Another data point that we seem to have overlooked is that users want to be
able to side load their extensions for many different reasons. We see this
with apps on phones and with extensions currently. I appreciate that users
have grown to be warning blind but, as others have pointed out, this feels
like a sure way to have users move from us to Chrome if their extension
lives there too. Once they are lost it will be non-trivial to get them back.

My main gripe is that we will be breaking tools like WebDriver[1] (better
known as Selenium) and not once have we approached that community. Luckily
we have Marionette being developed as a replacement for them, and was being
developed before we started the addon signing. When mentioned I was told
that since it instruments the browser it can never get signed and we need
to get a move on or get everyone to change to the "whitelabel" version to
use WebDriver. Having spoken to peers at other large tech companies they
said no, they will remain on older versions and if it breaks then stop
support for it until they have a like for like replacement. They will stop
caring about WebCompat until they have a like for like replacement. We will
drive away other users because Firefox does work as well on their favourite
website.

There are also companies that have developed internal tools in addons that
they don't want in AMO. We are essentially telling them that we don't care
about how much effort they have put in or how "sooper sekrit" their addon
is. It's in AMO or else...

I honestly thought we would do the "signing keys to developers" approach
and revoke when they are being naughty.

David

[1] http://github.com/seleniumhq/selenium

On 26 November 2015 at 13:50, Thomas Zimmermann <tzimmerm...@mozilla.com>
wrote:

> Hi
>
> On 26.11.2015 at 13:56, Till Schneidereit wrote:
>
> > I read the blog post, too, and if that were the final, uncontested word on
> > the matter, I think I would agree. As it is, this assessment strikes me as
> > awfully harsh: many people have put a lot of thought and effort into this,
> > so calling for it to simply be canned should require a substantial amount
> > of background knowledge.
>
> Ok, I take back the 'complete nonsense' part. There can be ways of
> improving security that involve signing, but the proposed one isn't. I
> think the blog post makes this obvious.
>
>
> >
> > I should also give a bit more information about the feedback I received: in
> > both cases, versions of the extensions exist for at least Chrome and
> > Safari. In at least one case, the extension uses a large framework that
> > needs to be reviewed in full for the extension to be approved. Apparently
> > this'd only need to happen once per framework, but it hasn't, yet. That
> > means that the review is bound to take much longer than if just the
> > extension's code was affected. While I think this makes sense, two things
> > strike me as very likely that make it a substantial problem: many authors
> > of extensions affected in similar ways will come out of the woodwork very
> > shortly before 43 is released or even after that, in reaction to users'
> > complaints. And many of these extensions will use large frameworks not
> > encountered before, or simply be too complex to review within a day or two.
>
> Thanks for this perspective. He didn't seem to use any frameworks, but
> the review process failed for an apparently trivial case. Regarding
> frameworks in general: there are many and there are usually different
> versions in use. Sometimes people make additional modifications. So this
> helps only partially.
>
> And of course reviews are not a panacea at all. Our own Bugzilla is
> proof of that. ;) Pretending that a reviewed extension (or any other
> piece of code) is more trustworthy is not credible IMHO. Code becomes
> trustworthy by working successfully in "the real world."
>
> >
> > I *do* think that we shouldn't ship enforced signing without having a solid
> > way of dealing with this problem. Or without having deliberately decided
> > that we're willing to live with these extensions' authors recommending (or
> > forcing, as the case may be) their users to switch browsers.
>
> I think a good approach would be to hand out signing keys to extension
> developers and require them to sign anything they upload to AMO. That
> would establish a trusted path from developers to users; so users would
> know they downloaded the official release of an extension. A malicious
> extension can then be disabled/blacklisted by simply revoking the keys
> and affected users would notice. For anything non-AMO, the user is on
> their own.
>
> Best regards
> Thomas
>
> >
> >
> > till
> >
>
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
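The trust path Thomas sketches above (one signing key handed out per developer, a signature on everything uploaded, and revocation of the key when it turns out to have signed something malicious) can be modelled in a few dozen lines. The Go program below is an added example written for this page, not Mozilla's or AMO's actual signing implementation; the registry type, the developer name "alice", and the sample extension bytes are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeveloperID names an extension author in the hypothetical registry.
type DeveloperID string

// Registry models the distribution side of the trust path: one public key on
// file per developer, plus the set of keys that have been revoked.
type Registry struct {
	keys    map[DeveloperID]ed25519.PublicKey
	revoked map[DeveloperID]bool
}

func NewRegistry() *Registry {
	return &Registry{
		keys:    map[DeveloperID]ed25519.PublicKey{},
		revoked: map[DeveloperID]bool{},
	}
}

// Enroll generates a key pair for a developer, keeps the public half, and
// returns the private half (which the developer would hold in practice).
func (r *Registry) Enroll(id DeveloperID) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.keys[id] = pub
	return priv, nil
}

// Revoke withdraws trust from a developer's key; everything signed with it
// fails verification from now on, so affected users notice.
func (r *Registry) Revoke(id DeveloperID) { r.revoked[id] = true }

// SignedExtension is the uploaded package: the code, who signed it, and a
// signature over the SHA-256 digest of the code.
type SignedExtension struct {
	Developer DeveloperID
	Code      []byte
	Signature []byte
}

// Sign is what the developer runs before uploading.
func Sign(id DeveloperID, priv ed25519.PrivateKey, code []byte) SignedExtension {
	digest := sha256.Sum256(code)
	return SignedExtension{Developer: id, Code: code, Signature: ed25519.Sign(priv, digest[:])}
}

var (
	ErrUnknownDeveloper = errors.New("no key on file for developer")
	ErrRevoked          = errors.New("developer key revoked")
	ErrBadSignature     = errors.New("signature does not match code")
)

// Verify is the browser-side check: unknown developers, revoked keys, and
// packages whose bytes no longer match the signature are all rejected.
func (r *Registry) Verify(ext SignedExtension) error {
	pub, ok := r.keys[ext.Developer]
	if !ok {
		return ErrUnknownDeveloper
	}
	if r.revoked[ext.Developer] {
		return ErrRevoked
	}
	digest := sha256.Sum256(ext.Code)
	if !ed25519.Verify(pub, digest[:], ext.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenario walks the lifecycle and returns the verification result after the
// official upload, after a modified copy appears, and after key revocation.
func Scenario() (afterUpload, afterTamper, afterRevoke error) {
	reg := NewRegistry()
	priv, err := reg.Enroll("alice") // constructed developer
	if err != nil {
		panic(err)
	}
	code := []byte("// constructed sample extension\nconsole.log('hello');\n")
	ext := Sign("alice", priv, code)
	afterUpload = reg.Verify(ext)

	// A copy with modified code but the original signature: the signature
	// no longer matches, so the user is not fooled into trusting it.
	modified := ext
	modified.Code = append(append([]byte{}, code...), []byte("// unauthorized change\n")...)
	afterTamper = reg.Verify(modified)

	// The developer's key is revoked; even the genuine release now fails.
	reg.Revoke("alice")
	afterRevoke = reg.Verify(ext)
	return afterUpload, afterTamper, afterRevoke
}

func main() {
	a, b, c := Scenario()
	fmt.Println("official release:", a)
	fmt.Println("modified copy:", b)
	fmt.Println("after key revocation:", c)
}
```

The point of the model is the last step: revocation is a property of the key, not of an individual upload, so one decision at the registry invalidates every package that key ever signed. Anything from a developer the registry has never enrolled falls into the "non-AMO, user is on their own" category and is rejected with ErrUnknownDeveloper.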