Firefox 42 will not allow unsigned extensions

(wiki.mozilla.org)

288 points fernandotakai | 1 comments | 11 Aug 15 03:51 UTC | HN request time: 0s | source

Show context

nathanb ◴[11 Aug 15 04:41 UTC] No.10039122[source]▶

It's the "no override" part that concerns me.

I created and maintain an extension that is used by visually-impaired people around the world (it has been translated by volunteers into Dutch and Chinese, for example).

Occasionally a Firefox update breaks this extension. OK, fine, that's the cost of doing business. Of course, the automated compatibility report that Firefox creates is utterly useless; it almost never catches the breakage. But that's a side rant....

There can be a decent turnaround lag (sometimes on the order of a few days) to get a new version of an extension reviewed by addons.mozilla.org. In the meantime, I have made a habit of building a new version of the extension and giving it to anyone who asks. Some people rely on it to use the web and can't wait for Mozilla to do their thing (another side rant: I once stupidly forgot to check in a key resource. I've since changed my development process to keep this from happening again. But the non-functional extension that I pushed passed Mozilla's review just fine. Makes me wonder how much value the review process is really adding.)

If I want to be able to continue this process, I will need to sign the extension myself (and who knows what histrionics Firefox will throw if a user tries to replace an extension with one that has the same UUID but a different signature!)

replies(8): >>10039130 #>>10039580 #>>10039659 #>>10039887 #>>10039941 #>>10040621 #>>10040999 #>>10041707 #

brighteyes ◴[11 Aug 15 04:43 UTC] No.10039130[source]▶

>>10039122 #

> There can be a decent turnaround lag (sometimes on the order of a few days)

Actually, the link says

> Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds

You may be thinking of a different type of review process, the signing one sounds almost instantaneous.

replies(2): >>10039139 #>>10039213 #

Animats ◴[11 Aug 15 05:16 UTC] No.10039213[source]▶

>>10039130 #

That's for non-public add-ons. If you submit a public add-on, even a minor update, it has to go through the AMO bureaucracy. I currently have an update that was uploaded on July 10, 2015, and is at queue position of 64 of 137. There are no code changes; it's just being updated because Mozilla changed their build system.

This seems to be part of Mozilla's effort to be more like the Apple and Google stores.

Mozila AMO - Learn to embrace the pain.

replies(3): >>10039667 #>>10039920 #>>10041297 #

kpcyrd ◴[11 Aug 15 09:49 UTC] No.10039920[source]▶

>>10039213 #

Actually, it's their effort to prevent AMO from ending up as malware riddled as the Chrome Store.

Addons are running in the chrome context and are thus pretty powerful. It's trival to compromise the whole computer if they aren't reviewed.

replies(1): >>10042274 #

1. piyush_soni ◴[11 Aug 15 16:23 UTC] No.10042274[source]▶

>>10039920 #

I wouldn't think Chrome Web store is full of Malware. Yes, it's not free of those, but the bad ones are quickly removed by both Chrome's policing, and users' flagging. That's how Mozilla should go forward. The problem with manual reviewing is, it depends on the 'volunteers' time availability, and a stupid Review system which is NOT FCFS. You are told you are 37th out of 150 in the queue, but you see that you either remain at that position while others are being approved, your queue position goes both up and down, and some times your add-on is instantly approved even when you are 100th in the queue. All this takes many days even if your users are waiting for a critical fix. This is the biggest turn off in uploading add-ons for Firefox.

↑