Mozilla Unblocks Microsoft's .NET Addon

bonch writes "Mozilla previously blocked the Firefox addons Microsoft included with .NET, citing security concerns. After talking with Microsoft, they have now unblocked the .NET Framework Assistant addon and are working on a way for enterprise users to unblock the Windows Presentation Foundation addon as well."

They're just sayin'...

[ZekoMal]

...what we're all thinkin'.

Re:They're just sayin'...

[visualight]

I'm thinking "damn, I was hoping the internet already sucks as much as it can..."

Microsoft's updated advisory

[lseltzer]

MS09-054

FAQ for HTML Component Handling Vulnerability - CVE-2009-2529

If I use Firefox, which Internet Explorer update do I need to
install?
If a computer system is configured for Automatic Update, the
correct update will be downloaded and made available for installation depending
on the Automatic Update configuration. In the event that a computer system is
not configured for Automatic Update, users should verify which version of the
Windows operating system and Internet Explorer is on their system and download
the appropriate update.

If I install this security update, do I need to disable the Windows
Presentation Foundation Plug-in in Firefox to be protected from this
vulnerability?
No. Customers who have installed the security updates
associated with this security bulletin are protected from this
vulnerability.

If I have not yet applied this security update, how do I disable the
Windows Presentation Foundation plug-in in Firefox?
If you have not yet
applied this update, you can disable the Windows Presentation Foundation plug-in
in Firefox to block this vulnerability. To do this, launch the Firefox browser,
select the Tools pull-down menu, and then click Add-ons. Select
the Plugins icon at the top of the Add-ons window. In the list of
Plugins, select Windows Presentation Foundation 3.5.30729.1 and click
Disable.

If I uninstall the .NET Framework Assistant extension, does it disable or
remove the Windows Presentation Foundation plug-in?
If the .NET
Framework Assistant extension is uninstalled it does not disable or remove the
Windows Presentation Foundation plug-in. The .NET Framework Assistant and
Windows Presentation Foundation plug-in are controlled through different screens
in the Firefox Add-ons management window.

Re:Microsoft's updated advisory

[ThePhilips]

If I install this security update, do I need to disable the Windows Presentation Foundation Plug-in in Firefox to be protected from this vulnerability?
No. Customers who have installed the security updates associated with this security bulletin are protected from this vulnerability.

Uhm... "Protected from this vulnerability"?? What the hell?

Somebody has to file a bug against FireFox that plugins/add-ons are even allowed to prevent user from disabling them.

Re:Microsoft's updated advisory

[El_Muerte_TDS]

If I use Firefox, which Internet Explorer update do I need to install?

Now that's just plain funny. It's like saying that I need to make sure my car doors are locked when I'm using public transport.

Re:Microsoft's updated advisory

[Stray7Xi]

Somebody has to file a bug against FireFox that plugins/add-ons are even allowed to prevent user from disabling them.

There's a name for programs that prevent the OS from modifying their files, rootkits. Firefox is not a rootkit. Microsoft update installed the plugin by modifying the filesystem, it didn't use firefox API's.

If you don't trust microsoft update, frankly you shouldn't be using windows.

Re:Microsoft's updated advisory

[kantos]

That too has been a focus of this whole fiasco, the fact that the plug-in exists isn't a problem, nor is the functionality it provides, which is critical to many enterprise FF users. The core of the whole thing and what has pissed most people off on both sides is that both MS and Mozilla took action without customer consent, effectively choosing for us. First MS for installing it, then Mozilla for disabling it. The resounding consensus has been: "Could you at least ask first?" By acting without consent both Microsoft and Mozilla have shown that they don't think their users can make an informed consenting decision about how they wish to use their browsers. Such an action is disrespectful and disgraceful of both parties. Microsoft should know better having been burned before, and Mozilla because such an action is against the core principles on which Firefox was marketed.

Re:Microsoft's updated advisory

[TJamieson]

Nope.

If I use Firefox, which Internet Explorer update do I need to install?

Replace Firefox with Honda Civic and Internet Explorer with Ford Focus.

"If I use Honda Civic, which Ford Focus update do I need [to install]?"

Re:Microsoft's updated advisory

[IntlHarvester]

Somebody has to file a bug against FireFox that plugins/add-ons are even allowed to prevent user from disabling them.

This whole scandal brings up an interesting point. For "Plug-ins", Firefox has no obvious way to disable the feature. However, because MS's stuff was an "Add-on", people are angry there isn't a one-click UI. (The difference between the two is some technical nonsense which is of no interest to the end user.)

So the moral of the story is if you want to make it hard to uninstall, write a plug-in (like Apple/Adobe) and not an add-on.

Anyway, if anyone knows of an easy way to permanently disable Apple's crappy QuickTime plugin, please let me know. I'm sick of rooting it out every time iTunes has an update.

Re:Microsoft's updated advisory

[Abreu]

+1 Car Analogy

In similar notes, I notice that IE8 refused to install in my work machine (where I installed Firefox since day one)

Re:Microsoft's updated advisory

[azior]

The core of the whole thing and what has pissed most people off on both sides is that both MS and Mozilla took action without customer consent, effectively choosing for us. First MS for installing it, then Mozilla for disabling it.

MS installed it without asking

Mozilla asked if you wanted to disable it

Re:Microsoft's updated advisory

[mindstrm]

It did? I seem to recall it simply poppuped a window a couple of days ago and said "This has been disabled. Okay?" and your option was 'Okay"

Re:Microsoft's updated advisory

[azior]

That's still a question

Re:Microsoft's updated advisory

[AmiMoJo]

To disable a plugin permanently you have to prevent it writing it's files into the plugin directory, and preferably it's registry entries too.

The simplest way to do that is to create dummy files and registry entries with the same names as the plugin's ones and then protect them from deletion and being overwritten with file/registry permissions.

The was dome debate on Mozillazine and probably a bug or two submitted to create a proper UI for this stuff and have a way of blocking new plugins, but the devs seem to be ignoring it for now. The have made a schoolboy error here - trying to blacklist all "bad" plugins instead of just having a UI and allowing the user to whitelist plugins as they see fit.

Re:Microsoft's updated advisory

[nmb3000]

Somebody has to file a bug against FireFox that plugins/add-ons are even allowed to prevent user from disabling them.

Mark it up as another example of how the Firefox developers don't understand a multi-user, restricted-user environment. It is often desirable to install programs on a machine-wide basis so that all users, regardless of their local security access, can use them. In Firefox, plugins that are installed in this manner cannot be disabled by the user, even if the user has local administrative rights on the computer.

It's the same deal with Firefox's automatic updater allowing normal users to download and try installing browser updates but then failing over and over because the user doesn't have write access to C:\Program Files\Mozilla or the HKLM portion of the registry.

Re:Microsoft's updated advisory

[TubeSteak]

There's a name for programs that prevent the OS from modifying their files, rootkits. Firefox is not a rootkit. Microsoft update installed the plugin by modifying the filesystem, it didn't use firefox API's.

If you don't trust microsoft update, frankly you shouldn't be using windows.

I'm wondering how Mozilla updates the FireFox add-on blocklist.
Because if it does so even when automatic updates are off, that would be awfully sneaky in my book.

Re:Microsoft's updated advisory

[cyber-dragon.net]

They only missed the options piece of this whole thing. Their base assumptions were correct, that disabling a faulty plugin was what most people would want to do. Most would not even be aware of the fact it had been done nor that they had this plugin in the first place. Releasing a bulletin telling people to disable it is worthless.

What they DID need to do is introduce a warning saying "this plugin has been disabled for security reasons, would you like to re-enable it?" that will come up each time it's loaded until fixed, giving the user a choice.

To not disable it would be as irresponsible on Mozilla's part as not patching the hole was on Microsoft's. They just need better communication with users.

Re:Microsoft's updated advisory

"If you don't trust microsoft update, frankly you shouldn't be using windows."

That's the problem...I USED to trust Microsoft Update, right up until they started abusing that trust for market gain.

Re:Microsoft's updated advisory

[Khyber]

Microsoft installed it without asking, without me even knowing.

They modified a third-party software installation without my permission.

The third-party software maker was within perfect rights to put a stop to that bullshit. They even notified you about it. That's damned good service.

However, through that very same system I see something that could have the potential for severe exploit.

Re:Microsoft's updated advisory

[Thinboy00]

The was dome debate on Mozillazine and probably a bug or two submitted to create a proper UI for this stuff and have a way of blocking new plugins, but the devs seem to be ignoring it for now. The have made a schoolboy error here - trying to blacklist all "bad" plugins instead of just having a UI and allowing the user to whitelist plugins as they see fit.

According to the (very long!) discussion on the bug in question, Mozilla is working on such a UI.

Re:Microsoft's updated advisory

[Thinboy00]

Somebody has to file a bug against FireFox that plugins/add-ons are even allowed to prevent user from disabling them.

Mark it up as another example of how the Firefox developers don't understand a multi-user, restricted-user environment. It is often desirable to install programs on a machine-wide basis so that all users, regardless of their local security access, can use them. In Firefox, plugins that are installed in this manner cannot be disabled by the user, even if the user has local administrative rights on the computer.

It's the same deal with Firefox's automatic updater allowing normal users to download and try installing browser updates but then failing over and over because the user doesn't have write access to C:\Program Files\Mozilla or the HKLM portion of the registry.

The fact that Firefox disables the "Disable" and "Uninstall" buttons instead of just breaking shows that, as a matter of fact, the developers are checking permissions on the various files prior to trying to modify them. Obviously, if you don't understand a "multi-user, restricted-user environment", you won't be checking permissions. So in other words, you're wrong. The fact that these buttons are disabled isn't a bug, it's a feature. That way, sysadmins can set up Firefox to behave in a certain highly consistent fashion (i.e. they can stop the user from fucking with it).

Re:Microsoft's updated advisory

[Kalriath]

A question with only one answer is a statement.

Re:Microsoft's updated advisory

[nog_lorp]

You are wrong.

At the very least, when someone is logged in as an admin, the Disable/Uninstall buttons should work, perhaps with warnings that this will affect all users.

Re:Microsoft's updated advisory

No it isn't?

[Click Okay to Continue]

Re:Microsoft's updated advisory

[Pechkin000]

Thats not how it played out on my install, it popped up a windows and gave me an option to uncheck "disable"

Question is...

Will they allow users to uninstall it normally at any point?

Re:Question is...

Of course not, this is MS we're talking about.

Re:Question is...

[Deathlizard]

http://slashdot.org/~Deathlizard/journal/238961

Re:Question is...

[srmalloy]

My Firefox Add-ons window shows "Microsoft .Net Framework Assistant", version 1.1, with 'Options', 'Disable', and 'Uninstall' buttons. I'm still up in the air about whether I want to disable it completely, although I did open the options and set it to prompt before running ClickOnce applications.

Re:Question is...

[shutdown+-p+now]

Will they allow users to uninstall it normally at any point?

Uninstall has been enabled for several months now. There had been a /. story about that

Re:Question is...

[Blakey+Rat]

That was fixed ages ago. How did this get modded up?

Re:Question is...

[jack2000]

You want to disable it. You do not, i repeat, DO NOT want to have anything to do with .NET in firefox. Put a stop to this plugin madness now!

Re:Question is...

[nog_lorp]

It hasn't been "enabled". It is just the awful registry hacks / obscure files (like, extremely shadey made up system folders just for holding Microsoft Firefox plugins) that were released early on by random people.

What they should have done is made it an uninstall-able item in the add/remove programs dialog, but they are too shady for that.

In related news

[tokul]

Enterprise users are working on removing those f##ked up plugins completely.

Re:In related news

[Canazza]

"Enterprise" users aren't... EnterprisING users are. There's a difference

Re:frsot

Don't mistake your browser for the KDE dictionary applet.

Still can't uninstall?

[dschuetz]

Mozilla should block the plugin simply on the grounds that a user can't uninstall it from within the approved Mozilla add-ons panel. That should be the case for any plugin that doesn't play by the rules, no matter who it's from or what its use is.

If I can't delete it, it's malware. Oh, wait, I *can* delete it, if I google for some crazy instructions that involve registry editing? Isn't that how I delete malware?

Re:Still can't uninstall?

[sakdoctor]

'Ubuntu firefox modifications' plugin also can't be deleted from within firefox.
I'm not arguing for or against your proposal, just that it would need to be consistently applied.

Re:Still can't uninstall?

[Malc]

Does uninstalling .Net remove it?

If you don't like this plug-in, don't install .Net. It's part of that package. You have a choice, which although you might argue you didn't know about before, you certainly do know. Or disable the plug-in yourself.

Re:Still can't uninstall?

[Jimmy_Slimmy]

Parent says it all.

Just because Mozilla caves, do not shut up. Make MicroSloth play by the rules.

Please: Post how to make Microsloth get out of my Firefox.

Mod parent up.

Re:Still can't uninstall?

[xigxag]

Oh come on. As anyone who's following this story is aware, Mozilla has an "approved" method of installing plugins without using the add-ons panel. So pick your bone with them.

Re:Still can't uninstall?

[BarMonger]

I can uninstall my .Net plug-in from within the standard FF add-ons panel just fine.
I don't know about the WPF one, I don't have that installed at work.

Re:Still can't uninstall?

[aetherworld]

Is this a failed attempt at trolling?

It's a PLUGIN, not an ADD-ON. There is no way to uninstall ANY Plugins in Firefox. You can disable Add-Ons, you can uninstall Add-Ons and you can disable Plugins. But you cannot uninstall Plugins from within Firefox. Firefox simply loads all files in a specific Internet Plugins folder (not a Firefox-only plugin folder) and if it detects a plugin, it uses it.

Delete the file and you're good to go.

Re:Still can't uninstall?

[sosume]

> If I can't delete it, it's malware.

It's a component of your OS. Whether it's crucial to you is an entirely different discussion - if you want your OS to be as bare as possible, Windows is not for you. MS has decided that it is needed on every system so they can make certain assumptions on system usage and updates. Would you like to be able to delete, say, your kernel executable? Is that malware too?

Re:Still can't uninstall?

[SanityInAnarchy]

It can, however, be removed via the package manager.

Can the .NET addon be removed at all, without hacking the registry?

No, using the package manager is not even remotely comparable to hacking the registry.

Re:Still can't uninstall?

[Thyamine]

I think that's what he's saying. It's not Microsoft bashing, but a need for consistent rules. If something cannot be uninstalled by the user, then it's along the lines of malware. Certain OS upgrades can't be uninstalled which is understandable, but for a browser? That's just lazy or hubris on the part of the company to assume no one would _ever_ want to uninstall _their_ addon.

Re:Still can't uninstall?

Then it can go to hell as well.
Anything that tries to force installation and makes it a chore to remove is badware, and badware needs to die.
And yes, i do realize the irony of Google helping Stop Badware, yet still haven't addressed Autoupdater fully.

Re:Still can't uninstall?

[BarMonger]

Is this a failed attempt at trolling?

It's a PLUGIN, not an ADD-ON. There is no way to uninstall ANY Plugins in Firefox. You can disable Add-Ons, you can uninstall Add-Ons and you can disable Plugins. But you cannot uninstall Plugins from within Firefox. Firefox simply loads all files in a specific Internet Plugins folder (not a Firefox-only plugin folder) and if it detects a plugin, it uses it.

Delete the file and you're good to go.

Someone should mod parent up.
You cannot uninstall plug-ins, no matter who releases them or how they were installed, from inside the Firefox add-on panel.

Re:Still can't uninstall?

[CNeb96]

I can't comment on MS's plugin because I don't know how it works, but Firefox does support extensions which are not displayed to the user. If they are installed in locations besides the profile directory (ie are not a normal extension a user chooses to install). I don't think Mozilla's policy is quite that clear cut about when you should or shouldn't make something viewable by the user.

https://developer.mozilla.org/en/Install_Manifests#hidden

"hidden

Firefox 1.0 - 3.5 A boolean value that when true makes the add-on not show up in the add-ons list, provided the add-on is installed in a restricted access area (so it does not work for add-ons installed in the profile). This is for bundling integration hooks to larger applications where having an entry in the Extensions list does not make sense."

Re:Still can't uninstall?

[cyclocommuter]

You don't have to google for crazy instructions and edit the registy to uninstall the Microsoft .NET Framework Assistant 1.1 add-on. Just launch the add-ons dialog in FF, go to the Extensions Tab, select the .NET add-on and click the Uninstall button or the Disable button if you just wish to disable but not to uninstall it. These 2 options are available for this add-on just like the other add-ons. For the WPF Plugin, select the Plugin Tab, select the Windows Presentation Foundation plug-in from the list and click Disable. This is the only option available for Plug-ins which includes those from Java (of which there are 3 in my machine I may add), Adobe, Shockwave, and others.

Re:Still can't uninstall?

[LordAndrewSama]

Perhaps not "as bad as the registry hell", but I would still prefer if Firefox blocked both of them until they were deletable like all other addons. I mean, have some backbone mozilla, if people don't do things properly, give them a nice big "FAIL" and send them on their merry way.

Re:Still can't uninstall?

[poetmatt]

there's ongoing discussion on how the issue is that people can drop something in the folder and it will be included when the program is run. The issue is that there is no opt-in requirement, so MS has done the same thing that other programs have done in the past.

Thankfully, this time something was done about it, without MS simply removing it in an update as of yet.

Re:Still can't uninstall?

It's a component of your OS.

<wonka>Wrong, sir! WRONG!</wonka>

Many use Mozilla Firefox for the exact reason that it is NOT a component of the OS. When a web browser gets so deeply entrenched into the OS, you open yourself to more vulnerabilities as we've seen in IE's browser in the past. Now, Microsoft wants to interfere with one of the selling points of their competitors by sticking their nose where it doesn't belong. They don't GET to decide what a competitor's product needs.

We're actually being kind to Microsoft right now. Leveraging a monopoly in one market to sabotage a competitor in another market is against anti-trust laws, something that MS has been slapped with in the past.

Re:Still can't uninstall?

What a load of crap, do you even know what these plugins do? The answer is no, you have no clue. It's ClickOnce and the other enterprise crap which nearly all desktop users won't and don't use, hell, the people who do or might use it are probably using Internet Explorer anyway!

MS has decided that it is needed on every system

Are you truly that stupid? The great Microsoft has spoken!... I bet you wouldn't be saying this if it was Windows Genuine Advantage that was being spoken about, but going by your previous comment you'd probably agree with that too.

Re:Still can't uninstall?

[ThePhilips]

Probably not deletable, but at least user should be able to disable *any* add-on or plugin. Without ifs.

Re:Still can't uninstall?

...but I would still prefer if Firefox blocked both of them until they were deletable like all other addons...

These aren't add-ons, they're plug-ins, which function slightly differently than add-ons. No plug-ins are uninstallable from within Firefox. That is the intended functionality as decided by the Mozilla team.

Re:Still can't uninstall?

[BrentH]

Well, although I appreciate Ubuntu's motives for the plugin, I'm going to disagree here: forcing users to use a (complicated, and potentially dangerous) application to remove such a thing is not so great. Although the registry is perhaps a little more complicated than synaptic, they're certainly equally dangerous tools if you don't know what you're doing.

Re:Still can't uninstall?

[Arancaytar]

Note that that one's bundled with the Launchpad package. I downloaded the binaries directly from Mozilla to get the Minefield trunk, and I see no Ubuntu addon listed in there.

In this case, MS added the plugin to the self-installed version of Firefox, not a version of Firefox they distributed (not that they'd likely be able to cut a branding agreement the way Ubuntu did, so MS would have to distribute it under a different name).

Re:Still can't uninstall?

[ryanov]

But if you let people remove it from Firefox, then how does that information get back to APT? That seems like that could be MORE confusing.

Re:Still can't uninstall?

[ThePhilips]

To my limited knowledge, MS' C# developers are people who can be reasoned with.

They are simply not used to give their users choices.

Though reasoning with them now would leave FireFox vulnerable in future to the managerial decisions by MS'. And we all know how far-sighted they are. (It's the same as a Mono/C# on Linux loophole.)

Re:Still can't uninstall?

Why the fuck is criticism of a company's business methods, ethics and products allowed in all cases except with Microsoft? Then you fcukers whine about 'bashing' well to hell with you. You shits make the net a worse place with your spam and worms.

Re:Still can't uninstall?

[c]

> Mozilla should block the plugin simply on the grounds that a user can't
> uninstall it from within the approved Mozilla add-ons panel.

That's not a bad rule for a personal desktop, but there are certain occasions where plugins are installed from outside Mozilla, and hence Mozilla shouldn't have a means to uninstall them (i.e. Ubuntu Firefox changes are installed via the package manager, not Mozilla, or plugins installed site-wide by a system admin).

The real problem is that Mozilla has some sort of mechanism to ask a plugin "can you be disabled?" Having that mechanism implies that it's okay for a plugin to say "no", and hence Microsoft was just using the API in the intended fashion.

I think it'd be better if they were a little more proactive and just ignored any plugin that doesn't have a disable option. And Mozilla itself should be keeping track of which plugins the user disabled/enabled rather than trust the plugin. It also would be entirely reasonable to have some kind of "disabled until user explicitly enables" rule for any plugin that wasn't downloaded and installed through the browser itself.

Then, I think, it would be more than fair to treat a plugin which violates those rules as active malware.

c.

Re:Still can't uninstall?

Fully agree. ANYTHING that won't cleanly, completely uninstall using conventional methods is malware in my book. That includes crap that evokes a browser, taking me without my permission to an online site, and doing the godz alone know what ...

Re:Still can't uninstall?

Mozilla shouldn't delete anything without asking me. I was using those plugins.

Re:Still can't uninstall?

[bloobloo]

It's because it's confusing to the end user. What is the difference between a plugin and an add-on? Unless you know, they just seem like synonyms for something that gets added to the browser to perform a new task.

Re:Still can't uninstall?

[shutdown+-p+now]

Probably not deletable, but at least user should be able to disable *any* add-on or plugin. Without ifs.

User can disable any plugin in Firefox, regardless of where it's installed - including .NET Framework Assistant. You go into Firefox Extension Manager, and click "Disable".

Re:Still can't uninstall?

[ClosedSource]

These add-ons or plug-ins (whatever the hell they are) are there to allow FireFox to take advantage of .Net features. If they didn't exist people would be complaining the MS was trying to lock-out Firefox by only supporting .Net in IE.

Re:Still can't uninstall?

[bendodge]

Actually, the most recent version (not sure of the number) has the normal Uninstall button enabled, and overall it seems to be behaving pretty well.

Re:Still can't uninstall?

[ThePhilips]

Any example why I might need it?

YouTube works - check.

WebMail - check.

Slashdot - check.

So why the hell I need the "ActiveX NG"?? (Except of course supporting malware industry.)

Re:Still can't uninstall?

[Edgewize]

Then maybe that is something the Firefox team should have thought about. As part of their, you know, open-source tradition of focusing on usability and user-experience consistency?

I can definitely see how it would be annoying to the end user, but I can't agree with blaming Microsoft for following a well-documented API.

Re:Still can't uninstall?

[Zumbs]

Given that synaptic is *the* way to install software in Ubuntu, it would be reasonable to expect users to be much more confident and less likely to screw up when using synaptic than when editing the Windows registry. In my humble opinion using synaptic is roughly the same difficulty as using Add/Remove Programs in the Windows Control Panel. There is the added benefit that you can ask a nice Linux user to write a shell script to do it for you, if you are not confident in your own ability to use synaptic. I agree that it would be better if the plugin could be disabled directly in the Firefox UI.

Re:Still can't uninstall?

[ClosedSource]

If you're really interested, you could go to http://msdn.microsoft.com/en-us/library/cc716877.aspx and read about it.

Re:Still can't uninstall?

> If I can't delete it, it's malware.

It's a component of your OS. Whether it's crucial to you is an entirely different discussion - if you want your OS to be as bare as possible, Windows is not for you. MS has decided that it is needed on every system so they can make certain assumptions on system usage and updates. Would you like to be able to delete, say, your kernel executable? Is that malware too?

This is a firefox plugin. Clearly it's not on the machines of people who don't have firefox. Clearly it's NOT a part of the OS.

Re:Still can't uninstall?

[Zumbs]

The real problem is that Mozilla has some sort of mechanism to ask a plugin "can you be disabled?" Having that mechanism implies that it's okay for a plugin to say "no", and hence Microsoft was just using the API in the intended fashion.

I think it'd be better if they were a little more proactive and just ignored any plugin that doesn't have a disable option.

In some corporate environments there may be reasons for having plugins that the user cannot disable. So a more sane approach may be to change the "can you be disabled?" to "can you be disabled by non-administrators?", similar to having the IT department force all computers to run Windows Defender once per week. This has the added benefit of allowing desktop users to log in as administrator and disable the plugin.

Re:Still can't uninstall?

[daveime]

This might surprise you, but a lot of people use the net for more than :-

Watching the latest lolcat video - check
Browsing their mail for the latest penis enlargement offer - check
Posting uninformed comments to Slashdot - check

Point taken ?

Re:Still can't uninstall?

No you're not, because Windows will try to recreate the file the next time you do a windows update.

Step 1: Delete the file.

Step 2: Create an empty text file with the same name as the file.

Step 3: Use your sharing and security settings to make that file read-only and untouchable by everyone.

Now, when windows update tries to recreate the file, it'll fail noisily. But you won't have to worry about it anymore.

Re:Still can't uninstall?

[CSMatt]

Plugins are add-ons in the Mozilla universe. The term "add-on" is used by Mozilla to mean extensions, themes, and plugins. Saying "plugin" instead is merely being more specific as to what type of add-on is being discussed.

Re:Still can't uninstall?

[c]

> In some corporate environments there may be reasons
> for having plugins that the user cannot disable.

You're suggesting a technical solution to a management problem. There are legit technical reasons why Mozilla shouldn't try to uninstall a plugin which is controlled through some other means, but the decision to prohibit users from disabling things is a management/organizational issue, and I'm usually pretty leery about "features" where the sole reason is to eliminate choice for an end-user.

c.

Re:Still can't uninstall?

[Zumbs]

... which were why I suggested that it might be more useful to require administrator rights to disable a plugin, instead of the current state of affairs, where plugins cannot be disabled unless you muck about in the registry ;-)

Re:Still can't uninstall?

[izomiac]

Just to see how difficult it is I made an attempt to remove the plugin using the registry editor without consulting instructions. It's trivial, go to HKLM then Software then Mozilla Plugins, highlight it and hit delete. This doesn't remove it from the harddrive, but I'd be hesitant to do so in case of dependencies. People who know absolutely nothing about the registry shouldn't attempt it, but the same goes for people with no knowledge of a package manager (which I would consider to be a far more destructive tool).

Is Ubuntu's package manager so much simpler than looking in a logical location (or searching) in a GUI program and hitting delete? So much so they aren't "remotely comparable"?

IMHO it's ridiculous to require the use of a third party program to uninstall any plugin. How "easy" it is is irrelevant, it's inconsistent.

Re:Still can't uninstall?

[AmiMoJo]

The issue people have with these plug-ins is that they install silently without your knowledge. You could argue that someone installing Quicktime might expect to get a browser plug-in to play Quicktime video*, but when installing a security update to .NET or WPF you don't expect to have an entire new language (and attack vector) added to your browser.

* it would be nice if it asked though.

Re:Still can't uninstall?

[c]

You could do it that way, but I find both of them to be less effective than the "plugins can be disabled by the person using Mozilla" solution.

Re:Still can't uninstall?

[jafac]

Actually, I kind of like to Disable this plugin, instead of uninstalling it.

If you uninstall it; Microsoft will just re-install it with a later "update".
If you disable it, Microsoft can update it - it remains DISABLED, where it belongs.

Re:Still can't uninstall?

[Korin43]

And while that's not as obvious as being able to use the "disable" button, anyone looking up remove "ubuntu firefox modifications" will quickly find that all you need to do is type:
sudo aptitude purge ubufox

And this is just because normal users don't have permission to remove it. What do you want Firefox to do? Make it so users can disable extensions that administrators have installed?

Re:Still can't uninstall?

[VulpesFoxnik]

Besides, real Debian based users should be using aptitude, not synaptic. But oh noes, a text user interface that can be used with a mouse in a virtual terminal is scary!

Re:Still can't uninstall?

[nschubach]

I must say, this is the best reason for why this is unacceptable. The Plugin/Addon (whatever) could alter the operation of the application specifically and the user has no choice in it's installation. It could be considered targeted abuse. Is it so hard for a website that needs the .NET extension installed to ask the user if they want it?

Re:Still can't uninstall?

[Thinboy00]

Perhaps not "as bad as the registry hell", but I would still prefer if Firefox blocked both of them until they were deletable like all other addons. I mean, have some backbone mozilla, if people don't do things properly, give them a nice big "FAIL" and send them on their merry way.

Given that the Ubuntu addon is installed system-wide and has root:root owner (as a result of being installed via APT), how, exactly, would you go about enabling the button when the user in question may or may not have root privileges?

Re:Still can't uninstall?

[Thinboy00]

Besides, real Debian based users should be using aptitude, not synaptic. But oh noes, a text user interface that can be used with a mouse in a virtual terminal is scary!

You must admit that ncurses is ugly. As for "scary", well, many people have never seen a terminal emulator (I assume you meant that and not tty[1-7] when you said "virtual terminal").

Re:Still can't uninstall?

[Thinboy00]

Just to see how difficult it is I made an attempt to remove the plugin using the registry editor without consulting instructions. It's trivial, go to HKLM then Software then Mozilla Plugins, highlight it and hit delete. This doesn't remove it from the harddrive, but I'd be hesitant to do so in case of dependencies. People who know absolutely nothing about the registry shouldn't attempt it, but the same goes for people with no knowledge of a package manager (which I would consider to be a far more destructive tool).

You're wrong. In Ubuntu, go to Applications->Add/remove. I believe Ubuntu encourages users to play with this to show them the large amount of software available. It handles dependencies (unlike regedit), avoids putting your system in a broken state (unlike regedit), and, if it discovers a problem with the package state, it gives you an exact command to paste into a root shell to automagically fix it (VERY different from regedit)

Is Ubuntu's package manager so much simpler than looking in a logical location (or searching) in a GUI program and hitting delete? So much so they aren't "remotely comparable"?

Well honestly that depends on which manager you choose to use. The one I detailed above is simpler because you can't screw the system up through it (well, a qualified idiot probably could, but only via enormous ingenuity). Furthermore, it's as simple as:
1) Open the manager (Applications->Add/remove)
2) Search for "firefox" (search box in upper right; press enter or just wait)
3) Scroll down...
4) Uncheck "Ubufox extension for Firefox" (if you're not sure it's the right one, you click on it and read the description, which makes it very clear that it is the right one).
5) Press "Apply"
6) Type password (because it is installed system-wide)
7) Press Enter

Re:Still can't uninstall?

[Thinboy00]

This might surprise you, but a lot of people use the net for more than :-

Watching the latest lolcat video - check
Browsing their mail for the latest penis enlargement offer - check
Posting uninformed comments to Slashdot - check

Point taken ?

What specific, popular website (other than *.microsoft.com) is nonfunctional or seriously crippled without ClickOnce?

Re:Still can't uninstall?

[VulpesFoxnik]

Yes, I mean Konsole, XFCE-Terminal, Or Gnome's terminal. I would never expect the average user to use TTY. I do, but only when doing repairs.

Re:Still can't uninstall?

[VulpesFoxnik]

su-to-root -X -c "xfce4-terminal -e 'pico /etc/apt/sources.list' --tab -x aptitude"

btw.

Re:Still can't uninstall?

I'm ok with that too.

No, I'm *very* ok with that.

Re:Still can't uninstall?

[Kalriath]

Actually, yes, for the past several months.

Re:Still can't uninstall?

[Kalriath]

The real problem is that Mozilla has some sort of mechanism to ask a plugin "can you be disabled?" Having that mechanism implies that it's okay for a plugin to say "no", and hence Microsoft was just using the API in the intended fashion.

No they don't. Plugins cannot be disabled if they were added via the Windows Registry (e.g. by a Group Policy or installer) rather than by placing them in a specific location. Blame Mozilla's sloppy coding there, not Microsoft's shitty practice. Microsoft also released an update months ago that restored the correct disable/uninstall functionality.

Re:Still can't uninstall?

[SanityInAnarchy]

IMHO it's ridiculous to require the use of a third party program to uninstall any plugin. How "easy" it is is irrelevant, it's inconsistent.

It's actually quite consistent, given the Unix philosophy -- each program does one thing and does it well.

Let me put it this way: We used to have something called Netscape Communicator, which became Mozilla. Later, it was split into Firefox and Thunderbird. People like it a lot better this way -- one program handles web, one program handles mail.

Even in the Windows world, this is more or less what you expect -- if I want to uninstall a program, I don't open the program to do so. Instead, I go to "Add/Remove Programs" and uninstall it there.

So, where would I go to install or remove anything on Ubuntu? That's right, the package manager. Maybe it's not where you expect it to be if you only use Firefox, but if you're already using Ubuntu and you've ever installed or uninstalled anything, this should make perfect sense to you.

If nothing else, consider the alternative -- should every collection of programs that could be called a system of plugins, let alone actual programs-supporting-plugins, be forced to implement its own add/remove dialog? I don't think so. Perhaps it could be integrated with the system one, but ultimately, that's what the package manager is for.

Re:Still can't uninstall?

[izomiac]

It handles dependencies (unlike regedit),

Regedit doesn't delete files, so it'd be somewhat difficult to remove a dependancy. (I mentioned it since I didn't want to delete the file and risk breaking .net or whatever, that wouldn't be done from regedit obviously.)

avoids putting your system in a broken state (unlike regedit),

Using a bit of common sense will prevent breaking your system with regedit either (what would you expect deleting HKLM/Software/Microsoft/Windows to do). If you delete something important, it'll just be regenerated in most cases. In the worst possible case, you can do a system restore to undo any damage you did with regedit. A package manager, OTOH, deletes stuff without backing it up first.

and, if it discovers a problem with the package state, it gives you an exact command to paste into a root shell to automagically fix it (VERY different from regedit)

With regedit it's pretty obvious how to fix the problem. You do the opposite of what you did to break it. No automagic required. More explicitly, you can always undo everything using a system restore. That's generally unnecessary unless you managed to have no idea what you did earlier, didn't export the settings first, and it's one of the few important keys that don't get regenerated.

Regedit and a package manger are very different tools. Regedit is naturally dangerous given its purpose, so there are safeguards all over the place. Package managers make much larger changes to the system, and you can't "undo" anything. You can reinstall if you know what it was that you removed, but there's no "oh crap, make everything like it was before" feature.

Re:Still can't uninstall?

[izomiac]

That's an understandable reason, but it's inconsistent with the plethora of other Firefox plugins, extensions, and themes. I would understand if Ubuntu managed all of Firefox's add-ons that way, but it doesn't.

I also wouldn't consider that to be consistent with the Unix philosophy. Firefox includes a tool that does two things, adds and removes Firefox add-ons. That is a different thing than a similar application for Pidgin plugins. If a package manager handled all known plugin systems it'd be a massive tool that did hundreds of different things.

You'd be right about Windows if programmers followed Microsoft's guidelines. Unfortunately, most don't, so the usual method of uninstallation is to click "Uninstall" from the application's start menu subfolder. Plugins are almost never in Add/Remove programs though (Flash and Java sorta are, but I can't think of any other examples). Windows application plugins are generally DLLs dropped into a folder and the only way to remove them is manual deletion or uninstalling the application.

Re:Still can't uninstall?

[furbearntrout]

"hidden

Firefox 1.0 - 3.5 A boolean value that when true makes the add-on not show up in the add-ons list, provided the add-on is installed in a restricted access area (so it does not work for add-ons installed in the profile). This is for bundling integration hooks to larger applications where having an entry in the Extensions list does not make sense."

You forgot the rest--

Note: This property is no longer supported under Gecko 1.9.2 (Firefox 3.6) or later, to prevent extensions from being installed in such a way that the user might not be able to tell they're installed.

Re:Still can't uninstall?

[SanityInAnarchy]

inconsistent with the plethora of other Firefox plugins, extensions, and themes. I would understand if Ubuntu managed all of Firefox's add-ons that way, but it doesn't.

It does, however, manage a few other things, like the Developer's Extension.

The UI could be better, but I think you'll agree that the underlying principle is sound.

I also wouldn't consider that to be consistent with the Unix philosophy. Firefox includes a tool that does two things, adds and removes Firefox add-ons.

In other words, it includes a tool into a monolithic program, rather than split it out.

To see this taken to an extreme, look at uzbl. I'm not suggesting that is a viable alternative, but adding a feature to a program that could be implemented as a separate feature is the direct opposite of the Unix philosophy.

That is a different thing than a similar application for Pidgin plugins.

It really isn't.

If a package manager handled all known plugin systems it'd be a massive tool that did hundreds of different things.

Bingo.

Except that all intelligent plugin systems work in roughly the same way -- either put one file, or a group of files, in a particular location which is searched for plugins. That is consistent with how package managers work -- unpack a large number of files to preset locations, and track which physical file belongs to which package.

That's simplified, but not overly, I think.

Pidgin plugins seem to live in /usr/lib/pidgin, as single .so files.

Firefox plugins can be found in a number of places, including /usr/lib/mozilla/plugins, always as single .so files.

Firefox extensions can be found unpacked in /usr/lib/firefox-addons/extensions, each in its own directory (possibly a tree) -- and a directory tree is as trivial to manage as a file, for a package manager.

Kopete plugins are saved as /usr/lib/kde4/kopete_foo.so, where foo is the name of the plugin. AmaroK plugins are similarly found in /usr/lib/kde4/amarok_foo.so.

I could go on.

All of these are ripe candidates for package management. You'll have to think a bit before you can come up with a system that isn't -- and I would argue that it is a poorly designed system, much like a program which cannot be installed with a package manager.

You'd be right about Windows if programmers followed Microsoft's guidelines. Unfortunately, most don't,

Not in my experience.

Plugins are almost never in Add/Remove programs though (Flash and Java sorta are, but I can't think of any other examples).

I can't think of any other plugins I actually use, so you've got me there.

Windows application plugins are generally DLLs dropped into a folder and the only way to remove them is manual deletion or uninstalling the application.

In other words, they generally work as I described, meaning they should be trivial to manage with a package manager, and it'd be a lot of meaningless duplicate code to give each application a plugin manager. On Windows, it still makes sense, just as each program must have its own update manager, many of which run in the background soaking up RAM, CPU, and bandwidth, because there is no general-purpose, universally-accepted package manager for Windows.

But as Linux distros generally do have good package managers, including a per-app plugin manager is as bizarre as including a per-app update manager...

With one exception: Most package managers do not allow for installation to the user's home directory. (A few do; Rubygems is the most obvious example I can think of.) Therefore, Firefox's extension manager suddenly makes sense if you want to install an extension into a profile, rather than into the system, and with

Re:Still can't uninstall?

[izomiac]

Consistent plugin management certainly has its merits, but I'm not sure if it's quite better. I suppose this is linked with my reluctance to think of plugins as programs that use their parent application as a dependency. The interaction is fundamentally different since plugins don't merely use their parent application, they modify how it works. E.g. ad-block doesn't do anything on its own but instead modifies how Firefox works. Firefox though has little to no effect on how Gnome/KDE/XFCE works, which in turn don't affect Xorg all that much.

As for all plugins basically working the same, I'll give you that most do. Some don't though. PHP sticks out since you have to modify your config file to include modules. There are also issues when you have multiple installations of the same application (package management isn't too amenable to this in the first place). The amount of redundant code is rather minimal beyond having to implement a plugin configuration window since package managers generally don't handle settings.

On Windows I have 10/18 programs that have an uninstaller listed in the start menu. It used to be worse in the past IIRC. Flash and Java are actually several plugins (IE, Firefox, Opera), and Java is also stand-alone so I can see why they'd be in Add/Remove Programs.

I suppose part of my resistance to the idea of managing plugins with package managers is because I don't care for package management very much at all. So I'm definitely biased, and I'll admit I had to stretch a bit to come up with reasons that it's not a good idea. (Logic alone, I still don't think it's the best approach, but it's probably a good and valid one.) System-wide updates is a concept that I love though.

Re:Still can't uninstall?

[SanityInAnarchy]

I suppose this is linked with my reluctance to think of plugins as programs that use their parent application as a dependency. The interaction is fundamentally different since plugins don't merely use their parent application, they modify how it works. E.g. ad-block doesn't do anything on its own but instead modifies how Firefox works.

But the same can be said of many programs, and of things which package management has historically handled -- for instance, Apache modules.

PHP sticks out since you have to modify your config file to include modules.

I believe Debian does this with a post-install script now...

But I'm also not sure it would be terribly difficult for PHP to be configured to slurp a directory of config files, and then to have each module install its own config file in that directory, similar to the way /etc/apt/sources.list.d works.

There are also issues when you have multiple installations of the same application (package management isn't too amenable to this in the first place).

Good package management allows it.

On the other hand, good software wouldn't require it, under most circumstances -- if the goal is to have separate configurations and customizations to the app, good apps can have this done through configuration.

On Windows I have 10/18 programs that have an uninstaller listed in the start menu.

Some programs have both that and an uninstaller in add/remove programs, both of which ultimately do the same thing.

Flash and Java are actually several plugins (IE, Firefox, Opera),

Really? The last I checked, there was a separate Flash installer for Firefox and other browsers which implement the NS Plugin API. The ActiveX Flash, that is, the Flash used by IE, was a separate program.

I suppose part of my resistance to the idea of managing plugins with package managers is because I don't care for package management very much at all.

That's another discussion, though.

And I am very much a fan of package management, though I think there is a lot of room for improvement. I'd be curious to hear a criticism of package management which couldn't be answered by either a feature that you don't know exists, or a new feature that we all really should implement yesterday.

System-wide updates is a concept that I love though.

I'd be curious how system-wide updates could be accomplished without a package manager. Indeed, both Apple's Software Update and Microsoft Update look very much like crippled package managers -- crippled in that they will only manage Apple and Microsoft software, respectively.

Re:Still can't uninstall?

[CNeb96]

Interesting ... Actually I didn't forget the rest - it was added since I submitted my post. But at further inspection it was and still is in a section called "Obsolete Property Reference" so it sounds as if it is clarification of Mozilla's plans not necessarily a change.

Thank you for noticing, otherwise I would have missed it.

Re:Still can't uninstall?

[izomiac]

But the same can be said of many programs, and of things which package management has historically handled -- for instance, Apache modules.

Package managers can certainly handle some plugins, but IMHO it's different enough to make this a very liberal interpretation of the Unix philosophy.

I believe Debian does this with a post-install script now...

That's getting fairly close to each program requiring an installer, and turning the package manager into a download manager. It can be done obviously, but you start losing the benefits of package management over installers/uninstallers.

On the other hand, good software wouldn't require it, under most circumstances -- if the goal is to have separate configurations and customizations to the app, good apps can have this done through configuration.

I was more referring to having multiple versions installed. There are also times that it's beneficial to install multiple times so permissions can be set differently. (That's kinda a hack.)

Some programs have both that and an uninstaller in add/remove programs, both of which ultimately do the same thing.

Same thing, yes, but it's still the default approach of users to check the start menu first.

Really? The last I checked, there was a separate Flash installer for Firefox and other browsers which implement the NS Plugin API. The ActiveX Flash, that is, the Flash used by IE, was a separate program.

You got me there, I forgot flash did that. Java acts the other way though (IIRC, I don't have it installed right now so I can't check). So does the Microsoft Office plugin, and Adobe's PDF viewer plugin.

I'd be curious to hear a criticism of package management which couldn't be answered by either a feature that you don't know exists, or a new feature that we all really should implement yesterday.

On an emotional level, I've never used one that hasn't given me problems. I've learned to tolerate ipkg, opkg, and portage, but I still have to do a lot of extra work due to them misbehaving at times. Logically, I don't like the centralization of application control, the lag between application release and inclusion in the package database, and the arguable disadvantages of having software modified by a third party,

I'd be curious how system-wide updates could be accomplished without a package manager.

I try not to toss out the baby with the bathwater. Program updates and removal are amenable to package management, but I would prefer if installation was handled via other means.

Re:Still can't uninstall?

[daveime]

What a nonsensical thing to say.

I suppose you said the same thing about the JRE, or shockwave flash when it was first being deployed ? Any third party tool that extends the capabilities of the web browser needs to be deployed before it can be used (and hence become popular).

No, but hell, that's not MS, so nothing to bash right ?

Re:Still can't uninstall?

[Jimmy_Slimmy]

The point is, choice. They can make it available, but let me take it out. And do not sneak it in.

Doesn't this seem reasonable?

I think their support is fine. The strong-arming, I can do without.

Re:Still can't uninstall?

[Scoth]

One solution would be a Load/Don't Load list that's kept on a per-user basis that determines whether a plugin is loaded or not. This could have security implementations though, in a case where a non-admin user has a enterprise-configured Firefox installation with perhaps a proprietary plugin installed for something important that shouldn't be disabled for whatever reason.

Re:Still can't uninstall?

[Scoth]

You'd be amused at how many non-techy people I've run into with Linux netbooks and the like that still refer to them as "DOS Windows"

Re:Still can't uninstall?

[SanityInAnarchy]

That's getting fairly close to each program requiring an installer, and turning the package manager into a download manager. It can be done obviously, but you start losing the benefits of package management over installers/uninstallers.

You lose a few, but not a lot. For example:

• All packages can still be signed by a trusted source. The plugin manager has to duplicate both the mechanism and the work of managing that web of trust.
• Automatic updates.
• Full-system updates.
• Dependency tracking. One plugin can depend on another, for instance.
• Reverse-dependency tracking. When a library is no longer used by any programs you actually requested, it is removed.
• Scriptable setup. With a copy of /etc and a list of packages, I can rebuild (or duplicate) a system from scratch. There are better solutions (puppet, cfengine, etc), but the good ones end up wrapping package managers at least for the setup stage.
• Downloading and unpacking files.
• Gracefully starting and restarting services as they are installed, or stopping them when they're uninstalled. For example, when I want to ssh into my laptop, I install openssh-server. When I'm done, I uninstall it.

That's just what I can remember off the top of my head -- and none of these are hurt by well-behaved install scripts. Some of them are actually helped by shared install scripts -- for instance, whenever I install any kernels or kernel modules, the module dependencies are run, an initrd is regenerated, and grub is updated. That's a lot of logic that I don't want to put into each individual package.

Now of course, the right solution here is to fix PHP, not the package manager. Can you come up with a plugin system which would be better implemented as anything more complex than either a single file or a dedicated subdirectory in a predictable place?

I was more referring to having multiple versions installed. There are also times that it's beneficial to install multiple times so permissions can be set differently. (That's kinda a hack.)

I think in that case it is.

I think it sometimes isn't -- for instance, it can sometimes be beneficial to have an old version and a new version of a program available, and it's something I wish package managers handled better. They do handle it, just not as well as they could.

Same thing, yes, but it's still the default approach of users to check the start menu first.

Except for users in the know, who check add/remove programs first.

On an emotional level, I've never used one that hasn't given me problems.

It's a fair criticism, but I've also never had problems with Debian packages, and now under Ubuntu. I had a lot of problems with Portage, to where I got to know it extremely well -- at which point, I appreciated it, even when I was building my own packages...

But that's a criticism of a buggy implementation, not of the idea itself.

Logically, I don't like the centralization of application control,

I do, so I have to ask, why not?

the lag between application release and inclusion in the package database, and the arguable disadvantages of having software modified by a third party,

That's a criticism of the distribution and the repository, not of package management itself.

And I would argue that there are advantages to this. Part of it is when application developers, deliberately or otherwise, shun the conventions of a system -- for instance, when I downloaded Gish, it was an entirely self-contained folder. Your CD key, savegames, high scores, and configuration all lived in the same place as the program executables, libraries, assets, and media.

Which meant that realistically, the only place it could be installed is /home -- and it means it's probably not going to behave very well on Wi

Re:Still can't uninstall?

[Thinboy00]

What a nonsensical thing to say.

I suppose you said the same thing about the JRE, or shockwave flash when it was first being deployed ? Any third party tool that extends the capabilities of the web browser needs to be deployed before it can be used (and hence become popular).

No, but hell, that's not MS, so nothing to bash right ?

Back when I used Windows, I installed Firefox because I was tired of all the insecure crap that MS loads IE with (e.g. ActiveX). To have MS go behind my back and load Firefox with same is completely different from JRE, Flash, etc., which I chose to install.

Re:Still can't uninstall?

[izomiac]

A very impressive list of benefits, which verifies that the idea certainly has merit. The primary reason for not doing so that I can think of would lie in script incompatibilities. If something about the underlying OS changes in an update, the scripts may need to be updated. Likewise, if the parent application or plugin changes then you could quite possibly need to maintain scripts for the new plugin version installing to an old parent, vice versa, old to old, and new to new. The number of scripts needed expands with each plugin API change as a factorial. Such a system is workable if plugin API changes are rare (as they are AFAIK), but it can very quickly become impractical given the way it expands.

Fixing applications so plugin systems are consistent would definitely work. It should probably be done anyway. But I'm doubtful programmers will all break plugin compatibility for that reason. And even if they did, there's still the issue of legacy applications.

Can you come up with a plugin system which would be better implemented as anything more complex than either a single file or a dedicated subdirectory in a predictable place?

Easily, but it would be contrived since I haven't seen them in the wild. I suppose I once wrote an extremely modular chatbot that was designed to be fairly autonomous and remotely upgradable. Therefore, it installed, uninstalled, and hotswapped plugins as it ran. Each had mandatory settings (e.g. security level) and as such had to be mentioned in the config file. The thing is, settings were only loaded at launch, and kept internally afterwards, so a shutdown would be necessary for an external package manager to change anything. This would be undesirable given the nature of the program. But that's something I wrote for my personal use and never released, so I probably had a little too much fun when I designed that system.

Except for users in the know, who check add/remove programs first.

Users in the know simply delete the virtual filesystem layer they installed the application in. =P Using the start menu is usually faster than Add/Remove Programs though since it involves less scrolling and you don't have to wait for the list to be populated. Even more so now that Microsoft changed that applet's name to "Programs and Features" so it appears in the middle of the control panel rather than the top.

But that's a criticism of a buggy implementation, not of the idea itself.

Quite true, though I figure that it must be a very difficult problem given how many times I've seen it done poorly.

Logically, I don't like the centralization of application control,

I do, so I have to ask, why not?

Practical reasons: I've seen too many repositories, download sites, and the like come and go to want to rely on them indefinitely. I suppose I could create my own repository but that just complicated my life. There's also instances of when the repository might be bandwidth limited around the release of a popular program, which is also frustrating. Philosophical reason: It takes power away from the user. As a user I should be free to install whatever I want to with minimal difficulty, which would imply consistency in installation.

That's a criticism of the distribution and the repository, not of package management itself.

The lag is a fundamental part of introducing a third party to the interaction. Even if you had an obsessive package maintainer that did nothing but package stuff at 4:03 am with a 5 minute turn-around time, it's still a delay.

That's the kind of thing that it's nice for a package manager to fix.

I think that's something for the application developer to fix. If an application is misbehaving a better option is to not use it and let free market forces/natural selection take place. There is a place for this kind

Re:Still can't uninstall?

[Thinboy00]

In regedit you have to "use a bit of common sense" (in other words, you have to know what the fuck you're doing). Since the PM I was talking about is a GNOME app, you don't need "common sense" to use it (i.e. it can be used by grandma who's never^H^H^H rarely seen a computer in her life)

Re:Still can't uninstall?

[SanityInAnarchy]

If something about the underlying OS changes in an update, the scripts may need to be updated.

This is also true for the app itself. The difference is, these scripts are usually managed by the distro.

Likewise, if the parent application or plugin changes then you could quite possibly need to maintain scripts for the new plugin version installing to an old parent, vice versa, old to old, and new to new.

Or you simply decide that once you update the parent application in your distro, new versions of this plugin will only work with the new parent application. So you only need "old-to-new", and that's only if the plugins remain binary-compatible.

Fixing applications so plugin systems are consistent would definitely work. It should probably be done anyway. But I'm doubtful programmers will all break plugin compatibility for that reason.

Most applications are already consistent, and the few which aren't are also not that far off. You mentioned PHP -- it really would not be difficult to make this consistent and preserve compatibility.

I suppose I once wrote an extremely modular chatbot that was designed to be fairly autonomous and remotely upgradable. Therefore, it installed, uninstalled, and hotswapped plugins as it ran. Each had mandatory settings (e.g. security level) and as such had to be mentioned in the config file. The thing is, settings were only loaded at launch, and kept internally afterwards, so a shutdown would be necessary for an external package manager to change anything.

A few incremental changes:

First, change your app so that rather than reading only one config file, it is capable of loading a config directory. This could be as simple as adding a config directive to the master config file that says "Load this directory."

Next, add a sub-config-file to each plugin. Not terribly difficult to maintain -- they probably already have examples in their README, at least.

Next, add metadata to each plugin to restart the chat server on install. Even if your package manager forces you to script it manually, it's pretty much an "/etc/init.d/mychatapp restart".

I believe this is more or less how Debian manages Apache plugins.

a shutdown would be necessary for an external package manager to change anything. This would be undesirable given the nature of the program

So how would you normally load a new plugin without shutting down?

I've seen too many repositories, download sites, and the like come and go to want to rely on them indefinitely.

Ah, so it's the centralization of download, which isn't necessary for package management, though it's usually how it's done.

And you could also look at which ones have been around the longest to get an idea of which ones are likely to continue to be around.

The lag is a fundamental part of introducing a third party to the interaction. Even if you had an obsessive package maintainer that did nothing but package stuff at 4:03 am with a 5 minute turn-around time, it's still a delay.

I've seen Gentoo add packages within hours. I can live with that, since I certainly am not doing nothing but checking for updates at 4:03 am every 5 minutes.

And again, third-party repositories can remove even this lag.

I think that's something for the application developer to fix. If an application is misbehaving a better option is to not use it and let free market forces/natural selection take place.

Perhaps, but remember that this isn't strictly natural selection -- unlike the real world, we are designing and developing these programs intelligently.

So, for example, if a program is set up really weirdly, and Ubuntu fixes it to match FHS, and the developer has more Ubuntu users than other users, the program might actually be fixed, not simply replaced. If a

Re:Still can't uninstall?

[izomiac]

Or you simply decide that once you update the parent application in your distro, new versions of this plugin will only work with the new parent application.

This is arbitrarily limiting compatibility though. And with less compatibility between versions there's a greater risk of incompatible combinations.

So how would you normally load a new plugin without shutting down?

It was written in perl, and essentially did its own package management. Basically it'd download plugins, ask the remote user about permissions, add those permissions to the global settings hash, execute the new plugin within the same process, push back the new plugin object in the plugins array, and call a plugin subroutine to start initial configuration. This method was somewhat necessary since restarts in quick succession (e.g. installing multiple plugins) would get the bot temporarily banned from IM servers, rendering it incommunicado.

I've seen Gentoo add packages within hours.

IIRC Firefox version 3.5 basically never got added. It was hardmasked so long the next version came out.

The advantage of doing it that way is that the distro is at least a central place where you can be sure that one stable release of an app cooperates with another stable release.

IMHO, this is a bug and should be fixed rather than mitigated with package management.

I'm more often a point release away than a compile-time option away, which means I usually only have to wait for the next OS release.

My "favorite" example of this was with Privoxy on OpenWRT. Basically, OpenWRT was lagging years behind Privoxy releases, and didn't enable gzip compression until recently. The problem is that Privoxy can't filter gzipped HTML pages without that option. So the choice was basically disable HTML compression (ten fold longer page load times), or not filter them (thus defeating the point of using Privoxy on 99% of the internet). I waited on this feature for probably two or three years, and attributed the wait to the package maintainer not realizing the importance of the feature.

Your ideas on implementation of a better package manager sound solid. The devil, of course, is in the details, but I see no obvious problems.

How many users do you see with desktops filled with installer exes?

Plenty, but eventually they learn to delete them. Or at least some do and I try to be optimistic in saying that the rest are in the process of learning.

If a package manager makes things harder

Not necessarily harder, but more in line with the Einstein quote you mentioned. IMHO learning is impossible unless you have at least a rough idea of what is going on. Application installation obviously isn't a trivial operation, so if the package manager makes it seem that way then it's too dumbed down. It's fine if stuff is easy, but it needs to be accurate and complete. E.g. having sane defaults is essential, having a plethora of niche options is poor design, and hiding options and major details from inexperienced users keeps them that way.

Re:Still can't uninstall?

[SanityInAnarchy]

This is arbitrarily limiting compatibility though. And with less compatibility between versions there's a greater risk of incompatible combinations.

It's also guaranteeing compatibility where it makes sense -- old versions of the plugin may work with new versions of the app. But new plugins for the new app shouldn't necessarily be forced to be backwards-compatible.

restarts in quick succession (e.g. installing multiple plugins) would get the bot temporarily banned from IM servers, rendering it incommunicado.

Or you provide a list of plugins, and allow the restart only once all are successfully installed. Most package managers have the concept of a trigger that happens only after all current operations are finished -- or at least, all current operations with that trigger.

Reloading into the same process, though, could be easily accomplished with a package manager -- the traditional way would be to place the new plugin script where plugin scripts are expected, and then send a HUP signal to the bot, to tell it to scan its plugin directory and load (or reload) any new (or updated) plugins.

So, it doesn't save you much, but it does save you dependencies (somewhat) and downloading. And if it was something like Rubygems, it'd actually save you those dependencies.

The advantage of doing it that way is that the distro is at least a central place where you can be sure that one stable release of an app cooperates with another stable release.

IMHO, this is a bug and should be fixed rather than mitigated with package management.

I would say it's not either-or. It is a bug, and should be fixed. But distros can at least prevent end-users from ever seeing this bug, and the easiest way to do that is to freeze packages.

It's similar, by the way, to software releases in the first place. A few programs only maintain a public SVN repository (or something similar), and do no releases. Most programs try to do releases, and the way it usually works is, you call a feature freeze, and from that point on, you may only fix bugs, not introduce features, until it's reasonably bug-free. Then you release it, and only release bugfixes for that version until the next version is completely ready.

The only real difference is that distros can treat the entire distro as a single piece of software, in that respect, much as Microsoft treats Windows as a single piece of software.

My "favorite" example of this was with Privoxy on OpenWRT. Basically, OpenWRT was lagging years behind Privoxy releases, and didn't enable gzip compression until recently.

In this case, I'd hope that someone would release a new privoxy for OpenWRT, with gzip enabled. If OpenWRT used a decent package manager, such a third-party version should be possible to integrate.

Your ideas on implementation of a better package manager sound solid. The devil, of course, is in the details, but I see no obvious problems.

I see a few.

First is performance. The initial implementation would probably build most of the OS on top of a FUSE filesystem. I don't think this would be a problem for me, personally, but many users would complain about performance. To be taken seriously, I'd have to implement the cache at least partly in kernel space.

Second is time. That is, I have none. I really want to do this right -- that is, I want to do it personally, and I want it to be done right. I don't even have time to half-ass it now.

IMHO learning is impossible unless you have at least a rough idea of what is going on. Application installation obviously isn't a trivial operation, so if the package manager makes it seem that way then it's too dumbed down.

That really depends on the application. Sometimes users have really profound insights that are born out of ignorance.

For example: There's the story of a gran

Re:Still can't uninstall?

[izomiac]

But new plugins for the new app shouldn't necessarily be forced to be backwards-compatible.

They shouldn't be forced into being incompatible either. =)

Or you provide a list of plugins, and allow the restart only once all are successfully installed.

Well, I was also using it for plugin development, so basically upgrades were minutes apart, but the bot needed to run each iteration of the updated code so it could be tested. A package manager sending a HUP signal would have worked. However, this requires applications to be written with that in mind, so it's not quite expandable to novel applications. OTOH, almost no application needs to reloading plugins without restarting, so I wouldn't worry too much about that limitation. This just happened to be an odd program.

I would say it's not either-or. It is a bug, and should be fixed.

Looks like we differ in opinion here. I'd see that as sacrificing future improvement for present convenience. If an application is broken, it's broken, and IMHO it'll waste an infinite amount of package maintainer's time to fix bugs with every release that the program author shouldn't be introducing in the first place. Not being able to use the application is inconvenient, but that should be enough to motive the author to improve the code quality, thus a net long-term benefit for a short term detriment.

If OpenWRT used a decent package manager, such a third-party version should be possible to integrate.

This lends itself to explanation using an imaginary Venn diagram. You have one circle representing OpenWRT users, and another representing Privoxy users. There's obviously considerable overlap. Next, within each circle is another, that represents the experienced users of each system. The experienced Privoxy users recognize that the lack of GZip support is a problem, and the experienced OpenWRT users know how to create such a package for OpenWRT. Unfortunately, these two circles have exceedingly little overlap, and the same, rare users are probably in similar situations for an abundance of applications. So there aren't enough of the mythical man-hours to actually fix these problems in a timely manner. IMHO that's one drawback of Linux's diversity; everyone might be working on the same problems, but they aren't really working together.

I don't think this would be a problem for me, personally, but many users would complain about performance.

I'd always figured package management was within the realm of desktop users, where a sub-percent performance difference would be absorbed within unrelated bottlenecks. Servers might be easier to administer using package management, but I'd suspect that causes more problems than it fixes. Example: "Oops, that last update killed the webserver plugin, and reverting isn't an option since the old version can't be installed with the newer versions of everything else present because the package maintainer didn't feel like maintaining the scripts necessary to do so."

Second is time. That is, I have none. I really want to do this right -- that is, I want to do it personally, and I want it to be done right. I don't even have time to half-ass it now.

Tell me about it... I've got like a dozen projects stalled since I chose to go into a field essentially unrelated to computing, and apparently they think free time is wasted time. (Although the dude that wrote free cell was in my profession, so it is possible...)

The point here is not that it's dumbed down, but that it's easier.

Easy is good, so long as it is abstracted in a way that's consistent with everything else. For example, interacting with files on a partition is easier than dealing with the hardware, and basically every application uses that system, so users learn useful conventions. OTOH, suppose three developers feel th

Re:Still can't uninstall?

[SanityInAnarchy]

A package manager sending a HUP signal would have worked. However, this requires applications to be written with that in mind, so it's not quite expandable to novel applications.

All it requires is that an application be written with some way to signal a reload/reconfigure without a restart, or just a graceful restart. It doesn't have to be specifically HUP.

And while it's clear that not all apps would support this, it's also clear that any app which would support this through its own plugin system -- yours supported downloading and then reloading that -- it shouldn't be too hard to adapt the app to allow external sources to signal a reload, and it's a useful feature in general.

Looks like we differ in opinion here. I'd see that as sacrificing future improvement for present convenience. If an application is broken, it's broken, and IMHO it'll waste an infinite amount of package maintainer's time to fix bugs with every release that the program author shouldn't be introducing in the first place.

I don't think that's what I was suggesting.

I'm saying the bug absolutely should be fixed upstream. But until it can be, if the package manager can fix it, that's a good thing.

And having fixed releases, with only security updates between them, is one easy way to avoid such problems from occurring, at least on end-users' systems.

The experienced Privoxy users recognize that the lack of GZip support is a problem, and the experienced OpenWRT users know how to create such a package for OpenWRT. Unfortunately, these two circles have exceedingly little overlap...

Ideally, creating a package should be easy. For example, if you know how to configure/make/install, you're most of the way to understanding how a Gentoo ebuild works. Rubygems are even easier.

I'd always figured package management was within the realm of desktop users, where a sub-percent performance difference would be absorbed within unrelated bottlenecks.

You'd think so, but desktop users do complain about Ubuntu daring to use so much Python, as it's slower than C.

Besides which, there are people with older systems, people trying to use the system for gaming, etc etc...

Believe it or not, this is actually easier to manage in most server environments, as you can horizontally scale them -- literally throw more hardware at the problem. You can do that with desktops, to an extent, but users will resent having to buy more hardware when they don't need to -- and I agree, why does ACT need a gig of RAM, for example?

Servers might be easier to administer using package management, but I'd suspect that causes more problems than it fixes. Example: "Oops, that last update killed the webserver plugin, and reverting isn't an option since the old version can't be installed with the newer versions of everything else present

A decent package manager should make it possible to roll back the entire last operation -- including the newer versions of everything else present. Not that I know how to do this, I'm just saying, it should be possible.

But there are a couple of other concerns here:

First, this doesn't happen often. In my experience running Linux servers, I almost never see a minor upgrade (a security patch) break anything. Major upgrades sometimes do, but then, I'm ready for those (proper backups ahead of time), and by "sometimes", I mean "about as often as I've seen a Linux server crash," which is very close to "never."

Second, a package manager can theoretically deal with this better than a pure sysadmin can. Even disregarding the "roll back that last thing I did" feature, I should be able to tell it to roll back to an older version of the webserver. It should then tell me about conflicts, and suggest ways to resolve them -- for instance, remove this plugin, or roll it back as well.

Doing that manually would be much more difficult.

Re:Still can't uninstall?

[izomiac]

I'm saying the bug absolutely should be fixed upstream. But until it can be, if the package manager can fix it, that's a good thing.

The way I see it, the probability of getting a bug fixed is a function of developer motivation. If users can't run the software then there's lots of motivation to fix the bug. If package maintainers are complaining then it's going to be a lot lower priority. The latter more closely resembles reality, and such bugs rarely get fixed so it doesn't seem like that really works.

But the biggest reason this isn't a problem is, if you've upgraded your server, and something broke -- especially if you don't have the option of rolling it back -- you're Doing It Wrong.

Absolutely true. But I figure the dude with a single linux server sitting in the corner of an office might be tempted to blindly upgrade everything. Servers, for security and performance reasons, should only run the absolutely essential software. That should be trivial to maintain with or without package management. Too much abstraction leakage might cause security or performance issues. OTOH, there is a place for easy-to-administer servers, minor performance differences just wouldn't be an issue though.

The flaw in this is that we're still talking about moving to a "traditional" system, ultimately.

You've honed in on the caveat that I didn't mention for fear of being overly verbose. This assumes that the new way doesn't become wide-spread. I suppose it's good to have confidence, but expecting future applications to emulate yours at the mere design stage is quite bold. OTOH, I suppose innovation requires tradition breaking, but one should keep as much skill crossover as possible.

I'm not advocating that users remain ignorant. I'm advocating that if we want to educate users, we should start by teaching them the things which are most important.

Users, for the most part, just want to get something done ASAP, and try to learn as little as they can get away with. I figure education can't be effectively front loaded, you need to teach it along the way. This method makes no differentiation between major or minor stuff. Actually, what's major and what's minor is entirely subjective and differs with each user.

What's more frightening is, you will probably find that every user uses exactly 27 permutations out of those 1024, but they each require a different 27, and there's no way you could cut it down without pissing someone off.

With that example, each user probably only uses about three permutations, and all the different users combined use the 27. Take h264 video encoding for example. There are a ton of options, and several different user requirements. You can change resolution, bitrate, CBR or VBR, and a great many more advance options. The thing is, every user wants the best video quality possible under their individual conditions. Virtually nobody wants a high resolution, low bitrate file, and if they do they are likely doing something wrong (e.g. assuming resolution is more important than bitrate for quality). H264 specifically gets around this with encoding profiles. L4.1 is what bluray is encoded at and is hardware acceleratable, L5 is only playable with beefy computers, and L1 - L3 are for lower spec mobile devices. It's the essence of abstraction. (A TCP stack, for example, removes one's option of sending any arbitrary waveform over an ethernet cable.)

Users who aren't curious shouldn't be punished by being forced to wade through confusing commandline output.

Well, by hiding things away with a click what you do is steepen the learning curve. Users can't do much with the default interface, but are overwhelmed by the advance one. IMHO the better, albeit more difficult, way is to give the user an idea of what's going on, but still be easier to use than whatever you're

Re:Still can't uninstall?

[SanityInAnarchy]

If users can't run the software then there's lots of motivation to fix the bug. If package maintainers are complaining then it's going to be a lot lower priority.

Unless package managers are complaining that they can't include the latest version because of a bug. Thus, users can only run older versions of that package, not newer ones. I'd hope that would be some motivation.

I figure the dude with a single linux server sitting in the corner of an office might be tempted to blindly upgrade everything.

That's true... on the other hand, if he did the opposite -- blindly not upgrade everything -- he'd leave himself wide open to security vulnerabilities.

And if he was forced to upgrade manually (without package management), he'd probably upgrade far less often, even when it was a critical security issue.

Servers, for security and performance reasons, should only run the absolutely essential software. That should be trivial to maintain with or without package management.

Even very small servers have over 300 packages installed. Even if I assume that a fair number of these aren't needed, and could be stripped out, it's still going to be over a hundred packages.

Trivial to maintain with package management. A bitch to check 100 different sites (or subscribe to 100 different mailing lists) without package management.

Too much abstraction leakage might cause security or performance issues.

Shouldn't cause many security issues, unless the issue is automatic updates, and those can be turned off.

And performance, well, if I've got the caching filesystem handled by the kernel, that should take care of the performance issues.

This assumes that the new way doesn't become wide-spread.

That is true, but the new way is becoming wide-spread -- and it's not my idea.

And I don't think we should hold back progress because of those growing pains.

Users, for the most part, just want to get something done ASAP, and try to learn as little as they can get away with. I figure education can't be effectively front loaded, you need to teach it along the way.

Still doesn't preclude teaching what's more important along the way.

Actually, what's major and what's minor is entirely subjective and differs with each user.

To an extent.

For example, if I'm unpacking an archive, or playing a movie, what codecs or decompression tool is used is completely beside the point. The point is understanding that this is a movie, or that this is an archive (and not a folder) if it's going to be unpacked...

Take h264 video encoding for example. There are a ton of options, and several different user requirements. You can change resolution, bitrate, CBR or VBR, and a great many more advance options. The thing is, every user wants the best video quality possible under their individual conditions.... H264 specifically gets around this with encoding profiles.

So, what would make sense is to have varying levels of complexity. First have it just pick something, then if the user digs deeper, they find profiles, and if they dig even deeper, they can tweak each setting by hand.

The ability to tweak each setting by hand shouldn't be removed, but users shouldn't be required to tweak these settings. This is essentially why the "more details" button exists.

Well, by hiding things away with a click what you do is steepen the learning curve.

On the contrary, I think it helps the learning curve. Immediately exposing users to all details leads to information overload, and the perception that this application is "hard".

Users can't do much with the default interface, but are overwhelmed by the advance one.

So add an intermediate interface.

But even if that

Re:Still can't uninstall?

[izomiac]

And if he was forced to upgrade manually (without package management), he'd probably upgrade far less often, even when it was a critical security issue.

That is self resolving. If he doesn't keep his box secure then he'll get burned and learn to not do that in the future. That strategy won't work for end users since they don't recognize the breach, and have admins to fix stuff for them, but it should work for admins.

Trivial to maintain with package management. A bitch to check 100 different sites (or subscribe to 100 different mailing lists) without package management.

And how many really should be updated without knowing anything about the update? I figure it'd be better practice to keep the daemons up to date, but don't modify the other software unless there's a really good reason.

To an extent.

For example, if I'm unpacking an archive, or playing a movie, what codecs or decompression tool is used is completely beside the point. The point is understanding that this is a movie, or that this is an archive (and not a folder) if it's going to be unpacked...

That's the thing, in all of those examples some users will almost immediately need to know more advanced details. Video codec choice matters since a) anyone can see differences in quality, b) storage space and download speed come into play, c) not all computers are configured to play all codecs, and d) with moderate quality (or higher) h264 hardware acceleration is essentially a requirement. Archive formats also matter for reason c and b to some extent. Basically, some users have to deal with these issues before they can use those formats, and there isn't a good way to get around some of them.

The ability to tweak each setting by hand shouldn't be removed, but users shouldn't be required to tweak these settings. This is essentially why the "more details" button exists.

That is unnecessarily difficult. It's rare for "advance" settings to need to be configured independently. By allowing that option you're forcing the user to learn about all of them in detail. It's the difference between "ok, I need this set to that, oh, here's something that fits my needs" and "ok, I need this set to that and WTF do I set the other 15 values to?".

On the contrary, I think it helps the learning curve. Immediately exposing users to all details leads to information overload, and the perception that this application is "hard".

Don't expose them to all details, but don't hide all the details either. If the user has to click "Advance Options" to do something then usually the "Easy" interface has done nothing to prepare them to work with the "Advance" interface. IMHO that's more of a lazy practice for when a programmer can't think of a way to make the underlying process any easier except for the most common (easy) case.

So add an intermediate interface.

But even if that is the choice, it's still better that users have the default interface, at least, than forcing users to see the advanced one, and thus driving them away.

An intermediate interface just divides one big problem into two smaller problems. That might work, but it's better to solve the problems entirely. The point is not to always show the advance interface, it's to integrate the options into the default one in a way that retains ease of use. It's harder to do, but it makes for better programs.

The problem is, if the butler generally is easier to use, users will use the butler, and not the tool.

True, although a stupid butler is a very dangerous thing. I'm surprised that the combination of (stupid) AI and programmer foresight is enough that this approach actually works most of the time.

Re:Still can't uninstall?

[SanityInAnarchy]

That is self resolving. If he doesn't keep his box secure then he'll get burned and learn to not do that in the future.

Except that his box may go insecure for a very long time, and even once it's compromised...

It also doesn't solve the problem where it's a lot more work to keep it secure. So it's a choice between being insecure, and having someone who works full-time on keeping the box up-to-date.

And how many really should be updated without knowing anything about the update?

If you've constrained it to security updates, I'd say, all of them. If you haven't, most should still be safe for minor version upgrades. The ones you really don't know anything about shouldn't hurt, or shouldn't be on your server in the first place.

An example of something that should always be safe to upgrade: tzinfo. Tell me why any sysadmin should waste more than a few seconds of brainpower on tracking tzinfo updates.

I figure it'd be better practice to keep the daemons up to date, but don't modify the other software unless there's a really good reason.

Even if you artificially restrict which things you'd like to keep updated, it still makes sense to have a tool to help you keep them up-to-date, rather that subscribing to dozens (or hundreds) of mailing lists.

That's the thing, in all of those examples some users will almost immediately need to know more advanced details. Video codec choice matters since a) anyone can see differences in quality, b) storage space and download speed come into play, c) not all computers are configured to play all codecs, and d) with moderate quality (or higher) h264 hardware acceleration is essentially a requirement.

Some users, yes.

Many users will throw their hands up, decide it's too complicated, and simply not use the software, if the word "codec" is mentioned at all. And these users have a point -- while it does affect them, you could probably make a sane default that'd make sense for 99% of what anyone wants to do.

That is unnecessarily difficult. It's rare for "advance" settings to need to be configured independently. By allowing that option you're forcing the user to learn about all of them in detail.

I don't see how.

If they see everything they need immediately, that's fine. If they click "advanced" or "more detail", they get another level. Especially if these are scoped to a given task, or section of the config -- for instance, a user who really does need to tweak codecs will probably look under things like "video quality", and click "more detail" until they see the option they need. A user who doesn't, shouldn't need to see more than the fact that the "video quality" tab exists.

The point is not to always show the advance interface, it's to integrate the options into the default one in a way that retains ease of use. It's harder to do, but it makes for better programs.

I'd argue it's not always possible.

Probably the canonical example would be MS Word. They've managed to emphasize what most users will need to do, and most users will show each other how to find the features they need. Go beyond that, though, and everything's just in a giant mess of menus.

Now, it's possible that they could come up with a way of organizing and integrating those features such that new users aren't intimidated by a ton of features, but if you need a given one, it's exactly where you expect it.

But try it. The sheer number of features alone makes that difficult or impossible.

Oh, and if you don't already know... there's a school of thought that there's an ideal number of interface elements you should put on the screen at once -- a certain number choices a user can actually process at once. It's something like 7. If you've got 50 or 100 features, how do you pack that into 7 choices? Seems to me, you have to subdivide it somehow.

Re:Still can't uninstall?

I'm probably going to have to break this discussion off soon

Sounds good so I'll try to be brief. It's been an enjoyable and enlightening discussion, albeit a little time consuming.

So it's a choice between being insecure, and having someone who works full-time on keeping the box up-to-date.

I'd say an inexperienced admin should stick with something that has a proven track record of security and keep a stable version that has had the security bugs mostly ironed out. But I'm not familiar enough with such software that I can say for sure that it generally remains unaffected by novel attacks. As for stuff like tzinfo, I figure everything but daemons (and other security sensitive software) can left to be updated with the OS.

I don't see how.

Because settings aren't configured in a vacuum, changing one will affect what the others ought to be. A semi-experienced user will know what one "advanced" setting should be, but not what the others should be set to, forcing them to either guess or learn about them. I suppose an application could intelligently alter default values when settings change, but I've never seen it done.

Probably the canonical example would be MS Word.

You're right, MS Word is irreducibly complex because it has so many features. This is a classic case of feature bloat and demonstrates why it is a bad thing. I'm sure Microsoft expends a lot of effort in working around the design limitations brought about by being everything for everyone. If a programmer runs into this situation I would postulate that he needs to decide what his program is meant to do, and omit the features it doesn't need. Or set to divide the large program into multiple smaller ones.

The trick is to find a balance, where the "butler" is able to teach the users, without actually seeming like it's teaching them, so that they're learning to use a tool.

I agree. It seems like our different approaches arrive at the same destination in this case.

Isn't this a good thing?

[BarMonger]

Now I'll admit that there are only a few posts above mine, but already they are generally negative. Which I don't get.
Isn't this a good thing?

Microsoft releases a couple of Firefox plug-ins.
A security vulnerability was discovered in the plug-ins.
Mozilla disables the plug-ins.
Microsoft and Mozilla has a talk about the the vulnerability and it appears that one of the plug-ins aren't vulnerable.
The plug-in is re-enabled.

As far as I can tell, this is the system working properly.

Re:Isn't this a good thing?

[lunatic1969]

The system isn't working perfectly. Mozilla is taking Microsoft's word that these plugins, which install in their software without notice, don't have any vulnerabilities and are working just fine. Microsoft's plugins should be required to behave as every other responsible plugin. It shouldn't install with stealth, there should be a way to easily disable, and there should be a way to easily uninstall.

Re:Isn't this a good thing?

[Culture20]

Now I'll admit that there are only a few posts above mine, but already they are generally negative. Which I don't get. Isn't this a good thing?

Microsoft releases a couple of Firefox plug-ins.
A security vulnerability was discovered in the plug-ins.
Mozilla disables the plug-ins.
Microsoft and Mozilla has a talk about the the vulnerability and it appears that one of the plug-ins aren't vulnerable.
The plug-in is re-enabled.

As far as I can tell, this is the system working properly.

I bolded two things I don't agree with. You skipped an important statement: Microsoft forcibly installed said plug-in, and prevented its removal.

Re:Isn't this a good thing?

[Nursie]

You forgot the part where MS installed the plugins directly into firefox, without asking (proper behaviour) and having circumvented the usual removal methods (crossing over into malicious behaviour here).

So no, there is something to complain about, it's MS messign with non-MS browsers against the user's wishes. Given that one of the main reasons people switch to FF is the insecurity of all the MS plugins in IE, this is a Bad Thing.

Re:Isn't this a good thing?

[tech10171968]

"The system isn't working perfectly. Mozilla is taking Microsoft's word that these plugins, which install in their software without notice, don't have any vulnerabilities and are working just fine. Microsoft's plugins should be required to behave as every other responsible plugin. It shouldn't install with stealth, there should be a way to easily disable, and there should be a way to easily uninstall."

That, plus you have to remember that this plugin was being installed without user's knowledge in the first place. Where I come from, anything which installs something on your machine without the knowledge or consent of either the owner or the admin is generally considered a Bad Thing (tm). It would have been nice for Microsoft to have been upfront about installing the plug-in in the first place, and the security hole was a glaring example of why.

Re:Isn't this a good thing?

[BarMonger]

Mozilla is taking Microsoft's word that these plugins, which install in their software without notice, don't have any vulnerabilities and are working just fine.

Just like every other plugin on the market. Apparently the .Net plug-in isn't vulnerable, the WPF one is.
I know we like to bash Microsoft here, but the plug-in safety process (in FF) seems to work fine.
How do you know that there aren't unknown vulnerabilities in another plug-in somewhere?

Microsoft's plugins should be required to behave as every other responsible plugin. It shouldn't install with stealth, there should be a way to easily disable, and there should be a way to easily uninstall.

You disable it by going to Tools > Add-ons > .Net plugin -> click either 'Disable' or 'Uninstall'
I works fine for me, I just uninstalled the plugin.

And Microsoft aren't the only ones who install by stealth. I don't remember installing Nokias 'PC Sync2 synchronisation' extension. It just installed itself with some other software.

Re:Isn't this a good thing?

[plague3106]

Mozilla is taking Microsoft's word that these plugins don't have any vulnerabilities and are working just fine.

How exactly is that different from any other plugin?

Microsoft's plugins should be required to behave as every other responsible plugin.

Isn't it the way FF handles plugins the reason it can't be uninstalled? It sounds like a globally installed extension, and if that behavior is a problem, why does FF allow for such extensions to begin with?

Re:Isn't this a good thing?

[plague3106]

That, plus you have to remember that this plugin was being installed without user's knowledge in the first place.

You mean just like dozens of other plugins?

Re:Isn't this a good thing?

[beemishboy]

I think the post-process is a good thing - dialog. The better thing would be for Microsoft to have gone to Mozilla to find out how plugins should work and not produce a hackish way of installing plugins that are a terrible user and security experience.

It gives Microsoft a black eye when they do stuff like this - to me it perpetuates their arrogant image.

Re:Isn't this a good thing?

Microsoft's plugins should be required to behave as every other responsible plugin. It shouldn't install with stealth, there should be a way to easily disable, and there should be a way to easily uninstall.

Microsoft's plugins do behave like every other responsible plugin. They all install with stealth, and none of them can be uninstalled from within Firefox.

The plugin system, which is different from the add-on system, works like this: you put your plugin files in the plugin directory, and the next time Firefox starts, the new functionality is just magically there and cannot be uninstalled from Firefox, although it can be disabled.

If you don't like that system, let the Mozilla team know.

Re:Isn't this a good thing?

[Rary]

Microsoft forcibly installed said plug-in, and prevented its removal.

The first statement is debatable, since the plugin is a part of the .NET Framework, and people can choose not to install the .NET Framework — although I realize newer versions of Windows have it preinstalled, so there's less of a choice there, which is why I say it's debatable.

However, the second statement is just wrong. It's not Microsoft who prevented removal of the plugin, it's Mozilla. Firefox does not provide a mechanism for removing any plugins.

Re:Isn't this a good thing?

[socsoc]

So does Sun and Adobe.

Re:Isn't this a good thing?

[Rary]

That, plus you have to remember that this plugin was being installed without user's knowledge in the first place.

Unfortunately, that's how plugins work. I just checked, and the install of Firefox that I'm using right now has 8 plugins in it. I expected two of them (Quicktime and Flash). All the rest just came along as part of something else.

That's how the Firefox plugin system works. It would be nice if Firefox provided a message to the user saying "I've detected a new plugin", but it doesn't. That's something to complain to Mozilla about, not Microsoft.

Re:Isn't this a good thing?

So just because Nokia did it first means it's ok? The reason this is getting news is because this happened to -everyone- running Windows and Firefox. The news hit critical mass and now we're figuring out how to make the system work better.

It's like Sony's rootkit. They weren't the first, but it took something that wide-spread to make an impact. Unfortunately in that case it was the Malware writers who took over the rootkit idea first, and then came the rootkit scanners. In this case we're all hoping the problem gets fixed before Malware writers get a hold of the idea of stealth installing plugins!

Re:Isn't this a good thing?

[mcgrew]

And Microsoft aren't the only ones who install by stealth.

Bonnie and Clyde weren't the only ones to rob banks, either. So does that mak bank robbery OK? The former head of NASDAQ ran a Ponsi scheme for decades, does that make fraud ok? Personally, if I find a vendor doing any kind of stealth installation, I no longer use that vendor's wares. That's why I no longer buy anything with Sony's name on it, and why I'm running Linux at home. As well as why I won't deal with a host of other vendors.

Too bad there are seven billion people on the planet, that allows vendors to completeley dismiss intelligent potential customers. It's sad.

Re:Isn't this a good thing?

[natehoy]

Obviously, they meant "release" in the Klingon/rabid dog sense, as in "Release the Hounds!".

Not "release" in the software sense as in "publish the software and let people know it's available for download or sale."

Oh, and another thing that was missed, and I feel is important: Microsoft assumed that I wanted the .NET experience within Firefox and installed it without asking or even telling me about it.

If, during Windows Update, Microsoft had made "Mozilla Firefox Plugin for (Microsoft Service here)" a Recommended or even Critical update, I'd have applauded them for making an effort to make (Microsoft Service here) available in a wider range of browsers. I also would have had a checkbox to say "Ignore this update" and my Firefox would (a) not function on sites that require that specific service, and (b) not been vulnerable to security holes within that service.

I don't WANT Firefox to support Microsoft services. That's precisely why I run it and recommend its use to others. If you have a quirky site that needs to run a Microsoft-specific service, for God's sake open that site in Internet Explorer and don't expose Firefox to that vulnerability while accessing the other 99.999% of the Internet.

I'd be willing to give Microsoft the benefit of doubt here. Microsoft thought they were doing good by "extending" Firefox to support Microsoft-specific extensions. Except they ruined that benefit of doubt when they decided that they would decide how Firefox would operate in Windows with no user knowledge or consent.

Re:Isn't this a good thing?

[VGPowerlord]

The reason this is getting news is because this happened to -everyone- running Windows and Firefox.

Does it? I was under the impression that, unless you had installed a program that installed this plugin (which includes Visual Studio 2008 SP1), you wouldn't have it installed.

Re:Isn't this a good thing?

[natehoy]

It's also debatable because .NET is a required component to run certain software, like the control panel for some video cards, a lot of freeware/shareware, and many Microsoft software packages. I'm perfectly fine having .NET out there to run software packages I've specifically installed. I was not informed that .NET would be adding stuff to my Firefox install, and I was never given an option not to.

I do have a problem with Microsoft assuming (without asking me) that I also want to enable non-Microsoft software packages to use their services, and installing plugins for same.

I installed .NET because certain Microsoft software requires it. I don't give a rat's ass if Firefox supports Microsoft-specific standards for web sites, because I have IE to load those web sites.

Re:Isn't this a good thing?

[natehoy]

Except Java and Acrobat ask me if I want to install Firefox plugins during install. Microsoft didn't.

Re:Isn't this a good thing?

[petermgreen]

In this case we're all hoping the problem gets fixed before Malware writers get a hold of the idea of stealth installing plugins!
I was under the impression that they already had got that idea and that was a large part of the reason the blacklist system was present in the first place.

Re:Isn't this a good thing?

[natehoy]

Dang, you're right. I just went in again, and got the following that I expected or wasn't surprised too much by:

  - Java (expected, Java asked me during install, I said YES).
  - Shockwave Flash (expected, I installed Flash and it asked me if I wanted the Firefox plugin and I said YES.
  - Virtual Earth 3D plugin (expected, I installed Virtual Earth and it asked what browsers I wanted support in).
  - Microsoft Office 2003 (Benefit of doubt, this is a corporate install and maybe my company said YES by default for Office 2003).

The following were clearly unauthorized (and have now been disabled):
  - Google Update / Google Updater (unexpected, I do have Google Earth but I didn't expect a Google plugin).
  - Microsoft DRM (DRM Netscape Network Object)
  - Microsoft DRM (DRM Store Netscape Plugin)
  - Windows Media Player Plug-in Dynamic Link Library

So for those keeping score at home on unauthorized plugins - that's Google 2, Microsoft 3, all other companies zero so far in my very scientific test of a single computer. ;)

Re:Isn't this a good thing?

They do? With all the computers that I admin, I shoulda seen that. Guess I need to spend less time at the pub.

Re:Isn't this a good thing?

[shutdown+-p+now]

Except Java and Acrobat ask me if I want to install Firefox plugins during install.

Except they do not.

In fact, Java, at least, also does a system-wide plugin install, meaning that it cannot be uninstalled from Firefox extension manager; not sure about Adobe Reader, but I think it does that too.

Re:Isn't this a good thing?

its greyed out you idiot -- and if it doesnt, it just reinstalls the next time you start up firefox. Did you recheck your plthe whole point is that you CANT DO WHAT YOU JUST SAID YOU DID you BLATHERING NUMBSKULL. did you recheck your plugins after "uninstalling" ? no ? GO DO THAT.

Re:Isn't this a good thing?

[daveime]

Then why is it so hard to simply REMOVE the files from the plugin directory and next time Firefox starts, he DOESN'T detect them anymore ?

What am I missing here ?

Re:Isn't this a good thing?

[Youngbull]

I don't think that is true for all platforms at least. Way back (almost last year) I couldn't turn off some plug-ins in Firefox on a Linux desktop. However last time I checked, they could all be "turned off" (whatever that means... I guess disable.) Since Firefox loads these plug-ins, I guess it can choose not to load it.
In my opinion Mozilla needs to clear things up in their handling of add-ons. No add-ons should be hidden, The users should be notified of new plug-ins (seriously there couldn't be that many, so it shouldn't become annoying), and there should be an option to disable them all. Then there is no way of unintrusively hijacking the browser.

Re:Isn't this a good thing?

[albedoa]

The people above me already said it, but I just have to express my complete dumbfoundedness that you used the logic "Nokia did it, ergo it is okay that Microsoft does it". Which developmental stages did you miss?

Re:Isn't this a good thing?

[Rary]

I don't think that is true for all platforms at least. Way back (almost last year) I couldn't turn off some plug-ins in Firefox on a Linux desktop. However last time I checked, they could all be "turned off" (whatever that means... I guess disable.)

Yes, plugins can be disabled from within Firefox. But they can't be removed.

I'd like to add that this is a good thing. The plugin mechanism is useful, and for it be effective it really must work the way they've designed it. However, it would be much better if the user was warned of new plugins and given the choice to enable/disable at that time.

Re:Isn't this a good thing?

[Korin43]

Mozilla isn't taking their word for it, YOU are taking Microsoft's word for it by installing the program. And before you say "but I didn't want to install it, it was installed by automatic updates", then why are you using Windows if you don't trust Microsoft?

Re:Isn't this a good thing?

[nschubach]

As far as I'm aware though, Java's installer is a user initiated task and not automatically installed. They also (the last time I checked) offer you the ability to select which plug-ins you'd like installed.

Re:Isn't this a good thing?

The first statement is debatable, since the plugin is a part of the .NET Framework, and people can choose not to install the .NET Framework — although I realize newer versions of Windows have it preinstalled, so there's less of a choice there, which is why I say it's debatable.

So you're saying: if you don't trust Microsoft browser software, then its not sufficient just to use another browser, you should ditch Windows completely,

Re:Isn't this a good thing?

[Kalriath]

...They also (the last time I checked) offer you the ability to select which plug-ins you'd like installed...

...

No they don't.

Re:Isn't this a good thing?

[wvmarle]

When the system is working properly that doesn't mean it's a good thing. DRM comes to mind. If that works properly it's a bad thing because it prevents you from doing what you could technically do.

This whole issue is a form of DRM (=Digital Restrictions Management of course - nothing more, nothing less, no rights involved here, the DRM user is the victim and has no rights anymore). Big brother's Firefox Co. and Microsoft Co. decide what is good for the end-user, and force it upon them. MS with those plug-ins, FF with blocking and shortly after re-enabling them remotely.

When Sony prevents you to play some CD on your computer /. falls over each other condemning them. When FF blocks a plug-in that was installed legitimately and that people are actually using, that's OK. Or is that because the plug-in in question is from Microsoft? It's waiting for a serious bug in adblock plus or so, and have FF disable that one remotely too.

MS hand wave

[kaaposc]

Mozilla: Do you have any identification?
Microsoft: *waving hand* We do not need any identification.
Mozilla: You do not need any identification.

Re:MS hand wave

[impaledsunset]

As identifying as Microsoft should only remove credentials and reduce privileges, you shouldn't need to ID for this. You don't show your ID to prove that you're under 18 to get kicked out.

Re:MS hand wave

[buchner.johannes]

These are not the addons you're looking for

Re:MS hand wave

[TaoPhoenix]

I'll add notice of just how FAST this was!

(Other times: "Breaking News! Code Red Security Breach!" MS: "Yah, after my 2 week golf trip.")

But no, Firefox blocks some weird piece of .NET on a weekend, and it's reversed as soon as SomeBorg gets back to his desk at 6AM on Monday.

Re:MS hand wave

[rhendershot]

crap. you made me spill my beer! LOL

Why not click "Enable"?

nt

Re:Why not click "Enable"?

[LordKronos]

Would you be referring to the "Enable" button that is greyed out? Click on it as much as you like, but it's not doing anything.

Imagine if the situation were reversed

[drsmithy]

If Microsoft were to "block" Firefox from running due a security vulnerability it had, the sheer level of rage released from Slashdot would probably be enough to melt monitors on the other side of the world.

Re:Imagine if the situation were reversed

[Shadow+of+Eternity]

Because of course blocking a program the user chose to install is completely comparable to a program the user chose to install blocking a plugin they didn't choose to install or even knew had installed and was just as difficult to get rid of as most malware.

Re:Imagine if the situation were reversed

[Dunbal]

the sheer level of rage released from Slashdot would probably be enough to melt monitors on the other side of the world.

      You are probably the only person on slashdot NOT running linux. What rage? Microsoft can do what it wants with it's POS OS. In fact, it's perfectly legally entitled to. Enjoy your tax.

Re:Imagine if the situation were reversed

Virus scanners do it all the time

Re:Imagine if the situation were reversed

[noundi]

If Microsoft were to "block" Firefox from running due a security vulnerability it had, the sheer level of rage released from Slashdot would probably be enough to melt monitors on the other side of the world.

If you're going to draw parallels, at least learn to do it properly. If Mozilla would sneak in a plugin inside IE when you're doing something which you assume should not indulge in that behaviour, say e.g. updating Firefox, upon which Microsoft blocks this snuck piece of software, nobody in their right mind would say a thing. But yes, in your example, which is incorrect and irrelevant, people would -- and they would because they would be completely right in doing so, just like people are now with the .NET plugin which doesn't uninstall. Your kindergarden rhetorics won't work here drsmithy, if that is your real name.

Re:Imagine if the situation were reversed

[Culture20]

If Microsoft were to "block" Firefox from running due a security vulnerability

If Mozilla started installing Firefox onto my machine in a security update for Thunderbird (and prevented its uninstall), I'd welcome such a block, no matter how good Firefox is. I don't care if .NET Assistant will pick up my dry cleaning; I want it perma-blocked.

Re:Imagine if the situation were reversed

[BZ]

If Microsoft contacted the Mozilla folks first and the OKed said blocking?

I'd certainly hope people wouldn't be angry in that situation, but as you point out reason is hard to come by.

Re:Imagine if the situation were reversed

If Mozilla started installing Firefox onto my machine in a security update for Thunderbird

Why are you dragging Apple and Safari into this?

(Yes, yes, I know, it's no longer checked automatically in the Apple Updater if you installed iTunes or Quicktime, but it was a really stupid decision at the time, and those who forget the past are doomed to repeat it.)

Re:Imagine if the situation were reversed

kindergarden

Kindergarten is grade for small children. Kindergarden is a child porn series. How do I know? Because I am one.

Re:Imagine if the situation were reversed

kindergarden

Kindergarten is grade for small children. Kindergarden is a child porn series. How do I know? Because I am one.

I... don't understand. Are you saying you're a kindergarten, a kindergarden, or a child porn series? Honestly I'm very confused.

Depends on who you are

[Rogerborg]

If you're the default Free Tech Support Guy for a friends and family circle, and you've mandated Mozilla apps as a condition of said support, then you might get a bit tired of getting worried calls asking about their "internets popup point net problem".

Granted, that's pretty much what you signed up for, but it does worry Joe and Josephine User when their internets start acting up. Yes, Mozilla, I'm looking at you here.

Already?

[lordandmaker]

My firefox install has only just (about 20mins ago) popped up and told me it's disabled the add-on and would like to restart.

Why is that?

why? Is anyone using it?

Please, let the sitiation be reversed!

[argent]

If the situation was reversed? You mean if Microsoft blocked some obscure add-on or application that nobody knew about and was installed as a plug-in to Internet Explorer without my knowledge or approval? This isn't Firefox blocking IE or Windows Media Player, this is Firefox blocking something that most people have no idea exists, don't use, have no reason to care about, and never asked to have installed in the first place.

I wish Firefox would block more things like this. In fact I wish IE would block things like this. Every time I install or update Acrobat Reader I have to go through and physically remove the plugin components from the install to keep it from opening PDFs in my browser. When I check my Windows box at work and look at what's been installed in Firefox (and IE, and Windows Explorer, and...) I *always* find something new that I didn't ask to have installed, that sneaked in from some other package or program. I want an option in the Addins page in Firefox that lets me say "remove this now, and don't let it get installed again, ever."

Why is not Microsoft playing by the same rules?

[140Mandak262Jamuna]

Why would Microsoft submit its extension to Mozilla and follow the standard operating procedures as far as the dot net thingie is concerned? The user base and use cases for Mozilla/Firefox has always been, you get extensions from one authorized source. That is mozilla.org. If Microsoft wants an enabler they should just submit it to mozilla.org. Installing it in stealth mode is not expected from mozilla user base.

Further, why is Mozilla.org is allowing a mode where any Tom Dick or Harry can drop in a bunch of files in the install directory and suddenly all the users get the extension on by default? Since it is in the instal dir, individual users cant even disable them or uninstall them. The existence of such a mode itself is a big security hole. If IE has a hole and allows a drive by download of a file into Firefox install dir, boom, you get a vulnerability in Firefox. Already there are reports that installing an HP printer gives and unwanted, unasked for and unpermitted extension added to Firefox. Now every software you install is going to want to add a tool bar or an extension to Firefox.

I wish Firefox will just disallow such a way of installing extensions. The cardinal rule, as for as Firefox is concerned, is that the users rule. They control their browser, they decide which extensions are allowed, which scripts are allowed to run, which user agent string is sent out, whether or not to allow java, applet, or javascript or flash or silverlight or whatever. For corporate deployment, the Mozilla team might allow a script based instal on all machines in a corporate network using proper authentication procedures, like Corportate IT dept has local sysadmin privilege, so they come in and install an extension, and even disable its uninstall option, but that is all done outside the browser using the standard corporate deployment procedures. Allowing anyone to dump cruft in a particular folder and suddenly everybody gets the cruft is totally against the expectations of the standard mozilla firefox user.

Re:Why is not Microsoft playing by the same rules?

[Culture20]

why is Mozilla.org is allowing a mode where any Tom Dick or Harry can drop in a bunch of files in the install directory and suddenly all the users get the extension on by default? I wish Firefox will just disallow such a way of installing extensions.

I wish I had a pony. Mozilla can't prevent what the OS or other programs do with Firefox on your PC. Also, allowing a mode where a sysadmin can drop in a bunch of files in the install directory and suddenly all the users get the extension is a *good* thing for enterprise... usually.

Re:Why is not Microsoft playing by the same rules?

[LordKronos]

How exactly do you propose to stop a process from doing so when it is running outside the scope of firefox? Whatever files Firefox updates to indicate an extension has been installed can also be modified by an outside process. Want to make the file digitally signed? Well, Firefox has to get the signing key from somewhere, but then the other app could just go and get it from the same place. Want to move stuff like this off the local system and have it stored in some network repository...well, no, almost nobody is going to want this, but even if they did it wouldn't matter since the other app could just contact the repository pretending to be firefox.

You see, you run into the same problem you run into with any other sort of malware. The only way to stop it is to have a process loaded beforehand at a higher privilege level than it. That's what virus scanners do, but I don't think it's the sort of thing firefox should be doing (otherwise, why shouldn't every single application have it's own monitoring process to handle this sort of thing).

Re:Why is not Microsoft playing by the same rules?

[blue_goddess]

[...] but that is all done outside the browser using the standard corporate deployment procedures. Allowing anyone to dump cruft in a particular folder [...]

"corporate deployment procedures outside the browser" AFAIK _do_ involve dropping something somewhere and (optionally) messing with some sort of config, in this case the registry

Re:Why is not Microsoft playing by the same rules?

[Rary]

Why would Microsoft submit its extension to Mozilla and follow the standard operating procedures as far as the dot net thingie is concerned? The user base and use cases for Mozilla/Firefox has always been, you get extensions from one authorized source.

Extensions, yes. Plug-ins, no.

The Mozilla Team made a technical distinction between extensions and plug-ins for a reason. Extensions are, for the most part, centrally managed, while plug-ins are intended to be externally managed. The point of a plug-in is that it is installed and uninstalled by an external application (ie. not Firefox).

This is useful functionality, however it would be nice if Firefox would warn the user when it detects a new plug-in that wasn't there the last time Firefox was run.

Re:Why is not Microsoft playing by the same rules?

[VGPowerlord]

I have some problems with your post, namely how you keep using the term "extension" without clarifying whether you mean Extensions or Addons (which include Extensions and Plugins).

Plugins have always been managed by external programs, since back in the early Netscape days. Mozilla's plugin manager won't install a plugin for you, just tell you where to go to download it. And yes, there is a common directory for plugins.

To be honest, I'm not sure if there is for extensions or if the installer that installs the .NET Framework Assistant extension just installs it for every user.

Re:Why is not Microsoft playing by the same rules?

[Dr_Barnowl]

They could prevent unauthorized plugins and addons from running without a digital signature from a trusted key... but the the problem with that is that with the source available that would last all of a about 20 minutes before someone hacked that bit out and rebuilt the browser. It might even fork the project.

Re:Why is not Microsoft playing by the same rules?

[shutdown+-p+now]

How exactly do you propose to stop a process from doing so when it is running outside the scope of firefox? Whatever files Firefox updates to indicate an extension has been installed can also be modified by an outside process. Want to make the file digitally signed? Well, Firefox has to get the signing key from somewhere, but then the other app could just go and get it from the same place.

I have described how to implement this on Windows here. It's not entirely foolproof, but so far as I can see, short of patching the Firefox binary directly, there's no way around it.

Re:Why is not Microsoft playing by the same rules?

[Tim+C]

You do realise that a number of other apps do exactly the same thing, don't you? On my work PC (that I'm sat at right now) I see plugins installed for Java, Quicktime, Adobe Reader, iTunes, etc, none of which I remember explicitly choosing to install, none of which came from Mozilla's add-ons site (because they're plugins, not add-ons!)

The cardinal rule, as for as Firefox is concerned, is that the users rule.

The fact that Mozilla has remotely disabled a plugin (the WPF one) on my browser without asking my permission or giving me a simple way to re-enable it would seem to contradict this statement.

Re:Why is not Microsoft playing by the same rules?

So if someone wants to write their own extension, firefox will tell them "fuck you, you are trying to install it not from mozilla.org!". You have absolutely NO IDEA what you are talking about.

Yes, individual users should be able to disable ANY plugin, but that has nothing to do with what you are talking about. If you can't disable a plugin, that's the fault of Firefox, not the plugin. If you think plugins need some central overlord source, then you are fucked in the head.

Re:Why is not Microsoft playing by the same rules?

The cardinal rule, as for as Firefox is concerned, is that the users rule.

You've got to be kidding - see Edward Lee as one example of a FF dev who tells users to bend over and enjoy it.

Re:Why is not Microsoft playing by the same rules?

[FrankieBaby1986]

isn't this the kind of thing app armour does? I don't personally use it, but i thought there were filesystem permissions to allow deny certain users or processes from accessing and modifying files as well. Oh wait. This is windows we're talking about.

There is also, of course, the possibility of windows update running as root and getting to put files anywhere it wants anyway. But at least this would be obvious misbehavior. Perhaps MS needs to rethink application security.

.NET comes preinstalled

[tepples]

If you don't like this plug-in, don't install .Net. It's part of that package.

If you don't like .NET Framework. don't install recent versions of Windows. It's part of that package.

If you don't like recent versions of Windows, don't buy a national-brand PC. It's part of that package.

Re:.NET comes preinstalled

[Malc]

What, you're not like all the other /.ers who are using XP or Windows 2000?

Seriously though, this thing is being blown out of proportion. /.ers are in a minority. Firefox is a main stream browser (through choice), and most people don't care for these political shenanigans, and just want it to behave properly (no global blocking of a standard part of the Windows experience).

Re:.NET comes preinstalled

Since when was Clickonce or other bullshit features supported by said plugins part of the "standard part of the Windows experience". It isn't, as most some enterprise users who use said technology might but in the end a normal desktop user doesn't use this crap that's added in.

Re:.NET comes preinstalled

[poetmatt]

slashdotters represent the crowd that companies like MS would like to deny when it is convenient to them.

They represent a group that enterprise and abusive corporations basically try to ignore/minimize to make them sound irrelevant.

Basically, the informed consumer. This is every abusive enterprise's nightmare.

Re:.NET comes preinstalled

It's not added in. It's part of Windows 7. It's a part of a service pack to stock Vista. It's part of a service pack to an add-on to XP.

Thus, it's now standard in Windows.

Re:.NET comes preinstalled

[ThePhilips]

Those are not "political shenanigans."

MS essentially implemented a floodgate for the same malware that plagues IE users. And just like in IE, they do not allow you to disable it or disabling it (e.g. removal of .NET) means turning your desktop into a dust collector. (Unless you install Linux on it of course.)

Because now even on XP many programs and games require .Net: MS forced everybody to adopt it by simply dropping support for all other development technologies.

Re:.NET comes preinstalled

[Verdatum]

I swear to God, I'm going to pistol-whip the next guy who says 'shenanigans'!

Re:.NET comes preinstalled

[sakdoctor]

The most annoying thing on the internet by far, is the shenanigans of "internet tough guys"

Re:.NET comes preinstalled

umm hello- most Firefox users are using it because of how insecure internet explorer is-not because it has great bonus features (although it does). I for one use it cause I use GNU/Linux and Firefox is well supported and looks great. Not so much because of the bonus features. This mashes up with most other users. It is only the very very technical users who are installing add-ons. If Firefox lets this through it is negating its core benefit to the majority of its user base.

Re:.NET comes preinstalled

[Thinboy00]

I swear to God, I'm going to pistol-whip the next guy who says 'shenanigans'!

How about this?

Re:.NET comes preinstalled

I think the "Super Troopers" reference just whooshed over your head :P

Re:.NET comes preinstalled

Basically, the informed consumer.

HAHA, you're new here, aren't you?

Why is everyone targeting MS on here?

[tgd]

Seriously -- I have FAR more of an issue with Firefox disabling a plugin *that I want there* and not providing a way to re-enable it (or at least any obvious way).

Microsoft may choose to say that Firefox integration is part of the .NET framework, and if I choose to have a problem with it, I can uninstall it. But where does the Mozilla organization get off disabling an extension I have, and may be using, without any ability to opt out?

The double standard on this would be funny if people weren't so serious about it.

Re:Why is everyone targeting MS on here?

[Churla]

You're new around here... aren't you?

Although I agree with your point. One lesson people should have learned from the UAC debacle in Vista is that if you have a security feature which will disable or prevent something from running make sure that the user has an easily accessible way to override that decision should they so choose.

Re:Why is everyone targeting MS on here?

[TypoNAM]

Simply enter the address 'about:config' and then do a search for blocklist.

There, you'll see a setting called 'extensions.blocklist.enabled'. Set it to False if you don't want Mozilla to decide what plugins/add-ons you shouldn't use. Restart Firefox after making changes to take effect.

Sure it isn't obvious for majority of users, but then again on Windows it isn't obvious what registry entries to hack in order resolve issues either. Firefox does have its own (evil?) registry too.

Re:Why is everyone targeting MS on here?

[Steeltoe]

I was more upset when seeing an addon on .NET which I couldn't disable the other day. It somehow got updated, and is now able to disable / uninstall, but the plugin will still be there.

Since I don't use this, I have no qualms about Mozilla disabling something which gives away the .NET version on my computer and possible ways of breakin.

But I can see your point also, if you really want it there (have no idea why you would want to though), it's a bit unsettling.

Thing is, with Mozilla, we can *talk* about it, and they will listen.
With Microsoft we have to shout, boycot, advertise liasons with Linux solutions, just to get a small security patch, if anything at all..

Re:Why is everyone targeting MS on here?

[blind+biker]

and if I choose to have a problem with it, I can uninstall it.

One of the problems was that you, actually, couldn't. The only way was by manually editing a registry key. Microsoft did not follow the convention of other Firefox plugins, where you can just uninstall or install a plugin - it wasn't listed.

Sneaky.

Re:Why is everyone targeting MS on here?

[Dan667]

that is hilarious. Sad part is that if the roles were reversed microsoft would say tough luck, learn to live with what ever we tell you is suppose to be on you machine.

he doesn't have Ubuntu

you insensitive sakdoctor!!!

Translation, fixed that for you

[192939495969798999]

"After Microsoft drove a dump truck full of money up to Mozilla headquarters..."

There, fixed that for you.

Re:Translation, fixed that for you

[AHuxley]

Dont forget MS can reach a few well placed developers on the FF team.
Once tainted by MS, always MS.

Re:Isn't this a good thing? NO!

[schwit1]

"Microsoft releases a couple of Firefox plug-ins."

You have a funny definition of 'released'. I was never asked if I wanted it installed and there was no simple option to uninstall.

Sounds like MS is taking a page from the malware playbook.

WTF is the summary saying?

[Nexus7]

First the summary says Mozilla have unblocked the ".Net Assistant" add-on. Then it says Mozilla is working on a way to block a "Windows Presentation Framework" add-on _AS WELL_. As well (meaning "in addition to") what? The first item mentioned was unblocked, not blocked. Typo, or incorrect sentence construction, or what? It's 2 lines, can't we get it right?

Or is this a way to make readers RTFA?

Re:WTF is the summary saying?

[Nexus7]

I see they've fixed it now. Without making a note of it either. In most forums, you edit your post, and it'll say "Edited on xxx. Reason:...". Perhaps the editors should be held to a higher standard?

Re:WTF is the summary saying?

Based on your UID, I know you're not new here, but come on.... Slashdot editors being the least bit responsible?

Re:WTF is the summary saying?

[Nexus7]

Well no, I know the general inadvisability of relying on the summaries, but I was wondering why there isn't some indication that there were edits. After all, regular postings can't even be edited. So is it necessary to preserve an illusion of infallibility of the editors?

This stupid MS extension broke my Adblock Plus

[lscotte]

While using my (sigh) windows box this AM I found that Adblock Plus was no longer working. Here's the fix: https://adblockplus.org/blog/the-return-of-net-framework-assistant

Re:This stupid MS extension broke my Adblock Plus

[gbjbaanb]

I just don't believe this now.. its one thing to silently install an extension you want me to run, but quite another to install 2 - one to silently replace it if I delete it, and to break other things.

Is there *any* way I can definitely have control of my own pc please, without installing Opera, say.

Re:This stupid MS extension broke my Adblock Plus

[El_Oscuro]

Is there *any* way I can definitely have control of my own pc please, without installing Opera, say.

Not if you use Windows. The last version that you really had control over was Windows 2000. Product activation, WGA, automatic updates, the EULA, etc ensure that Microsoft has complete control over your PC if it connected to the Internet.

Microsoft has been doing things to your computer without your permission for a long time. I switched to Linux about 6 years ago for security reasons. After running Linux for a few months, I logged into hotmail, the same as I do everyday. Only this time, when I accessed my inbox, my browser popped up a message indicating that I was trying to download "adsclient31.dll" and what would I like to do with it.

I am not sure what adsclient31.dll is, but it sounds like something Microsoft was trying to install.

Not sure what would have happened if I had been running IE, but I don't run Windows anymore so I doesn't really matter to me.

Use Windows at your own risk.

Mike Shaver

[socsoc]

Didn't Mike Shaver spend hours yesterday defending FF's stance in the original article? Now they've backtracked from blocking an already patched vulnerability, but he's still sleeping! We require your insight!

Re:Mike Shaver

[glassware]

Does anyone know what the plugin actually does? Why would .NET need an assistant? Why would that assistant only need to run when I'm using Firefox?

Something completely left aside is that so many programs love to install "assistants", "launch helpers", "watchdogs" and "update managers" nowadays. I'm getting really tired of having every program install something that runs every time windows starts, or whenever I launch my browser.

There is no reason for a .NET assistant that I am aware of.

Re:Mike Shaver

Didn't Mike Shaver spend hours yesterday defending FF's stance in the original article?

"Mike Shaver"...? More like fucking "Scrotum Shaver", am I right guys??? Back me up on this one guys!

Re:Mike Shaver

[shutdown+-p+now]

Does anyone know what the plugin actually does? Why would .NET need an assistant? Why would that assistant only need to run when I'm using Firefox?

It's used to enable support for ClickOnce and WPF browser applications in Firefox. You can google for either term to see what they mean. In short, this is like Java Web Start and Java applets for .NET.

As a side note, Java does exact same thing - quietly installing browser plugins that enable JWS and applets.

Shit!

[daem0n1x]

How can I block it back?

Re:Shit!

[Culture20]

Host your own blocklist and point extensions.blocklist.url to it. Or locally: http://kb.mozillazine.org/Blocklist.xml

Next: skype.

[leuk_he]

The skype plugin is buggy and causes crashes and weird behviour on sites. Ik kan be disabled by normal pluging behaviour however.

skype funcions ok without this plugin.

Will it be the next plugin to be blocked?

The real FAQ (Frequently Asked Question...

[jkrise]

Why did it take 7 long months for Microsoft to issue this patch? Fixes using Registry hacking were available on theweb immediately then...

Re:The real FAQ (Frequently Asked Question...

[rvw]

Why did it take 7 long months for Microsoft to issue this patch? Fixes using Registry hacking were available on theweb immediately then...

7 is the answer!

Re:The real FAQ (Frequently Asked Question...

[RawJoe]

I thought it was 42

Re:The real FAQ (Frequently Asked Question...

[jack2000]

42/ 7 = 6[66] Yep there it is people Microsoft is really the beast... Damn this means I'm going straight to hell for using their products...

A little Opera would be nice

[baomike]

Even if the fat lady doesn't sing.

What should have happend:

(Allowing myself to control Mozilla, not Microsoft)

1) Microsoft installs plug-ins, people get upset
2) Firefox disables these plug-ins by default, alerts user, and enables uninstall for them
3) People run Firefox, see new extensions that have been installed without permission, decide for themselves if they should allow
4) Firefox disables the ability to add extensions without an uninstall option
5) Firefox creates an automated method to check plug-ins that existed at closing and opening, compare them and ask user about all such instances

Now Microsoft has the ability to screw with your plug-ins all they want (which since they have your system rooted, isn't preventable), but Firefox can at least detect and inform users about such activity.

sweet christ on a crispix!

[nimbius]

I think Slashdot as a community needs to take a step back, relax, and reconfirm: its just a browser.
if your OS is modifying the functionality of your favorite browser in a way you dont like, or forcing you to do things you dont like, then change your operating system.
similarly, if your browser isn't performing to your expectations, or disabling functionality you want, change your browser

for a real treat, try changing both at the same time! but for god sake stop with the asinine speculation and quit trying to turn this into legitimate news for nerds.

Re:sweet christ on a crispix!

Firefox and Mozilla aren't browsers, they are heaping stinking piles of poop.

Re:sweet christ on a crispix!

[argent]

if your OS is modifying the functionality of your favorite browser in a way you dont like, or forcing you to do things you dont like, then change your operating system.

Someone else wrote:

            Have you considered changing distributions?

Yes, every single time I try something like this, I very seriously consider getting a Mac.-- jwz

Re:sweet christ on a crispix!

[RobDude]

I don't know - I think there is something to be said for trying to evoke change before jumping ship.

"Don't like the fact that a teacher at your kid's elementary school is a convicted sex offender? Don't talk about it at the town meeting and try to get her fired....just move to another school!"

"Don't like your countries policy on gun control laws....don't argue for why your viewpoint is better and vote in people who agree with your views....just move to another country!"

When it comes to OSes, the options are pretty slim and/or come with a hefty cost. Most people are running some version Windows. The mostly realistic alternatives include Linux and OS X. Linux, for many people, require hardware changes, advanced technical skill, and is largely incompatible with the software you could buy on the shelf at your local Best Buy/Walmart/whatever. OS X requires a Mac computer with an intel processor. I've heard of people hacking around that requirement, but again, advanced technical knowledge is required and you still have to buy the OS and you are instantly removing any chance of getting technical help for your product.

So, for most people who have a particular complaint with their current OS...biatching about it until it gets fixed is easier than switching to another OS. And, the other OS is going to have plenty of fresh things to biatch about.

Re:sweet christ on a crispix!

[Steeltoe]

Most of us are trying to get real work done. Having virus outbreaks or having to reconfigure everything in the OS isn't really a choice (been there, done that).

img

[cybunk]

in picture : http://farm3.static.flickr.com/2551/4018220375_38422cdfb7.jpg

Portable Firefox Affected?

[himitsu]

I'm running a version of FF from portableapps.com. I installed it to a USB stick a few days ago and as of right now I don't have the .NET assistant installed.

Maybe the solution to this garbage is to move away from firefox.com downloads until they understand that we don't want automatic installs of useless software?

Also, why is everyone so keen on Mono lately? I don't need .NET in my Linux.

Re:Portable Firefox Affected?

You're a fucking idiot!

What sites use .NET?

[antdude]

I am confused. What sites use .NET under Mozilla's Web browsers?

Re:What sites use .NET?

the IEvil ones!

Re:What sites use .NET?

[selven]

As opposed to the lowercase iEvil ones?

I got an idea!

[jonaskoelker]

How exactly do you propose to stop a process from doing so when it is running outside the scope of firefox?

Uhmm, chmod, write in ~/.firefox/, then...

Oh, wait, doh! Epic fail.

Not really

[pizzach]

That flies in the face of the difference in expectations.

• When Windows users install Firefox, they get it by going to the Mozilla Firefox corporate homepage, not the Microsoft homepage.
• The program is not included with Windows.
• Windows does not have it in an application repository.
• MS does not take care of security updates for their "distribution".
• You do not download Firefox from MS servers at any point or time.

Malware

Microsoft is acting like malware. I don't understand the surprise.

You don't know what you're talking about

[ClosedSource]

"MS forced everybody to adopt it by simply dropping support for all other development technologies."

No. You can still use the Win32 API, MFC, ATL, WMI, vbscript, jscript etc.

Re:You don't know what you're talking about

[AmiMoJo]

"No. You can still use the Win32 API, MFC, ATL, WMI, vbscript, jscript etc."

They go pretty far out of their way to make your life difficult if you do though.

All the current developer tools are targeted towards .NET and newer technologies. That includes things like the shiny new interface elements they introduced with Vista, as well as stuff like the new (hardware accelerated) video decoding/rendering system or the re-designed taskbar in Windows 7. From Vista onwards anything that boils down to Win32 APIs for GUI stuff no longer gets hardware accelerated drawing either.

So yeah, in theory you can still use all those old technologies, but it's an uphill struggle. To be fair most systems are like that - imagine trying to create a modern website in just HTML 3.2 and CGI. You could do it and it might even be faster and less bloated than CSS, PHP and SQL, but you would probably fail and end up with a website that looks like it's from 1995.

Re:You don't know what you're talking about

[ClosedSource]

There's a big difference between making it difficult to use the old technologies and not retrofitting old technologies with new features.

Standard .NET graphics still go through the same Win32 calls that have been around for years. It's WPF applications that bypass Win32 and use DirectX instead (of course, you can still use DirectX without .NET).

Keep banned

[TheDarkMaster]

Keep banned, please. Or at least, enable the "remove this ugly thing" option.

Yes!!

[Steeltoe]

Actually, I'm all for that. Why not? Why should we have different standards for Ubuntu / Canonical?

Re:Yes!!

[Fallen+Seraph]

When you download Firefox on Windows, you're downloading it from Mozilla. When you download Firefox in Ubuntu via apt, by default, you're downloading it from Canonical, which struck a deal with Mozilla to package their plugins with it and redistribute it. If you don't want them, you can uninstall firefox and reinstall it from Mozilla's repo, or just uninstall the plugins directly from apt. With Windows, Microsoft installs their plugin into the user installed installation of Firefox without asking permission or following the API. That's the difference. Neither of them has the right to install anything into a user install of Firefox from Mozilla, but Microsoft didn't care. The point is that there AREN'T different standards for Canonical and Microsoft.

Re:Yes!!

[VulpesFoxnik]

Or get the Debian Iceweasel packages from experimental. Seriously people, lets remember that Debian is Ubuntu's mother, and her packages can be used in Ubuntu as well. (and Vise versa for most parts.)

Get off my lawn! ..Ugh, but you don't have a lawn

[ClosedSource]

"You are probably the only person on slashdot NOT running linux."

I doubt that is true, but if it is there must be a lot of busybodies on Slashdot complaining about an add-in for an OS they don't use.

Shocking incident on Slashdot, Film at 11

[ClosedSource]

Somebody on Slashdot didn't use their real name!

Re:Shocking incident on Slashdot, Film at 11

[selven]

Given the amount of time some people spend on here, it would be more accurate to say that they don't use their real names in meatspace.

Re:Shocking incident on Slashdot, Film at 11

Wooosh!

ClickOnce users should be using IE?

[colfer]

Or at least I would. Am I the only one that feels more comfortable with things like that relegated to IE? I don't use the IE Tab extension either, I use IE View, so it opens in IE. Maybe it's just a personal preference.

I realize a plugin like Java has the same powers as ClickOnce, but I just don't want more MS on the FF side. A good feature would be:

"Warn user that a third party add-on has been installed and allow disabling". https://bugzilla.mozilla.org/show_bug.cgi?id=476430

Changing Blocks to Save the World

[PingPongBoy]

Mozilla previously blocked

Is Mozilla actually Elly the Elephant? The Pearls Before Swine Oct 18, 2009 strip shows Elly the Elephant using blocks to save the world. I think the Internet has made me feel closer to others ...

MS's strategy...

[tjstork]

Let's replace HTML with proprietary WPF stuff ... while dragging our feet on HTML standards..

What a bunch of tools..

moving on

[saiha]

So I guess we should now be recommending Chrome to our non-security minded relatives? Or if not that, what?

ClusterFoxed! Hour #5 Reinstalling

[scorpivs]

I have a small cluster (10 Windows machines) in my 3-room apartment, nearly all of whom are multi-boot - even ME can be *enjoyed*. Guests and visitors are welcome to login, check email, view apps, game, watch cable, shop... whatever. I catch immeasurable *7734* from innumerable doubters for inestimable reasons, not the least of which would be EM irradiation and massive power requirements -- but I know my PC farm, and I feel obligated to give /. the low-down on the low-down:

A) They're computers, and they're connected. They've experienced issues all along, so I was actually looking forward to this so-called "fix";
2) Multi-booting exposes all kinds of issues, from small to the complete opposite of small, in which case Windo7s makes no secret it is in many ways *WVII,* a narcissistic second version of Windows: V; and

first of all, 'if it ain't broke, don't fix it' does not change my need to reinstall and adapt 3-4 OSes, 32 and 64-bit configurations, drivers, applications and settings, all on 10 machines, copy and wipe mass storage drives ...yet not perceive recent developments as a problem?

"I don't care who started it. Knock it off."

Re:ClusterFoxed! Hour #5 Reinstalling

[scorpivs]

(addendum)

My above entry I posted running Windows 7 (RC) booted in safe mode with networking enabled, on a machine not yet updated, as the propensity toward small-to-irreparable errors have been having their cascade-failure affect on all 9 other members of my cluster; these errors include *ie8* spontaneously opening and alarming all with a series of 5 minute pop-ups at full volume and a variety of "Video Hardware Error" notifications. It does not at all surprise me the EU refused Internet Explorer Infinity, err, 8.

Some fix.

Some don't, I suppose.

Too late, but...

[WetCat]

In Soviet Russia, plugin unblocks YOU!

I KNEW IT...

[hesaigo999ca]

How much did M$ pay them to reinitialize their malware pusher....I wonder

Users Must Have Say Which Plugins are Installed!

[BrendaEM]

Oh, this is bullshit--encrypt the plugin folder and be done with it.
Or, has Mozilla sold out?

Very Bad idea

[Stan92057]

Does anyone besides me think this blocking programs is a very bad idea?? What if Foxfire becomes a security risk itself?,which it has on occasion/. Is MS now going to block users of Foxfire until they fix there security holes for being a threat to windows security?? This can turn very badly for programs and applications

Mozilla Team is in Bed With M$

The Firefox browser went to hell in a handbasket the first time they collaborated with M$. M$ will draw the suckers like Novell and Mozilla into their web of deceit to destroy them. M$ has effectively ruined Firefox. Besides, free software such as Lynx will always be free from M$ dominance as the M$ addicts can't use text based interfaces. Lynx is also faster and far more secure than any GUI based web browser out there.

--
Friends don't help friends install M$ junk.
Friends do assist M$ addicted friends in committing suicide.

At least it can now be uninstalled

[cheros]

At least the thing now has an uninstall button, but I think Mozilla fist did the right thing, and now the questionable thing. Oh well, at least it brought this rubbish on the radar again.

Let me be the first to say

Mozilla Unblocks Microsoft's .NET Addon

Shit!

Piss poor moves by both Microsoft and Mozilla

[d_jedi]

This whole thing was handled piss poor by both Microsoft and Mozilla.

First off, WHY did MS install a FF plugin which cannot be disabled/uninstalled by normal means? And why does FF ALLOW plugins to have this functionality?

But onto the core issue.. why is Mozilla disabling the plugin AFTER THE FLAW HAS ALREADY BEEN PATCHED BY MICROSOFT??!

The proper way Mozilla should have went about this if they were concerned with users who have not patched their systems (and on that note - MS calling it an IE update was a BAD IDEA as well, since it doesn't only affect IE..) would be as follows:
1) If system has been patched (check .dll versions or something which would indicate patch installed..), LEAVE IT ALONE.
2) If not, pop up a message saying there is a vulnerability, and suggest it is a VERY GOOD IDEA to either:
a) Allow FF to disable the extension, but if not..
b) STRONGLY RECOMMEND the user apply the security update.

And if this is not possible in the current version of FF, push out an update (installed only with consent/auto updates enabled..) WITH FUNCTIONALITY TO ALLOW THIS.

I think it is DOWNRIGHT SCARY - on par with the Amazon Kindle 1984 debacle - that Mozilla has the ability to disable plugins on MY COMPUTER without my knowledge or consent.

I'm done now.. I feel a bit better.

Microsoft p0wns Firefox.

[u64]

This why i dont come running to Firefox with open arms.
(staying with Opera)

What if Firefox pissed in Microsoft's IE's pool ?!?
Microsoft would turn into the Hulk of Lawyers.

Microsoft: BU!
Firefox: Fold.