←back to thread

Unknown Mozilla dev addon "Looking Glass 1.0.3" on browser

(support.mozilla.org)
757 points shak77 | 4 comments | 15 Dec 17 13:47 UTC | HN request time: 0.84s | source
Show context
blauditore ◴[15 Dec 17 16:23 UTC] No.15932880[source]
Many people seem to be shocked because Mozilla installed an add-on automatically. In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?

The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts-in on studies.

replies(16): >>15932942 #>>15932953 #>>15932998 #>>15932999 #>>15933001 #>>15933342 #>>15933599 #>>15933649 #>>15933656 #>>15933806 #>>15933901 #>>15934475 #>>15934693 #>>15935133 #>>15935703 #>>15941934 #
skymt ◴[15 Dec 17 16:32 UTC] No.15932953[source]
Speaking for myself here, but I'm not concerned that Mozilla might push malware into Firefox installations. I'm concerned about the lack of judgement in pushing an extension with a vague, scary-sounding name and description simply for a cross-marketing tie-in, and I'm worried that it could have damaged the trust ordinary users have in Firefox.
replies(5): >>15933006 #>>15933291 #>>15934516 #>>15934671 #>>15935418 #
pmlnr ◴[15 Dec 17 16:37 UTC] No.15933006[source]
> I'm not concerned that Mozilla might push malware into Firefox installations

Nobody is concerned about that, in my opinion. I'm concerned someone will push malware through Mozilla into Firefox installations. Pushing addon installs should not be possible at all.

replies(4): >>15933118 #>>15933239 #>>15933501 #>>15936753 #
pilif ◴[15 Dec 17 17:11 UTC] No.15933239[source]
They can also push new browser releases though. They are also auto-installed by default.

The exception is that an addon can do slightly less damage than a compromised browser itself.

replies(1): >>15934388 #
1. Parcissons ◴[15 Dec 17 19:37 UTC] No.15934388[source]
I deeply hate this update methodology. Some hippster fresh from university decides that the gui, approach, functionality i use daily is no longer needed and pushes his rewrite into a release. One click later im stuck with this, because all the bundled crap is hijacking the "security" for a ride.

If any software developer would truely respect users, he would offer updates as seperate packages, where users can opt out of non-security ones- and those updates humanity votes with there feet against, vannish into the bin of useless software.

replies(1): >>15935869 #
2. pilif ◴[15 Dec 17 22:40 UTC] No.15935869[source]
Imagine the complexity of maintaining the software when every patch must anticipate a fragmented mess of different pieces of patches being installed on target systems. Imagine the explosion of testcases required.

At that point, it’s probably better to just stop feature development and do nothing but security patches, which of course will lead to stagnation and which will also lead to fragmentation as many more incompatible releases of the same software will be out in use.

This will make it even harder for developers to adapt new technologies. Imagine how bad the already messy caniuse.com would look when every single browser version would be supported forever and could be individually configured feature by feature.

Especially as people somewhat versed in technology (I think it’s safe to call HN audience that), I think there is advantage in going with the flow and adapting to new releases and UI paradigms.

Otherwise we'd still be running on DOS and us developers would still have to support it.

Relevant XKCD: https://xkcd.com/1172/

replies(2): >>15936577 #>>15937224 #
3. bigbugbag ◴[16 Dec 17 00:43 UTC] No.15936577[source]
Ever heard of debian ? Then maybe you've heard of debian backports ?

I'm asking because debian and backports are doig exactly that: separating security patches from the rest, not for a browser but for a whole OS and every applications including firefox.

also this xkcd is not relevant. the point here is that mozilla has quite a history of breaking userspace earning them the reputation of "making far-reaching and very short-sighted decisions in a vacuum."[1]

[1]: http://forums-test.mozillazine.org/viewtopic.php?p=14736466#...

4. awalton ◴[16 Dec 17 03:18 UTC] No.15937224[source]
> Imagine the complexity of maintaining the software when every patch must anticipate a fragmented mess of different pieces of patches being installed on target systems.

...why imagine? That's life as a Windows/Linux/Android dev. (Apple is sort of a stand-out because it has vastly fewer installable parts and less versions in the wild such that it's actually possible to test every patch level of every supported version of macOS or iOS at any given time).

But none of that makes push updates right or wrong. The reality is that it's less of a push than it is a pull anyway - in this case the client is asking for updates on an interval, and the server says "yep, there's one for you." The client grabs it and installs it. And it's turned on by default because, for the most part, that's the right thing to do for your users: you'd rather them be on the newest patch level. Hell for IT admins though, which is why it's almost always a feature they can disable at will.

So here's where this case differs: it's an "experiment" that's actually just marketing trash pushed through the "experiments" channel which is also armed by default, rather than a security or product update (which anybody reasonable can argue should be on by default - secure by default is the goal, after all). The only "experiment" in this case is seeing how many users will put up with Mozilla continuing to pimp out Firefox to the highest bidder as a grab for a new revenue stream before they reluctantly switch back to Chrome.

And judging by the backlash on patches like this one, it's not going so well...