It is a perfectly valid reasoning: Addons can be like malware, and that is something Mozilla should protect its users from. Reviewing and then signing extensions is an ok way to do that. But the focus here is not the signing, it is the reviewing.
The problem is not the reviewing either. That may take time and is unpleasant, but it offers something good in return. The problem is the "we will do it this way and make it not configurable". There is no need for that. Users don't change defaults, it would be perfectly valid to go the android route: Disallow the installation of unreviewed addons by default, but add an option in the settings to override this behaviour for users who know what they are doing.
That way, you still protect users in general, and you don't anger the other users who want to install addons from github or whatever. It was completely unnecessary to make it this controversial by forcing it on all users, by taking freedom away.
That said, Mozilla has also said that they will release an unbranded version of Firefox that does not include the add-on signing restriction but is otherwise identical. Hopefully, that "identical" promise holds true and users who do not want to deal with the signing restriction can use this unbranded version.
Just to illustrate how unworkable this is currently, Facebook had to include a huge warning in the developer console telling you not to XSS yourself because people would follow instructions to open the developer tools and paste in a blob of JavaScript: https://www.facebook.com/help/246962205475854
In general I do not like restricting rights to protect people. Now Mozilla is no government, but the same basic idea is going on here. Removing (instead of disabling or discouraging) features in the name of safety. At some point you have to tell someone they are responsible for their own online safety, give them the resources to educate themselves, and let them face the consequences if they choose not to.
We have already seen malware that just replaces the Chrome binary to avoid add-on checks, but somehow this isn't seen as a big problem?
> That is possible, but I don’t expect the majority of malware developers to go through such trouble. [1]
I can totally understand where this idea is coming from, but trying to somehow secure Firefox on a system that is already busted is futile.
[1] https://blog.mozilla.org/addons/2015/02/10/extension-signing...
"Download Mozilla Firefox, a free Web browser. Firefox is created by a global non-profit dedicated to putting individuals in control online."
I find the "appeal to security" argument that's being increasingly popular these days as nothing more than an excuse to restrict general-purpose computing and control the users, and I am not happy about it at all. "Malware is the new terrorism." The idea that we should take away freedom just because someone could possibly make a wrong decision is personally quite horribly disturbing. On the other hand, from the perspective of wanting to exert control, it makes perfect sense: by decreasing the amount of decisions users have to do, it induces atrophy of their critical thinking skills, and makes them more inclined to accept things without questioning...
"Freedom is not worth having if it does not include the freedom to make mistakes."
It's yet another hoop to jump through, one that further splits "developers" and "users" and makes it harder to be a "casual developer" - one who just wants to make an extension and share it among a small group.
Upon further inspection at the source code of these scripts and some googling, we found out that it was ad injecting malware in the form of Chrome extensions. Basically and long story short, some 40-50% of our customer base browses the web with ad injecting malware installed, and that's only counting malware that caused errors client side, which is obviously not all.
This was naturally disheartening for us, because you pour your heart and soul into building the best product you can deliver only to hear a very large amount of your customers will never experience anything other than a very subpar version of it...
Browser malware is a very real problem, and I don't know if Mozilla's approach is the best way to tackle it, but there definitively needs to be more people thinking about it, and in particular the Google Chrome team.
I remember when Chrome kicked any youtube-downloading extensions out of the chrome store. What happened? A few people downloaded non-chrome store extensions, but most of them downloaded the ones that were left in the store - the malware extensions that promised to download youtube but didn't. Huge spike in malware on Chrome installs that I saw.
Wreck the address bar algorithm? Ugh. Move the tabs on top? Ugh. Force me to keep download history? Ugh. Bury all the configuration options (like JS features) into about:config? Ugh. Turn the UI into a poor Chrome imitation? Ugh. Turn the new tab page into adware? Ugh. Promote a bigot to the CEO position? Ugh. And now turn extensions into a walled garden? ... I can't even muster up the energy to feign surprise anymore. I basically expect a new disappointment every time I hear Mozilla in the news.
From what I can tell, Mozilla's own Firefox feedback stats support what you're saying.
https://input.mozilla.org/en-US/?product=Firefox
It's currently showing 77% of the reports about Firefox as being 'sad', while only 23% are 'happy'. It gets even worse if Firefox OS and Firefox for Android are included, too. In that case, 86% of the reports are 'sad', and only 14% are 'happy'.
I expect disappointed users to be more likely to say something, but that's still an awfully large difference between the proportion of users who are 'happy' and those who are 'sad'. When I used Firefox for Android, I'm pretty sure it sometimes prompted me to give feedback, so it's not like only disappointed users looking to complain are being sampled.
I don't know how things work at Mozilla, but at any other software product company I've ever worked at, feedback results so out of whack would've raised a lot of eyebrows, and gotten a lot of attention. Much effort would have been put toward finding out what's wrong, and what can be done to fix it, especially if the results were consistently bad for weeks or months on end.
When your product is free, you feel no obligation to your users whatsoever. We see it time and time again. Firefox, Ubuntu, Gnome 3, KDE 4, systemd, etc. The attitude is always, "we know what's best for you, piss off."
Hell, I am guilty of it myself. When I'm working on projects for free, I do things the way I want them done. But in my defense, I'm one person working on niche projects nobody would ever depend on for anything important, and I am not looking for popularity.
But right now, the most I can do to express my dissatisfaction is to simply leave. And when we all do that, then suddenly they don't hear anyone complaining, so they think everything they are doing is great, and keep getting worse. I complain because I've enjoyed their software so much in the past, and I'm saddened by its new direction.
Microsoft really went against the grain with Windows 8. And you saw similar levels of outrage. But you know what? The Windows 10 preview has fixed most of it. The Metro start page is gone, the start menu is back, Metro things can run inside windows and multi-task properly now ... they may not be perfect, but they are definitely listening to their customer's feedback, at least.
So I think the feedback there is seriously skewed towards "unhappy".
One thing I would like you to consider is that Firefox has to maintain a certain marketshare in order to continue to serve their mission. Which includes fighting for web standards and other things outside directly working on the browser/phone os. Unfortunately, that causes them to serve the larger market than what you or I might enjoy. I'm definitely not a big fan of the dummification trend in UX right now(which most of your complaints seem to stem from), but I'm sure it's just that, a trend, and we'll see some of the more ridiculous parts of that trend move back toward the middle soon enough. Design trends are like the weather, if you don't like it now, just wait a bit and it will be sure to change.
So, hopefully you can cut Mozilla a little slack as they have a many headed dragon to feed and that set of compromises will leave everyone a bit hungry, but on the whole I feel more comfortable depending on Mozilla than the alternatives of Apple and Google.
I thought about leaving it out because it wasn't a technical issue, but being honest, it was one of the bigger disappointments I've had with their project, so it seemed important to include it.
I know all about the situation, and I also don't like how it was resolved (my disappointment was that it happened in the first place.) I also know others won't agree with me on that. But to me, it's a very important issue. I think ethics are absolutely essential for a CEO of a company.
> Which includes fighting for web standards
This is certainly one positive thing I will say about them. They have definitely helped advance good standards (HTML5, CSS3, etc.)
> Design trends are like the weather, if you don't like it now, just wait a bit and it will be sure to change.
I sure hope so. I've been backed into such a tight corner. I'm down to running FreeBSD with Xfce, and I'm already starting to write my own basic system utilities now (file manager, text editor, etc) because this trend is just accelerating so rapidly.
That doesn't make it untrue. He was a bigot, and good riddance to him; I hope his reputation remains sufficiently sullied for the foreseeable future.
This is going to impede regular users a lot more than the advertisers.
However, thus far, I've been able to do it. I disable the magic address bar, I use tree style tabs, I have history disabled, and I use combo of menu, toolbar and status bar (Status 4 Evar, addon bar, whatever) to maintain what I consider to be a usable UI. These are all extra work, but I haven't been locked out.
My concern about this latest move is the lag when Firefox needs an upgrade, and not all extensions have been updated and signed. I've had to download and install custom treestyle tabs builds in the past in particular.
And indeed like you said ... the signing thing is a huge issue. oldbar in particular hasn't been touched since 2008. I've also had to manually load Greasemonkey before, and many times I've had to manually edit the XPI file compatibility ranges so that I could install certain extensions.
Shitty suggestions that elicit strong reactions seem to be better for the Mozilla Corporation than being more and more ignored.
For extensions that will never be publicly distributed and will never leave an internal network, there will be a third option. We’ll have more details available on this in the near future.
That sounds like admin installed certificates in the browser to verify the local signatures.
I a made a quick and dirty plugin for chrome a month ago only to find out i need to undergo an anal exam and give over credit card information to Google, fuck that! is that where Mozilla want to endup?
Less nice than being able to self-host them which used to be possible, though...
I'm a bit skeptical of an automated security scan and approval process, but at least it provides a means to revoke a malicious plugin when complaints come in after the fact.
There are exceptions - something about "in house, corporate" (whatever that means), developer editions of Firefox and nightly builds. But if I read correctly users of the current, stock Firefox will not be able to suppress the signature check when installing addons.
It's not like this will be that hard to get around for people who know what they're doing, so I'm not too worried about this change.
Mozilla are using 'security' in the same way oppressive politicians use terrorism and/or "Think of the children!".
That's fine, but what about those, who want to homebrew their own plug-ins, experiment with something from GitHub etc? Mozilla could make signed plug-ins a default choice, but not prevent others. A good model, imho, is implemented on Android -- your (only) default choice is Google Play, but if you know what you are doing, you can install any app from anywhere. This way users, that need a hand holding, are protected, but more tech savvy ones will not have their freedom denied.
A bit of vetting for add-ons is probably a good thing in the long run.
It's hard to see how to get back into this particular Eden.
Extensions that change the homepage and search
settings without user consent have become very
common, just like extensions that inject
advertisements into Web pages or even inject
malicious scripts into social media sites. To combat
this, we created a set of add-on guidelines all
add-on makers must follow, and we have been
enforcing them via blocklisting (remote disabling of
misbehaving extensions). However, extensions that
violate these guidelines are distributed almost
exclusively outside of AMO and tracking them all
down has become increasingly impractical.
Furthermore, malicious developers have devised ways
to make their extensions harder to discover and
harder to blocklist, making our jobs more difficult.
We’re responsible for our add-ons ecosystem and we
can’t sit idle as our users suffer due to bad
add-ons. An easy solution would be to force all
developers to distribute their extensions through
AMO, like what Google does for Chrome extensions.
However, we believe that forcing all installs
through our distribution channel is an unnecessary
constraint. To keep this balance, we have come up
with extension signing, which will give us better
oversight on the add-ons ecosystem while not forcing
AMO to be the only add-on distribution channel.Yes. It's the same code with different logo.
Testing proper integration on those aspects will get pretty hard.
So if I use a xulrunner based app, and I want to run a Firefox extension (like ABP, mozrepl, etc), right now all I have to do is edit it's install.rdf and whitelist my application, and if there's a signature (META-INF folder), delete that. In this scheme, as I understand it, that would not work, unless I was running the Firefox Developer edition or had an app popular enough to get developers to include it in their whitelist before signing, and even then there would be plenty of exceptions.
So now no one can run my xulrunner based app (with extensions) with the normal firefox installed on their system (or likely available in their distro package repository).
Please tell me this won't apply to apps launched via xulrunner or firefox -app (with the normal firefox).
I self distribute my extension because I found the AMO process to be infuriating. The extension would pass review then not pass and require changes. Each step in the process requires a multi-week wait in a queue. Unanswered requests for clarification, lost communications, etc, etc. After months of trying I gave up, I know I am not alone in this. The possibility of having to go back into that Kafka-esque maze is extremely disconcerting.
The manual review possibility should also be a concern of all current AMO users, as it has the potential to lengthen current queue wait times.
The problem with browser extensions is that there are too many bad players on the field, preying on the non-technical people. The situation is not as bad as in the IE heydays where I regularly cleaned up 10+ (!) toolbars from customers' computers, but it's still a problem.
And I, unfortunately, don't see any way to avoid a walled garden approach - as long as there is a sideload option like on Android, I'm fine with it.
edit: downvotes? Care to explain how else to solve the bundled crapware toolbar plague?
One thing I did realize in learning how to make these extensions is that, unlike with Chrome, Firefox extensions can do anything any other executable file on your computer can do, or at least, they can move, delete, edit, and rename any file anywhere on the hard drive, spawn any process, download anything and save it, so effectively all a malware author has to do is make the extension's install hook download their payload and execute it. It's a one liner to wipe out your $HOME (I have no idea if it will work I'm not going to try it!):
require("sdk/system/child_process").spawn("/bin/rm", ["-rf", "~/*"])
For developers hosting their add-ons on AMO, this means that they will have to
either test on Developer Edition, Nightly, or one of the unbranded builds.
Does this mean that developers won't be able to test the add-ons on official stable binaries end users will consume their add-ons on? Good luck with that.
That aside, I honestly can't see the value of the developer edition at all.
HTTPS Everywhere is currently only available via their website because it's actually securer than though AMO. If mozilla wall-gardens firefox in the interest of security, I guess they've got some serious issues to settle.
I also wonder bit what happens to developers who need a small userbase to tests their alphas/betas before publishing, as well as custom-built extensions.
https://blog.mozilla.org/addons/2015/02/10/extension-signing...
The short answer is that you can still have AMO sign an extension even if you distribute elsewhere (e.g. the way password managers like to ship one installer for everything) and the nightly / developer builds will allow unsigned extensions for obvious reasons. They are planning a private-app signing process but the details aren't public yet.
This is FUD. Even Apple's App Store doesn't require huge amount of bureaucracy let alone what they seem to be talking about.
Sometimes apps containing things like pictures of old paintings with nude ladies are fine, sometimes not.
Often updates to something published will get stuck because some rule is supposedly being broken by the update, but of course the original, accepted, app contained the exact same thing.
One of my professors said "the browser is the new OS" about a decade ago. This seems like more proof of that to me — if we want fast, low power JavaScript in browsers, we have to have a reasonable chain of trust imo.
At least PM actually follows through with the concept of user freedom.
I don't believe that Mozilla has any innate desire to lock-down users and prevent them from customizing their browsers, but making a browser is now an expensive and complicated project, and both Firefox and Chrome are bankrolled by companies which make their revenue primarily via advertising (Google + Yahoo, Google).
It's clear that Google will never make the same mistake with mobile Chrome -- it will never be extensible, because they have no desire to sacrifice that advertising revenue. I doubt it will be more than a year or two before the Mozilla app store is purged of ad-blocking extensions, if they ever make it in.
I don't want to get in some flamewar about "oh but ads are so bad, I can't help but install adblock". They suck, and I'm not accusing anyone of acting in anything other than their personal best interests, but I think everyone should acknowledge that this is the natural end-game.
So besides the speed and the nuisance factors there is now also a security factor involved in ad-blocking.
If you're too stubborn to let Mozilla sign it AND too lazy to do it yourself then that's your problem - you have no inalienable right to demand that people run your code if you can't be bother to secure it. However you are never locked out of providing mozilla addons, you can still supply whatever you like.
Also, Why did this piece bother to quote the random verbal vomit of some internet commenters? What is that supposed to show? That some people online are rude and ignorant? Frankly there's quite a bit of FUD in this thing, like asking if devs can trust that moving from Dev versions to production will break their code - pretty much the whole point of Mozilla's development model in iterating and providing developer editions is to ensure that doesn't happen.