Mandatory signing requirement for add-ons is coming

patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

For myself I think this will be the final nail in the coffin for my remaining Firefox extensions. It's bad enough they stole the shortcuts for Error Console and DOM Inspector replacing them with the utterly useless "Dev Tools". Even though it doesn't sound like it'll have a huge impact on my extensions, I'll probably upload versions only for SeaMonkey and finally just be done with the Fox.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

I just wanted to thank those who have been keeping up to date with this. I have currently resigned contributing and minimized support for Firefox (Fx) and plan on reestablishing SeaMonkey (SM) as the primary browsers in all my companies' networks for the time being. Fx has once again massively disappointed with the foolish and foolhardy move to require developers to jump over unnecessary hoops... not to mention the system isn't always impartial on AMO which is why I've never chosen to publish any available add-ons there. I have better things to do with my unpaid time with Fx than dance to this sort of tune.

I think the most important comment I have read and makes the most sense from a legal standpoint is having the AMO/Fx teams sign non-disclosures for this... and reiterating/paraphrasing I seriously doubt Fx will comply which will result in litigation after litigation until they are no more... or the obvious dropping support for Fx by the community until they are no more.

Anyhow keep up the great work here guys and gals and I look forward to reading more updates.
Lemon Juice
Posts: 788
Joined: June 1st, 2006, 9:41 am

Re: Mandatory signing requirement for add-ons may be coming

Post by Lemon Juice »

There are quite a few good suggestions on mozilla.addons.user-experience discussions for alternate solutions (I also tried to put my 2 cents there) but none of them are even taken into consideration. It looks like there's a small group of Mozilla devs who are on a mission to protect users and an overwhelming majority of users who simply do not want this but their voice doesn't count. Quite an interesting situation - we know you don't want this but still we will do it our way - but I don't see any point in that kind of discussion.

Indeed, for an average user the change will be hardly noticeable but many developers will just leave. And in time average users may wonder why their favourite extension is no longer available.
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

What's also interesting about this is that the mechanism they are using has been around for ages... but is notoriously a huge pain in the behind to set up and use. A few years ago some addon authors who hosted offsite addons created RSS feeds to alert people of new updates so they could manually get them instead of trying to get the signing to work. Some authors who were offsite for years finally came back to AMO because it's easier to just go along with them than to try to "buck the system".

And the development process doesn't surprise me much. This kind of top-down absolutism has been a growing part of Mozilla's organizational structure for years. And they'll get what they want eventually. They've managed to basically kill Themes pretty damn well without officially doing it. It's just taken 5 years of constant prodding and an unfriendly restructuring of AMO but the goal is near. The forces within Mozilla who want to be rid of traditional Netscape addons and finally turn Firefox into a neutered clone of Chrome are as unrelenting as the tide.
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons may be coming

Post by Frank Lion »

Lemon Juice wrote: There are quite a few good suggestions on mozilla.addons.user-experience discussions for alternate solutions

When you point at something to a dog, the dog doesn't look to where you are pointing but at your finger. When dealing with Mozilla, too many people act like that dog.

Lemon Juice wrote: It looks like there's a small group of Mozilla devs who are on a mission to protect users

Yeah? I feel like the guy in Bladerunner, 'I've seen things you people wouldn't believe....'

Still, no longer my problem.

PJD wrote: They've managed to basically kill Themes pretty damn well without officially doing it. It's just taken 5 years of constant prodding and an unfriendly restructuring of AMO but the goal is near.


7 years - viewtopic.php?p=13995803#p13995803

Top themes were then being downloaded at a rate of 200,000 - 440,000 downloads per theme, per WEEK. That bug in the link above shows when those figures mysteriously dropped to 10% of that overnight (was corrected back for extensions, but never for themes). Around 4 or 5 smaller reducing download/user 'adjustments' were made for themes in the years following. That, together with users playing 'Find the Theme' on AMO and revised review guidelines means not many people make themes any more.

For those that do, Mozilla has left a solid wall of over 400+ old and abandoned themes dating right back to 3.6 in the way, that any new theme has to fight through first just to get noticed.

************

Now, all should feel free to make their views/feelings known about this extension signing stuff. However, this is how Mozilla dealt with the trivial (you would think) matter of the Themes link in the Addons Manager being changed to point to Personas instead of Themes - https://groups.google.com/forum/#!topic ... 5-false%5D

You have just about every single Mozilla big shot on that thread, spending hour upon hour on writing some pretty unpleasant posts and being paid to do so. I tell you, they are wicked bastards really, they know damn well that volunteers have to fit that stuff into their free time, so they will just keep going for as long as it takes. I steered clear of that thread!

We did tell you about it at the time though - viewtopic.php?p=8407855#p8407855 and I did warn you on Page 3. ;)
Last edited by Frank Lion on February 19th, 2015, 11:41 am, edited 1 time in total.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
groze5858
Posts: 148
Joined: June 11th, 2014, 3:26 pm

Re: Mandatory signing requirement for add-ons may be coming

Post by groze5858 »

Lemon Juice wrote: The statement comes from the official Mozilla blog entry you linked to: "Signature verification will be limited to Firefox, and there are no plans to implement this in Thunderbird or SeaMonkey at the moment.". To me this sounds like a pretty clear statement!

I take it this means it won't affect 3rd party builds like Cyberfox, Palemoon, Waterfox or any build that may be compiled by the user. In other words, you will still be able to install unofficial builds and use the add-ons like normal; no signature check will happen. One of my concerns is how secure the unofficial builds are compared to Firefox builds; that's why I haven't switched. I also see another problem. People will start using 3rd party builds, Nightly builds just to use their favorite extension.
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Mandatory signing requirement for add-ons may be coming

Post by LoudNoise »

Most third party builds are simply Firefox with some sort of optimized compiling. Unless it is easy to remove, they will also have this.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

groze5858 wrote: I also see another problem. People will start using 3rd party builds, Nightly builds just to use their favorite extension.


I see this problem as well. The inverse concern is that there won't be any way of testing on releases until it's too late. If the Beta/Aurora/Nightlies are crippled in some sort and those "last minute" changes that we all get preached to about... it could easily break a release of another project. Some licensing requires accurate source to be made freely available.

Their Mercurial repository is such a mess and that's not including the older SCM technologies that they have used. It was interesting to find out recently that mozilla-central was abandoned on GitHub as well under pretense of it's too hard to keep it up. GitHub makes web hooks, and the like, super easy e.g. an automatic sync could have easily been set up.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

3rd-party builds will have to do the right flag at compile time and *also* disable the preference. If the user accidentally enables the preference, or if Mozilla pushes one of those preference-push updates to force it back on, then you are back to square one and builds that require customized addons will be especially hit by this. Cyberfox users can at least just install working Firefox themes. PaleMoon likely won't be hit simply because their code base is based on Firefox 24... apparently forever... which means it already requires hacked *older* versions of extensions, which are hosted on their own self-vetted hosting site.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Martii wrote:
groze5858 wrote: I also see another problem. People will start using 3rd party builds, Nightly builds just to use their favorite extension.


I see this problem as well. The inverse concern is that there won't be any way of testing on releases until it's too late. If the Beta/Aurora/Nightlies are crippled in some sort and those "last minute" changes that we all get preached to about... it could easily break a release of another project. Some licensing requires accurate source to be made freely available.


That concern seems like rhetorical hyperbole to me. There's more difference between localized versions of Firefox than there is with the unbranded builds. And *IF* there ever was a case of testing on an unbranded build causing extension breakage in Release... then it would be trivial to get it fixed and pushed through... AMO folks are generally pretty receptive to getting emergency fixes pushed out in a timely manner. And aside from that, any author who claims they've never put out a bad version only to discover the breakage hours or even minutes after the release is full of it. We've all done it, no matter how many testers you have, it happens.
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

patrickjdempsey wrote: 3rd-party builds will have to do the right flag at compile time and *also* disable the preference. If the user accidentally enables the preference, or if Mozilla pushes one of those preference-push updates to force it back on, then you are back to square one and builds that require customized addons will be especially hit by this...


Well that's why you strip that code out of the source repo and your build. I've already done some of this in some test builds. FOSS requires that full transparency is made; it just takes a little bit longer to reverse the damage that the Fx team is doing with this. Part of learning JavaScript is to not forget how to do things in C/CPP. I've been trying to educate our users on this for well over a decade. While there are some distinct differences a lot of the core of any browser methodologies can be applied to add-ons.
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

patrickjdempsey wrote: AMO folks are generally pretty receptive to getting emergency fixes pushed out in a timely manner.


Don't know about that for sure. In my experience over the last decade or so with them they've said some pretty nasty things in private which I don't care to repeat. Everyone makes mistakes and that also is something I teach in our projects circles. Unfortunately the AMO/Fx side has already made up their minds as previously mentioned and they don't appear to listen to reason or logic... which is why I won't be distilling and contributing patches for the Fx team anymore.

Pale Moon has promise too but only so much time in the day. :)
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

That's why they hired Jorge to be a liaison. He will work on getting things pushed through if you ask him. I do think he genuinely cares about developers and wants there to be a good relationship between us and Mozilla... even if that's beyond his power to make happen.
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

What's interesting is I just had this entire conversation a little while back on the b2g group (FxOS if some aren't familiar with the pet name of that project) and was assured that installation from third party sources was never going to be an issue. I probably should have paid attention to the "never" flag because now it is a concern.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

I don't know much about B2G, but I've always assumed that it would only work with JetPack/SDK extensions anyway.