←back to thread

Firefox 42 will not allow unsigned extensions

(wiki.mozilla.org)
288 points fernandotakai | 6 comments | 11 Aug 15 03:51 UTC | HN request time: 0.413s | source | bottom
1. soapdog ◴[11 Aug 15 14:49 UTC] No.10041451[source]
Folks,

There are FOUR VERSIONS OF FIREFOX WITH A SWITCH TO DISABLE THIS if you're so inclined. You can use: Nightly, Dev Edition, Unbranded Stable and Unbranded Beta. All of which have a switch that you can set to disable addons signing requirement.

In contrast there are only two versions where this is a requirement, Stable and Beta. If you doubt the usefulness of this you haven't seen a browser being hijacked by malware overriding search results, inserting all types of toolbars and more. This will prevent malware from sideloading extensions. And this is good.

The signing process is not the same as the AMO review process. The process takes only seconds and the signed addon is returned to the developer. They can distribute as they see fit.

Now, lets face the fact: Simple signing process that takes only seconds and will help prevent lots of malware, not the most nasty ones but a huge lot of sideloaded crap. Four versions of the browser for those power users who want to disable this.

Now, can someone explain to me without hate why this is a bad thing?

replies(1): >>10042332 #
2. josteink ◴[11 Aug 15 16:30 UTC] No.10042332[source]
> There are FOUR VERSIONS OF FIREFOX WITH A SWITCH TO DISABLE THIS

While that may be true, requiring that you run a non-standard version of Firefox to be able to use "random" extensions will probably have a chilling effect on the Firefox extension ecosystem.

That, and it reeks of Chromeism.

replies(1): >>10042846 #
3. soapdog ◴[11 Aug 15 17:29 UTC] No.10042846[source]
you will be able to run "random" extension if the developer care enough about it and about the new security procedures to sign it. After all, it takes only couple seconds for the signing to work.

The versions I quoted are not non-standard. They are all versions of Firefox being worked on and with all the relevant teams. All those versions eventually become Firefox Stable and after that becomes outdated and a new release is now current. Versions goes from Nightly -> DevEdition -> Beta -> Stable. Each version has some tweaks, for example DevEdition is where they seed and test new devtools. Which means that for the developers, thats the best edition to develop with (still test on the other versions).

replies(1): >>10044045 #
4. josteink ◴[11 Aug 15 20:16 UTC] No.10044045{3}[source]
They are non-standard in the sense that 99% of Firefox users are not using them.
replies(1): >>10045806 #
5. soapdog ◴[12 Aug 15 03:07 UTC] No.10045806{4}[source]
Do you understand that the Unbranded Stable version and Firefox Stable version have the same codebase? You can use that version for testing or if your users don't want signing they can move to that version. They lose the cute icon and branding but the code is the same.
replies(1): >>10046384 #
6. josteink ◴[12 Aug 15 06:29 UTC] No.10046384{5}[source]
I think you missed my very clear point: now it's not enough to just run Firefox. You need to ask for users to run the "right" version if Firefox.

Telling people what browser to use is user hostile behaviour. Users will not bother. Non-official extensions will get less interest. Authors will see a smaller user base and have less interest in writing new extensions.

This will have a chilling effect all over.