Slashdot Mirror


Firefox To Mandate Extension Signing

First time accepted submitter x0ra writes: In a recent blog post, Mozilla announced its intention to require extensions to be signed in Firefox, without any possible user override. From the post: "For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds. The rest of the submission and review process will remain unchanged, except that extensions will be automatically signed once they pass review. For other developers, this is a larger change. For testing development versions, they’ll have the same options available as AMO add-on developers. For release versions, however, we’re introducing the required step of uploading the extension file to AMO for signing. For most cases, this step will be automatic, but in cases where the extension doesn’t pass these tests, there will be the option to request a manual code review."

5 of 196 comments

  1. How about sandboxing and processes per tab? by Billly Gates · Score: 3, Informative

    This is not 2008 anymore.

    Even IE 8, no really, IE 8, has sandboxing and processes per tab starting with Windows 7 back in 2009??!

    Until then Firefox is too insecure for me and can't scale my hyperthreaded i7 like IE or Chrome can.

    Mozilla adding signing really does help but only those who are dumb and put in any extension without reviewing it at first.

  2. From the post... by yuhong · Score: 3, Informative

    "Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites. To combat this, we created a set of add-on guidelines all add-on makers must follow, and we have been enforcing them via blocklisting (remote disabling of misbehaving extensions). However, extensions that violate these guidelines are distributed almost exclusively outside of AMO and tracking them all down has become increasingly impractical. Furthermore, malicious developers have devised ways to make their extensions harder to discover and harder to blocklist, making our jobs more difficult."

  3. Re:Start of th End by Anonymous Brave Guy · Score: 3, Informative

    > The beauty of open source is that you can go in, disable the signing requirement, and compile your own binary.

    You can, but 99.999% of Firefox users won't, and probably 99.99% couldn't do it even if they wanted to. Even the geeks who could mostly won't have the time to learn a major OSS code base like Firefox's in order to actually do it.

    I've looked at contributing to this sort of project a few times to see if I could help out. I've then given up when I realised it would take me longer just to set up the development environment and be able to build it than it would take me to write from scratch and give away entire useful software packages of my own, or to chip in a significant amount of extra help to some existing small but useful project on someone's GitHub that they are otherwise trying to maintain alone or with just a couple of regular contributors.

    In practice, that lack of user base then has a direct effect on some add-on developers, and if those developers stop producing or maintaining their add-ons then even users who have compiled their own unlocked version of Firefox won't be able to enjoy them. Killing off part of an ecosystem affects everyone.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  4. Re:This is a good thing overall... by aardvarkjoe · Score: 3, Informative

    > A security feature that can be easily overridden is not a security feature.

    That's just stupid. So passwords are not a security feature if you can disable them? Disabling telnet access by default to a computer is not a security feature? Blocking Flash or Javascript in a browser is not a security feature if you can turn them back on? HTTPS access to a web site is not a security feature if you can access it via HTTP?

    The default should be the one that is right for most people, but that's no reason to cripple your software for those that have other needs.

    > Chrome did the same thing months (Maybe even more than a year?) ago.

    Chrome allows the user to re-enable installation of unsigned extensions.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  5. Re:Drama queen by JMJimmy · Score: 4, Informative

    Extensions are what got me to switch away from IE way back in the day. There's a core half dozen of them that are invaluable.