Random musings on mobile software development...
Sorcery-ltd | 24 May, 2008 16:28
In my last post I talked about a smart new S60 application and its implications for Symbian Signing and platform security. I said I'd talk about the other part of Symbian Signing, application quality, in my next post... so here it is already.
My personal opinion is that what is currently Symbian Signed should have absolutely NOTHING to do with application quality. It should be entirely about identity and trust. In addition to this I do believe there should be a signing program that is ALL about application quality. Here's why: the current system basically assumes that there are developers and there are dumb users and nothing in between. There is a quality gate that can actually prevent you from properly distributing many types of application. In the real world there is a sliding scale of user knowledge from the very advanced power-user to those who've never used a computer or smartphone before and have no idea what software really is or what it can do. Where those different groups of users discover content is likely to be very different. Software published in some places is unlikely to be found by anyone but the enthusiast - in this way the audience is somewhat self-selecting. On the other hand, the Download client built into Nokia devices and operator portals should only carry content of an appropriate quality - otherwise there are likely to be serious customer service issues.
For open source and freeware developers, very often it is the advanced users that are in fact the alpha and beta testers. You can't really rely on finding them all before you start testing - you just publish your first vaguely usable version and see who wants to play with it and what feedback they give. That's one of the wonders of the internet - it seems there's almost always someone out there who's interested. Release early and often is one of the major practices in the open source world. The current Symbian Signed program and criteria are incompatible with this practice.
Now, to illustrate my point I want to use the example of my new favourite application on the N800 Internet tablet - Numpty Physics. It's based on the concept for the amazing Crayon Physics. Here's a video showing the gameplay for the upcoming commercial version of that, Crayon Physics Deluxe:
Numpty Physics is listed as "The pearl" on Maemo.org as I write this (which basically means it's a lot of other people's favourite too) and it's publicly stated that it's only beta quality. In fact I've had it crash so badly I had to take the battery off and also the only way to quit is via the 'q' key which is only available on an N810 - oops. Do I care about these issues - no. I love that I can play it now - I'll like it even more when it's finished. If I had the time and inclination I could get involved and help improve it. If I had to download an unsigned package and submit it to a signing portal would I have installed it and then got excited enough to think about getting involved in the project? Almost certainly not.
And that is really my point. What open source and free software projects need are motivated users and developers to easily access them and give them a quick try.
Signing an application just to enable it to be installed on any device should be both free and without restriction (except some kind of identity/trust chain). I'd be happy to sign other people's open source projects after fairly limited contact with them (because I can see the code after all - I'm not at all so sure about closed source freeware, I'd want to get to know the developer quite well first) if I didn't then have a legal responsibility for any harm they might do. That responsibility has to rest with the end users that choose to install them.
Application quality should be policed at the point of distribution. That can certainly be via a central signing program; it just shouldn't be the same signing program that gates whether or not an application can be installed on a device at all.
What about security for the end users? Well, I think my last post showed that Symbian Signed doesn't really do much about that anyway.
Any thoughts or suggestions?
Mark
Sorcery-ltd | 25/05/2008, 14:23
Thanks Bogdan, I really hope we get some more progress on this soon too!
Damavik | 26/05/2008, 14:59
You're completely right. Really, very often the existing Symbian Signed stuff throws Symbian developers into a rage :(
nigel.brown | 29/05/2008, 17:17
I agree. I just made a post on a similar topic.
http://blogs.forum.nokia.com/blog/kiran-patels-forum-nokia-blog/testing/2008/05/27/lost-in-the-dark-quality-and-consistency-with-symbian-signed?ticket=ST-25547-e0j2rVijDwHQ9OaX6qse33lZg0ym2jUJKlZ-20
nigel.brown | 29/05/2008, 17:19
The link didn't work, I'll cut n paste:
Yes, in my view there is something slightly wrong with the whole concept.
The way it is all set up the trust relationship is between the Symbian signed and the code. It should be between Symbian signed and the developer.
You can't trust code!
E.g. You write a Trojan which passes all the tests. So, Symbian say they trust this code and allow it on their handsets. Then on July the 4th it deletes all the files it can get its hands on.
It isn't the code that gets slapped in irons and hauled off to a small room at the bottom of the NRC. It is the developer.
You can trust the developers!
They have something to lose. They should be trusted (or not).
But, it is just an opinion.
Sorcery-ltd | 29/05/2008, 17:42
Thanks Nigel, yes, you can't trust code, only developers. Hence the need for Publisher IDs. Now for freeware and open source development even the cost of a Publisher ID is something of a barrier. In many cases it's not really the amount, it's the principle. Why pay to develop on one platform in your free time when you can work on another for free? However, the amount is likely to be an issue in some countries!
Hence the need for some publisher(s) for freeware and open source. However, what would prevent me from doing that would be that I'd become responsible for the application, even though, as you say - it's impossible to provide any tests that would guarantee it isn't malware. Also, I'd currently be responsible for ensuring that this thing someone developed in their free time passes the Symbian Signed criteria - which just isn't reasonable. Particularly considering a lot of the software may be ported and already full of bugs. It's applying a "final release" criteria to something that in many cases has very valid reasons for being immature. The developer won't know whether it's worth putting more effort into the project and improving features and quality until they've made it available for distribution and seen what the interest in it is like.
I could rant about this for hours so I'll stop now.
Mark
Mobile and embedded software developer. Loves technology and loves to help people.
Re: Application Quality & Numpty Physics
bogdan.galiceanu | 24/05/2008, 19:36
Great post, Mark. You make some very good points.
I have to say I agree with pretty much everything you say (not that I disagree with anything, but I find a few issues confusing as I haven't experienced them yet. So don't worry about that).
As a software developer myself, I know the hassle of getting an application that requires certain capabilities signed just to test it. And I do that because it's my responsibility as the person that made the application, but an end-user will most likely just quit after the first encounter with the vicious "Certificate error".
The principles you suggested, allowing non-restricted signing for freeware and open source software and having a "gate" for controlling the quality of commercial software, are very good.
Hope someone with authority in the matter is reading this and will speed up the process of making this system better.
And by the way, that Crayon Physics application is the bomb :)
Best regards,
Bogdan