Slashdot Mirror


Firefox To Mandate Extension Signing

First time accepted submitter x0ra writes: In a recent blog post, Mozilla announced its intention to require extensions to be signed in Firefox, without any possible user override. From the post: "For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds. The rest of the submission and review process will remain unchanged, except that extensions will be automatically signed once they pass review. For other developers, this is a larger change. For testing development versions, they’ll have the same options available as AMO add-on developers. For release versions, however, we’re introducing the required step of uploading the extension file to AMO for signing. For most cases, this step will be automatic, but in cases where the extension doesn’t pass these tests, there will be the option to request a manual code review."

12 of 196 comments

  1. Drama queen by Anonymous Coward · · Score: 4, Insightful

    Then use one of the builds where they will disable this feature. It's not that hard, and unless Mozilla decides to stop open-sourcing Firefox you'll always be able to make your own build without the feature. If you don't even trust them enough to be sensible with this plan, then why do you trust them enough to use their complicated source code in the first place?

    1. Re:Drama queen by Sir_Substance · · Score: 5, Insightful

      I'd like to express my personal dislike to you as a developer for any process where I must acquire your approval in any fashion to develop for your platform.

      I'm doing you a favor mate, the least you can do is not make doing that favor harder than it need be.

    2. Re:Drama queen by sumdumass · · Score: 3, Insightful

      Well, that is until someone accuses Mozilla of aiding copyright distribution by signing and allowing the YouTube downloader and they either stop signing them to avoid legal threats or a lawsuit orders it.

      Then it will be 0.

      BTW, conceivably, ad block can be blocked similarly. All it would take is someone to claim it alters their copyrighted presentation and removes artistic value like when those fundies were bleeping language and cutting R-rated scenes from movies. Even if there is no chance in hell of it winning in court, it's questionable if Mozilla would spend the money to fight it versus just stop signing the blocking software.

    3. Re:Drama queen by HBI · · Score: 4, Insightful

      They won't have many users at all if they piss off the extension developers sufficiently. The whole reason FF got the uptake it did was because of the very evangelizing users who care about extensions. I know of dozens of people who would not have ever had Firefox but for me.

      The fact that this isn't even realized is sad, but understandable. The reason FF is losing users now can be traced to many things, but any road to recovery is being hindered by pissing off the precise people that got them to where they were.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    4. Re:Drama queen by AmiMoJo · · Score: 3, Insightful

      You are being unreasonable. All modern operating systems put restrictions on what software can run on them and what it can do. On mobile operating systems you have to ask for permissions, and even on Linux your app doesn't get automatic root access and the ability to poke into the kernel just because you want it. You will have to build your own platform for that, and no-one will use it because it would be insanely insecure.

      Firefox downloads arbitrary data and code from the internet and renders/executes it. That's pretty dangerous, and despite attempts to sandbox and limit the damage it still leads to severe security vulnerabilities. Even worse, some of the people developing add-ons are malicious.

      Mozilla's actions seem quite reasonable. Require code to be signed after automatic review. Allow a way for in-house and development apps to run, the same way that Chrome does and the same way that Microsoft supports in-house ActiveX arbitrary code execution in the browser process. For 99.999% of users it's a massive security win and for 99.999% of developers it won't make the slightest bit of difference.

      The only real danger, and it's way too early to know if it is a real danger or not, is if someone tries to use the courts to stop them signing something like AdBlock or YouTubeDownloader. Attempts have already been made and yet they still host both apps on AMO, so it seems unlikely that merely having to sign the code will change anything. They already have to approve every add-on they host with an automated code review.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Re:This is a good thing overall... by aardvarkjoe · · Score: 4, Insightful

    The problem in my eyes is not the default requirement that only signed extensions are allowed; the problem is that they don't even allow users to override it.

    Even if you're only concerned about development of extensions, it's a terrible idea to say that, essentially, developers can't test and develop with release versions of Firefox.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  3. Re:Start of the End by Anonymous Coward · · Score: 0, Insightful

    I'm convinced that Mozilla doesn't want to be in the browser business any more. Why? No idea, but I can't think of any other explanation as to why they've been shooting themselves in the foot for so long they haven't got legs to stand on, so to speak.

    Firefox broke away from the bigger Mozilla "suite" with the idea of being a more lightweight browser, then they proceeded to lumber it with so much crap that if they were to merge Thunderbird back in you'd think you were running Netscape Communicator again.

    They had a great relationship with Google, a competitor, were receiving all kinds of funding for development...then they jumped ship to deal with Yahoo instead for some ungodly reason. Yahoo is like AOL, its continued existence is a mystery that probably depends upon a lot of its users not knowing any better. Perhaps that shouldn't be surprising coming from developers who proudly stated that corporate users aren't important and "don't matter" whilst inflating version numbers for...what reason? The only end result I've seen from the inflated version numbers is a lot of pissed off extension developers. Now people developing extensions are going to have to grovel to Mozilla to get them "signed," probably pay a fee for their troubles.

    They're in the business of data mining just like everyone else, no surprise there. People give Google a lot of flak for privacy issues, yet nobody seems to give Firefox any for making their "data choices" opt-out...and by the time you've opted out, they've already been sent a "health report" and who knows what else, likely with a unique identifier for every PC running it.
    Somehow in the midst of all that they shoehorned in a video conferencing option that's so hilariously broken and buggy that it almost comes off as an intentional joke with no punchline.

    Mozilla can get fucked. There's been plenty of options out there for years now that have been better, this latest bit of boneheaded nonsense is just the last nail in the coffin. So long Firefox, it's been a good run, shame that the people who created you had to ruin it by being a bunch of insufferable douchebags who have no concept of good software engineering.

  4. This won't end well. by Bryan+Bytehead · · Score: 4, Insightful

    I'm already seeing erosion of extensions just because of the changes that are being made in Firefox, and developers are getting tired of fixing the breakage. Forecast Fox, a nice weather bar, suffered from losing the default status bar. OK, there are ways to get it back, but now you have an extension that requires other extensions to work. Then AccuWeather created some issues, which they have since fixed. Another developer has now taken up to keeping it working, but I can't help think that the original developer is going to smack that version down. Not yet, but then, it hasn't been a week yet. Then there's a theme extension that I used to use, Noia, which has gone through a few iterations. It seems that Mozilla has made it harder for theme authors, and that author has given it up. In fact, the author has already removed it from AMO! Which means that I get left with something that looks very much, too much, like Chrome. I run a desktop, I don't run Firefox on a tablet or a phone, and I rather like how Firefox looked before everything got borked. Trying to force everybody into a phone/tablet/laptop/desktop only one way of doing things, yeah, it's something that I do object to. Strenuously, but it's not like what I have to say means anything.

    Throwing another wrench into the path of extension authors isn't going to be helpful. To the end users or the developers.

    Yeah, it might cut down on some cruft, but that's why you do your due diligence when installing extensions, both on and off AMO.

    --
    Bryan
  5. Re:This is a good thing overall... by aardvarkjoe · · Score: 3, Insightful

    Re-read that sentence, specifically the word "special." If it's a special developer build, then it's not the same thing that your users are using.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  6. Re:This is a good thing overall... by Anonymous Coward · · Score: 3, Insightful

    "what extensions do you use on any regular basis that are not off the mozilla extension archives"

    oh just a few that interface with our CMS, a few that Mozilla will never see (unless they come work for us), because our extensions are none of their fucking business

  7. Re:This absolutely sucks by Anonymous Coward · · Score: 0, Insightful

    Maybe you need to choke on a dick, Jorge?

  8. Re:Start of the End by Zontar+The+Mindless · · Score: 3, Insightful

    I'm still pissed about them moving the tab bar to the top of the UI, thereby throwing the tab paradigm right out the window, and forcing me to go find a hack to get back what was perfectly sensible and should never have been changed like that in the first place.

    I'm forced to hack extensions almost weekly because the default for each new release is simply to declare all existing extensions "outdated/incompatible" when this is obviously not true in the vast majority of cases.

    It's almost as if someone said, "Now that we've lured in all these users, let's see how much abuse they'll take before they leave again."

    --
    Il n'y a pas de Planet B.