Firefox's "signed-addons"

Started by ky331, May 29, 2015, 01:13:59 PM


ky331

As of 28 May 2015, Mozilla requires all extensions made available through addons.mozilla.org to be signed by Mozilla's self-appointed discretionary "review team".

Indeed, when I went to check my extensions (add-ons) this morning, I found that updates (to the signed versions) were available for at least 6 or 7 of my add-ons.

Several of my add-ons apparently don't [yet??] have "signed" versions.   This may either be because I'm still using an "ancient" add-on [that still works] that Mozilla isn't looking into at present, or because it's an add-on that Mozilla's team has intentionally chosen NOT to "sign".

Based on their current plans, UNsigned add-ons will cease to work effective with the release of FF 41 (about 15 weeks from now).

----

PaleMoon has intentionally removed its PaleMoon Commander add-on from addons.mozilla.org so as to prevent Mozilla from signing it, as PaleMoon considers such signing to "be a direct violation of the extension's freeware license". If desired, Pale Moon Commander can still be installed directly from the Pale Moon website, the Pale Moon addons site, or any software portals that may mirror this extension. But unless Mozilla changes its plans, this add-on will cease to function effective with the release of FF 41.

https://forum.palemoon.org/viewtopic.php?f=1&t=8330

Digerati

I am not sure of your opinion here. Are you saying FF's new policy is good or not good?

I see it as a good thing.

As I read the new Extension Signing policy which is based on the new Add-on guidelines, the "automated" approval process protects FF users from unwanted, unexpected, and non-reversible changes to their systems. Again, I see that as a good thing.

Only the submitted add-ons that don't pass the "automated" review processes (either submitted for hosting on the AMO or submitted via developer accounts) will go through the "review team" to ensure the add-on meets the guidelines.

Again, I see this as a good thing for FF users. While it may impose an extra hoop for some developers, FF is not for developers. It is for us Internet users and I see nothing in the Add-on guidelines that is bad for us users.
Bill (AFE7Ret)
Freedom is NOT Free!
2007 - 2018

ky331

I don't know that my post actually offered an "opinion" on the matter.   It was simply meant as a statement of events, alerting users to "ongoings" at Mozilla.

I would agree with you that limiting FF to signed add-ons certainly has the potential to enhance FF's security, by eliminating/blocking rogue/malware add-ons.   That's assuming that "politics" and matters of professional rivalry don't come into play in Mozilla's decision-making process.

On the other hand, it's clear that MoonChild --- the developer of PaleMoon --- blatantly DISapproves of Mozilla's action, referring to it as "draconic 'sole arbiter' nonsense". [That's HIS quote/opinion, not necessarily mine.]

Digerati

Quote: I don't know that my post actually offered an "opinion" on the matter.
It didn't. I was just wondering because you included the link to Moonchild's PM post and that clearly suggests disapproval of Mozilla's "unscrupuled tactic". 
Bill (AFE7Ret)
Freedom is NOT Free!
2007 - 2018

Corrine

IMO, the path forward on this new FF practice depends on the "review team".  Is the review to eliminate rogue/malware add-ons?  There has long been the procedure in place where add-ons are submitted by the developer for testing.  Not all add-ons pass review and get added to the official channel so what is new?  Does anyone recall rogue FF add-ons?  Will this "review team" be biased in any way?  Will the "review team" modify the code beyond signature?  By Moonchild in the above-linked topic:

Quote: Mozilla signing the extension would be a direct violation of the extension's freeware license, because they would be altering the xpi, which is explicitly not allowed.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Digerati

Quote: There has long been the procedure in place where add-ons are submitted by the developer for testing.
But according to the guidelines, developers didn't have to submit them for review and that is where the problem was.

And again, with this new policy, this will be an automated process and only if that fails, will "people" get involved so until then, bias "should" not be an issue. It is all about ensuring the add-on does nothing without the user's awareness/consent and/or without being able to undo/uninstall. If the automated process cannot verify those requirements, then humans will get involved.

At least that is how Mozilla claims the process will work.

As far as the review team being biased, I guess only time will tell. I sure hope not. I also hope they make no modifications to the code, other than signing it. If they deem it necessary to make further changes, they need to reject the submission and return it to the developer rather than modifying it and then signing it.

As far as Moonchild's complaint, that is way beyond my level of expertise, but if Mozilla is only "signing" the extension, then even though that is technically modifying the code, I don't see the problem if it, in no way, modifies the function of the add-on.

To be sure, I respect the developer's rights to develop their own code, but when it comes to consumer security, the consumer's right to security trumps the developer's rights.

Freedom is NOT free and unfortunately, it is the honest people who must bear the burden and costs of those who would be dishonest. :(
Bill (AFE7Ret)
Freedom is NOT Free!
2007 - 2018

siljaline

Spotted & Tweeted - perhaps Mozilla is out to force some love on its users in the wake of recent negative press.
https://twitter.com/randyknobloch/status/604304388400766976
siljaline
MVPS Hosts . MBAM . Why ESET

plodr

Chugging coffee and computing!

siljaline

Quote from: plodr on May 30, 2015, 03:29:55 PM
Link to article for those who do not do twitter. (I do not tweet).
http://www.theregister.co.uk/2015/05/29/mozilla_signing_vetted_security_add_on/
I feel that you don't want to be on some bits of social media but the Twitter link is rather harmless and does point to the Register URL.

Right click - > open in New Tab - view link aka URL, life is good.  :grin:
siljaline
MVPS Hosts . MBAM . Why ESET

siljaline

Sometimes a Tweet can have "sub-tweets" - meaning;  those that have visited Twitter to view the link have added additional comments to the Tweet.

This is sometimes interesting for those that do like looking under the hood - in that way. It would be similar to someone on a board thread only choosing to reply to certain elements of the thread but not all of it. You'll get used to it as we move along. We'll endeavor to break this out as we go.

This YouTube video was borne out of a Tweet that Ed Bott posted earlier today within context - it makes sense.

https://www.youtube.com/watch?v=x0pSo58K5aY

siljaline
MVPS Hosts . MBAM . Why ESET

plodr

Quote: Right click - > open in New Tab - view link aka URL
See, I did not know that.
Chugging coffee and computing!

siljaline

Ignore what I wrote about sub-tweets as I used the term in a negative light for purposes mentioned here. Twitter is a good place to get live breaking info.   
siljaline
MVPS Hosts . MBAM . Why ESET

siljaline

Screen capture will show that my installed add-ons are now signed by Mozilla.

siljaline
MVPS Hosts . MBAM . Why ESET

v_v

Yes, I noted yesterday that most of my extensions in Firefox wanted to and did update themselves.

For grins I checked the same extensions in Pale Moon and SeaMonkey just now:  no signatures.

v_v
Justice, Equity, and Meaningful, Productive, and Fulfilling Lives to All Earthlings

v_v

Change that! After restarting Pale Moon again most of the extensions did update themselves as signed. So far the SeaMonkey extensions are not updating to signed even after a couple of restarts.

v_v
Justice, Equity, and Meaningful, Productive, and Fulfilling Lives to All Earthlings