Where are the builds for unsigned extensions?

[PerpetualHeadbang]

So there is not going be an version of Firefox even unbranded that will not support unsigned extensions/addons?

The unbranded release is supposed to be the one that keeps the about:config flag which allows bypassing the signing requirement.

Are those browsers that are based on Mozilla like Seamonkey, Iceweasel, Midori, waterfox, cyberfox, etc going to be required not to support unsigned extension?

Whether they want to enforce signing, or allow toggling via about:config, or just not care about signing at all, is up to the fork in question.

So will Iceweasel keep the Gecko engine or switch to Goanna engine so it can still take unsigned extensions?

There is no reason for them to switch to Goanna with respect to addon signing, since it should be trivial to bypass the requirement if they wish.

For the advance users, If you compile from the Firefox from the source will it still be required not to support unsigned extension? How secure is the browsers that are compiled from the source?

In general, there's not much difference in terms of security. You can however enable and disable options while compiling Firefox which can in turn make it more or less secure. It's up to the options you compile in. One of the options will almost certainly be the ability to bypass signing (and even if there wasn't, people would come up with source patches to do so anyway).

[therube]

Are those browsers that are based on Mozilla like Seamonkey, Iceweasel, Midori, waterfox, cyberfox, etc going to be required not to support unsigned extension?

SeaMonkey does not require signed extensions.

[groze5858]

Are those browsers that are based on Mozilla like Seamonkey, Iceweasel, Midori, waterfox, cyberfox, etc going to be required not to support unsigned extension?

SeaMonkey does not require signed extensions.

Therube

I thought Seamonkey was forked from firefox or is it the other way around?

[James]

Mozilla discontinued the Mozilla suite as of 1.7.13 back in April 2006 and a community has kept this suite going since as SeaMonkey

[Mouse5]

I thought Seamonkey was forked from firefox or is it the other way around?

only thing SM gets from Firefox an thats its Bug Fix's

[patrickjdempsey]

SeaMonkey (and Thunderbird) is built on the same core as Firefox, which does include the Addons Manager, but the signing requirement stuff is disabled for products that are not Firefox. SeaMonkey does have a large amount of it's own native code, but it is combined with Firefox's core, which includes a great deal of the Browser component. How else would "bug fixes" work?

[JanH]

You currently have to specify if your add-on is to be side-loaded during signing, according to https://developer.mozilla.org/en-US/Add ... stribution. That implies that side-loaded addons will need to be signed too, though I haven't confirmed that yet. Of course malware already running on your PC could tinker with the Firefox binary to disable signing and such, but that doesn't mean signing can't at least help with lazier attempts.

I think the idea was that if some software starts going as far as to tamper around with Firefox's binaries in order to bypass signing it should be much easier to get it classified as malware by the AV vendors than if it was just trying to place some random XPI in the installation directory.

[patrickjdempsey]

That's the general idea. Although just encrypting the log files would have gone a LONG way to preventing the risk factors without requiring all of these hoops and huge infrastructure changes. Not that any of this really matters since Mozilla has allowed certain kinds of "bad actors" as long as they meet certain requirements, and a few months ago they disabled automated code scanning after admitting that it's actually impossible to scan code to discover malware. Kind of like how Facebook allows scam advertisers as long as they don't post naughty pictures. Grade A Security Theater.

[PerpetualHeadbang]

Although just encrypting the log files would have gone a LONG way to preventing the risk factors without requiring all of these hoops and huge infrastructure changes.

Not that any of this really matters since Mozilla has allowed certain kinds of "bad actors" as long as they meet certain requirements

Interesting. Mind sharing a couple links to some specific info, if you've got them handy? (I'm not looking to pick a fight, just see what you mean, since I'm not sure how much encrypting log files would hinder malware addons, and hate to think that I missed the news of them letting some "bad actor" just get away with making malware addons).

[flaneurb]

...
Are those browsers that are based on Mozilla like Seamonkey, Iceweasel, Midori, waterfox, cyberfox, etc going to be required not to support unsigned extension?. ...

AFAIK, Midori is not "based on Mozilla" at all.

[Virtual_ManPL]

Although just encrypting the log files would have gone a LONG way to preventing the risk factors without requiring all of these hoops and huge infrastructure changes.
Not that any of this really matters since Mozilla has allowed certain kinds of "bad actors" as long as they meet certain requirements

Interesting. Mind sharing a couple links to some specific info, if you've got them handy? (I'm not looking to pick a fight, just see what you mean, since I'm not sure how much encrypting log files would hinder malware addons, and hate to think that I missed the news of them letting some "bad actor" just get away with making malware addons).

About addons, there are some adware and spyware extensions with Superfish and etc. on AMO, mostly the feature should be opted-out and disabled by default by Mozilla non-surprise police, but who knows

[PerpetualHeadbang]

About addons, there are some adware and spyware extensions with Superfish and etc. on AMO, mostly the feature should be opted-out and disabled by default by Mozilla non-surprise police, but who knows

Any links to them on AMO?

[mightyglydd]

See here...http://forums.mozillazine.org/viewtopic ... #p14569871

[PerpetualHeadbang]

See here...http://forums.mozillazine.org/viewtopic ... #p14569871

Got it. Thanks for the suggestion to try searching here again, I must have stupidly forgotten to try searching for "superfish" in addition to just "super fish" when I first tried. I found the complaint about the addon(s) this time. Seems it's another of those cases where it's up to you whether you believe that users should be allowed to shoot themselves in the foot if they want to, namely from: http://forums.mozillazine.org/viewtopic ... #p14065055

I'll try to search around a bit more to find out about any other cases when I have a bit more time, thanks. I'll let your attack in that comment slide as you've actually tried to help me out here.

[Virtual_ManPL]

About addons, there are some adware and spyware extensions with Superfish and etc. on AMO, mostly the feature should be opted-out and disabled by default by Mozilla non-surprise police, but who knows

Any links to them on AMO?

Are you just new or some kind of shill from advocacy department? jk
No worries, I will spoonfeed you
Odd that you don't remember this, as it was some big deal, even some months ago.

There were Hola, thankfully developers taken care of it from AMO. It was also part of the botnet.
Also there were issue in the past with IE Tab Plus, FoxLingo, WindowShopper - Automatic Price Comparison, Surf Canyon, Conduit, Converter, FB-Timer, SmartSuggestor, Special Savings, Similar Web, PageTweak, Calc, Calculator, SimilarWeb etc...

Now, I'm seeing only Flash Video Downloader - YouTube HD Download [4K], which I'm using, as it can download files over MSE and DASH. It has adware, but it's disabled by default.
Also adware contains: FasterFox, FasterFox Lite, betterFox, Speed Dial, New Tab King, X-notifier, Copy Link Name, BlockSite, Weather Now, Wiki, Handy Maps, *some name* Theme Engine, *some name* New Tab, Diigo Toolbar, Awesome Screenshot Plus, CouponDropDown, 1ClickDownload, Yontoo, and FBPhotoZoom, Easy Copy Paste, Safe Preview, Session box, Free Search & Youtube HD Video Downloader, FabTabs, Fastest Search, Quick Locale Switcher etc...

and many many more with SuperFish and Conduit, even the most know certificate issue