←back to thread

Firefox 42 will not allow unsigned extensions

(wiki.mozilla.org)
288 points fernandotakai | 2 comments | 11 Aug 15 03:51 UTC | HN request time: 0.001s | source
Show context
userbinator ◴[11 Aug 15 12:02 UTC] No.10040344[source]
Mozilla's hypocrisy is astounding:

https://blog.mozilla.org/security/2013/01/29/putting-users-i...

"Users should have the choice of what software and plugins run on their machine."

https://blog.mozilla.org/theden/2014/12/15/introducing-a-sma...

"Firefox is dedicated to putting users in control of their online experience"

More recently:

https://blog.mozilla.org/blog/2015/06/02/firefox-puts-you-in...

"Firefox Puts You in Control of Your Online Life".

The slogan, as found on https://www.mozilla.org/en-US/firefox/new/ , is now "Firefox is created by a global non-profit dedicated to putting individuals in control online." I believe it used to be "users" - see above - but was silently changed. I suppose these "individuals" are the people at Mozilla...?

replies(6): >>10040466 #>>10040472 #>>10040993 #>>10041265 #>>10041365 #>>10052169 #
soapdog ◴[11 Aug 15 14:26 UTC] No.10041265[source]
WTF people. So much hate for Mozilla these days, this appear pitchfork group.

Lets review what the article says: addons needed to be signed. The process is automated. It takes only seconds. It prevents some malware from spreading.

You can still host your addon wherever you want. This is just an extra step that can actually improve security. It requires more effort by the part of the developer but it also helps prevent some security issues.

Firefox Dev Edition and Nightly will have switches to turn this off. Firefox stable and Beta will not. Do you want to switch this off? Move to more bleeding edge versions. Or pick the unbranded version.

The unbranded version is available only in English and this is a problem that can be solved with language packs which are available in the hundreds.

Heck, this is an improvement to security. You can opt out by moving to a different Firefox version, there are three versions you can use, DevEdition, Nightly and Unbranded. If you opt-in you have an extra level of confidence in the addon you're installing.

Developers take only couple seconds to submit and retrieve back their addons and the added bonus for security is great. This will prevent those pesky spyware/malware from hijacking your browser which is a problem faced by many users that are not as tech savvy as this crowd here.

And yet people throw a tantrum....

replies(4): >>10041474 #>>10041622 #>>10041758 #>>10042924 #
rndgermandude ◴[11 Aug 15 15:12 UTC] No.10041622[source]
Mozilla will certainly continue to sign my piracy-enabling add-on that is perfectly legal in many jurisdictions worldwide, even after an US court ordered them not to sign it explicitly?

I also heard mozilla got an NSL for my "Ed Snowden for president, Find out more on wikileaks" add-on, or rather, I didn't because NSL.

Then again, I hear a brought coalition of human rights, LGBT and feminist groups lobbying mozilla not to sign my "Find nearest public stoning near you - Saudi Arabia Editon" add-on any more, effectively blacklisting it worldwide. But mozilla will keep to their promise not to blacklist my stuff and my regular users can still use my add-on, right? The creator of Javascript and mozilla CEO Brendan Eich will make sure of it... Oh wait...

Speaking of which, what about my "mozilla - not protecting Brendan from harm was shit" add-on, is that compliant with the mozilla trademark policy that I need to abide by per https://developer.mozilla.org/en-US/Add-ons/Add-on_guideline... ?

Yes, those examples are a bit contrived, but actually not that much over the top. Also, please note that I do not necessarily condone these things ;)

My point being: Security through tech-enforce policy is nice and has a lot of upsides as you say, I agree, but it also may have downsides you aren't even aware of.

replies(1): >>10045812 #
1. soapdog ◴[12 Aug 15 03:09 UTC] No.10045812{3}[source]
You understand that the addon signing process is automated right? Addon signing is not the same as AMO review. You can sign your addons and distribute them on other channels if they don't match AMO review criterias.
replies(1): >>10045933 #
2. rndgermandude ◴[12 Aug 15 03:56 UTC] No.10045933[source]
You do understand that mozilla still could reject certain add-ons, even when only to be signed to be hosted elsewhere, and in fact they do:

>Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds. If the file doesn't pass review, the developer will have the option to request a manual review, which should take less than two days.

Right now, the automatic signing will probably only fail if malware is detected. The "Right now" part is what worries me a bit, tho.