Integrate Mellowtel into Plasmos Docs

[daniiba]

Dear Plasmo Community,

Given the recent discussion regarding the Mellowtel docs on Plasmo voiced by some users on the discord server and X, we want to bring up this topic to the attention of the broader community for an open discussion. As a disclaimer: I work for Mellowtel.

Summary of what happened so far:
A few weeks ago I created a PR to add an example to Plasmo. I talked to Louis (founder of Plasmo) beforehand and he liked the idea, so he merged it. After further feedback, we have reverted that PR and are starting this discussion here.

Summary of Mellowtel:
Mellowtel is an open source library that developers can decide if they want to import in their plugin or not. If they import it, the library lets users of a browser plugin decide if they want to support the developer of that plugin by sharing their unused internet bandwidth. This is used by companies to access the web in a credentialless environment (e.g to retrieve publicly available data) and they pay for it. A portion of the revenue is shared with developers of the plugin. All users are opted out by default and they have to explicitly opt-in if they want to support the plugin and the developer. Users can change their settings at any time. The library does not collect or sell users data, unlike ads network, since it relies on using a small portion of bandwidth. It does not affect browsing experience or battery life since it requires just enough bandwidth to open an additional incognito tab and it’s optimized (e.g. rate limiting). Anyone can look at the source code on Github and see how it operates.

While we have now over 100 plugins (from a few hundred users to tens of thousands) using the library and tens of developers using and recommending the library, there has been some valid concerns raised by some users in the plasmo community. Feel free to add further points.

Quick summary of the feedback:

• The title of the integration with the Plasma docs is misleading. The title was “Quickstart with Monetization”. The criticism was on the fact that the title made it seem we are the only possible solution to monetize which is obviously not true. Now the title is in line with the others present on the plasma docs (e.g. Quickstart: Supabase, Quickstart: Firebase Auth): Quickstart: Mellowtel
• The documentation of Mellowtel is not explaining the concept well, which looks shady
• The addition of Mellowtel to the docs was not a public discussion and by being in the Plasmo docs it gives the impression of an endorsement

Obviously, our goal is that these docs are beneficial to Plasmo and its community. While some of the feedback provided was based on misinformation, there also has been a lot of good feedback that we will be adding to our own docs. I hope to kick off a discussion about whether to have an example of Mellowtel in the docs and to get opinions from further community members.

So please vote one of the following using the Emojis:

• 👍 Readd the Mellowtel docs to Plasmo, with the title "Quickstart with Mellowtel"
• ❤️ Create a quickstart called "Quickstart with Monetization", where we add different ways for browser plugin developers to earn: Mellowtel and other suggestions from the community on how they were able to earn thanks to their plugin
• 👀 Make changes to Mellowtel or Mellowtels docs before applying again, based on the feedback of plasmos community
• 👎 Don't Add

Would love to hear the community's opinion and we are happy to clarify further, if needed.

EDIT:
This vote is only open for previous Plasmo contributors, all other votes will be ignored

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 29, 2024 6:01pm

[thomasjamesio]

Key points

• Primary purpose is to circumvent rate limiting and IP blocks as admitted by dev in comments
• No transparency for end user on who's buying traffic
• Following from that, no server source, no way to see any safeguards against turning it into malware (ha ha)
• Simply does not belong as a monetization method, because of these reasons and because it's experimental (if the company stops existing, you have no monetization - except maybe turn to sketchier methods)

Timeline of what happened.

• @louisgv (founder of Plasmo) and @daniiba (employee at Mellowtel) talked in private
• add monetization quickstart #127 was made by @daniiba. Titled "Quickstart Guide: Monetisation" that mentioned his own company, without disclosure of author.
• PR was accepted by @louisgv - cofounder of Plasmo Corp alone
• Mellowtel + Plasmo were widely criticised on X by people in the browser ext community including NithurM here and here, me in 2 long posts here and here. The first was RT'd by Cory Doctorow of the EFF (Electronic Frontier Foundation). The feedback was majority negative towards Mellowtel and it's inclusion in Plasmo's docs, from spookyusr + many more across the discord and X. A couple comments Discord by Tbrockman and others who had quick look at code and raised issues.
• @daniiba has made a new PR with the same article under a different title. At this point people have not yet reviewed Mellowtel's code, security, ethics. Or whether it's appropriate for this to be considered at all considering what transpired.

TLDR - PR came VC funded stealth startup Mellowtel, after their last one was overturned for being misleading and community widely criticising / questioning it on X and Discord. Hopefully, some contributors can please weigh in on this. If it is going to be considered at all, I think a vote of contributors should be taken.

"devKingMe, Zecento, louisgv, and ahmadAK07 reacted with thumbs up emoji"

Of the upvotes on the above - Arslan devKingMe founder of Mellowtel, ahmadAK07 (has never contributed or posted to Plasmo), Zecento (Arslan Ali's other company) and @louisgv the cofounder of Plasmo Corp. @daniiba's post above tried to make a fake election and rig it.

This should make it clear what is going on. This should be rejected. And a foundation and charter should be made for Plasmo, so it can't fall prey to grifters like this again. This issue raises big questions for @louisgv and Plasmo as a whole.

[daniiba]

Updated the comment, only previous contributors will be considered like said in discord.

There is no time limit on this vote yet, so I think people will have enough time to go through mellowtels code and give feedback.
If you want we can also specify a time limit, what do you suggest? @thomasjamesio

[deavial]

This shouldn't be in the codebase in the first place. If a developer wants it, they should have instructions to add it as with any other 3rd party library. It does NOT belong in the core codebase. Pasmo has one job and one job only, to be the foundation tool for extension development. It is not to add functionality such as monetization or third party integrations.

[daniiba]

This shouldn't be in the codebase in the first place. If a developer wants it, they should have instructions to add it as with any other 3rd party library. It does NOT belong in the core codebase. Pasmo has one job and one job only, to be the foundation tool for extension development. It is not to add functionality such as monetization or third party integrations.

This is about adding instructions to add mellowtel, similar to how there are instructions on how to integrate with other 3rd party libraries like supabase, firebase, stripe and Google analytics.

[martenmatrix]

wxt.dev 🧩🚀

[tbrockman]

Thoughts

Without considering the history/background/motivations of the authors (of which I'm not personally familiar):

• I don't think it's appropriate to list guides which encourage extension developers to make questionable security decisions that they very likely don't have the full context and understanding to be making
• We also shouldn't be encouraging extension development practices that will normalize extension users to expect extensions to request host permissions on every webpage

The goal of the framework (and documentation) should be to make it easier for developers to follow best practices, not promote authors to inject potential security vulnerabilities and cryptominers into their apps. Asking for more permissions than necessary will likely hurt developers app adoption, and if your app isn't profitable without turning it into a vector for someone else to profit off of your users compute resources (and IP reputation), maybe you don't have a viable business and need to rethink your approach.

Who benefits from the guide being available in Plasmo docs? Does Plasmo get anything from explicitly condoning the library by including it as a guide? I don't think so. If anything, it seems to open up Plasmo to criticism, while Mellowtel gains publicity, legitimacy, and better SEO.

I think regardless of whether the authors are acting in good faith that this is a decision that would reflect poorly on Plasmo, with no real benefit for the project. Mellowtel can have their own guide on how to integrate their library that extension authors can seek out if they want to, there's no compelling reason Plasmo needs to house it if it's contentious.

Questions

It does not affect browsing experience or battery life since it requires just enough bandwidth to open an additional incognito tab and it’s optimized (e.g. rate limiting).

Do you have benchmarks to support this claim?

As long as the server remains opaque, and the process for which websites are scraped/what requests are performed on the client isn't transparent, this doesn't seem like a guarantee that you can make that developers have any reason to believe.

A portion of the revenue is shared with developers of the plugin.

How much? What's the break down between what Mellowtel is paid vs. what developers receive?

[louisgv]

I'm cheering for https://wxt.dev -- looks neat!

Regarding the vote, I'm just supportive of builders. Tho I should prob stay neutral on this one, toggled all the options cc @thomasjamesio

[devKingMe]

It's Arslan here, the founder of Mellowtel.

First of all, sorry @louisgv and the Plasmo community for having your reputation and the work you have built over the years questioned and ridiculed because of me.

I started Mellowtel to offer developers, if they wanted to, the opportunity to try to earn something from their plugins thanks to users who decide to support them by opting in and sharing their bandwidth (without stuffing affiliate links, unrelated ads, or having to collect personal data). I designed it only for myself. After talking with other developers who wanted to try it, I decided to release it as an open-source project. I never intended to create a controversy in the community or have people doubting Plasmo or louisgv or Rusty's morality and integrity built over years of work.

I want to make clear that we have never paid or offered any other incentive to lousigv or anyone else to promote Mellowtel. Devs who tried it and learned more about the code are recommending Mellowtel organically because they like it. I don't expect everyone to support the idea, but I think it's not fair to accuse anyone who likes the idea of being morally corrupt or shady.

@thomasjamesio, I'm sorry if you think Mellowtel looks shady. It's my fault because it means I haven't done a good job at explaining what we are trying to do. You are right, and I should explain it more clearly. I will update the website and the docs in the coming days to improve it. But this is why it's open-source, and we are building in public. Thanks to everyone's feedback, we can improve.

Regarding the points you raised: 

1. Yeah, the primary reason why companies are paying for the traffic is to access publicly available data from websites in a reliable and cost-effective way.
2. You are right and we will fix it. We had put the logos of some companies that are buying traffic on Mellowtel's landing page, but we will also put them in the docs/show to end users. The server side requests are mainly coming from Olostep where we vet every company. But different companies have reached out to use Mellowtel and they will access it independently. For example, the Internet Archive has expressed interest in using Mellowtel for their Wayback machine. So, the server side will never be safe as different companies will use it, and even if I checked all of them, I could be a malicious actor who shouldn't be trusted unquestioningly. To build a safe product, we need to put safeguards directly in Mellowtel outside any individual's control. This is why we are using (credentialless iframes). Please also read this blog post from Mozilla to understand how they are a good safety measure to avoid that anyone can turn Mellowtel into a malware to steal data: IFrame_credentialless. Thanks to the discussion and the points raised, we are also integrating a library like Google's SafeSearch API in Mellowtel that will allow the community of developers to add any URL that they want to blacklist so it doesn't get handled. In this way, the whole community can help ensure it's a safe product. 
3. Yes, as I said multiple times Mellowtel is experimental. It's hard to predict the future to say if we will still be here in a few years. I started it as a side project a few months ago and didn't know that so many devs will start using it and recommending it. I hope it can help as many devs as possible, but I can't guarantee anything.

Again sorry @louisgv and the plasmo community for having your reputation being questioned because of me. I'm fine with whatever decision you make that will help you keep building this great product and community. 

If someone wants to chat with me to talk more in detail, I'm happy to do so. Here's my calendar and LinkedIn:

linkedin

calendar

Thanks,

[devKingMe]

@thomasjamesio regarding the vote I will stay neutral too like @louisgv and have voted all options since I'm obviously biased

[devKingMe]

Hey @tbrockman thanks for your thoughtful answer. The issues you have raised are all on point.

On the point of permissions, Mellowtel does not ask devs to ask for more permissions if they have not already requested them. The plugins that integrated already had those permissions. Still, it poses the issue for new plugins being created that might not need host permissions on all_urls to work properly.
Right now it requires the storage and declarativeNetRequest on all urls. We are modifying the code to make sure it can work also on just a few urls so even if a plugin works only on certain domains and they want to use Mellowtel they don’t have to ask their users permissions for all urls.

Regarding your questions:

1. Right now we don’t have benchmarks to support this claim. At the moment the claim is based just on the fact that the library uses iframes and they are pretty light and we have a rate limiter that is hard coded in Mellowtel and once it’s reached no requests are accepted. local-rate-limiting/rate-limiter.ts . But we will make sure to expose these benchmarks so anyone can test it on their own in the following weeks.
2. The revenue split is 55% to devs and 45% to Mellowtel. Also here we will make a dashboard so devs can see the cost per request and how much they are making.

We are a really small project and we are aware that we have a lot of work to do to improve the product. This feedback helps a lot. Thanks

[spookyuser]

The first time I came across plasmo I was shocked because it seemed to solve every issue I always had with building chrome extensions and what's more you could tell it had been built by people specifically pained by refreshing their extension for 12 hours only to realize they forgot to add ["storage"] to their manifest.

It solved so many problems in fact that I started porting old extensions that worked fine just because I wanted to see how elegant they looked in plasmo (hint: very)

What's more I owe a decent share of my livelihood right now to the fact that plasmo exists at all, so i'm grateful for all the hard work the devs have done building and maintaining it over the years.

I think it's important to mention this because the problems plasmo solved were so clearly needed for serious chrome extensions and were so obviously better than the alternative that people enthusiastically embraced them, certainly there was no thread about whether or not they were hazards to user's computers.

Personally I think this is malware, and while we're debating if a guide on how to distribute that software is okay - other projects are debating how to make it so that you can call functions in the background from the content script without even thinking about messaging.

[daniiba]

Two weeks have gone by and I'd say its pretty clear that the Plasmo community is against the integration into the docs.
We appreciate everybodies feedback and are implementing it into our product, especially a clientside blacklist and benchmarks.

Thank you for the time and feedback!

[spookyuser]

Hopefully this includes removing the example too PlasmoHQ/examples#72