Mandatory signing requirement for add-ons is coming

Talk about add-ons and extension development.
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

You can modify the firmwares to allow non AO-SDK extensions in... just have to whittle around in the source and comply with the back-end API. Basically it's an Android back-end with a Fx front-end... at least on my device.
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons may be coming

Post by Frank Lion »

patrickjdempsey wrote:That's why they hired Jorge to be a liaison. He will work on getting things pushed through if you ask him. I do think he genuinely cares about developers and wants there to be a good relationship between us and Mozilla... even if that's beyond his power to make happen.

Yep, I agree with that. It's also the reason I mentioned the stuff in the last part of my previous.

People would be forgiven for thinking that this stuff is only about AMO and some small local decision that is being discussed on some remote AMO blog with good ol' Jorge. It's not, this is the reality - https://groups.google.com/forum/#!forum ... experience

Glance through a few of the multi post ones and you'll see the same old Mike Connor * and his chums using the same old routines of the last few years, just as though losing 25% odd of your entire userbase over the last 9 months was everyday mere bagatelle. No matter, in their eyes, you will always be wrong and they will always be right.



* https://groups.google.com/d/msg/mozilla ... LFaLoHX0gJ
Read the quoted sections. 'Since at least June 2014...''? - I'm told that I'm supposed to be an extension/theme dev on AMO and yet only found out about this officially last week, when Jorge announced it on that blog.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
groze5858
Posts: 148
Joined: June 11th, 2014, 3:26 pm

Re: Mandatory signing requirement for add-ons may be coming

Post by groze5858 »

Does requiring the mandatory signing violate the GPL if Firefox developers do this? Wouldn't SeaMonkey developers have to do the signing first? Since Firefox is a fork of SeaMonkey.

I am not sure I totally understand the GPL.
WaltS48
Posts: 5141
Joined: May 7th, 2010, 9:38 am
Location: Pennsylvania, USA

Re: Mandatory signing requirement for add-ons may be coming

Post by WaltS48 »

I don't understand how this pertains to users.

I'm not planning on installing anything new.

Will my already installed extensions just stop working?

Will they all update to the signed version, even if the extension hasn't changed other than the signature?

It appears my post to m.a.user-experience asking those questions didn't pass moderation.

Maybe they didn't think of it? :-"
Linux Desktop - AMD Athlon(tm) II X3 455 3.3GHz | 8.0GB RAM | GeForce GT 630
Windows Notebook - AMD A8 7410 2.2GHz | 6.0GB RAM | AMD Radeon R5
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

WLS wrote:Will my already installed extensions just stop working?

Will they all update to the signed version, even if the extension hasn't changed other than the signature?

...

Maybe they didn't think of it? :-"


Most likely for all the above quoted.

groze5858 wrote:Does requiring the mandatory signing violate the GPL if Firefox developers do this?


You will need to make that decision for yourself but from previous history in dealings with licensing the short answer is yes. The latest response over there brings up one instance. I've been pleading with code developers for Fx to pick a stricter licensing for over a decade now... some have listened... some have not. Because Fx was initially derived from GPL code it is in fact GPL based... this includes all ports and derivatives. The core GTK Code is GPL as well so they have no choice in the matter. Anything further you'll need to contact your legal services... this includes any potential debates here on licensing law which I will not get into.

groze5858 wrote:Wouldn't SeaMonkey developers have to do the signing first? Since Firefox is a fork of SeaMonkey


I won't say "never" but it has been announced at least once that they won't be doing the signing requirement. Pale Moon apparently has announced they won't support it either. Time will tell.

Frank Lion wrote:Glance through a few of the multi post ones and you'll see the same old Mike Connor * and his chums using the same old routines of the last few years, just as though losing 25% odd of your entire userbase over the last 9 months was everyday mere bagatelle. No matter, in their eyes, you will always be wrong and they will always be right.


I had no idea about this person... indeed his veracity is quite absent which I picked up on right away. I am amused at his phishing expedition too... basically some portions of the team appear to be looking for ways that the community is going to work around this signing requirement so they can make changes on their end... hence the incomplete statement as to what they are going to do for developers. Luckily FOSS via the tri-licensing should keep them at bay... if they violate it then they can be appropriately dealt with. Their MPL won't protect them regardless of amendments.

WLS wrote:I don't understand how this pertains to users.


The simplest way that I can explain this is that the user experience will be crippled because it will be just like every other browser including IE with all the security flaws and procedural politics. e.g. if you want to run an add-on it has to be approved by the biased system at AMO. I've observed this bias and favoritism for about a decade now. AMO also has ignored registered complaints on spyware added to add-ons in the past in fear that they would lose support if a veteran add-on was blocked. Basically AMO/Fx has caved to the pressure of the mass hysteria and financial pressure laid into them by their investors (stakeholders as it's been mentioned by our favorite "chum").

There are a lot of good responses in this thread to hopefully help everyone to understand more fully that this isn't just a small thing they are implementing. It is a fundamental shift from a great user experience to a so-so experience. They have already alienated some of their developers and perhaps some of my other team members. I can't speak wholly on their behalf but the chatter in private is huge.

What I don't think has been discussed is the legal ramifications of their non-profit status doing vigilante works and taking away your freedom to choose. I do think things can be improved with "drive-by" toolbars but they are exceeding their mandate with the forcing of signing and eliminating testing against releases... and that's where they will lose contributors and support. Most of the larger Corps that I deal with will most likely drop Fx support and go with a system that doesn't violate their intellectual property rights... e.g. they are already dropping Fx from their nets.
groze5858
Posts: 148
Joined: June 11th, 2014, 3:26 pm

Re: Mandatory signing requirement for add-ons may be coming

Post by groze5858 »

Martii wrote:
groze5858 wrote:Wouldn't SeaMonkey developers have to do the signing first? Since Firefox is a fork of SeaMonkey


Martii wrote:I won't say "never" but it has been announced at least once that they won't be doing the signing requirement. Pale Moon apparently has announced they won't support it either. Time will tell.


groze5858 wrote:Does requiring the mandatory signing violate the GPL if Firefox developers do this?



You will need to make that decision for yourself but from previous history in dealings with licensing the short answer is yes. The latest response over there brings up one instance. I've been pleading with code developers for Fx to pick a stricter licensing for over a decade now... some have listened... some have not. Because Fx was initially derived from GPL code it is in fact GPL based... this includes all ports and derivatives. The core GTK Code is GPL as well so they have no choice in the matter. Anything further you'll need to contact your legal services... this includes any potential debates here on licensing law which I will not get into.



Thank you Martii for thinking I am some powerful business owner, you made my day. :) =D> \:D/

I am just an advanced computer user with some knowledge.

I am basing this theory on rsx11m's post; as I said earlier, GPL is really confusing for me.

Since Firefox is a fork of SeaMonkey. Firefox needs the permission of the SeaMonkey developers to modify the source code, that is, if I understand the GPL correctly.
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

groze5858 wrote:Since Firefox is a fork of SeaMonkey. Firefox needs the permission of the SeaMonkey developers to modify the source code, that is, if I understand the GPL correctly.


Not quite... The FSF (Free Software Foundation) especially under GNU allows derivatives however a lot of things have to happen in forks. Full free access to changes and source is one of them and required. Proper ownership of these changes must be added to the LICENSE. There is also the "tivoization" fiasco that is mentioned there which is why GPL2 was upgraded to GPL3 or later. That in its own right caused some controversy but in general GPL3 is considered to maintain copyleft and prevent agencies like AMO/Fx from doing what they are doing. When the hash signatures don't match is when AMO/Fx opens themselves up to litigation. Other licenses can impose this restriction as well but need to be enforceable and binding. What AMO/Fx is imposing with the signing is a mandatory fork of it e.g. opening themselves up to infringement if improperly executed on your behalf. One mistake is all it takes and they have a suit. I personally would never want to take on that responsibility for the whole world nor would I be foolish enough to try. They can of course remove Add-on support which appears to be the route they are going but burning development/testing/user teams over and over isn't good practice.

Part of the SeaMonkey (SM) team's divestiture back in the day was that their design concept was to keep what users might want to use in the browser. The Fx team came along and stripped away all the extras... split out email to Thunderbird... (which has been abandoned by certain teams but still active in others) and generally dumbed down the browser to allow creative add-ons to fill in the gaps. What's interesting is the perceived SM incorporations of the most important parts has made Fx seem very slow in comparison... when comparing apples to apples e.g. bulking up Fx to be as secure as SM.

I know it's quite complicated but licensing is generally used to protect the developer against unfair actions taken by a single entity. GNU has some less legalese articles about all of this. It takes quite a bit of time to fully comprehend so don't be afraid of it.

And thank you for the compliment... I hope to serve to the best of my capabilities the FOSS community. :)
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons may be coming

Post by rsx11m »

Both Firefox and SeaMonkey (and Thunderbird, and Lightning, etc.) are subject to the Mozilla Public License ([L]GPL is only a secondary license in this regard), thus I don't think that there is any conflict between those two applications as such.

If you are picky you could argue that the MPL 1.1/GPL 2.0/LGPL 2.1 tri-license applies which was in effect when the applications were split (or maybe even an earlier version), but even then I wouldn't assume any license conflict between code changes in core or application-specific portions.
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

rsx11m wrote:If you are picky you could argue that the MPL 1.1/GPL 2.0/LGPL 2.1 tri-license applies which was in effect when the applications were split (or maybe even an earlier version), but even then I wouldn't assume any license conflict between code changes in core or application-specific portions.


I appreciate your viewpoint but there's some precedence for the proper understanding. There's a few sayings in the licensing world regarding GPL... ~"Once GPL always GPL"... it's one of their code requirements. Others have called it "sticky"... it is this "stickiness" that keeps copyleft true to form and prevents abuse such as the Tivo (I think we know where Tivo went... anyone got one still? ;) ) and now the signing requirement from AMO/Fx. Leveraging a copyright vs a copyleft is the duty of a license. When the spirit of the law and the letter of the law are enforceable and binding no project anywhere can modify it no matter how many splits occur. This affects MPL (any version). Any GPL code that is/was accepted, utilized and consumed by Fx makes the project forced to use GPL as the binding license. Mozilla didn't pick LGPL they picked GPL... as long as the additional terms don't conflict is where multiple licensing can come into play. 100% of my team's contributions are GPL unless a little more acceptance is needed from the commercial industry side when it is published as LGPL. This is part of the reason why I really don't want to get into a debate with this and others should contact their legal services. I have with multiple Companies/SOHO/Corps and every one of the legal counsels concurs with this.

Rebranding or flat out droppage of Fx is pretty much what everyone is reasonably left with if they don't remove this signing and distribution isolation requirement from releases.
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Mandatory signing requirement for add-ons may be coming

Post by LoudNoise »

Not really. The code that is licensed by GPL must remain GPL and any improvements made to that code must be GPL and offered to the community. Any new code can be licensed any way you want it to be, including commercially. GPL cannot claim the rights to things that are not created under that license.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

Try this for a read... http://www.law.washington.edu/lta/swp/L ... ative.html ... derivative works especially. There are multiple sites that explain this in greater/newer detail but that's the first search engine hit here.

EDIT:
See also:
Last edited by Martii on February 19th, 2015, 8:29 pm, edited 1 time in total.
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Mandatory signing requirement for add-ons may be coming

Post by LoudNoise »

Which is what I said. Firefox isn't a derivative of any of the GPL library code it uses. If Netscape was based on GPL then they would have to follow it unless all of the folks who worked on the code agreed to change it. It wasn't.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

Also, while Firefox began its life as a fork of Mozilla Suite, it has for quite some time now been the primary development platform that Mozilla works on. So the way that SeaMonkey is currently developed is as if it's a fork of Firefox. That's why SeaMonkey keeps inheriting weird artifacts of Firefox development like the goofy Findbar and the revamped (and never really finished) Addons Manager.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Martii
Posts: 31
Joined: February 17th, 2015, 4:49 am
Location: Terra Firma

Re: Mandatory signing requirement for add-ons may be coming

Post by Martii »

LoudNoise wrote:Which is what I said. Firefox isn't a derivative of any of the GPL library code it uses.


Understandable however there are a few more links added. MPL2 work is derived from MPL1.1 frameworks which are from GPL... (some Add-ons are GPL as well so MPL must adhere to that license) of the same code which is what was said and concurred with below. Point of the matter this is beyond the realm and scope of zine as a whole which is why again I recommend having at least one or a group of attorneys concur for those who want a final answer not just web speculation. As intellectual knowledge comes at a premium this costs money.

patrickjdempsey wrote:So the way that SeaMonkey is currently developed is as if it's a fork of Firefox. That's why SeaMonkey keeps inheriting weird artifacts of Firefox development like the goofy Findbar and the revamped (and never really finished) Addons Manager.


LOL Recursion or the chicken and the egg syndrome here. :) I'm not saying who is better as I really don't mind either one save for this new policy which has zero to do with keeping net-neutrality.
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Mandatory signing requirement for add-ons may be coming

Post by barbaz »

from https://groups.google.com/forum/#!topic/mozilla.addons.user-experience/rO5jUfqsh-E:
Mike Connor wrote:the point here is not to stop the actually illegal malware, but to dissuade all of the greyware/crapware installers from targeting Firefox users.

To me that's the clearest reason for implementing this that I've heard yet.
Doesn't make me any more in favor of it though.

Hmm, so it's not against browser malware but against "greyware", but the question there is what percentage of the crapware-but-not-full-blown-malware installers will actually be dissuaded, and what percentage will subsequently take it to the next level and try to find a way to hack-patch Firefox binaries or omni.ja to achieve the same effect as their extension did (would that make those installers "actually illegal malware"?)... and this I can't really judge because I haven't ever personally dealt with greyware. But it's business, so it's all about the money - as such my guess is that probably those making profitable enough greyware will indeed spend the money to take it to the next level, and the end users will still be worse off in the long run.