-public classes and members of existing plug-ins
- New plug-ins may hook into the Equinox framework (adaptor hooks)
- New plug-ins can weave into the bytecode of existing plug-ins.
Is this bad?
Don’t get me wrong: I believe all these ways of influencing the installation are very useful capabilities for specific goals (and Object Teams utilizes several of those). However, we may want to acknowledge that users have different goals. If you need to be 100% sure that installing a plug-in does not delete anything on your hard disk you will not be happy to learn about the touchpoint instruction “remove”, while apparently others think this a cool feature.
Touchpoint actions have no ethical value, neither good nor bad.
Negotiation over rules
Drawing the line of how a plug-in may affect the rest of the system can be done up-front, by defining rules of conduct. Thou shalt not use internal classes; thou shalt only add, never modify etc. But that would impose a one-size-fits-all regime over all plug-ins to be published, and installations that can or cannot be created from published plug-ins. This regime would never equally suite the anxious and the daring, users with highest security constraints and users loving to play around with the newest and coolest.
Better than one size would be two sizes (conservative & bleeding edge), but then we still wouldn’t meet en par with our users, with all their shades of goals (and fears). Instead of imposing rules I suggest to enter negotiation with our users. By that I meen:
- Really tell them what’s in the boxes
- Let them decide which boxes to install
Proposing: Install capabilities
I could think of a concept of install capabilities at the core of a solution:
- Each artifact may declare a set of non-standard capabilities required for installing, which could include all items from the above list (and more)
- During install a security/risk report will be presented to the user mentioning (a summary of) all capability requests
- Based on that report a user can select which requests to accept, possibly blocking risky plug-ins from installing
- The runtime should enforce that no feature/plug-in uses any install capabilities which it didn’t declare
In this context I previously coined the notion of Gradual Encapsulation including a more elaborate model of negotiation.
More specifically I filed bug 316702. Where I’d love to read some comments.
I strongly feel it’s time to talk straight to our users: adding new artifacts to an existing Eclipse install is not always purely additive. Installation can indeed modify existing parts. In an open-source community, we should tell our users what modifications are requested, what potential risks are associated with a given artifact. They are grown-up and able to decide for themselves.