Firefox 42 will not allow unsigned extensions

(wiki.mozilla.org)

288 points fernandotakai | 2 comments | 11 Aug 15 03:51 UTC | HN request time: 0.001s | source

Show context

kragen ◴[11 Aug 15 06:17 UTC] No.10039371[source]▶

This is deeply disappointing.

Two details: the extensions need to be signed by Mozilla, and only US English speakers will be allowed to disable this requirement.

The point of free software is that users, individually and collectively, are free to modify it as they wish, without requiring approval from third parties. (And of course to use, copy, and redistribute.) This is a sharp turn away from the free-software ethos that made Firefox possible in the first place.

I understand the issue of users being tricked into downloading and installing malicious extensions. If you let someone program, they will be able to paste malicious code. I just don’t think that taking away users’ ability to modify their own browsers is an acceptable solution to that.

If this disturbing move sticks, Mozilla will become an increasingly tempting target for whatever group wants to control what software you can install on your own computer — whether that’s Sony Pictures, the NSA, or Amazon.

The old free software movement has died. We need a new free software movement.

replies(9): >>10039538 #>>10039732 #>>10039770 #>>10040303 #>>10040371 #>>10040382 #>>10040490 #>>10041316 #>>10042478 #

1. WireWrap ◴[11 Aug 15 08:57 UTC] No.10039770[source]▶

>>10039371 #

In addition to the "en-US locale only" restriction, I wonder if unbranded builds will be made available for non-desktop platforms. I would like to run my own extension, or that of the company I work for, on multiple platforms and especially without having to share proprietary source code with Mozilla et al.

I think they removed alternate signature checks from the base code (may affect other browsers), and the preference to disable Mozilla signature checks is a global switch. So they've made things even harder than they have to be for those who don't want to comply with the new model.

According to Mozilla, they have to do this because a user who has control of their OS might install malware and might grant it root/admin privileges. Such malware could not only tamper with extensions, it could tamper with the permission and preference systems and other key components and files. IOW, if Mozilla continues to pursue this policy, we may be looking at the beginning of a more comprehensive lockdown of Mozilla applications.

It might be wise to try to hold the line somewhere. In general, we aren't going to be more secure if we allow ourselves to be locked into simplified configurations that suit the mass market.

replies(1): >>10040484 #

2. TazeTSchnitzel ◴[11 Aug 15 12:33 UTC] No.10040484[source]▶

>>10039770 (TP) #

> might install malware

Might? This happens very frequently.

> might grant it root/admin privileges

They don't need to, if you have the browser you have all the good stuff.

↑