Firefox 41 will block unsigned extensions

Discussion about official Mozilla Firefox builds
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Firefox 41 will block unsigned extensions

Post by lithopsian »

therube wrote:Couldn't an extension author simply copy the AMO signed version, place it on his site & say, "here"?
Would that work?

They could, but then it wouldn't really be self-hosted. Self-hosted addons use the updateURL field in install.rdf to update automatically from a non-AMO server, so the xpi is physically different from one on AMO. Also, when an addon is self-hosted it is often because the AMO version is no longer maintained so the latest version isn't there.

therube wrote:> the best workaround is to use different IDs for each distribution

So does that mean I can install each extension twice (or more)?
I love extensions, so the more the merrier!

If you had different IDs then the same addon (with a subtly different name) could be installed twice. The results wouldn't be pretty. It isn't a great workaround and I'm certainly not endorsing it. Just what was suggested to me by the powers that be.
therube
Posts: 21714
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Firefox 41 will block unsigned extensions

Post by therube »

Self-hosted addons use the updateURL field in install.rdf to update automatically from a non-AMO server

Wasn't aware of that.
And if no updateURL is specifically provided, what, it would only try AMO?

Otherwise, it is feasible (& cleaner IMO) to copy the AMO-signed version to your own website.
(Only for the reason that an extension author could say, "you can get it direct from me, or you can get it from AMO - it's the same".)

the same addon (with a subtly different name) could be installed twice

Could you imagine the nightmares that would cause.
Every discussion would have to start out with, where did you get it (install it) from?

Well, geez, I don't know?


And essentially, AMO becomes sole source, single point of failure.
AMO goes down, you're out of luck.
(Kind of like sourceforge going down & all the projects that were affected there that were unavailable, for days, until they got back up.)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Firefox 41 will block unsigned extensions

Post by lithopsian »

Without an updateURL field, the addon will look for new versions from AMO. You can still host the xpi on your own web page, but you could equally just link to the AMO page.

Suggesting distributing the same addon under different IDs (and hence under different names) is just Mozilla trying to evade the fact that the signing implementation is still half-assed. There would be namespace clashes, potential duplication of DOM elements. Can you imagine two addons fighting to dynamically populate a menu? Or imagine the conniptions of Mozilla reviewers if an addon force-disabled another addon?
Frank Lion
Posts: 21177
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Firefox 41 will block unsigned extensions

Post by Frank Lion »

therube wrote:
the same addon (with a subtly different name) could be installed twice

Could you imagine the nightmares that would cause.
Every discussion would have to start out with, where did you get it (install it) from?

Well, geez, I don't know?

Well, not 'would cause', but will cause. I already have precisely that situation with my Tab Overflow Scrollbar extension.

When a user installs the new signed version, they still have the previous version! That's because 8 years back it was on AMO and the only way to get it signed was to make a slight change to the name and GUID.

People should remember that most extension/theme authors actually make this stuff originally for themselves and then think that they might as well share it with other people. It's one of the founding principles of the Open Source community after all.

Years pass, you update it and tweak it when needed, even with ones that the authors are not personally using, which is not a problem as 99% of users are really nice people.

Along comes signing - if you don't get it signed then I guarantee that some mouth-breathing cretin will be dissing your stuff all over the Net, saying 'the author can't be bothered' or calling it 'abandonware'.

Get it signed and, in this case, add a note on the install page advising users to uninstall the previous version. Luckily, that one has less than 10,000 users, but even so I know I'll get a flurry of Support requests asking me to explain what is going on, even though the note already explains all that.

As Shaver once said to me, 'That is the heat in that particular kitchen' and he was right. But yeah, with the combined assault of signing, cretins and the T-shirt giving Mozilla I wouldn't be surprised to see some extension authors just pack this game in now.

Can't say I would blame them either.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
DJ-Leith
Posts: 28
Joined: August 30th, 2014, 9:12 am

Re: Firefox 41 will block unsigned extensions

Post by DJ-Leith »

The 'self-hosted' versions of NoScript, that can be collected using
the feed (https://noscript.net/feed?c=200&t=a) and installed
(in Fx Dev Ed and Nightly - with warnings)
are hosted at secure.informaction.com

AFAICT these are identical to the 'signed by Mozilla' versions at AMO
EXCEPT that they are not signed (they don't have a META-INF subfolder).

They do not seem to have an 'updateURL' in the "install.rdf".

In the thread
NoScript Not A Signed Add On (Yet)?
https://forums.informaction.com/viewtopic.php?f=8&t=21126

I have
* proposed a work flow
* tested which rc versions of NoScript are signed

Summary
AMO all versions from 2015-05-29 onwards, that are Stable Release - that I installed, are signed.
AMO rc version since Version 2.6.9.32rc4 (2015-07-26) - that I installed, are signed.
From secure.informaction.com, via the feed, are not signed.

* checked for the presence of an 'updateURL'.

More detail in that thread.

So, while the NoScript XPIs might not be
lithopsian wrote: ... really be self-hosted ...

I think 'putting the signed Extensions' on another host (in addition to AMO) would work
(if the XPIs don't contain an 'updateURL').

DJ-Leith
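
The check DJ-Leith describes above (does the XPI have a META-INF folder, does install.rdf carry an updateURL), as an added example that is not part of any post in this thread. It only tests that META-INF entries are present and does not verify a signature; the sample XPI, its add-on ID and the `build_sample` helper are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

def manifest_field(desc, name):
    """install.rdf allows a property as a child element or as an attribute."""
    child = desc.find(EM + name)
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(EM + name)

def inspect_xpi(data):
    """Return id, version, updateURL and whether any META-INF entry exists."""
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        names = xpi.namelist()
        root = ET.fromstring(xpi.read("install.rdf"))
    # Nested targetApplication Descriptions carry the application's em:id, so skip them.
    desc = next(d for d in root.iter(RDF + "Description")
                if (d.get(RDF + "about") or d.get("about"))
                == "urn:mozilla:install-manifest")
    return {
        "id": manifest_field(desc, "id"),
        "version": manifest_field(desc, "version"),
        "updateURL": manifest_field(desc, "updateURL"),  # None: updates come from AMO
        "has_meta_inf": any(n.upper().startswith("META-INF/") for n in names),
    }

def build_sample(update_url=None, signed=False):
    """Constructed sample XPI (not a real add-on) so the check runs offline."""
    upd = f"<em:updateURL>{update_url}</em:updateURL>" if update_url else ""
    rdf = f'''<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample@example.invalid</em:id>
    <em:version>1.0</em:version>{upd}
    <em:targetApplication><Description>
      <em:id>{{ec8030f7-c20a-464f-9b0e-13a3a9e97384}}</em:id>
    </Description></em:targetApplication>
  </Description>
</RDF>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
        if signed:  # placeholder entry only; carries no real signature
            z.writestr("META-INF/manifest.mf", "constructed placeholder")
    return buf.getvalue()
```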
Drumbrake
Posts: 1177
Joined: February 14th, 2011, 2:34 am

Re: Firefox 41 will block unsigned extensions

Post by Drumbrake »

Frank Lion wrote:People should remember that most extension/theme authors actually make this stuff originally for themselves and then think that they might as well share it with other people. It's one of the founding principles of the Open Source community after all.


And is it still one of the founding principles by which Mozilla lives?

Judging by their moves in the recent years, in my opinion culminating (for now) in the very, very bad move about Pocket, I would lean towards no.

Of course I'm just putting random thoughts together here, but I clearly remember a survey somewhere after the release of Firefox 4, in which they openly asked about our opinion towards an app store where you had to actually pay for addons.
If signing is to become mandatory and AMO the only place from which to retrieve addons, are they possibly going in that direction?
Last edited by Drumbrake on August 16th, 2015, 4:52 am, edited 2 times in total.
Frank Lion
Posts: 21177
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Firefox 41 will block unsigned extensions

Post by Frank Lion »

Drumbrake wrote:
Frank Lion wrote:People should remember that most extension/theme authors actually make this stuff originally for themselves and then think that they might as well share it with other people. It's one of the founding principles of the Open Source community after all.


And is it still one of the founding principles by which Mozilla lives?

You tell me. This look like the financial investments of any Open Source outfit you know? -

2013 audited accts. -

Money market funds, Mutual funds, Government bonds, Commercial paper: Financial, U.S. Agency funds, Asset-backed securities, Corporate debentures/bonds, Hedge funds

- $ 136,202,000
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Firefox 41 will block unsigned extensions

Post by patrickjdempsey »

DJ-Leith wrote:I think 'putting the signed Extensions' on another host (in addition to AMO) would work
(if the XPIs don't contain an 'updateURL').

DJ-Leith


You are missing the point. That would only work in the case of a user *manually* downloading the extension. Which will still fail in Firefox 42 if it is not signed. But automatic updates will not work, because a "self hosted" extension by definition needs to have an "updateURL" so Firefox knows where to look for the update. With no "updateURL" field, Firefox just checks AMO for an extension with a matching GUID, and a higher version number.

As I mentioned previously, signing was originally designed entirely for this purpose of off-site hosting, and therefore was always used with a "updateURL".
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Re: Firefox 41 will block unsigned extensions

Post by the-edmeister »

Looks like it has been pushed back to Firefox 43 now as of this morning.
https://wiki.mozilla.org/Addons/Extension_Signing
Check the Firefox Release Calendar for specific dates.
* Firefox 40: Firefox warns about signatures but doesn't enforce them.
* Firefox 41 and 42: Firefox will have a preference that allows signature enforcement to be disabled (xpinstall.signatures.required in about:config).
* Firefox 43: Release and Beta versions of Firefox will not allow unsigned extensions to be installed, with no override.



.
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
James
Moderator
Posts: 28005
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Re: Firefox 41 will block unsigned extensions

Post by James »

The article was reverted back four hours later by the same person.

https://wiki.mozilla.org/index.php?title=Addons%2FExtension_Signing&diff=1090514&oldid=1090449
Frank Lion
Posts: 21177
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Firefox 41 will block unsigned extensions

Post by Frank Lion »

the-edmeister wrote:Looks like it has been pushed back to Firefox 43 now as of this morning

That's the 2nd push back now. It was pushed back to 42 from 41 at the end of June.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
DJ-Leith
Posts: 28
Joined: August 30th, 2014, 9:12 am

Re: Firefox 41 will block unsigned extensions

Post by DJ-Leith »

patrickjdempsey wrote:You are missing the point. That would only work in the case of a user *manually* downloading the extension. ... ...

I agree with what you have written: automatic updates would fail if AMO was down.

My point in the post above, and the thread at the NoScript Forum, was to have an easy way to have an alternative source of the signed XPIs - 'an archive of Mozilla signed XPIs' - that would allow people to 'downdate' to an older version of NoScript. Giorgio Maone has released more than 880 versions of NoScript (I'm including the Release Candidate (RC) versions). Sometimes one has to 'downdate'. Sometimes AMO is not available.

As the NoScript XPIs don't include an updateURL they are not 'true self-hosted Extensions' but they would work in an emergency even if AMO was down. Giorgio is (perhaps has already) going to write some scripts to "synchronize signed XPIs as soon as they're available"
(see https://forums.informaction.com/viewtopic.php?f=8&t=21126&start=15#p78125).

DJ-Leith
KilliK
Posts: 612
Joined: June 18th, 2004, 7:11 am

Re: Firefox 41 will block unsigned extensions

Post by KilliK »

I don't know if this has been asked before, but is this restriction going to be forced in Thunderbird too?
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Firefox 41 will block unsigned extensions

Post by LoudNoise »

Unless things have changed recently, not at the moment anyway.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Firefox 41 will block unsigned extensions

Post by LoudNoise »

James wrote:The article was reverted back four hours later by the same person.

https://wiki.mozilla.org/index.php?title=Addons%2FExtension_Signing&diff=1090514&oldid=1090449


There seems to be some confusion in the air which is made more enjoyable by the fact that Mossop, in true Mozilla fashion, is the chief confused Lizard...
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."