LandzDown Forum

Software & More => General Software News, Updates & Discussions => Topic started by: ky331 on May 29, 2015, 01:13:59 PM

Title: Firefox's "signed-addons"
Post by: ky331 on May 29, 2015, 01:13:59 PM
As of 28 May 2015, Mozilla requires all extensions made available through addons.mozilla.org to be signed by Mozilla's self-appointed discretionary "review team".

Indeed, when I went to check my extensions (add-ons) this morning, I found that updates (to the signed versions) were available for at least 6 or 7 of my add-ons.

Several of my add-ons apparently don't [yet??] have "signed" versions.   This may either be because I'm still using an "ancient" add-on [that still works] that Mozilla isn't looking into at present, or because it's an add-on that Mozilla's team has intentionally chosen NOT to "sign".

Based on their current plans, UNsigned add-ons will cease to work effective with the release of FF 41 (about 15 weeks from now).

----

PaleMoon has intentionally removed its PaleMoon Commander add-on from addons.mozilla.org so as to prevent Mozilla from signing it, as PaleMoon considers such signing to "be a direct violation of the extension's freeware license".  If desired, Pale Moon Commander can still be installed directly from the Pale Moon website, the Pale Moon addons site, or any software portals that may mirror this extension.   But unless Mozilla changes its plans, this add-on will cease to function effective with the release of FF 41.

https://forum.palemoon.org/viewtopic.php?f=1&t=8330
Title: Re: Firefox's "signed-addons"
Post by: Digerati on May 29, 2015, 01:54:21 PM
I am not sure of your opinion here. Are you saying FF's new policy is good or not good?

I see it as a good thing.

As I read the new Extension Signing policy (https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/) which is based on the new Add-on guidelines (https://developer.mozilla.org/en-US/Add-ons/Add-on_guidelines), the "automated" approval process protects FF users from unwanted, unexpected, and non-reversible changes to their systems. Again, I see that as a good thing.

Only the submitted add-ons that don't pass the "automated" review processes, (either submitted for hosting on the AMO or submitted via developer accounts) will go through the "review team" to ensure the add-on meets the guidelines.

Again, I see this as a good thing for FF users. While it may impose an extra hoop for some developers, FF is not for developers. It is for us Internet users and I see nothing in the Add-on guidelines that is bad for us users.
Title: Re: Firefox's "signed-addons"
Post by: ky331 on May 29, 2015, 02:14:55 PM
I don't know that my post actually offered an "opinion" on the matter.   It was simply meant as a statement of events, alerting users to "ongoings" at Mozilla.

I would agree with you that limiting FF to signed add-ons certainly has the potential to enhance FF's security, by eliminating/blocking rogue/malware add-ons.   That's assuming that "politics" and matters of professional rivalry don't come into play in Mozilla's decision-making process.

On the other hand, it's clear that MoonChild --- the developer of PaleMoon --- blatantly DISapproves of Mozilla's action, referring to it as "draconic 'sole arbiter' nonsense".   [That's HIS quote/opinion, not necessarily mine.]
Title: Re: Firefox's "signed-addons"
Post by: Digerati on May 29, 2015, 02:42:51 PM
Quote: I don't know that my post actually offered an "opinion" on the matter.
It didn't. I was just wondering because you included the link to Moonchild's PM post and that clearly suggests disapproval of Mozilla's "unscrupuled tactic". 
Title: Re: Firefox's "signed-addons"
Post by: Corrine on May 29, 2015, 03:18:07 PM
IMO, the path forward on this new FF practice depends on the "review team".  Is the review to eliminate rogue/malware add-ons?  There has long been the procedure in place where add-ons are submitted by the developer for testing.  Not all add-ons pass review and get added to the official channel so what is new?  Does anyone recall rogue FF add-ons?  Will this "review team" be biased in any way?  Will the "review team" modify the code beyond signature?  By Moonchild in the above-linked topic:

Quote: Mozilla signing the extension would be a direct violation of the extension's freeware license, because they would be altering the xpi, which is explicitly not allowed.
Title: Re: Firefox's "signed-addons"
Post by: Digerati on May 29, 2015, 04:09:24 PM
Quote: There has long been the procedure in place where add-ons are submitted by the developer for testing.
But according to the guidelines, developers didn't have to submit them for review and that is where the problem was.

And again, with this new policy, this will be an automated process and only if that fails, will "people" get involved so until then, bias "should" not be an issue. It is all about ensuring the add-on does nothing without the user's awareness/consent and/or without being able to undo/uninstall. If the automated process cannot verify those requirements, then humans will get involved.

At least that is how Mozilla claims the process will work.

As far as the review team being biased, I guess only time will tell. I sure hope not. I also hope they make no modifications to the code, other than signing it. If they deem it necessary to make further changes, they need to reject the submission and return it to the developer rather than modifying it and then signing it.

As far as Moonchild's complaint, that is way beyond my level of expertise, but if Mozilla is only "signing" the extension, then even though that is technically modifying the code, I don't see the problem if it, in no way, modifies the function of the add-on.

To be sure, I respect the developer's rights to develop their own code, but when it comes to consumer security, the consumer's right to security trumps the developer's rights.

Freedom is NOT free and unfortunately, it is the honest people who must bear the burden and costs of those who would be dishonest. :(
Title: Re: Firefox's "signed-addons"
Post by: siljaline on May 29, 2015, 11:13:12 PM
Spotted & Tweeted - perhaps Mozilla is out to force some love on its users in the wake of recent negative press.
https://twitter.com/randyknobloch/status/604304388400766976
Title: Re: Firefox's "signed-addons"
Post by: plodr on May 30, 2015, 03:29:55 PM
Link to article for those who do not do twitter. (I do not tweet).
http://www.theregister.co.uk/2015/05/29/mozilla_signing_vetted_security_add_on/
Title: Re: Firefox's "signed-addons"
Post by: siljaline on May 30, 2015, 06:04:11 PM
Quote from: plodr on May 30, 2015, 03:29:55 PM
Link to article for those who do not do twitter. (I do not tweet).
http://www.theregister.co.uk/2015/05/29/mozilla_signing_vetted_security_add_on/
I feel that you don't want to be on some bits of social media but the Twitter link is rather harmless and does point to the Register URL.

Right click - > open in New Tab - view link aka URL, life is good.  :grin:
Title: Re: Firefox's "signed-addons"
Post by: siljaline on May 30, 2015, 10:52:38 PM
Sometimes a Tweet can have "sub-tweets" - meaning;  those that have visited Twitter to view the link have added additional comments to the Tweet.

This is sometimes interesting for those that do like looking under the hood - in that way.  It would be similar to someone on a board thread only choosing to reply to certain elements of the thread but not all of it. You'll get used to it as we move along.  We'll endeavor to break this out as we go.

This YouTube video was born out of a Tweet that Ed Bott posted earlier today (https://twitter.com/edbott/status/604655491055165440) within context - it makes sense.

https://www.youtube.com/watch?v=x0pSo58K5aY

Title: Re: Firefox's "signed-addons"
Post by: plodr on May 31, 2015, 01:20:05 AM
Quote: Right click - > open in New Tab - view link aka URL
See, I did not know that.
Title: Re: Firefox's "signed-addons"
Post by: siljaline on May 31, 2015, 03:45:34 AM
Ignore what I wrote about sub-tweets (http://www.urbandictionary.com/define.php?term=Subtweet) as I used the term in a negative light for purposes mentioned here. Twitter is a good place to get live breaking info.   
Title: Re: Firefox's "signed-addons"
Post by: siljaline on May 31, 2015, 05:52:52 AM
Screen capture will show that my installed add-ons (https://addons.mozilla.org/en-US/firefox/) are now signed by Mozilla.

Title: Re: Firefox's "signed-addons"
Post by: v_v on May 31, 2015, 06:11:22 PM
Yes, I noted yesterday that most of my extensions in Firefox wanted to and did update themselves.

For grins I checked the same extensions in Pale Moon and SeaMonkey just now:  no signatures.

v_v
Title: Re: Firefox's "signed-addons"
Post by: v_v on May 31, 2015, 06:33:05 PM
Change that!  After restarting Pale Moon again most of the extensions did update themselves as signed.  So far the SeaMonkey extensions are not updating to signed even after a couple of restarts.

v_v
Title: Re: Firefox's "signed-addons"
Post by: Corrine on May 31, 2015, 08:18:18 PM
If the extensions you are using were installed from Mozilla.org, then they will be signed.  If you are using the extensions from https://addons.palemoon.org/extensions/all-extensions/, they won't be signed by Mozilla since they are not from Mozilla.org.
Title: Re: Firefox's "signed-addons"
Post by: v_v on June 01, 2015, 11:22:04 PM
Corrine,

For most of the add-ons, what you said appears correct.  However I have noted 2, 3, or 4 possible exceptions (at least for the time being).

S3.Google Translator I use on all three Gecko browsers: Firefox (FF), Palemoon (PM), and SeaMonkey (SM).  On FF and PM there are new updates marked signed.  On SM there is no signed update.  I have also noted that the version number on the signed copies is 4.02.1 whereas on SeaMonkey it remains unsigned at 3.02.

Session Manager is another extension used by all 3 browsers. On FF and PM the signed copies are 0.8.1.6.1 and on SM the unsigned one is 0.8.1.6.

Navigational Sounds is signed on FF with version 1.2.4.1 but on PM it remains unsigned at 1.2.4.  It is not available for SM.

Adblock Edge in FF is 2.1.9.1 signed and in SM it remains 2.1.8.

So far then PM seems to be working in parallel with FF for everything except Navigational Sounds and yes the latter extension does come from the Mozilla site.

At this point none of my SM extensions are marked signed.

Thus far I have been referring to extensions that are automatically updating. I am sure that if I were to download the new versions from the Mozilla site that they would all be signed where appropriate.

v_v
Title: Re: Firefox's "signed-addons"
Post by: Corrine on June 01, 2015, 11:50:16 PM
I've never used SeaMonkey so am not familiar with the settings.  As to Pale Moon, the extensions you mentioned are Firefox extensions.  Do you have Adblock Latitude installed on Pale Moon?  Adblock Latitude is the Adblock Plus replacement for Pale Moon.  If you do, you'll see that it isn't signed.
Title: Re: Firefox's "signed-addons"
Post by: v_v on June 02, 2015, 02:54:54 AM
Corrine,

Yes all the extensions that I mentioned are Firefox (FF)/Mozilla extensions.  I limited my comments to only those.  SeaMonkey (SM) uses many of the FF ones but not all of them---the selection of extensions is more limited than FF.  And then there are some at SM which do not apply to FF.

And yes I am using Adblock Latitude since Adblock Plus has problems in PaleMoon.  But because it was not a FF/Mozilla extension I did not mention it.

I suspect that SM will also be getting signed extensions at some point.  They just seem to take their time with making upgrades and they do not adopt all the changes of FF.  They seem to stick with 'under the hood' sorts of changes (security, better overall functioning, etc).  For everything else (cosmetics, etc) SM still looks and feels like Netscape!

Whoa, I just checked and SM will be discontinuing Adblock Edge as of 6-5-2015!  I noticed that Edge had a signed version at the SM site.  I wonder what that means?  I may have to go back to the Adblock Plus extensions, which are all signed at the SM site.

The other Gecko browser that I have, K-Meleon 74.0, is having none of this activity since they do not use extensions anyway.  A lot of their features (like adblock, etc) are all built in to begin with.

It is interesting how all of this seems to be working/playing out.

v_v