Mandatory signing requirement for add-ons is coming

Talk about add-ons and extension development.
Post Reply
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons may be coming

Post by rsx11m »

Frank Lion wrote:I think we need a clear statement from SeaMonkey as to whether they intend to disable signing in SM or not.

I'll add a link to this thread to the agenda for next week's status meeting (2/17, 13:00 UTC).
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by Frank Lion »

Lemon Juice wrote:To me this sounds like a pretty clear statement!

I've come across quite a few ' there are no plans to implement this in....at the moment.' statements in my time. Usually it's '...at this stage' at the end, so this is groundbreaking stuff here!


rsx11m wrote:
Frank Lion wrote:I think we need a clear statement from SeaMonkey as to whether they intend to disable signing in SM or not.

I'll add a link to this thread to the agenda for next week's status meeting (2/17, 13:00 UTC).

Many thanks.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
mcdavis
Posts: 3195
Joined: December 9th, 2005, 5:51 am

Re: Mandatory signing requirement for add-ons may be coming

Post by mcdavis »

On m.addons.user-experience, Dan Veditz said:

> Then use a popup like Chrome does (that can't be bypassed). It would be much less annoying than this.

For an add-on that requires a Firefox restart to install there's nothing we can do that can't be bypassed. Chrome benefits from never having allowed extensions to be as invasive/integrated as Mozilla's.


What's he referring to?
Theme Development is Radical Participation.
NNL Beta Builds for Current and Up-coming Firefox
Dear User: Your Help is Needed
User avatar
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Mandatory signing requirement for add-ons may be coming

Post by LoudNoise »

Likely transitional vs "restartless". 14 year olds are easily annoyed.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
User avatar
mcdavis
Posts: 3195
Joined: December 9th, 2005, 5:51 am

Re: Mandatory signing requirement for add-ons may be coming

Post by mcdavis »

I thought he was saying that traditional add-ons have a way of compromising Firefox that comes from not being restartless. So I'm wondering what it is about restarting Firefox that would let it be compromised, if that's what he was saying. "Nothing we can do that can't be bypassed" is an eye-opener.
Theme Development is Radical Participation.
NNL Beta Builds for Current and Up-coming Firefox
Dear User: Your Help is Needed
User avatar
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Mandatory signing requirement for add-ons may be coming

Post by LoudNoise »

i would doubt much thought was given to it by Dan Veditz. Mozilla blogs have a weakness for stating things as good news and then ignoring everything that comes afterward. This encourages wackos and gives them the ok to look at anyone who disagrees as weirdos.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

He's essentially saying that's Chrome's limited extensions are a good thing for everyone. Which to a limited degree, they are. They are good because limited extensions benefit from rarely becoming incompatible. The are good because doing really naughty stuff is really really difficult. They are good because memory leaks are rare (although apparently in recent versions of Chrome they are mostly caused by the addons system itself... which breaks that line of logic IMO). They are good because explicit approval from nanny-Google means only evils approved by Google are accepted... again this presumes that Google has the Good of the User in-mind when approving which we know from Google's own practices should not be inferred.

Mostly it is assumed that they are Good because it's so much *harder* to Do Evil. Which isn't any kind of real security argument at all... unless you are one of those who still believe that running Linux or OSX automatically makes you "safe". Meanwhile, it's mostly just limited for the sake of being limited... which makes developing novel extensions for the benefit of the user all the more difficult.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Lemon Juice
Posts: 788
Joined: June 1st, 2006, 9:41 am

Re: Mandatory signing requirement for add-ons may be coming

Post by Lemon Juice »

Reading the comments under the Mozilla blog I'm getting a sensation of deja vu. A few years back when MS released their test versions of Windows 8 - 95% of users complaining and asking to change the course and no one really listened. We all know how successful Windows 8 became... :roll: The only difference is MS can afford to release a complete flop from time to time and pick up momentum again with a next corrected release 2-3 years later while I don't think Mozilla can.
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by patrickjdempsey »

I do think it's funny the comments that say "Goodbye Firefox" and then complain that Mozilla wants to be the next Apple/Google/Microsoft.... I wonder what web browser they plan on using then? ](*,)
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Lemon Juice
Posts: 788
Joined: June 1st, 2006, 9:41 am

Re: Mandatory signing requirement for add-ons may be coming

Post by Lemon Juice »

patrickjdempsey wrote:I wonder what web browser they plan on using then? ](*,)

SeaMonkey :mrgreen:

But honestly, they'll just switch to a facebook app on their phone/tablet/win8/win10 and be done with browsers :lol:
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: Mandatory signing requirement for add-ons may be coming

Post by Frank Lion »

patrickjdempsey wrote:I do think it's funny the comments that say "Goodbye Firefox" and then complain that Mozilla wants to be the next Apple/Google/Microsoft..

Not going to happen, they are struggling to even be the next Mozilla.

Two quotes come to mind -

'When in hole, stop digging' and 'Consider the possibility that you may be wrong '' ( that second one is actually a paraphrase of Oliver Cromwell going back to 1650 ! )

http://marketshare.hitslink.com/browser ... pcustomb=0
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
cyrix007
Posts: 164
Joined: October 25th, 2006, 1:10 am

Re: Mandatory signing requirement for add-ons may be coming

Post by cyrix007 »

What does all this mean for an average user like me? Am I in danger of losing a good many of my beloved extensions? Are the extensions available on Mozilla's official Add-ons site safe from extinction? If I already have an extension installed which isn't digitally signed, will it vanish from my profile when the blocking takes effect?
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Mandatory signing requirement for add-ons may be coming

Post by lithopsian »

cyrix007 wrote:What does all this mean for an average user like me? Am I in danger of losing a good many of my beloved extensions? Are the extensions available on Mozilla's official Add-ons site safe from extinction? If I already have an extension installed which isn't digitally signed, will it vanish from my profile when the blocking takes effect?

Probably you won't see much difference, it is more of an impact for developers. Addons hosted at AMO, which is probably everything you use, will automatically be OK (assuming they don't add some stupid extra requirements to the review process). The difficulties will come for addons hosted elsewhere, which will have to go through an additional review (supposedly automated, with a "manual" appeal process) before they will be valid for install in Firefox. It *should* reduce the number of malicious toolbars and adware floating about getting piggyback-installed, but it may well also be the last straw for some addon developers who host addons themselves for various reasons, including the current Mozilla review process. I don't think anyone can say exactly how it will work yet, but existing addons won't magically disappear from existing versions of Firefox. Quite what a new version of Firefox will do with unsigned addons I don't know: hopefully not trash them, or at least give some warning and grace period.

Sounds like some forks of Firefox may remove this feature, so maybe you'll be switching to SeaMonkey or PaleMoon :)
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons may be coming

Post by rsx11m »

To get your history straight: SeaMonkey is not a fork of Firefox (Firefox is a fork of the Mozilla Suite = SeaMonkey with various parts reimplemented). What the Add-ons system will do with already installed but unsigned add-ons is a good question. It may just keep them disabled, or let them be activated but refuse any updates. There is a lot of activity on bugzilla with regard to the signing process (meta bugs 1047239, 1070152, 1070153), hard for me to figure out what it actually means in terms of practical implications for developers or users. It sure will make it harder for non-mainstream extensions to stay afloat. I hope that the people here with experience in extension development watch those bugs and slap the driver's fingers where necessary.

Edit: There is also a wiki page with more details, https://wiki.mozilla.org/AMO/SigningService
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Mandatory signing requirement for add-ons may be coming

Post by lithopsian »

Although the documentation states that developers will have to use special Firefox versions for testing not-yet-signed addons, a preference is planned to allow installation of unsigned addons (not implemented yet though):
https://bugzilla.mozilla.org/show_bug.cgi?id=1038068

I also found a throwaway remark in another bug that non-signed addons will get disabled if a Firefox version that requires signing is installed/upgraded.
Post Reply