Final Review: allow Shared Modules on stable channel

[Elijah Taylor]

Hi everyone,

ARC (App Runtime for Chrome) and Google Cast API have been using this feature for a long while with shipping products. Hotwording has also recently shipped a Shared Module.  It's been available in dev channel for over a year while we've been iterating on it.

The interface has been stable for months now, so I'd like to make this available to all developers in stable channel in M42.  When this was up for review originally it was decided to restrict to dev channel until it got more internal customers to firm up the API.

Original documentation (it's been updated a bit): https://docs.google.com/document/d/1xBHTyztvZV62uZ_n4oR8bqoy9KAZReGJPC-b8U38ess/edit?usp=sharing

Live documentation: https://developer.chrome.com/extensions/shared_modules

There are a few security related questions around the webstore and malware that should be discussed as part of this review which were brought up in an internal bug: http://b/18904766

Thanks!

-Elijah

[Benjamin Kalman]

From an API perspective it's great to see this launch. My main questions are about update:

- Pushing a bad update could break a lot of extensions/apps, and that would be very damaging. Old news, and there's not a whole lot you can do about that without introducing a lot of complexity, but are there any mitigations in place?

- Is there a way for shared module developers to push out trial or dogfood versions of their modules, or at least test their changes locally?

[Elijah Taylor]

On Tue, Feb 3, 2015 at 2:42 PM, Benjamin Kalman <kal...@chromium.org> wrote:

From an API perspective it's great to see this launch. My main questions are about update:

- Pushing a bad update could break a lot of extensions/apps, and that would be very damaging. Old news, and there's not a whole lot you can do about that without introducing a lot of complexity, but are there any mitigations in place?

Not really.  One of the only things I can think about on the client side is to keep around old versions of shared modules side-by-side and somehow allow apps/extensions to use the older one.  Anything else I think involves keeping around many versions in the store and special logic to request specific versions of Shared Modules.  All of these are cumbersome.

The individual app/extension developer can potentially bundle an older version of a Shared Module's resources directly into their extension, as long as they have the right to distribute those files, but otherwise I think this is just the kind of relationship they're entering into if they're using a 3rd party Shared Module.

 

- Is there a way for shared module developers to push out trial or dogfood versions of their modules, or at least test their changes locally?

What we've done occasionally on ARC is to override a webstore version with a local unpacked version (with a "key" manifest field to match IDs).  To get back on the webstore version is a bit of a pain because we disable manual uninstall for Shared Modules, you have to get rid of all dependent extensions to clear it out.  There's an old bug filed about this that hasn't been tackled: http://crbug.com/274847

[Elijah Taylor]

Hi everyone,

It's been 2 weeks with no comments, just wondering what the timeline normally is for security review and approval for something like this (moving an existing dev feature to stable).  What are the next steps?

-Elijah

On Tue, Feb 3, 2015 at 8:01 AM, Elijah Taylor <elijah...@chromium.org> wrote:

[Benjamin Kalman]

You should have a launch bug with various labels awaiting approval.

[Elijah Taylor]

Filed (thanks Josh!): https://code.google.com/p/chromium/issues/detail?id=459742

[Adrienne Porter Felt]

Make sure to fill out the surveys at the bottom of the launch bug too. :)

[Elijah Taylor]

I always forget some mundane detail :)

Done

[Daniel Herr]

The bug (crbug.com/459742) is private. Did this happen? In what release?

[Benjamin Kalman]

It should be in stable channel now, actually.

[Daniel Herr]

In 42? The CAEDT gives me an error "'export' is not allowed for specified extension ID", without an extension whitelist. The docs say no whitelist should allow any extension to import it.

[Benjamin Kalman]

No, 43. It just went stable.

[Daniel Herr]

I guess that explains it. I'm on 42. Waiting for the Chrome OS version. Also, the docs don't say anything about export.resources, which is in the android app runtime.

[Elijah Taylor]

While this feature is going stable on the Chrome side now/soon, there is a matching change I'm working to push forward on the Chrome Web Store, where uploading Shared Modules is restricted to a whitelist of developers still.  I hope this can be sorted out in the next couple weeks.

On Thu, May 21, 2015 at 6:54 PM, Daniel Herr <danielst...@gmail.com> wrote:

I guess that explains it. I'm on 42. Waiting for the Chrome OS version. Also, the docs don't say anything about export.resources, which is in the android app runtime.

export.resources is deprecated, the only option is to allow all resources to be exported.  We just haven't removed it from ARC yet.

[Daniel Herr]

Alright, will there be an announcement when that happens, or will you post back here?

[Elijah Taylor]

I don't think there will be an announcement, but I will post back here when the webstore side is sorted out (still working on it).

[Daniel Herr]

Export is still not allowed. Any progress?

[Elijah Taylor]

Thanks for the ping, this fell off my radar.  The current status is that it should work for local development on all Chrome channels, but that you still cannot upload these to the webstore.  The main concern is malware and making sure we don't enable a path for undetectable extension malware.  I have put in feature requests with the webstore to implement the minimum requirements to enable this.

[Matt Murphy]

Has this been canceled? Getting export not allowed in the webstore after searching for module functionality as I need to share code between extensions, and finding information about it today. Sorry for bringing up an 18 month old thread, but I can't find any definitive answers elsewhere.

Thanks.