Roadmap » History » Version 30
koszko, 10/24/2022 07:12 PM
1 | 26 | koszko | # Haketilo/Hydrilla Roadmap |
---|---|---|---|
2 | 1 | koszko | |
3 | {{toc}} |
||
4 | |||
5 | 26 | koszko | ## Planned tasks |
6 | This section lists tasks on which efforts are going to concentrate. It is not said that all of those tasks are being worked on at any given point in time. They are just considered to be potentially very beneficial when completed. |
||
7 | 1 | koszko | |
8 | 26 | koszko | ### Distribution of Hydrilla and Haketilo in package managers (#106) |
9 | 1 | koszko | |
10 | 20 | koszko | It is beneficial to have tools available in a format specific to various operating system distributions. |
11 | 15 | koszko | While the process of inclusion in official repositories is often a complex and lengthy one, preparing |
12 | 1 | koszko | the actual packages, as is the goal of this task, is a good first step to making that happen. |
13 | |||
14 | 26 | koszko | ##### To do |
15 | 4 | koszko | |
16 | 1 | koszko | * .deb packaging of Haketilo and Hydrilla[^3_debian_packaging] |
17 | 5 | koszko | * Nix packaging of Hydrilla |
18 | 4 | koszko | * Pacman PKGBUILDs for Haketilo and Hydrilla |
19 | 26 | koszko | * ~~Guix packaging of Haketilo and Hydrilla~~ |
20 | 4 | koszko | * RPM packaging of Haketilo and Hydrilla |
21 | 23 | koszko | |
22 | 1 | koszko | [^3_debian_packaging]: [APT repository](http://hydrillarepos.koszko.org/apt/) and debian package git branches ([Hydrilla](/projects/hydrilla/repository/hydrilla?rev=debian-debian) and [Hydrilla builder](/projects/hydrilla/repository/hydrilla-builder?rev=debian-debian)) |
23 | 4 | koszko | |
24 | 26 | koszko | ### Development of Hydrilla website part (#35) |
25 | 1 | koszko | |
26 | 22 | koszko | A project's website makes its first impression, and therefore deserves special care. In our case the |
27 | 23 | koszko | website will be part of our software Hydrilla. |
28 | 4 | koszko | |
29 | 26 | koszko | ##### To do |
30 | 4 | koszko | |
31 | 1 | koszko | * planning a site structure |
32 | * designing a landing page |
||
33 | * cross-reference with Hydrilla to ensure uniformity of design and compatibility with the on-disk format |
||
34 | * crafting of text, graphics, and any other media |
||
35 | 4 | koszko | * assembly of website |
36 | |||
37 | 26 | koszko | ### Permissions system for Haketilo-supplied resources (#73) |
38 | 1 | koszko | |
39 | Custom, user-supplied resources Haketilo may deploy on viewed pages might require looser |
||
40 | restrictions than those normally employed on pages. Or, they might allow for tighter security |
||
41 | mechanisms to be employed. |
||
42 | 4 | koszko | |
43 | 26 | koszko | ##### To do |
44 | 4 | koszko | |
45 | 1 | koszko | * specification of a new revision of Hydrilla API and on-disk format with permissions support[^6_hydrilla_api] |
46 | 26 | koszko | * facility to limit domains for which a Haketilo-supplied script is allowed to perform unrestricted HTTP requests |
47 | 1 | koszko | * facility to specify what custom Content Security Policy should be used on a given pages (#88) |
48 | |||
49 | [^6_hydrilla_api]: [commit 7206db45f277c10c34d1b7ed9bd35343ac742d30](/projects/hydrilla/repository/hydrilla-json-schemas/revisions/7206db45f277c10c34d1b7ed9bd35343ac742d30) |
||
50 | |||
51 | 26 | koszko | ### Further means of user-controlled customization of sites (#108) |
52 | 1 | koszko | |
53 | 4 | koszko | Besides the initial function of replacing sites' JavaScript it is also desired to facilitate supplying |
54 | 16 | koszko | additional data (e.g. images) and replacing other site components. |
55 | 4 | koszko | |
56 | 26 | koszko | ##### To do |
57 | 4 | koszko | |
58 | * facility to make arbitrary bundled data files accessible to Haketilo-supplied scripts (#69) |
||
59 | 24 | koszko | * facility to replace the entire interface of a web page with user-supplied HTML (#70) |
60 | * facility to add user-supplied CSS to a web page |
||
61 | 1 | koszko | * facility to add user-supplied fonts to a web page |
62 | |||
63 | 26 | koszko | ### 50 sample site resources for Haketilo (#109) |
64 | 4 | koszko | |
65 | 1 | koszko | To build the community its purpose depends on, Hydrilla must be clearly ready for use. This |
66 | requires a representative, well-stocked library of packages. |
||
67 | |||
68 | 26 | koszko | ##### To do |
69 | 1 | koszko | |
70 | 4 | koszko | * guide describing how to make and contribute custom site resources to Hydrilla |
71 | 1 | koszko | * at least 5 alternative site interfaces |
72 | * JavaScript of at least 10 free/libre web tools (like Etherpad, Ethercalc) repackaged to be run in a user-controlled way from Haketilo |
||
73 | 4 | koszko | * at least 50 different custom site resources in total |
74 | 1 | koszko | |
75 | 26 | koszko | ### Localization of Haketilo and Hydrilla |
76 | 1 | koszko | |
77 | To truly empower to web users all over the world, Haketilo, Hydrilla, and all associated materials |
||
78 | 24 | koszko | must be able to support languages from across the world. |
79 | 1 | koszko | |
80 | 26 | koszko | ##### To do |
81 | 4 | koszko | |
82 | 24 | koszko | * automatic content language negotiation on Hydrilla pages and the website |
83 | * language selection option on Hydrilla pages and the website |
||
84 | 1 | koszko | * internationalization of Haketilo (#51) |
85 | * language selection option in Haketilo |
||
86 | * Polish translation |
||
87 | |||
88 | 26 | koszko | ### Tighter testing of Haketilo |
89 | 1 | koszko | |
90 | 26 | koszko | Testing in multiple browser environments can help catch problems. |
91 | 4 | koszko | |
92 | 26 | koszko | ##### To do |
93 | 1 | koszko | |
94 | 26 | koszko | * automated tests under each supported extension platform with at least 1 Firefox-based and Chromium-based platform |
95 | * integration tests of communication between Haketilo and a Hydrilla instance |
||
96 | 1 | koszko | |
97 | 26 | koszko | ### Tooling for building of site resources |
98 | 4 | koszko | |
99 | 26 | koszko | Simple scripts don't require building before distribution. Wasm modules and bigger libraries do. We could benefit from a well-defined way of accessing the sources and repeating the build process. |
100 | 1 | koszko | |
101 | 26 | koszko | Hydrilla builder currently allows contents of APT packages to be reused in Haketilo packages. This already partially achieves the goal, since APT/Debian have a well-defined way of building packages. On the other hand, it might be more practical to instead use GNU Guix for the tasks as its package definitions can usually be contained inside a single file and it has a friendlier learning curve. |
102 | 1 | koszko | |
103 | 26 | koszko | ##### To do |
104 | 1 | koszko | |
105 | 26 | koszko | * specification of new version of Haketilo source package format which gives ability to specify other programs the build process depends on |
106 | * Hydrilla builder functionality to automatically build a Haketilo source package |
||
107 | ### Package signing in Haketilo and Hydrilla |
||
108 | 1 | koszko | |
109 | 26 | koszko | Haketilo uses encrypted HTTPS connections to query Hydrilla API. However, to boost the security |
110 | and enable use of mirrors, we plan to also use PGP signatures on site resources served. |
||
111 | 1 | koszko | |
112 | 26 | koszko | ##### To do |
113 | 1 | koszko | |
114 | 26 | koszko | * specification of a new revision of Hydrilla API and on-disk format with PGP signatures support |
115 | * tool for batch signing of site resources |
||
116 | * Hydrilla support for serving PGP signatures |
||
117 | * Haketilo support for downloading and verifying PGP signatures |
||
118 | * facility to manage trusted public keys within Haketilo |
||
119 | 1 | koszko | |
120 | 26 | koszko | ### Support for custom meta-sites in Haketilo/Hydrilla |
121 | 1 | koszko | |
122 | 26 | koszko | Allowing users to modify pages loaded by their browsers is our goal. Allowing them to aggregate |
123 | content from many sites on one page is a natural extension of it. Just as is allowing them to run |
||
124 | static web apps without having to trust some website serving them. |
||
125 | 4 | koszko | |
126 | 26 | koszko | ##### To do |
127 | 1 | koszko | |
128 | 26 | koszko | * specification of a new revision of Hydrilla API and on-disk format with meta-sites support |
129 | * support for meta-sites in Hydrilla and Haketilo (#72) |
||
130 | 4 | koszko | |
131 | 26 | koszko | ### REUSE specification compliance |
132 | 4 | koszko | |
133 | 26 | koszko | License terms of software projects' files should be unambiguous and easy to analyze by humans |
134 | and computers alike. Compliance with the REUSE specification helps ensure that. |
||
135 | 1 | koszko | |
136 | 26 | koszko | ##### To do |
137 | 1 | koszko | |
138 | 26 | koszko | * ~~REUSE compliance in Haketilo&Hydrilla repository~~ (done) |
139 | * REUSE compliance in project website repository |
||
140 | * ~~REUSE compliance in custom site resources repository(ies)~~ (done) |
||
141 | 4 | koszko | |
142 | 30 | koszko | ### Post/Redirect/Get in Haketilo pages |
143 | 29 | koszko | [Post/Redirect/Get](https://en.wikipedia.org/wiki/Post/Redirect/Get) (PRG for short) is a common web development design pattern that makes navigation more convenient to users. It is not currently employed in Haketilo but it is something that should definitely be included in the plans. |
144 | |||
145 | 26 | koszko | ## Extra task ideas |
146 | This section lists tasks that could be considered in the future but which are not currently being worked on. In general, tasks on this list are considered to have higher amount-of-work:usefulness ratio than those in the [[#Planned tasks|Planned tasks]] section. |
||
147 | 1 | koszko | |
148 | 27 | koszko | ### Upstream proxy configurable through Haketilo UI |
149 | 28 | koszko | It is currently possible to use [proxychains-ng](https://github.com/rofl0r/proxychains-ng) to tunnel Haketilo traffic through yet another proxy. This can be for example a [Tor](https://www.torproject.org/) SOCKS proxy. Chaining Haketilo with other proxies could be made more convenient, especially for non-technical users. It can be achieved for example by integrating proxychains into Haketilo as a dependency. |
150 | 27 | koszko | |
151 | 26 | koszko | ### Haketilo site resources available as GreaseMonkey user scripts (when applicable) |
152 | Haketilo in general aims to do something different than GreaseMonkey does. Despite that, some scripts distributed through Hydrilla could probably be also useful to GreaseMonkey users. |
||
153 | 1 | koszko | |
154 | 26 | koszko | ### More thorough documentation of Haketilo and Hydrilla internals |
155 | 17 | koszko | |
156 | With codebase refactored and stabilized, a worthy thing is to have it properly described for others |
||
157 | 1 | koszko | to hack on. |
158 | |||
159 | 26 | koszko | ##### To do |
160 | 4 | koszko | |
161 | 1 | koszko | * graphical diagram(s) describing execution contexts in Haketilo and the way scripts running in various context communicate |
162 | 4 | koszko | * graphical diagram(s) describing the algorithm for querying by Haketilo URL patterns |
163 | 1 | koszko | * comprehensive description of strategies employed and APIs used for replacing scripts and CSP in Haketilo |
164 | * graphical diagram describing how entities (resources, mappings, licenses) depend on each another |
||
165 | * docstring documentation of every Python function |
||
166 | * HTML documentation generated from Python source code |
||
167 | 26 | koszko | * ~~JSDoc description of every Haketilo JavaScript function exported from file~~ (not applicable to Haketilo proxy) |
168 | * ~~HTML documentation generated from JavaScript source code~~ (not applicable to Haketilo proxy) |
||
169 | 1 | koszko | |
170 | 26 | koszko | ### Sample meta-sites for Haketilo/Hydrilla |
171 | 4 | koszko | |
172 | 26 | koszko | Running a static webapp like litewrite by visiting its website relies on the security of TLS and |
173 | network connectivity. Having it packaged as a separate browser extension requires giving it |
||
174 | excessive permissions. Running it from an HTML file is inconvenient. |
||
175 | 4 | koszko | |
176 | 26 | koszko | ##### To do |
177 | 1 | koszko | |
178 | 26 | koszko | * at least 5 existing webapps packaged as meta-sites |
179 | * at least 5 meta-sites aggregating content from various client websites |
||
180 | 4 | koszko | |
181 | 26 | koszko | ### User upload of custom site resources to Hydrilla website |
182 | 4 | koszko | |
183 | 26 | koszko | To be able to easier gather and share custom site resources within the community, we need a |
184 | user-friendly platform. |
||
185 | 4 | koszko | |
186 | 26 | koszko | ##### To do |
187 | 4 | koszko | |
188 | 26 | koszko | * registrations on a Hydrilla instance |
189 | * upload of custom site resources to a Hydrilla instance |
||
190 | * facility to easily and efficiently moderate the content uploaded by users |
||
191 | 4 | koszko | |
192 | 26 | koszko | ### Facility for setting up Hydrilla repository mirrors |
193 | 1 | koszko | |
194 | 26 | koszko | While allowing users to set up independent instances of Hydrilla gives them greater control over |
195 | site content they use, it does not by itself increase the robustness and maximum throughput of |
||
196 | Hydrilla platform. Enabling the use of mirrors does. |
||
197 | 4 | koszko | |
198 | 26 | koszko | ##### To do |
199 | 1 | koszko | |
200 | 26 | koszko | * support for setting up and automatically synchronizing Hydrilla mirrors |
201 | * support for announcing available mirrors in Hydrilla |
||
202 | * support for fetching repository mirrors list in Haketilo |
||
203 | * support for distributing requests over multiple repository mirrors in Haketilo |
||
204 | * documentation |
||
205 | 4 | koszko | |
206 | 26 | koszko | ### Self-documented Haketilo |
207 | 4 | koszko | |
208 | 26 | koszko | Now matter how user-friendly the graphical interface is, an explanation of some of the concepts |
209 | might be needed. The next step, after having the documentation available on the project website, |
||
210 | is bundling it with the extension itself. |
||
211 | 4 | koszko | |
212 | 26 | koszko | ##### To do |
213 | 4 | koszko | |
214 | 26 | koszko | * ~~Haketilo popup self-documented inline~~ (not applicable to Haketilo proxy) |
215 | * Haketilo settings page self-documented inline |
||
216 | * documentation included as extension-bundled HTML pages |
||
217 | 4 | koszko | |
218 | 26 | koszko | ### Automatic generation of independent browser extensions from Haketilo site resources |
219 | 4 | koszko | |
220 | 26 | koszko | Haketilo's rich feature set might also be an inconvenience. It may be overwhelming or irritating to |
221 | some users and has a higher risk of breaking with newer browser versions than a simple extension |
||
222 | would have. Thus, an option to install just a single Haketilo resource in the browser would be |
||
223 | useful. |
||
224 | 4 | koszko | |
225 | 26 | koszko | ##### To do |
226 | 4 | koszko | |
227 | 26 | koszko | * automatic generation of Firefox WebExtensions from Haketilo site resources |
228 | * automatic generation of Chromium ManifestV3 WebExtensions from Haketilo site resources |
||
229 | 4 | koszko | |
230 | 26 | koszko | ### Facility to automatically convert page's "native" scripts to a Haketilo resource (#6) |
231 | 4 | koszko | |
232 | 26 | koszko | Haketilo gives users control over scripts being executed on a given web page. The scripts to be |
233 | used need to be defined in Haketilo as a resource. Doing this manually might be time-consuming |
||
234 | for a user who aims to use mostly the same JavaScript a website normally serves, but served from |
||
235 | within Haketilo. |
||
236 | 4 | koszko | |
237 | 26 | koszko | ##### To do |
238 | 4 | koszko | |
239 | 26 | koszko | * automatic conversion of page's inline scripts in a Haketilo resource |
240 | * inclusion of page's external scripts in generated resource |
||
241 | * inclusion of page's intrinsic JavaScript events in generated resource (#7) |
||
242 | * displaying warnings when a site's JavaScript is known to use mechanisms that might stop |
||
243 | such automatic package from working properly |
||
244 | 4 | koszko | |
245 | 26 | koszko | ### Support for building Hydrilla and Haketilo using Autotools |
246 | 4 | koszko | |
247 | 26 | koszko | The specificity of Haketilo and Hydrilla means a complex build system like Autotools is not |
248 | necessary. It could, however, be added as optional to supplement the Python build system used. |
||
249 | 4 | koszko | |
250 | 26 | koszko | ##### To do |
251 | 4 | koszko | |
252 | 26 | koszko | * Haketilo&Hydrilla buildable with Autotools |
253 | * Haketilo&Hydrilla out-of-source builds possible |
||
254 | 4 | koszko | * Haketilo&Hydrilla tarball producible with a make rule |
255 | |||
256 | 26 | koszko | ## Completed tasks |
257 | Section title leaves no need for additional explanation. |
||
258 | 4 | koszko | |
259 | 26 | koszko | ### Haketilo and Hydrilla 1.0 pre-release (#103) |
260 | Some big code changes to land in Haketilo and Hydrilla 1.0 will be available in a pre-release. The |
||
261 | pre-release will be made before delivery of several other side artifacts planned for 1.0. |
||
262 | 4 | koszko | |
263 | 26 | koszko | ##### To do |
264 | * ~~project plan~~[^1_prplan] |
||
265 | * ~~tentative software bill of materials~~[^1_bom_haketilo][^1_bom_hydrilla] |
||
266 | * ~~use of registerContentScript API in Firefox Haketilo port~~ (#92)[^1_haketilo_buildable_again] |
||
267 | * ~~move to the new Hydrilla JSON API prototyped at [https://hydrillabugs.koszko.org/projects/hydrilla/wiki/Repository_API |
||
268 | ](/projects/hydrilla/wiki/Repository_API)~~[^1_haketilo_buildable_again] |
||
269 | * ~~most WebExtension storage.local uses replaced with IndexedDB~~ (#98)[^1_haketilo_buildable_again] |
||
270 | * ~~Python implementation of Hydrilla~~[^1_python_hydrilla] |
||
271 | 4 | koszko | |
272 | 26 | koszko | [^1_prplan]: [[Roadmap|this very document]] |
273 | [^1_bom_haketilo]: [[Haketilo Software Bill of Materials]] |
||
274 | [^1_bom_hydrilla]: [[hydrilla:Hydrilla Software Bill of Materials]] |
||
275 | [^1_haketilo_buildable_again]: [commit 4c6a2323d90e9321ec2b78e226167b3013ea69ab](/projects/haketilo/repository/haketilo/revisions/4c6a2323d90e9321ec2b78e226167b3013ea69ab) |
||
276 | [^1_python_hydrilla]: [Hydrilla](/projects/hydrilla/repository/hydrilla) and [Hydrilla builder](/projects/hydrilla/repository/hydrilla-builder) repositories |
||
277 | 4 | koszko | |
278 | 26 | koszko | ### Haketilo and Hydrilla 1.0 release (#104) |
279 | This will be the first release since receiving the NLnet grant and the first non-demo |
||
280 | release, hence it includes many improvements in various fields. |
||
281 | 4 | koszko | |
282 | 26 | koszko | ##### To do |
283 | * ~~basic automated Haketilo tests using Selenium and a Firefox-based web browser~~ (#66) |
||
284 | * ~~JSON schemas describing Hydrilla on-disk resource format, Hydrilla HTTP API and other JSON interfaces in use~~[^2_schemas_repo] |
||
285 | * ~~validation of all external JSON data in Haketilo and Hydrilla using included JSON schemas~~ (#105)[^2_schemas_used_haketilo] |
||
286 | * ~~sample Apache2 configuration file for use with Hydrilla~~ (#55)[^2_apache2_configs_added] |
||
287 | * ~~detailed documentation for installation and running of Hydrilla~~ (#55)[^2_hydrilla_user_manual] |
||
288 | * ~~manpage for Hydrilla~~ (#55)[^2_manpages] |
||
289 | 4 | koszko | |
290 | 26 | koszko | [^2_schemas_repo]: [JSON schemas](/projects/hydrilla/repository/hydrilla-json-schemas) repository |
291 | [^2_schemas_used_haketilo]: [commit 57ce414ca81682a71288018a4d9001604002ec23 ](/projects/haketilo/repository/haketilo/revisions/57ce414ca81682a71288018a4d9001604002ec23) |
||
292 | [^2_apache2_configs_added]: [commit ea6afb92048c835752fe1c72ad52f424e2df88a8](/projects/hydrilla/repository/hydrilla/revisions/ea6afb92048c835752fe1c72ad52f424e2df88a8) |
||
293 | [^2_hydrilla_user_manual]: [[hydrilla:User manual]] |
||
294 | [^2_manpages]: [commit 1cb6aaae2055283d04aa0aa581e82addb8049ce4](/projects/hydrilla/repository/hydrilla/revisions/1cb6aaae2055283d04aa0aa581e82addb8049ce4) and [commit 363cbbb6a9fac49a377d8fa13ffede1483feabd5](/projects/hydrilla/repository/hydrilla-builder/revisions/363cbbb6a9fac49a377d8fa13ffede1483feabd5) |
||
295 | 4 | koszko | |
296 | 26 | koszko | ### Development of a user-controlled captcha client (#107) |
297 | 4 | koszko | |
298 | 26 | koszko | Haketilo's goal is to give internet users control over their browsing. Replacing proprietary, |
299 | privacy-hostile client-side programs is part of that. A tool similar to the librecaptcha Python program |
||
300 | is needed, but in the form of a JavaScript library. |
||
301 | 4 | koszko | |
302 | 26 | koszko | ##### To do |
303 | 4 | koszko | |
304 | 26 | koszko | * ~~facility for Haketilo-supplied scripts to bypass CORS~~[^5_bypass_cors] |
305 | * ~~free/libre JavaScript library for solving reCAPTCHA challenges~~[^5_recaptcha_client] |
||
306 | * ~~sample Haketilo resource making use of the library on a chosen website~~[^5_recaptcha_client_sample_script] |
||
307 | 4 | koszko | |
308 | 26 | koszko | [^5_bypass_cors]: [Haketilo release v2.0-beta1](/news/13) |
309 | [^5_recaptcha_client]: [Hacktcha release 2022.6.21](https://git.koszko.org/haketilo-packages/hacktcha/tag/?h=v2022.6.21) |
||
310 | [^5_recaptcha_client_sample_script]: [Hacktcha demo script](https://git.koszko.org/haketilo-packages/hacktcha/tree/captcha-demo.js?h=v2022.6.21) |
||
311 | 4 | koszko | |
312 | 26 | koszko | ### Haketilo LibrePlanet presentation (#110) |
313 | 4 | koszko | |
314 | 26 | koszko | LibrePlanet is a conference organized by the Free Software Foundation (FSF). It is "an opportunity |
315 | to meet and interact with other people with both a technical and non technical background" and to |
||
316 | share experience. |
||
317 | 4 | koszko | |
318 | 26 | koszko | ##### To do |
319 | 4 | koszko | |
320 | 26 | koszko | * ~~applied to LibrePlanet 2022~~ |
321 | * ~~prepared presentation about giving users back the control over web browsing~~ |
||
322 | * ~~made the presentation at LibrePlanet 2022 (if accepted there) or posted a video presentation on Haketilo website (as a fallback case)~~[^lp2022] |
||
323 | 4 | koszko | |
324 | 26 | koszko | [^lp2022]: https://libreplanet.org/2022/speakers/#5790 |
325 | 4 | koszko | |
326 | 26 | koszko | ### Integrity constraints in Haketilo |
327 | 4 | koszko | |
328 | 26 | koszko | One Haketilo custom site resource may depend on another, but initial versions of Haketilo did not |
329 | verify that dependencies are present. This and other sanity checks can be employed. |
||
330 | 4 | koszko | |
331 | 26 | koszko | ##### To do |
332 | 4 | koszko | |
333 | 26 | koszko | * ~~dependency checks when "installing" or upgrading a custom resource in Haketilo~~ |
334 | * ~~dependency checks when removing a custom resource from Haketilo~~ |
||
335 | * ~~facility for cascade removal~~ |
||
336 | * ~~validation of Haketilo URL patterns and other values typed in by the user~~ |
||
337 | 4 | koszko | |
338 | 26 | koszko | ## Tasks that have been put aside |
339 | 4 | koszko | |
340 | 26 | koszko | This section describes tasks that were once in the roadmap but which will not be specifically worked on. Tasks might have landed here for various reasons. It might be that they are too complicated to complete, too far-reaching or that their completion relied on actions of some other party. Regardless of the cause, the tasks are listed here for documentation purposes. |
341 | 4 | koszko | |
342 | 26 | koszko | ### Security vetting of Haketilo and Hydrilla |
343 | 4 | koszko | |
344 | 26 | koszko | As NLNet-funded projects, Haketilo and Hydrilla have the privilege of a security review from |
345 | Radically Open Security. To make use of this opportunity, we will ensure any findings provided are |
||
346 | properly addressed. |
||
347 | 4 | koszko | |
348 | 26 | koszko | ##### To do |
349 | 4 | koszko | |
350 | 26 | koszko | * action on any recommendations or other findings |
351 | * report of how each finding from the vetting was addressed, and why |
||
352 | * note of any key issues in the developer documentation, in order to avoid repetition in the future |
||
353 | 4 | koszko | |
354 | 26 | koszko | ### Accessibility vetting of Haketilo and Hydrilla |
355 | 4 | koszko | |
356 | 26 | koszko | To empower every web user, Haketilo and Hydrilla must support the interfaces they need. |
357 | 4 | koszko | |
358 | 26 | koszko | ##### To do |
359 | 4 | koszko | |
360 | 26 | koszko | * action on any recommendations or other findings |
361 | * report of how each finding from the vetting was addressed, and why |
||
362 | * note of any key issues in the developer documentation, in order to avoid repetition in the future |
||
363 | * certified WCAG accessible |
||
364 | 4 | koszko | |
365 | 26 | koszko | ### Manifest V3 Haketilo port |
366 | 4 | koszko | |
367 | 26 | koszko | Although highly controversial, the Manifest V3 extension format seems unavoidable. |
368 | 4 | koszko | |
369 | 26 | koszko | ##### To do |
370 | 4 | koszko | |
371 | 26 | koszko | * background page replaced with Service Workers |
372 | * blocking webRequest operations replaced with declarativeNetRequest |
||
373 | * Haketilo working under a Chromium-based browser as a Manifest V3 extension |
||
374 | 4 | koszko | |
375 | 26 | koszko | ### Easier content management and editing within Haketilo (I) |
376 | 4 | koszko | |
377 | 26 | koszko | Easy configuring and editing of site resource bundles is Haketilo's raison d'être. To definitively |
378 | meet this expectation, any shortcomings must be identified and rethought. |
||
379 | 4 | koszko | |
380 | 26 | koszko | ##### To do |
381 | 4 | koszko | |
382 | 26 | koszko | * testing with untrained users/consultation with "UX experts" |
383 | * identified annoying quirks/problems |
||
384 | * comparison with UIs of similar extensions |
||
385 | * designed alternatives to identified problems |
||
386 | * user interface mock |
||
387 | * a compiled plan for UI changes |
||
388 | 4 | koszko | |
389 | 26 | koszko | ### Easier content management and editing within Haketilo (II) |
390 | 4 | koszko | |
391 | 26 | koszko | The previously compiled plan and carefully-prepared user interface mocks will direct the |
392 | implementation efforts. |
||
393 | 4 | koszko | |
394 | 26 | koszko | ##### To do |
395 | 4 | koszko | |
396 | 26 | koszko | * new Haketilo settings page interface implementation following the plan |
397 | * new Haketilo popup page implementation following the plan |
||
398 | * automated Haketilo GUI tests |
||
399 | 4 | koszko | |
400 | 26 | koszko | ### Haketilo build system runnable from the browser |
401 | 4 | koszko | |
402 | 26 | koszko | For portability of Haketilo's POSIX shell-based build system we avoided depending on Node.js, |
403 | NPM and similar tools. However, an even more portable alternative exists - to contain the build |
||
404 | system inside a standalone HTML page. |
||
405 | 4 | koszko | |
406 | 26 | koszko | ##### To do |
407 | 4 | koszko | |
408 | 26 | koszko | * JavaScript-based build system in an HTML page (#47) |
409 | * facility to run the JavaScript-based build system from the command line |
||
410 | 4 | koszko | |
411 | 26 | koszko | ### Further development of Hydrilla platform |
412 | |||
413 | Users should be able to share not only custom site resources but also their opinions about them. |
||
414 | |||
415 | ##### To do |
||
416 | |||
417 | * support for user comments |
||
418 | * support for user ratings |
||
419 | * support for flagging site resources that are broken or have other issues |
||
420 | * development of comment quality control systems and policies |
||
421 | |||
422 | ### 150 sample site resources for Haketilo |
||
423 | |||
424 | 4 | koszko | To maintain community growth and participation, Hydrilla's collection must be visibly alive and |
425 | evolve with Haketilo's feature set. |
||
426 | |||
427 | 26 | koszko | ##### To do |
428 | 4 | koszko | |
429 | * at least 20 alternative site interfaces |
||
430 | * at least 20 existing webapps packaged as meta-sites |
||
431 | * at least 150 custom site resources in total |
||
432 | |||
433 | 26 | koszko | ### 200 sample site resources for Haketilo |
434 | 16 | koszko | |
435 | 4 | koszko | To maintain community growth and participation, Hydrilla's collection must be visibly alive and |
436 | evolve with Haketilo's feature set. |
||
437 | |||
438 | 26 | koszko | ##### To do |
439 | 4 | koszko | |
440 | * at least 20 accessibility-improving site changes |
||
441 | * at least 10 meta-sites aggregating content from various client websites |
||
442 | * at least 200 custom site resources in total |
||
443 | |||
444 | 26 | koszko | ### Automated building of Haketilo source packages uploaded to Hydrilla |
445 | 4 | koszko | |
446 | Requiring packagers to upload compiled code places an extra burden on them, and complicates |
||
447 | reproducibility. Hydrilla should be able to build from source packages. |
||
448 | |||
449 | 26 | koszko | ##### To do |
450 | 4 | koszko | |
451 | * Hydrilla automated resource builds feature |
||
452 | * security consultation of the feature |
||
453 | |||
454 | 26 | koszko | ### Displaying Hypothesis annotations for given site |
455 | 4 | koszko | |
456 | Haketilo makes site resources for websites you visit available in only a few clicks. It would be |
||
457 | useful to have the same capacity for comments. The established, libre https://hypothes.is/ provides |
||
458 | a framework for this. |
||
459 | |||
460 | 26 | koszko | ##### To do |
461 | 4 | koszko | |
462 | * support for displaying current site's Hypothesis annotations in the popup |
||
463 | * support for adding adding Hypothesis annotations in Haketilo |
||
464 | |||
465 | 26 | koszko | ### Use of a standalone JavaScript engine to perform unit tests in Haketilo |
466 | 4 | koszko | |
467 | A Selenium-driven web browser is currently used to test parts of Haketilo. Those tests that don't |
||
468 | rely on browser APIs could as well be run outside of browser which would save time during tests. |
||
469 | |||
470 | 26 | koszko | ##### To do |
471 | 4 | koszko | |
472 | * selected the JavaScript engine to use for testing |
||
473 | * facilitated writing Haketilo tests against the chosen engine |
||
474 | * applicable existing tests modified to be run without a web browser |
||
475 | |||
476 | 26 | koszko | ### Supplemental anti-bot measures in Hydrilla |
477 | 4 | koszko | |
478 | Limiting the number of allowed registrations and content uploads is our planned basic way to |
||
479 | prevent Hydrilla instances from being harmed by automated requests. Another measures can be |
||
480 | added to further improve platform's resilience. |
||
481 | |||
482 | 26 | koszko | ##### To do |
483 | 4 | koszko | |
484 | * email-verified registrations |
||
485 | * selected an ethical, privacy-friendly captcha solution |
||
486 | * implementation of the chosen captcha solution |
||
487 | |||
488 | 26 | koszko | ### Support for external user authentication mechanisms in Hydrilla |
489 | 4 | koszko | |
490 | It should be possible to run Hydrilla as part of a bigger web service. Users should be able to use |
||
491 | the same set of credentials for logging in in various parts of such service. |
||
492 | |||
493 | 26 | koszko | ##### To do |
494 | 4 | koszko | |
495 | * selected an authentication mechanism to support |
||
496 | * implementation of the feature |
||
497 | |||
498 | 26 | koszko | ### Evaluation of non-WebExtension platforms for the purpose of porting Haketilo |
499 | 4 | koszko | |
500 | WebExtensions are really a convenient platform for developing software that empowers users. But |
||
501 | this platform is also tightly controlled by big organizations and has some serious limitations and |
||
502 | shortcomings. |
||
503 | |||
504 | 26 | koszko | ##### To do |
505 | 4 | koszko | |
506 | * evaluation of existing Webkit-based browsers |
||
507 | * evaluation of XUL extensions platform still used in some Firefox forks |
||
508 | * prepared evaluation report |
||
509 | |||
510 | 26 | koszko | ### Development of the first non-WebExtension Haketilo port |
511 | 4 | koszko | |
512 | Users suffer a vendor lock-in with few mainstream web browsers. Lack of their favorite extensions |
||
513 | is what stops them from switching to more user-controlled alternatives. Haketilo should not |
||
514 | contribute to that problem. |
||
515 | |||
516 | 26 | koszko | ##### To do |
517 | 4 | koszko | |
518 | * selection of a target platform based on previous evaluation |
||
519 | * specification of tasks |
||
520 | * development roadmap |
||
521 | * prototype |
||
522 | * automated tests |
||
523 | * developer documentation |
||
524 | * user documentation |