On 27/11/2015 23:46, dstill...@zotero.org wrote:
The issue here is that this new system -- specifically, an automated
scanner sending extensions to manual review -- has been defended by
Jorge's saying, from March when I first brought this up until
yesterday on the hardening bug [1], that he believes the scanner can
"block the majority of malware".

Funny how you omit part of the quote you've listed elsewhere, namely: "block the majority of malware, but it will never be perfect".

You assert the majority of malware will be 'smarter' than the validator expects (possibly after initial rejection) and bypass it. Jorge asserts, from years of experience, that malware authors are lazy and the validator has already been helpful, in conjunction with manual review. It's not helpful to say that what Jorge is saying is "not true" - you mean different things when you say "the majority of malware".

Jorge has been saying he believes the scanner can block most malware
because he genuinely doesn't understand the technical issues here, as
his statements (and his absurd blocklisting of the PoC) make clear. It's
hard not to make this sound like a personal attack,

This is what's so offensive. It's hard to make this not sound like a personal attack because it *is* a personal attack. What's more, Jorge's competence or otherwise is irrelevant to the discussion. Your insistently bringing it up and your condescending attitude towards Jorge and other Mozilla folks is offensive, unhelpful, and not constructive in addressing the actual issue at hand. If we were some nameless corporation you wouldn't even know the name of the person responsible for the add-ons system, but that wouldn't change its quality or the validity of its approach one iota.

As a sidenote about the blocklisting: without signing being required, that's the only thing that could actually be done at that time. I mean, that or close off submissions for all non-AMO-listed frontloaded add-ons, which presumably would have made you (and many other people) even more angry. I wasn't involved in the decision, but I don't think it is "absurd", or that your calling attention to it (in your blogpost and elsewhere) was anything but sensationalizing the issue.

[Dan] says stuff like "And
it's just depressing that the entire Mozilla developer community spent
the last year debating extension signing and having every single
counterargument be dismissed only to end up with a system that is
utterly incapable of actually combating malware."

which basically boils down to an ad-hominem on Mozilla and an indictment
of "the system" and signing and the add-ons space generally, when
really, all we're talking about right now is how/whether to review
non-AMO-distributed add-ons before signing them. Dan acknowledges
elsewhere in his post that signing has other benefits, but the polemic
tone sure makes it seem like the entire plan we have here is rubbish
from start to finish.

It's the people defending automated scanning as a meaningful
deterrent against malware that are failing to make a distinction between
different parts of the system, not me.

I quoted you in the paragraph above this statement of yours. It is a matter of English spelling and grammar that your phrasing condemns all of the signing and review changes. Stop blame-shifting.

There's been a general trend there that Dan sees our attempts to try to
do something in that space as a one-way street where Mozilla should
basically make sure that all add-ons that used to work and weren't
distributed through AMO should not be disrupted, and we have been saying
that it's hard to improve user experience here if there are 0
restrictions, and so "something's gotta give". Dan wants a system where
he can (grudgingly) submit his add-on to AMO, and AMO gives it back to
him signed (ideally automatically via APIs) and nobody from Mozilla
(human or otherwise) reviews his code or tells him how to do stuff.

Read my post.

I read it before posting, so please don't insinuate I did not.

I'm not calling for no signing. I'm not calling for no
restrictions. I'm not calling for no review.

You're asking us to remove every bit of the automated review that prevents you from publishing zotero automatically without a blocking human review of your codebase.

I don't know how many of those bits there are (ie which bits are currently getting you dropped into the manual review queue), and how much would be left, and you have not specified this. If there were just a few, I assume you would simply have argued against those specific rules because that would have been a simpler change to make and convince people of, so I believe the conclusion I drew is reasonable.

In any case, if we left something of the automated review in, chances are Zotero would just run into the same thing in a future update where you added some more code that ran into the bit that wasn't problematic before, right?

I'm calling for changing
the parts of the process that provide essentially no additional
protection against malicious code but that are hugely disruptive to
legitimate developers.

This sounds eminently reasonable - but doesn't correspond to the specific parts of your original post and this reply that I have referred to before. You could have constructively called out the automated review requirement for frontloaded, non-AMO-distributed add-ons in an objective and simple manner. Instead we get a long angry rant about it, mixed with references to "security theatre" and calling people incompetent.

But wait, now it's unreasonable

I simply said that this was what you wanted - ie no additional burden for you compared to the status quo - and in both that and the next paragraph, I outlined what "we" wanted, and that those two things are at odds.

What you have now is a system that is extremely
disruptive to legitimate developers

I will just point out that not all legitimate developers seem to be struggling as much with it as you do, so I don't know that your generalization is justified. Struggling with signing, privately-run add-ons, modifying public add-ons, the overall debate and its consequences wrt e.g. government surveillance, centralizing a bunch of infrastructure that used to be distributed - yes. Struggling specifically with the automated portion of the review system for frontloaded, non-AMO add-ons... not so much.

~ Gijs
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
