Firefox 42 will not allow unsigned extensions (wiki.mozilla.org)
288 points by fernandotakai on Aug 11, 2015 | 302 comments

It's the "no override" part that concerns me.

I created and maintain an extension that is used by visually-impaired people around the world (it has been translated by volunteers into Dutch and Chinese, for example).

Occasionally a Firefox update breaks this extension. OK, fine, that's the cost of doing business. Of course, the automated compatibility report that Firefox creates is utterly useless; it almost never catches the breakage. But that's a side rant....

There can be a decent turnaround lag (sometimes on the order of a few days) to get a new version of an extension reviewed by addons.mozilla.org. In the meantime, I have made a habit of building a new version of the extension and giving it to anyone who asks. Some people rely on it to use the web and can't wait for Mozilla to do their thing (another side rant: I once stupidly forgot to check in a key resource. I've since changed my development process to keep this from happening again. But the non-functional extension that I pushed passed Mozilla's review just fine. Makes me wonder how much value the review process is really adding.)

If I want to be able to continue this process, I will need to sign the extension myself (and who knows what histrionics Firefox will throw if a user tries to replace an extension with one that has the same UUID but a different signature!)

Hi, Mozilla developer here, speaking for only myself. I'm not sure why we don't make this clearer on the wiki page, but I think the reason there's no override is that any malware installation routine would simply activate it and continue on its merry way. (Disclaimer: I didn't work on this feature and am going by recollection and my own logic.)

We see many copies of Firefox infested with rogue add-ons the user didn't ask for or isn't even aware of. Sometimes these add-ons even ship with big-name software, with no opt out or with the opt out squirreled away in some dark corner. Typically, they do one or more of the following: (1) spy on the user, (2) add affiliate codes for money, (3) cause performance problems and crashes.

The network is a pretty hostile place these days. It's no longer 14-year-olds playing around for fun; there are moneyed interests in the game. And the sorts of people who don't frequent HN are pretty much helpless and clueless in the perpetual tug of war between various companies and mafias. As a "user agent", we have the opportunity to defend users who lack the sophistication to root around and remove invasive software they didn't ask for.

Of course, if you're reading this, you're in a different category. You have a better idea which software to trust, and you know how to scour your machine if something gets past you. That's why nightlies and the Developer Edition let you do whatever you want: you aren't the ones who need hard-coded protections to shield you from pref-twiddling installers.

I hope that provides some needed context. Safe surfing, all!

> We see many copies of Firefox infested with rogue add-ons the user didn't ask for or isn't even aware of.

Like Pocket or Hello?

Why is this downvoted? These inbuilt add-ons might not be 'rogue', but are definitely the ones which many users didn't ask for, or aren't even aware of.


It's been a few months already, and Mozilla is still 'undecided' on what will happen to Enterprise add-ons.

The only two options you are giving us are: 1) Either remain on 'ESR' branch, which is always outdated, OR, 2) Reveal private Enterprise source code to you to get it signed (it might even be illegal for employees to do that).

Both of them could be unacceptable to many organizations.

There will also be automated, unbranded builds of Firefox Stable that allow you to disable the signing requirement, but are otherwise bit identical.

In which case what's stopping the malicious software from replacing the official build with the sign-disabled version?

There is no way of doing this that both respects users' freedoms and prevents malicious software.

> We see many copies of Firefox infested with rogue add-ons the user didn't ask for or isn't even aware of.


Why could Firefox not remove these extensions itself? I needed to remove some files from the hard disk -- I doubt john.doe will be able to remove such evils.

Please excuse the rant tone, these things make me feel my intimacy raped

Mozilla does this from time to time for really egregious cases [1]. There is a high cost to staging the block. If the author is known there is a delay to try to get the author to ship a fix [2]. If it is unknown then the block can proceed rather quickly but the cost of changing the extension to avoid the block is usually cheap [3].

[1] https://addons.mozilla.org/en-US/firefox/blocked/

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=527135

[3] https://bugzilla.mozilla.org/show_bug.cgi?id=937405

You can still use Dev Edition or Nightly with an about:config pref set.

> but I think the reason there's no override is that any malware installation routine would simply activate it and continue on its merry way.

And what's stopping said malware installation routine from patching my firefox.exe or /usr/bin/firefox or whatever to bypass the signature check? Or patching the running program in-memory? How would it even access that checkbox? This concern seems a bit far-fetched to me.

The target is not illegal malware which, as you say, would do anything. But there's a vast amount of detrimental foistware doing malicious things (e.g. injecting ads, tracking) under legal cover because the user somewhere forgot to uncheck some light-grey box in an installer. Anyone tried to install something from Sourceforge lately?

Modifying the Firefox installation directory would get flagged by any anti-virus, but software using the defined extension points does not -- the user "agreed" to it.

Right, but my point is that if some bit of adware is capable of checking that box without being able to do far more nefarious things (like outright patching/replacing Firefox itself), then one particular symptom of that ability ought to be the least of users' - and Mozilla's - concerns; that indicates an ability to modify the execution state of a program during runtime, in which case probably nothing on that computer is safe.

That's a fair point. Thanks for the explanation. I think it's cool that Firefox has become mainstream enough to have so many non-tech-savvy users that Mozilla has to save them from themselves. I wish there was another approach, but I understand your viewpoint.

> If I want to be able to continue this process, I will need to sign the extension myself

This seems like a good approach to me. Instead of Mozilla itself signing developers' extensions, why can't Mozilla issue certificates so developers can sign their own extensions locally? If a developer turns rogue, Mozilla can revoke their certificate.

Because bad guys can just keep getting new certs when their old ones are revoked, unless you do identity validation (which costs money as it requires actual humans, so the certs can't be cheap or free).

Reviewing plugins costs somewhere around the same amount of human time/money, no?

If their reviews are as thorough as the Android app ones, they cost about nothing.

Add-on reviews are done largely by volunteers.

The addons signing is an automated process.

> There can be a decent turnaround lag (sometimes on the order of a few days)

Actually, the link says

> Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds

You may be thinking of a different type of review process, the signing one sounds almost instantaneous.

That's for non-public add-ons. If you submit a public add-on, even a minor update, it has to go through the AMO bureaucracy. I currently have an update that was uploaded on July 10, 2015, and is at queue position of 64 of 137. There are no code changes; it's just being updated because Mozilla changed their build system.

This seems to be part of Mozilla's effort to be more like the Apple and Google stores.

Mozilla AMO - Learn to embrace the pain.

Actually, it's their effort to prevent AMO from ending up as malware riddled as the Chrome Store.

Addons are running in the chrome context and are thus pretty powerful. It's trivial to compromise the whole computer if they aren't reviewed.

I wouldn't think Chrome Web store is full of Malware. Yes, it's not free of those, but the bad ones are quickly removed by both Chrome's policing, and users' flagging. That's how Mozilla should go forward. The problem with manual reviewing is, it depends on the 'volunteers' time availability, and a stupid Review system which is NOT FCFS. You are told you are 37th out of 150 in the queue, but you see that you either remain at that position while others are being approved, your queue position goes both up and down, and sometimes your add-on is instantly approved even when you are 100th in the queue. All this takes many days even if your users are waiting for a critical fix. This is the biggest turn-off in uploading add-ons for Firefox.

I have one uploaded on Mar 12, 2015, it is at position 25 right now. And it has been at around that position for quite a while.

You can sign the addons and distribute them on other channels. If you want to have it on AMO then it takes a while to review. The process is done by volunteers.

This is one of the things which is frustrating about Mozilla. I love that they stand for open protocols, free software and user privacy, but I don't love what they prioritize.

Reviewing extensions is critical to their user-experience. If this really doesn't have a team of paid staffers, that's unfortunate.

It has paid staff and volunteers. More volunteers than paid staff IIRC. Reviewing stuff correctly takes time :-( sorry.

This can be mitigated by having more volunteers (or paid staff (or both)) to help though.

If it passes.

Nobody knows what it checks for or how it works.

I don't use many extensions but I'm finding I have to use more as Mozilla remove features from Firefox.

For example you can no longer set the User Agent string on a per site basis natively in Firefox preferences [0]. This would be very handy to force HTML5 video on BBC News when you don't want to install flash [1]. I only discovered this setting was deprecated by finding that bug report whilst researching the blog post.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=933959

[1] https://unop.uk/dev/how-to-watch-bbc-news-videos-on-a-deskto...

> I don't use many extensions but I'm finding I have to use more as Mozilla remove features from Firefox.

To me, that's the way Firefox should work: a fast, lightweight browser, with a powerful extension system.

I get disappointed when Mozilla add "features" to Firefox, like PDF viewers, Pocket, etc.

The PDF viewer is rather important if only for security.

I disagree. Having no PDF viewer is more secure than having a PDF viewer.

I'd have no problem with Mozilla releasing a separate PDF viewer, either as an extension, a standalone application or even a Web site. I also have no problem with Mozilla setting Firefox's default PDF application as a stub which downloads their separate viewer. But it shouldn't be built in to Firefox.

In any case, it is not the job of a Web browser to subvert the user's OS setup.

> I disagree. Having no PDF viewer is more secure than having a PDF viewer.

No, because that means you still do have a PDF viewer, but it's whichever the user has installed, most likely Acrobat, which is vulnerability-ridden.

> But it shouldn't be built in to Firefox.

Why shouldn't it? Browsers aren't limited to HTML. They also support plaintext, SVG, many image formats, XML, and so on. What's wrong with supporting PDF?

> No, because that means you still do have a PDF viewer

I didn't say "having no PDF viewer in Firefox", I said "having no PDF viewer".

> Browsers aren't limited to HTML. They also support plaintext, SVG, many image formats, XML, and so on. What's wrong with supporting PDF?

I would call that feature creep; even so, there are still a few differences:

HTML provides mechanisms for embedding images[0], so trying to support some common formats in the browser is a reasonable approach. A better approach would have the OS handle image formats, eg. like the datatype mechanism in AmigaOS[1].

The example image formats at [0] include single-page, non-interactive PDFs. Supporting such an image format might be reasonable, although I've never seen such a thing used in the wild. That's not what Firefox provides, though. Instead, it provides a whole application embedded in a tab, with a GUI for navigating around documents. The equivalent analogy for images would not be the facility to decode the format; it would be the bundling of a whole image browsing GUI like Gwenview[2], which I certainly would object to. As it stands, FF treats a standalone image file as if it were a standalone img element, which is perfectly reasonable. The same goes for plain text, which FF effectively treats as if it were in a pre element. Again, it doesn't provide a special application for navigating text files.

SVG is also specifically mentioned in the HTML spec[3], hence providing browser support for SVG isn't straying too far from providing support for HTML. Again, FF doesn't provide an embedded GUI application for navigating SVGs (unless you count the Web Inspector stuff, which also has no place in the browser and should be either a separate extension or rolled into Firebug).

XML is just a syntax, which browsers need to support if they want to support XHTML[4], in the same way they need to support UTF-8 as a syntax for representing the text in HTML documents. Hence it's completely in-scope.

[0] http://www.w3.org/TR/html5/embedded-content-0.html#the-img-e...

[1] http://wiki.amigaos.net/wiki/Datatypes_Library

[2] https://userbase.kde.org/Gwenview

[3] http://www.w3.org/TR/2010/WD-html5-20100624/the-map-element....

[4] http://www.w3.org/TR/html5/introduction.html#html-vs-xhtml

How is having a built-in PDF viewer more secure than downloading the PDF and viewing it in Adobe Reader or Foxit? Is it just that those readers have vulnerabilities that Firefox doesn't?

Yes. The Firefox viewer sits on top of the JavaScript sandbox, which is the same sandbox that has to withstand attacks from pretty much everything on the internet and has been very hardened over the years (same for other browsers).

Ironically it had a vulnerability last week, but that's ONE and that's why it got so much attention. Adobe Reader and similar have had hundreds.

Allowing people to implement viewers for file types that run in the sandbox as plugins seems like a good idea then. Not that I mind that a PDF-viewer is already built in, but firefox can't support all file types.

A plugin API separate from the Web APIs is itself a large source of complexity and bloat.

> For example you can no longer set the User Agent string on a per site basis natively in Firefox preferences [0].

This seems like a uselessly fine-grained control. I was surprised to hear that they ever supported it.

Opera had this feature before it became yet-another-WebKit-clone. A lot of other settings were per-site too.

It's very useful for sites that complain or even block you from visiting depending on your browser, which you'll undoubtedly find if you venture far enough on the Internet.

uMatrix is relatively popular on AMO and it's about even more fine-grained control. ;)

We need a signed extension that allows unsigned extensions.

You mean like Greasemonkey?

I wasn't aware GM allows making changes to the browser. Does it?

Do you test your extension against pre-release versions of Firefox? That's kinda what they're for.

Sometimes. With the new ultra-frequent release cycle, as a volunteer maintainer I don't always have the time. And sometimes it breaks in ways that are not visible to me (I run Linux, for example, so bugs that show up on OSX or Windows only are going to be caught by users. These are few and far between, but have happened.)

Super noob question: Would it make sense for FF to realize a version which an extension is approved for? You create an extension capable for 1.0, they release 1.1, any client who has 1.1 has the extension automatically disabled? Assuming this is your business and you don't mind going through the approval process, then your users would have a better experience with this process no? Being notified they simply can't use it yet?

To note, there is a client-side workaround that allows whitelisting of ALL unsigned extensions (they might consider creating a whitelist of UUIDs or something "humans" can handle like the name of an extension). I was able to change the following and uBlock and Ghostery immediately started working in the "Aurora" build: go to about:config ; set xpinstall.signatures.required = false

You didn't read the linked article. They say that the option will be available in Firefox 41, but Firefox 42 will have no such override.

Thanks for pointing that out. Too bad.

This is deeply disappointing.

Two details: the extensions need to be signed by Mozilla, and only US English speakers will be allowed to disable this requirement.

The point of free software is that users, individually and collectively, are free to modify it as they wish, without requiring approval from third parties. (And of course to use, copy, and redistribute.) This is a sharp turn away from the free-software ethos that made Firefox possible in the first place.

I understand the issue of users being tricked into downloading and installing malicious extensions. If you let someone program, they will be able to paste malicious code. I just don’t think that taking away users’ ability to modify their own browsers is an acceptable solution to that.

If this disturbing move sticks, Mozilla will become an increasingly tempting target for whatever group wants to control what software you can install on your own computer — whether that’s Sony Pictures, the NSA, or Amazon.

The old free software movement has died. We need a new free software movement.

In addition to the "en-US locale only" restriction, I wonder if unbranded builds will be made available for non-desktop platforms. I would like to run my own extension, or that of the company I work for, on multiple platforms and especially without having to share proprietary source code with Mozilla et al.

I think they removed alternate signature checks from the base code (may affect other browsers), and the preference to disable Mozilla signature checks is a global switch. So they've made things even harder than they have to be for those who don't want to comply with the new model.

According to Mozilla, they have to do this because a user who has control of their OS might install malware and might grant it root/admin privileges. Such malware could not only tamper with extensions, it could tamper with the permission and preference systems and other key components and files. IOW, if Mozilla continues to pursue this policy, we may be looking at the beginning of a more comprehensive lockdown of Mozilla applications.

It might be wise to try to hold the line somewhere. In general, we aren't going to be more secure if we allow ourselves to be locked into simplified configurations that suit the mass market.

> might install malware

Might? This happens very frequently.

> might grant it root/admin privileges

They don't need to, if you have the browser you have all the good stuff.

> only US English speakers will be allowed to disable this requirement

Do they assume that non-English speakers are just drooling baboons who cannot decide this for themselves unlike English speakers?...

Perhaps they assume that to program enough to write an extension, you need to learn English. I’ve met people here in Argentina who say that. My view is that, even if that is the status quo ante (and I’m not sure it really is) it’s a status quo we must disrupt, not ossify.

China [1] and Brazil [2] feature strongly non-English developer communities. Regardless, keying such features to a language is just painfully ignorant. On a closer look though, it appears that beside the developer edition having the setting, the unbranded version will only be released for en-us.

ESR has some bits about "Learn English if you want to code" - but politics of it aside, this isn't even about coding. This is about using a plugin that someone has not signed (like, for instance, RES for Chrome which for the longest time did not have a Store entry iirc).

1. http://segmentfault.com/

2. http://pt.stackoverflow.com/

Wise words, kragen. With the excuse "you need English because" a new form of imperialism is in the making. And what is worse is that this attitude is often self-imposed.

I think you are mixing “English, the lingua franca”, with “English, the language spoken in the US”.

Why would using the lingua franca that everyone agrees on be imperialism?

Because there is no such thing as “English, the lingua franca”; changing the name does not change the content.

We should stop self-deluding ourselves in believing that English exists in a geopolitical void. English is the language of the anglosphere, and speaking English is a huge favor to those economies, and that comes with a sense of cultural inferiority as well, in many peoples.

There is a such thing as "English, the lingua franca" no matter how much one tries to will it away.

Aviation is a curious industry. English is commonly spoken between flight crews and ground stations world wide (with few but notable exceptions). Circumstances where the English meaning of a word wasn't well understood by the flight crew or the wrong words were spoken have, on occasion, led to disaster--Avianca Flight 52 [1] comes to mind, among others.

I simply cannot agree that mutual intelligibility is bad simply on the merit that it somehow creates a "sense of cultural inferiority."

[1] https://en.wikipedia.org/wiki/Avianca_Flight_52

It sounds like you're saying that using English as the lingua franca of aviation puts at risk the lives of flight crews for whom English is not a native language, as well as their passengers. This seems like a good example of how English-as-lingua-franca gives special worldwide advantages to native English speakers.

Not at all.

What I'm suggesting is that having a standard for communication is less likely to put lives at risk. I can't help but wonder if you're invoking Poe's Law by advocating from what is arguably an extremely fringe standpoint.

Otherwise, the alternative would be to require air traffic controllers to learn a dozen languages, and then you wind up with an even worse problem than having everyone settle on a single language with codified standards.

Didn't the Browser Wars teach you anything? :)

This sounded super weird. But I guess what you are referring to is that they will only release en-US-localized builds of the "unbranded firefox" editions. That I can understand, the logistics of building and shipping all the i18n editions for an off-brand build is probably significant.

This requirement is ridiculous, a lot of developers can't speak English at all. And what about British English? Is it not as good as American English for development?

> The point of free software is that users, individually and collectively, are free to modify it as they wish, without requiring approval from third parties.

You've been on HN for over six and a half years. Surely you can't be this jaded or obtuse?

That freedom is absolutely, unequivocally preserved: The entire source to Firefox is available under OSI-approved libre licenses.

APIs change, but the freedom of the software isn't determined by its exposed APIs, but by your ability to exercise the Four Freedoms enumerated by the FSF at http://www.gnu.org/philosophy/free-sw.html. Debian exercises these freedoms with every build of the IceWeasel browser from Firefox's source.

I'm not jaded, and as to whether I'm obtuse, I have to let the other commenters judge.

I agree that, yes, in theory, you legally have that freedom. But if Mozilla thought users were practically able to exercise that freedom, there would be no way for them to impose a change like this; all the users would switch to a fork. In practice, maintaining a fork of a major active software project is a huge amount of work and easy to do poorly (think of the Debian OpenSSL hole), and nearly all the people qualified to do it work at Mozilla or are burned out. And Mozilla, if they want to make it harder to maintain a fork, has a wide variety of strategies at their disposal.

(In case it matters, I'm typing this comment in Iceweasel!)

As a side note, it seems to me rather in poor taste to attack my intelligence in the first line of your comment, and suggests that you think your arguments won't stand on their own merits.

I apologize for the disparagement; I was miffed at your statement that "only US English speakers will be allowed to disable this requirement," which completely misrepresents the situation, followed by doubt about Firefox's status as F/OSS. Instead of ascribing that to malice, I should have assumed good intent and that the communications from our end were unclear.

As to the English issue, we have absolutely no intent to restrict the signature opt-out to English speakers.

Much like with our Nightly builds, the unbranded copies of Firefox will only be pre-compiled with en-US strings. Additional locales can be added at any time through https://addons.mozilla.org/firefox/language-tools/.

For users that want to disable verification without installing a language pack, the Developer Edition and ESR builds will always allow for opting out and will continue to be released with a full complement of pre-compiled locales.

As a Debian user, I'd like to draw a parallel between these measures and the default requirement for GPG signatures on packages installed by apt, which has been the case since version 0.6 in 2003. These signatures are tools to ensure integrity and provenance, not to restrict your freedoms. Much like with the secure apt initiative, it's entirely possible for users to opt out of these protections after jumping through minimally invasive hoops.

"Much like with our Nightly builds, the unbranded copies of Firefox will only be pre-compiled with en-US strings."

I have been using localized builds from https://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-c... for several years - are they not part of the Nightly builds?

Oh, hey, yep. Tripping over my own ignorance there.

I didn't realize that latest-mozilla-central-l10n/ subdirectory existed; I've always gone straight for latest-trunk/, which it turns out is a symlink to latest-mozilla-central/, which only contains the en-US builds. Thanks for pointing that out. I'll file a bug to get https://nightly.mozilla.org/ updated to point to the localized builds.

> As a Debian user, I'd like to draw a parallel between these measures and the default requirement for GPG signatures on packages installed by apt

Said parallel is imperfect. With APT, you can add custom signatures (say, if you run a private or organization-specific repo). AFAICT, Firefox offers no such capability.

Thank you for clarifying, but I am still very skeptical.

I would have no problem with signature verification if, as with apt, users can decide which keys to trust. (And you don't have to download a whole new copy of apt to do it!) But the intent of this announcement seems to be that Mozilla will prevent users from doing that, on the theory that they will make bad choices. Well, some of them will!

But it's far more dangerous to take those choices away from them — that guarantees that they're trusting the wrong company.

Mozilla have been doing odd things in recent years, almost like they are transitioning into an authoritarian movement. Want to use unsanctioned extensions? No, go away. Want to use non-secure HTTP? Sure, but we will take away your features. Want to work for them but have unapproved views? Fired. All this is from viewing them as an outsider, so you never know, but something is different.

"Unapproved views"? Would you oppose firing someone for openly expressing white supremacy?

For expressing it while not on the job, no, they should not be fired.

Fair enough, I guess. I don't agree.

Mozilla hasn't fired anyone for their views.

And caring about users' security is to be commended.

The article characterizing his resignation as forced or him being fired does not make it true.

There was a large outcry, then he resigned. His resignation can be directly traced to his views. Whether he was technically fired or "decided" to resign seems largely irrelevant.

Fired for his views, or fired because of the bad press as a result of his views? I think there's enough of a difference to warrant the distinction.

> I understand the issue of users being tricked into downloading and installing malicious extensions. If you let someone program, they will be able to paste malicious code. I just don’t think that taking away users’ ability to modify their own browsers is an acceptable solution to that.

I think it's just another battle in The War on General Purpose Computing. I like to keep this quote in mind: "Freedom is not worth having if it does not include the freedom to make mistakes."

The problem is what consequences those mistakes have for other people.

Yay more botnets.

> only US English speakers will be allowed to disable this requirement

You can install any non-English locale (language-pack) on top of Firefox. I do that (because I want to be able to switch from one language to another). So it is a two-step installation.

Have you read the article?

> Two details: the extensions need to be signed by Mozilla, and only US English speakers will be allowed to disable this requirement.

This is not what is written there. The addons need to be signed by mozilla. The process is automated.

The unbranded version of Firefox is distributed with the English locale. You can install other language packs.

Firefox Stable and Beta can't disable the signing requirement. Firefox DevEdition, Nightly and Unbranded can.

> The old free software movement has died. We need a new free software movement.

There is nothing wrong with the free software movement just because someone does something disagreeable---that's like saying there's something wrong with your operating system because you have malware on it.

Perhaps we need to fork it. Call it Firedog

Mozilla's hypocrisy is astounding:


"Users should have the choice of what software and plugins run on their machine."


"Firefox is dedicated to putting users in control of their online experience"

More recently:


"Firefox Puts You in Control of Your Online Life".

The slogan, as found on https://www.mozilla.org/en-US/firefox/new/ , is now "Firefox is created by a global non-profit dedicated to putting individuals in control online." I believe it used to be "users" - see above - but was silently changed. I suppose these "individuals" are the people at Mozilla...?

WTF people. So much hate for Mozilla these days, this appears to be a pitchfork group.

Let's review what the article says: addons need to be signed. The process is automated. It takes only seconds. It prevents some malware from spreading.

You can still host your addon wherever you want. This is just an extra step that can actually improve security. It requires more effort on the part of the developer but it also helps prevent some security issues.

Firefox Dev Edition and Nightly will have switches to turn this off. Firefox stable and Beta will not. Do you want to switch this off? Move to more bleeding edge versions. Or pick the unbranded version.

The unbranded version is available only in English and this is a problem that can be solved with language packs which are available in the hundreds.

Heck, this is an improvement to security. You can opt out by moving to a different Firefox version, there are three versions you can use, DevEdition, Nightly and Unbranded. If you opt-in you have an extra level of confidence in the addon you're installing.

Developers take only a couple of seconds to submit and retrieve back their addons and the added bonus for security is great. This will prevent those pesky spyware/malware from hijacking your browser which is a problem faced by many users that are not as tech savvy as this crowd here.

And yet people throw a tantrum....

Mozilla will certainly continue to sign my piracy-enabling add-on that is perfectly legal in many jurisdictions worldwide, even after a US court ordered them not to sign it explicitly?

I also heard Mozilla got an NSL for my "Ed Snowden for president, Find out more on wikileaks" add-on, or rather, I didn't because NSL.

Then again, I hear a broad coalition of human rights, LGBT and feminist groups lobbying Mozilla not to sign my "Find nearest public stoning near you - Saudi Arabia Edition" add-on any more, effectively blacklisting it worldwide. But Mozilla will keep to their promise not to blacklist my stuff and my regular users can still use my add-on, right? The creator of Javascript and Mozilla CEO Brendan Eich will make sure of it... Oh wait...

Speaking of which, what about my "mozilla - not protecting Brendan from harm was shit" add-on, is that compliant with the mozilla trademark policy that I need to abide by per https://developer.mozilla.org/en-US/Add-ons/Add-on_guideline... ?

Yes, those examples are a bit contrived, but actually not that much over the top. Also, please note that I do not necessarily condone these things ;)

My point being: Security through tech-enforced policy is nice and has a lot of upsides as you say, I agree, but it also may have downsides you aren't even aware of.

You understand that the addon signing process is automated, right? Addon signing is not the same as AMO review. You can sign your addons and distribute them on other channels if they don't match AMO review criteria.

You do understand that Mozilla still could reject certain add-ons, even when only to be signed to be hosted elsewhere, and in fact they do:

>Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds. If the file doesn't pass review, the developer will have the option to request a manual review, which should take less than two days.

Right now, the automatic signing will probably only fail if malware is detected. The "Right now" part is what worries me a bit, tho.

It's not "hatred" you're seeing. It's exasperation after repeated disappointment, so much of it totally unnecessary.

Many of us have been using software from Mozilla, and Netscape before them, for decades now. Generally we've been happy with the software. We were more than happy with earlier versions of Firefox, in fact. But lately we've seen changes made that have not benefited the users of Mozilla's software.

Your comment actually describes some of the problems we're talking about. Users and developers now have to jump through one hoop after another just to get a basic installation of Firefox working.

It wasn't always like that. We used to be able to download a sub-10 MB installer, run it, and have a usable installation of Firefox ready for use.

Now we have to choose from the "correct" stream, download a 40 MB or larger installer, run it, change numerous about:config options to allow us to install our own custom unsigned extensions and to disable unwanted functionality that Mozilla has added, manually remove unwanted toolbar buttons, install a number of third-party extensions that also fix additional problems introduced by Mozilla, and in the end we're still stuck with a user interface and a user experience that isn't very good.

Now if we're developing extensions, we'll have to also jump through more hoops thanks to this signing process. You say it "takes only seconds", but I've seen enough comments here from other developers saying they've been waiting months for reviews. That's not acceptable.

Firefox used to get better with each release. A new release of Firefox was something we'd look forward to. But lately, each new release of Firefox has brought us new problems to deal with, without bringing any notable improvements.

Repeatedly disappointed people will express their disappointment. Don't misinterpret it as "hatred". See it for what it is: disappointment!

Thanks for keeping it civil. I will address some of your comments in the best way I can.

>It wasn't always like that. We used to be able to download a sub-10 MB installer, run it, and have a usable installation of Firefox ready for use.

The Web Platform advanced a lot in the last few years. A lot has been added to browsers. They are no longer a simple HTML engine with some CSS and bad JS engines. Browsers these days are almost their own operating systems for good and bad. They have so much stuff going on between all the multimedia features, multiple JS engines and compilers, there are lots of stuff going on. Browsers are larger because the Web grew a lot (not in the sense of size but in complexity)

> Now we have to choose from the "correct" stream, download a 40 MB or larger installer, run it, change numerous about:config options to allow us to install our own custom unsigned extensions and to disable unwanted functionality that Mozilla has added, manually remove unwanted toolbar buttons, install a number of third-party extensions that also fix additional problems introduced by Mozilla, and in the end we're still stuck with a user interface and a user experience that isn't very good.

Firefox has always been customizable and the about:config feature enables lots of under the hood tweaks that are not possible everywhere. Making Firefox your own is part of what makes it great. It's a browser you can change to suit your needs, that's less common than people think. Your needs are not the same needs of others. As for running your unsigned extension, there will be six versions of Firefox available (stable, unbranded stable, beta, unbranded beta, dev edition and nightly). Of these six, only two will force addon signing. All the others are a tweak away.

> Now if we're developing extensions, we'll have to also jump through more hoops thanks to this signing process. You say it "takes only seconds", but I've seen enough comments here from other developers saying they've been waiting months for reviews. That's not acceptable.

Please don't mix addon signing with AMO review, they are different processes with different objectives. Addon signing happens in seconds because it's automated. The signed addon is returned to you in seconds and you're free to distribute it as you see fit. Now, if you want to have your addon on AMO then you need to submit to AMO review which may take a long time due to the lack of people and the overall complexity of reviewing that type of code.

> As for running your unsigned extension, there will be six versions of Firefox available (stable, unbranded stable, beta, unbranded beta, dev edition and nightly). Of these six, only two will force addon signing. All the others are a tweak away.

Okay, I want a branded Firefox. I don't want to run a dev edition or nightly. My choices are stable or beta. I probably don't even want beta, but it doesn't really matter. So, I don't really have a choice here.

I can see why signed extensions are a good thing, but removing the option from about:config is unnecessary.

What is the rationale behind removing the configuration switch, though? Is there supposed to be some contingent of users who are not sufficiently tech-savvy to be trusted with choosing their own add-ons, but sufficiently tech-savvy to go and edit something in about:config, which really needs to be protected from their own stupidity? This sort of "mother knows best" approach is something I would expect from Apple, not a company that claims to put you in control.

Nightly comes with obvious stability and security problems; I don't know about "dev edition", but wouldn't be surprised if it isn't kept up-to-date at the same rate or comes with some presets regarding UI layout or otherwise that are annoying to someone who is not intending to primarily use it as a testbed.

Chrome tried that "configuration switch" before, and what happened was malware would find and flip that switch as one of the first things it did once installed.

Then it would work like it used to (installing bullshit extensions, wrecking the browser overall, and being damn near impossible to remove)

So if the malware has the capability of finding that switch and flipping it, what's stopping it from patching one's Firefox binary to skip the signature check?

In other words, if malware can open up the configuration of a separate program and alter it, then malicious browser addons are probably the least of your worries.

> So if the malware has the capability of finding that switch and flipping it, what's stopping it from patching one's Firefox binary to skip the signature check?

Plenty of malware runs as the user rather than the admin, so they can install an extension in your profile or change a config setting but cannot rewrite the Firefox binary without an additional exploit.

Similarly, code signing is increasingly common so an attacker who wants to replace Firefox would need to have their own signing certificate and that offers a way to track down the malware authors.

Yes, none of this works against a complete system compromise but security is all about defense in depth. It would be irresponsible not to protect millions of people just because you cannot do so perfectly.

So why isn't that checkbox / configuration option / etc. under the same protections? If malware's able to check that box to say "yeah, Firefox, unsigned extensions are okay", then it's surely able to wreak all sorts of other havoc (turning off the pop-up blocker, changing the homepage, redirecting "youtube.com" to "redtube.com"... these are just the mundane things). I can't imagine that Mozilla designed Firefox to be externally configurable by malware running under a user context.

Well without having the signing key, you can't sign anything that will "change", so any of the configuration options are either baked into the executable (and signed) or they are in a config file (in chrome's case an SQLite file, not sure about FF).

And malware can do all sorts of nasty stuff when it's installed, but the issue with extensions specifically is that they are synced and they can run arbitrary code, so malware that can install one on machine A will instantly infect any other machine that firefox is synced to, as well as silently re-installing if you try to remove it. Plus the extension itself has the ability to download and run additional malware.

I saw a particularly nasty setup one time that a chrome extension downloaded a payload and ran it which would re enable/reinstall the chrome extension if it was removed, and the extension would reinstall the payload if it noticed it was missing. The only way out was to either wipe the chrome profile and machine, or be really quick and remove both of them at the same time.

It's obviously not an ideal solution (to block all unsigned extensions), but when the options are:

1. Let malware run rampant unable to really combat it in any way (while letting it use your software to spread)

2. Castrate the entire extensions system to make them 'safe' (basically turn them into glorified web pages with the same restrictions and all)

3. Disable unsigned extensions and play the whack-a-mole game in a way that you can actually win it.

The option which works out the best for the vast majority of users is number 3.

My point is that those aren't the only three options.

4. Have the browser executable perform some sort of integrity check on the settings file to detect if it's been tampered with by something that isn't the browser (which admittedly isn't robust, but it's a start and eliminates at least the more simplistic malware).

5. Implement encryption on the settings file so that it can only be read or modified if unlocked with a user-configured passphrase (such as that used for Firefox Sync).

6. Use an additional config file with the same permissions as the browser executable (i.e. requiring administrative privileges to modify) for critical security settings like whether or not unsigned extensions may be installed, thus preventing user-level malware from editing it.

7. Don't sync extensions automatically (as a Firefox user with several machines, extension autosyncing is actually more annoying than it is helpful; I'd really like to be able to selectively sync certain extensions - like Tree Style Tabs and Greasemonkey - while keeping others (like themes) local to specific machines). This solves the problem of malicious addon propagation that you mentioned, since said propagation would require user intervention.

5, 6, and 7 would be much more useful in Firefox than Pocket/Hello integration, builtin PDF readers, or any of the other cruft that's started to creep in. In fact, I'm pretty sure 6 is already possible through that enterprise configuration addon (I know firsthand that it's possible to have settings locked down to administrator-only access through that).

Regardless, my other point is that by default, if malware can manipulate Firefox' settings, it can manipulate other things that are just as bad as malicious extensions (like one's stored passwords). It's already possible to mitigate password storage risks by setting a passphrase on one's password cache, so I see little reason why #5 shouldn't be possible, too.

> I don't know about "dev edition", but wouldn't be surprised if it isn't kept up-to-date

Dev Edition is kept up to date. If you check Firefox Versioning workflow, you will see that Firefox DevEdition replaced aurora which was the version between nightly and beta. It's kept very up to date, there are daily updates on the Dev Edition channel. Also the Firefox UI is fully customizable, just click the menu icon in the toolbar, choose customize and start replacing things you don't like.

Why is everybody supposed to love the Mozilla Corporation? Just because you do?

Firefox users see through this feel-good marketing nonsense from Mozilla.

They've seen Firefox's UI change for the worse in so many ways, even in the face of wide opposition.

They've seen unwanted bloat, like Hello and Pocket, forced upon them, again in the face of wide opposition.

They've seen their requests for bug fixes and performance improvements go unheeded, sometimes for years.

The easy use of extensions has been the only thing keeping many of these people using Firefox. They've been using many extensions to undo, as much as is possible, the unwanted changes that Mozilla has made.

I use Firefox Nightly, and was recently surprised when, after an update, some custom extensions I had written myself were not loading, and could not be easily enabled. When I found out it was due to this, and I had to start adjusting about:config settings, it was nearly the last straw for me.

I don't want to use another browser, but it's like Mozilla is doing everything in its power to make using Firefox a bad experience for me. I know I'm not alone. We've already seen Firefox' share of the browser market drop from well over 30% to a level of around 10% today, if it isn't actually lower than that.

It's truly sad to see what's happening to what was once such a great browser.

You're being pretty grim. Hello is fucking awesome, and while I don't use Pocket it isn't the end of the world. Firefox isn't Lynx, but even as a Unix guy I enjoy and appreciate it. I also appreciate that they're trying to be more attractive to the masses, which is societally beneficial.

As you do, I have a lot of programs and extensions installed on my machine. How about you install them all on yours? Come on! Don't be grim! They are fucking awesome and if you don't use them it's not like it is the end of the world :^)

It's funny, one of the other top comments here is about how many features Firefox is removing. Vital, core stuff, like being able to set custom user agents for specific domains...

I think the real reason many people are angry is that their demographic isn't catered to. I'm part of that demographic, and it does annoy me sometimes. However, unlike Debian/systemd, I find the tradeoff definitely worthwhile.

I am grateful for Hello now that MS owns Skype.

Some people hate the UI changes. A lot of people are just fine with them.

Hello and Pocket are just two buttons in a toolbar which you can remove.

True. However what I have found in general is that I have been spending more and more time tweaking and fiddling Firefox to make it work the way I want it to, i.e similar to the way it was in the past with no Pocket for instance.

It is really annoying to have to watch the Firefox news and other channels to get this kind of information, reason about it, and then make my choice regarding what to do.

Browsers for me are a tool to get my work done, and I don't want to spend my time shaping my browser every time some people in Mozilla decide to change something.

There are two solutions I see: 1. The cynical/pessimistic one: the web is broken, all browsers fail to various extents, and one needs to pick one's poison - Firefox is the least of evils, hence I will continue using it with increasing dissatisfaction.

2. The optimistic one: Firefox and Mozilla will eventually get back on track, and revisit their old values - I find this harder to believe as time passes by.

> Hello and Pocket are just two buttons in a toolbar which you can remove.

I would have preferred to see bugs fixed, rather than features that undeniably belong in extensions. Even if it'd been issues that don't even affect me.

> features that undeniably belong in extensions

At least in the case of Pocket, the current browser marketplace seems to disagree: Chrome is the only major browser without a built-in reading list. When it came time to add similar functionality to Firefox, we could either build and maintain our own service and integrations, or we could partner with an established player with sane privacy and data access policies.

We chose the latter. Pocket is already integrated into literally hundreds of applications, and it started life as a Firefox add-on. Embracing that is a reasonable choice in terms of utility and sustainability, as Pocket themselves are already maintaining SDKs and applications on all major platforms.

(Why this is built into the code and not shipped as an add-on was, iirc, an architectural quirk that will hopefully be rectified.)

I'm a Firefox user on all devices and am fine with the UI and don't know what Hello or Pocket are. It has gone through periods of bad choices and bloat before but has been cleaned up over time. I fully expect this to happen again with more annoyances greater than this one. And I still prefer to use it because I support its aims and it supports mine.

See, therein lies the problem. I use Firefox because of our mutual views (and the extensions) and there is no competition in that field. Chromium is too pared-down (no sidebar is basically a killer) and I don't want to support a webkit-centered internet.

I don't remember Firefox being well over 30%. The highest I've seen them had been 27%.

That said I can see how users don't like Mozilla's attitude. I've actually noticed it as far back as Firefox 3.5. I know users didn't like the changes post Firefox 2.0. It's too bad Firefox wasn't componentized enough to separate UI from the layout engine and JavaScript engine.

I myself like Australis but I'm also someone who's loved Chrome from the beginning. That said I think it was a mistake to turn Firefox into Chrome. They should've released Australis as a separate browser like they did with Firefox in the Mozilla Internet Suite days. That way they wouldn't have alienated so many users and their core user base would've been secure while they experiment with big user facing changes.

These days I'm more disappointed in what they didn't add to the browser like built-in ad-blocking and tracker blocking. I understand they have this view that the web needs ads but that doesn't mean it needs third-party ad networks. Just like popups they degrade the user's experience. More importantly they also compromise the security and privacy of the user. Clearly they are a practice that should be fought against. That they haven't tells me they are no longer an advocate of the user but the site owners.

> tracker blocking

Try opening a private browsing window in Nightly and see what you get... ;-)

Edit: Here's a screenshot for folks without Nightly handy. http://imgur.com/5khKObb. This is still a work in progress, but we're getting there.

Had to look it up since I'm not on Nightly or a desktop. I assume you're talking about this:


Do you know when this will make it to the stable release or when it will be on by default?

I don't understand why Mozilla is trying to control the ecosystem. It's an open source product. Why does it need to be locked down like this? Who do they think they are protecting, or even helping, with this?

Their users?

I'm not sure what you're asking. It's trivial to remove the block for open source contributors, and in fact Iceweasel etc likely won't have it.

But for people who download Windows binaries (or get automatically updated) it's a godsend.

Individuals aren't in control over their on-line experience if their browser settings (search etc) are taken over by malware.

I think the average HN reader should go out there once and look at the typical household PC. Bring eye bleach.

We're currently waiting for well over 2 months now for an add-on update to get released -.-


Users still have control. You can remove plugins you don't like, and if you really want to, use a version of a plugin which allows unsigned extensions.

Arguably this change might give users more control: Trojan horses can no longer secretly side load malware.

> Users still have control. You can remove plugins you don't like, and if you really want to, use a version of a plugin which allows unsigned extensions.

You could argue that as long as users can still download a disk editor and change any byte of the disk on their machine they still have control (in fact patching out this signature check could probably be done with a single-byte change to the binary...); the problem is when this control is made more and more difficult.

Ah, feels like they're following Chrome's example, which decreed that it should be exceedingly difficult for Windows Chrome users to install extensions from somewhere other than https://chrome.google.com/webstore/ . This basically killed an internal app we had at work (a fork of a "REST client", with some added request-signing features specific to our internal APIs.) There was no strong reason to keep it secret, but there had previously been no need to put it in the store either, and there was a $5 charge to publish in the Web Store, which I didn't feel like dealing with.

Anyway, they are both measures taken to stop malware, by taking an option away from the user, that most users won't even notice, but many "power users" will be inconvenienced to varying degrees. I'm guessing Firefox's won't be as bad, since the "developer version" that will let you keep doing the old way probably won't differ from the normal version as much as Chrome's does.

You can still install custom extensions in Chrome for Windows using - among others - group policy: https://support.google.com/chrome/a/answer/188453

This is the exact reason why I moved to Firefox from Chrome back when Google started tightening the noose around developer mode extensions. I had written a few extensions for my own personal use and had no interest in putting them up in the Chrome Web Store. This was fine and good until Google decided it was A Bad Thing and Chrome started popping up annoying warning windows on every startup and then eventually disabled my extensions entirely.

I switched to Firefox since it let me have more control over my own browsing experience (and gave me a good excuse to extract myself just a little bit from the Google hivemind). I'm extremely annoyed to see that Firefox is now going down this route too.


There are FOUR VERSIONS OF FIREFOX WITH A SWITCH TO DISABLE THIS if you're so inclined. You can use: Nightly, Dev Edition, Unbranded Stable and Unbranded Beta. All of which have a switch that you can set to disable addons signing requirement.

In contrast there are only two versions where this is a requirement, Stable and Beta. If you doubt the usefulness of this you haven't seen a browser being hijacked by malware overriding search results, inserting all types of toolbars and more. This will prevent malware from sideloading extensions. And this is good.

The signing process is not the same as the AMO review process. The process takes only seconds and the signed addon is returned to the developer. They can distribute as they see fit.

Now, let's face the fact: Simple signing process that takes only seconds and will help prevent lots of malware, not the most nasty ones but a huge lot of sideloaded crap. Four versions of the browser for those power users who want to disable this.

Now, can someone explain to me without hate why this is a bad thing?


While that may be true, requiring that you run a non-standard version of Firefox to be able to use "random" extensions will probably have a chilling effect on the Firefox extension ecosystem.

That, and it reeks of Chromeism.

You will be able to run "random" extensions if the developer cares enough about it and about the new security procedures to sign it. After all, it takes only a couple of seconds for the signing to work.

The versions I quoted are not non-standard. They are all versions of Firefox being worked on and with all the relevant teams. All those versions eventually become Firefox Stable and after that becomes outdated and a new release is now current. Versions go from Nightly -> DevEdition -> Beta -> Stable. Each version has some tweaks, for example DevEdition is where they seed and test new devtools. Which means that for the developers, that's the best edition to develop with (still test on the other versions).

They are non-standard in the sense that 99% of Firefox users are not using them.

Do you understand that the Unbranded Stable version and Firefox Stable version have the same codebase? You can use that version for testing or if your users don't want signing they can move to that version. They lose the cute icon and branding but the code is the same.

I think you missed my very clear point: now it's not enough to just run Firefox. You need to ask for users to run the "right" version of Firefox.

Telling people what browser to use is user hostile behaviour. Users will not bother. Non-official extensions will get less interest. Authors will see a smaller user base and have less interest in writing new extensions.

This will have a chilling effect all over.

How does this policy interact with greasemonkey, an extension that allows running random JavaScript on sites with access to the extension API. You could write your malware as a greasemonkey extension, convince a user to install a signed greasemonkey release, and then convince them to install your malicious extension.

Great point. Does anyone know what--if any--limits Grease Monkey puts in place to prevent users from being exploited?

It's important to note that the Developers Editions (and the Nightlys) will have a setting for disabling the requirement.

The assumption being that developers need to test as they develop. And are a more informed user.

The link also says that there will be builds of normal (release) and beta Firefox that do not have this limitation, for those that want them.

(In addition to people always being able to recompile the browser with whatever modifications they want, of course.)

I was only commenting on the "trivial build or not" part. You're right that there are plans to have official "unofficial" release and beta builds without signing requirements, but only for the en-US locale (yes, language packs exist, no, not every developer on Earth speaks English)

I had to flip that setting this morning when dev edition updated and disabled the 1Password extension. It's "xpinstall.signatures.required", for reference.
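An added example, not part of any comment in this thread and not Mozilla's code: a read-only audit that checks a Firefox profile's `prefs.js` and `user.js` for the `xpinstall.signatures.required` pref named above being set to anything other than `true`, which is the user-writable switch the earlier comments say user-level malware can flip. The sample file contents and profile directory names are constructed, and the parser assumes the double-quoted `user_pref("name", value);` syntax.

```python
"""Audit Firefox profiles for a disabled add-on signature requirement."""
import re
import tempfile
from pathlib import Path

PREF_NAME = "xpinstall.signatures.required"  # pref named in the thread
PREF_FILES = ("prefs.js", "user.js")         # user.js is applied after prefs.js

# user_pref("name", value);  value is true/false, an integer, or a "string"
PREF_CALL = re.compile(
    r'\buser_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)


def strip_comments(text):
    """Drop // and /* */ comments but copy double-quoted strings verbatim,
    so a commented-out pref is ignored and a URL inside a string survives."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j          # keep the newline itself
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_prefs(text):
    """Return {pref name: bool | int | str}; a later assignment wins."""
    prefs = {}
    for name, raw in PREF_CALL.findall(strip_comments(text)):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit_profile(profile_dir):
    """Return (effective_value, findings) for one profile directory.

    effective_value is None when neither file sets the pref, meaning the
    build's own default applies. findings lists each (file, value) where
    the pref is set to something other than True.
    """
    effective, findings = None, []
    for fname in PREF_FILES:
        path = Path(profile_dir) / fname
        if not path.is_file():
            continue
        prefs = parse_prefs(path.read_text(encoding="utf-8", errors="replace"))
        if PREF_NAME in prefs:
            effective = prefs[PREF_NAME]
            if effective is not True:
                findings.append((fname, effective))
    return effective, findings


# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/*start*/");
user_pref("xpinstall.signatures.required", false);
'''
SAMPLE_USER_JS = '''/* user_pref("xpinstall.signatures.required", false); */
// user_pref("xpinstall.signatures.required", false);
user_pref("browser.startup.page", 3);
'''


def demo():
    """Build two constructed profiles in a temp dir and audit both."""
    with tempfile.TemporaryDirectory() as root:
        flipped = Path(root) / "flipped.default"
        clean = Path(root) / "clean.default"
        flipped.mkdir()
        clean.mkdir()
        (flipped / "prefs.js").write_text(SAMPLE_PREFS_JS, encoding="utf-8")
        (clean / "user.js").write_text(SAMPLE_USER_JS, encoding="utf-8")
        return {p.name: audit_profile(p) for p in (flipped, clean)}


if __name__ == "__main__":
    for name, (value, findings) in demo().items():
        status = "REVIEW" if findings else "ok"
        print(f"{status:6} {name}: effective={value!r} findings={findings}")
```

On a build that ignores the pref (Stable and Beta, per the thread) a finding has no effect on enforcement, but it still shows that something edited the profile to try.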

The other assumption being that there is a distinction between 'developers' and 'users'.

Every user should be permitted to disable that requirement: it's his browser, not Mozilla's.

They've said that for a while, but the last time I had the Dev edition installed I couldn't install the Dashlane [1] plugin.

1: https://www.dashlane.com/en/cs/3bce5a89

Did they say why beta wouldn't have this setting? If anything beta is closer to release and developer would target that. Developer edition is still nightly if I'm not correct?

Generally, beta is supposed to be almost completely identical to the release version, to ensure that what gets shipped to release users is tested. This particular pref seems harmless, but you never know.

Developer edition is what used to be known as "Aurora", which is in between Beta and Nightly.

I think they want to encourage wider adoption of the Beta version, so they treat it similarly to the Release. The logic seems pretty questionable to me though. If you can install a Beta version of Firefox, you should be able to avoid consenting to allow malware to run on your computer (this change is primarily targeted at extensions installed by some user action -- like something silently side-loaded by an application installer).

I don't see anything about why the beta, but I did see the following in the FAQ. Maybe this will help:

"There will also be special unbranded versions of Release and Beta that will have this setting, so that add-on developers can work on their add-ons without having to sign every build."

I recently made an update to my own Firefox extension, called Tab Grenade. It took them 4 months to review. 4 months. And that's for a (very) minor update.

Because of that, I was definitely considering to start releasing it on my own, instead of through Mozilla's add-on website. It looks like I will be able to do that, but I'll have to use the signed extension process.

I'll believe this system works when I see it. After my experience with add-on reviewing, I am very skeptical.

The review is mostly done by volunteers. Sorry for the delay, I feel your pain. Will check here if we can try to get more people onboard to help review stuff.

Addons get signed by an automated process that is independent from the public store review.

Signing != Reviewing.

And slowly, freedom everywhere was destroyed in the name of security.

Firefox is open source. Disabling the signature check will probably be a one-line change. Yes, it's a much larger barrier to entry (building Firefox is not trivial), but it's not like IE or Chrome where you have no choice in the matter at all.

> building Firefox is not trivial

./mach bootstrap

./mach build

Yeah? You at the very least forgot to obtain the source code first somehow. What about build-dependencies, because ./mach bootstrap does not fully handle that?

Now please tell me how to do a Windows release-build with all release features enabled (except for official branding), aka. a ton of configure switches, and also please do it for my language using the official de locale, because neither the source tar.bz2 nor the hg you'd normally clone contains that. I'm starting from scratch of course. And suddenly it is less easy and trivial..

As the link mentions, you don't need to build from source. Binary builds are provided that do not have this restriction, for those that want that.

^ This.

It's been one month and the new version of an extension I wrote is still waiting to be reviewed. I've since stopped waiting and started using the new version myself rather than download from AMO. I was already very disappointed by the review process and now this.

Tweeted to Chris Beard: "Dear @cbeard, please give your users the choice and control they deserve in @firefox. Allow extension signing to be disabled in FF42."

You want to protect the user, then start making extensions more secure and require permissions to do things. E.g. If an extension can access contents of webpages, pop up a dialog and ask the first time. There are other ways to protect users without going authoritarian on us.

An important point is that the review process before signing takes seconds, according to the article. Considering the frequency of FF updates, it's an important point.

Now, let's just hope that the other side of the coin is a concern for API backward compatibility, so that people don't need nightly versions of addons and a developer edition to keep their addons in a usable state...

I use several small add-ons I wrote myself. Why should I have to get Mozilla's approval before I can install my own damn add-ons? One of them executes processes and I'm 99% sure it'll fail the automated review.

EDIT: It passed the automated review, but my point stands. If I wrote the code, then you can be damn sure I trust it.

> I use several small add-ons I wrote myself. Why should I have to get Mozilla's approval before I can install my own damn add-ons?

Mozilla has to balance the needs of several hundred million users, who are being attacked by malware every day, with the needs of people who write their own add-ons. Is it really that difficult to see it from that perspective? And it's not like you have no options now. You can either use the developer edition or the special release version where this feature is disabled.

They've always catered to the hacker perspective, too. Why take out the about:config flag? How about letting me trust my own certificate, instead of just AMO's? What about running AMO alternatives?

Did you not read the blog post? You can use the dev edition or the special release and beta version that don't have this limitation. Nobody is forcing you to live with this limitation. If this was done as an about:config flag it could easily be changed by an add-on too.

I did read the blog post. It says I have to use a less stable (beta) or less customizable (dev edition) version of Firefox to avoid this burden.

From https://wiki.mozilla.org/Addons/Extension_Signing

"What are my options if I want to install unsigned extensions in Firefox?

The Developer Edition and Nightly versions of Firefox will have a setting to disable signature checks. There will also be special unbranded versions of Release and Beta that will have this setting, so that add-on developers can work on their add-ons without having to sign every build."

Ah, nice. Even so, I still have issues with this:

- Special version of the software

- Can't run my own version of AMO

> - Can't run my own version of AMO

You can, AMO is open source: https://github.com/mozilla/olympia

Run your own instance and make your own builds of Firefox that point to it and you're good.

>make your own builds of Firefox

Yeah, let me just get all of the potential users of my AMO alternative to compile a custom version of Firefox for it

If you want to run a custom AMO I'm assuming you're in a corporate environment or something like that where you can control what browser gets installed on people's machines.

https://addons.mozilla.org is an integral part of Firefox, if you set it up with an alternative you're effectively making your own fork.

It's not an integral part of Firefox, though. You can install add-ons without it by just clicking a link on any page that leads to an XPI, same as how AMO behaves.

And no, I'm not in a corporate environment. I'm talking about decentralization.

Dev Edition is not less customizable... it's just Firefox with a new theme and more bleeding edge dev tools which you should be using to develop addons anyway.

The theme is the problem I'm referring to.

The cool thing about themes is that you can change them. Developer Edition just comes with a different default theme.

For some reason I thought you couldn't change it. That's fine, then.

Not only can you download a new theme but you can also develop a whole new one if you'd like.

What is the point of this? Shouldn't users be allowed to make their own decisions no matter how stupid or dangerous?

Users still can, they can download one of the provided builds that do not have this restriction.

The issue is that most users don't understand software on a deep level, and just click "yes" on dialog boxes, etc.

It does make sense to keep the defaults where it prevents most users from harm.

But it doesn't! As long as downloading anything is allowed, signing requirements on extensions will not prevent anything.

And by experience supporting users, this is not how bad extensions get installed on the system: they're pulled in by malware which gets installed by other means.

This is only going to irritate legitimate extension developers, who already have to wait weeks for AMO to review even the most basic change. I've been distributing extensions separately precisely for this reason.

But this change will prevent bad extensions pulled in by malware installed by other means.... On systems that require application signing, that should do some good (otherwise I'd expect malware to just switch from sideloading extensions to sideloading a modified version of Firefox).

How many systems do you think require application signing?

Why don't we teach people who don't understand so they can make informed choices instead of preventing it entirely?

There are a lot of things I wish the general public would try to get educated about so they can make informed choices.

  1) Nutrition
  2) Politics (especially taxes & wars)
  3) Computers
  4) Finances

If you can figure out how to get people properly educated on even 2 of those things, the world would be a very different place.

Idealism and duct-tape- they are holding the world-view together..

Specialisation always was this species' strong point. Acceptance that the user might have his strong-point elsewhere and is so nice as to not harass you with his worldview. Imagine if you went into your local bakery, and there behind the counter stands a guy all in white:

"Good morning. Try our donuts today. You could make donuts too. It's easy. Come on, I'll show you. And then you will be self reliant when it comes to donuts. There are thousands of great recipes online - okay, some are broken, but you don't get to become an expert in donut making - without giving a little bit back.. Sir, Sir - you forgot your Donuts. Maybe he is diabetic and forgot - or evil corporate donut buyer - or the one dough ring to bind them all is too much of a power.."

With great specialisation comes great loss of understanding on other parts of your life.

There are way too many decisions we need to make in this world to really be informed on every one. Of course, in our world, understanding software and safety is in our scope of knowledge, so we believe everyone should have it. However, not everyone is in our world. I am sure tech people make all sorts of uninformed decisions in other realms that people in those fields would be appalled at. It is OUR job to help protect regular people who don't have the time to learn our world be safe, just as it is the job of those other fields to help keep us safe.

Heaven forbid. The unaware, uninformed user is the bread and butter that the Internet businesses survive on. Tech-savvy users are bad bad bad. Protected, gullible users is what keeps the engines running.

The choice isn't prevented. There is just a small barrier put in place of the choice. Installing a different version of firefox is not difficult, but it makes sure the user is absolutely sure, and helps get an idea across of the ramifications.

Go ahead and help teach them, no-one is stopping you.

They can't be taught, nor do they care to be. Education is not the solution to the problem of users who don't want to know.

This. Most of the people do not care about this stuff and they do not wish to learn it. Also, like with vaccines, it is important that sufficient number of people are protected for the malware/viruses to not spread.

Because that's been such an unqualified success for the last 30 years we've tried it.

30 years is not long enough.

Literacy took much longer, but the benefits are clear today.

We should teach people, yes! At the same time, educating hundreds of millions of people takes time.

> It does make sense to keep the defaults where it prevents most users from harm.

Wait, did we have an extension-caused apocalypse recently leading to this requirement ? Erm, I guess not. So why do we exactly need it ?

Approximately 5% of users are infected with adware. This is one way to combat it. Google has already taken this approach.

How many % of this 5% are running Internet Explorer ? Let me guess, 95% ?

You'd be surprised. Chrome and Fx can be and are as easily infected as IE.

Can't have censorship if users have the option of overriding it, can we?

Firefox's plugin development is already a pain in the ass. They should focus on making it simpler, not giving more reasons to fork it.

This is disappointing. Everything is becoming centralized, even Firefox extensions. I wish there was an opt out like "unknown sources" in Android, but they keep saying we're not smart enough to make our own decisions. They won't even put one in about:config. This change will undoubtedly upset developers and other techy folk, exactly the kind of people you want working with your software.

Fdroid is working on third party repositories, maybe that will catch on to decentralize the mobile world a bit. Something like that for browser extensions would be sweet. Take a look at Fennec Fdroid for a cleaner Firefox mobile experience at least.

The point here is to stop junkware authors (who operate pretend-legally) from trivially installing extensions into Firefox. Right now, this type of software commonly injects javascript into all web-pages a user visits which do things like add adverts or redirect searches.

If you allow a tick box to disable this, then how do you stop the junkware authors from simply checking that box on behalf of the user? Because that's what would happen, the user would click "next" on some random installer (which the junkware authors argue grants them expressed permission to install), and the junkware will claim they tick the unknown sources box to fix a "backwards compatibility issue."

What they're trying to do is make the option to disable the check SO niche that it really isn't a valid option for the junkware authors to use anyway (since most consumers won't have it, only corp. networks which are a hard target for junkware for other reasons).

In the article they say that Firefox DevEdition, Nightly and Unbranded will have a switch to turn this requirement off.

Have you read the article? In the FAQ section they explain which versions of Firefox you can use if you don't want this requirement to occur.

I wonder how long it will take until adware producers patch out the requirement for signed extensions in the binary when you install stuff from them on your computer.

That route is getting harder with application signing becoming more prevalent on Windows and OS X.

Isn't Chrome already like this? I spent 45 minutes trying to find a way to install a non extension store extension this weekend and gave up after being blocked repeatedly.

It's actually incredibly simple, just rename the .crx to a .zip and load it as an unpacked extension.


I don't think what Chrome does is relevant in this discussion, at least not in the context of defining what is the correct way for Mozilla to go forward.

Unfortunately it's relevant in the discussion of what Mozilla can get away with.

It should still be possible to fork Firefox and remove this requirement, right?

It's not really a full fork, but I'm fairly confident that Iceweasel, the patched and no-branding Firefox that ships with Debian, will not have this problem.

(So as a Debian user I don't really care, but it worries me slightly for the future of Mozilla.)

Mozilla has said that this requirement is set by one flag at build time, so building a version without this requirement should not be any more difficult than just compiling Firefox. I have never done that, but I think it's slightly non-trivial. The hardest part would be distributing the fork though, so a Linux distribution like Debian making this change, as others have mentioned, would be one way to build a popular fork without this requirement.

You don't need to fork. There are four versions without the requirement: nightly, dev edition, unbranded stable and unbranded beta. What more do you want?

In theory, but that will be very difficult.

Difficult how? Even though Mozilla is going to be providing builds of just such a fork themselves? Is it particularly hard to build Firefox?

How about Pale Moon ?

It's trivial.

Well, at least they're paying lip-service to enterprise users who may have internal extensions to deal with:

  What about private add-ons used in enterprise environments?

  We haven't announced our plan for this case yet. Stay tuned. 
  In the interim, ESR will not support signing at least until 
  version 45, which won't come out until 2016.

I have seen several suggestions along the following lines as far back as the original blog post which announced the intention to require extension signing:

Allow an extension signing certificate to be placed in a directory/store which requires elevated privileges to modify (i.e. /etc/ or similar).

Extensions in the user's profile signed by this certificate will load as if they were signed with the Mozilla certificate.

If the user has enough privileges to add an extension signing certificate then they also most likely have the ability to modify Firefox itself. I think this addresses any concerns that this method could be used to load malicious extensions (if the user is willing to run unknown executables with elevated privileges then extensions with apparently valid signatures are the least of their worries).

This allows enterprises to sign and distribute their own extensions, with the additional step of creating and distributing the signing certificate, and could also work for home users.
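
The proposal in the comment above only holds if the certificate store really is modifiable by a privileged account alone. An added sketch of that precondition check follows; it is not Firefox or Mozilla code, and the function names, the `trusted_uids` and `stop_at` parameters and the file names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def path_chain(path, stop_at="/"):
    """Return path and each parent directory up to and including stop_at."""
    path = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    chain = [path]
    while path != stop_at:
        parent = os.path.dirname(path)
        if parent == path:  # hit the filesystem root without meeting stop_at
            raise ValueError(f"{stop_at} is not an ancestor of {chain[0]}")
        path = parent
        chain.append(path)
    return chain


def audit_trust_store(store_dir, trusted_uids=(0,), stop_at="/"):
    """List reasons why store_dir cannot act as a privileged trust store.

    An empty list means every directory from store_dir up to stop_at, and
    every entry inside store_dir, is owned by a trusted uid and is not
    writable by group or others. A writable parent matters as much as the
    store itself, because whoever can rename a parent can swap the store.
    """
    targets = path_chain(store_dir, stop_at)
    store_real = targets[0]
    for name in sorted(os.listdir(store_real)):
        targets.append(os.path.join(store_real, name))

    problems = []
    for target in targets:
        st = os.lstat(target)
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"{target}: symlink, resolve it and audit the real file")
            continue
        if st.st_uid not in trusted_uids:
            problems.append(f"{target}: owner uid {st.st_uid} is not trusted")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{target}: writable by group or others")
    return problems


def demo():
    """Audit a constructed store before and after its permissions are loosened."""
    base = tempfile.mkdtemp()             # created 0700, owned by the caller
    store = os.path.join(base, "certs")   # hypothetical store location
    os.mkdir(store)
    os.chmod(store, 0o755)
    cert = os.path.join(store, "enterprise-ca.pem")
    with open(cert, "w") as fh:
        fh.write("constructed placeholder, not a real certificate\n")
    os.chmod(cert, 0o644)

    # The caller's uid stands in for root so the demo runs unprivileged.
    me = (os.getuid(),)
    before = audit_trust_store(store, trusted_uids=me, stop_at=base)
    os.chmod(store, 0o777)                # any local user could now add a CA
    after = audit_trust_store(store, trusted_uids=me, stop_at=base)
    return before, after


if __name__ == "__main__":
    clean, loosened = demo()
    print("tight permissions:", clean)
    print("after chmod 0777: ", loosened)
```

With the defaults `trusted_uids=(0,)` and `stop_at="/"`, a store placed anywhere under a user-writable directory is rejected, which is the property the proposal relies on.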

Mozilla used to be the best place in the world for extension developers -- it was natural to have your best extension on Firefox because you could release early and often. Active developers made the platform.

When Chrome came along they decided to go in a different direction entirely slowly making it more and more painful to accomplish what used to be easy in the name of security. The review process went from automatic if you were trusted to weeks and then months and then more than a quarter year. They started demanding source code. It became scary to release to addons.mozilla.org because you never knew how long it would be before your next release would be approved.

Mozilla needs to realize they're hastening their own demise - Chrome now offers better features than when Mozilla was the leader including releasing to a percentage of users and faster nearly invisible to the user updates. They should go back to their roots and embrace developers again.

I wonder if this will mean that all the extension version numbers will stop ending in -signed. I'm used to having any build number with -label in its name denote it's a pre-release and isn't stable [0].

I was recently searching for user agent switcher add-ons as part of a blog post [1] and almost all have -signed in the name. To some people it could look like the un-signed ones are more stable and better.

[0] http://semver.org

[1] https://unop.uk/dev/how-to-watch-bbc-news-videos-on-a-deskto...

The -signed label was a one time effect to update existing extensions to signed versions (since AMO didn't want to arbitrarily bump the version numbers of all its hosted extensions). Future updates do not have this label.

What happens to all of those extensions that are on the gray area of DMCA? Who is this move benefiting? The users or the sponsors?

>>Is this a way for Mozilla to censor add-ons they don't like, enforce copyright, government demands, etc.?

>No, the purpose of this is to protect users from malicious add-ons. We have clear guidelines[1] for when it is appropriate to blocklist an add-on and have refused multiple times to block for other reasons.

[1] https://developer.mozilla.org/en-US/Add-ons/Add-on_guideline...

Copyright, DMCA, and legal concerns are not listed. So I take that to mean nothing will be rejected from signing for those reasons. Hosting on AMO has stricter rules, so they could sign the extension for you to host, but refuse to host it themselves.

Today, Mozilla doesn't get demands to take down extensions because sending demands would be pointless. If EvilCorp tried to force Mozilla to take down uBlock and friends from addons.mozilla.org they would just get hosted elsewhere and EvilCorp would look like assholes. It's all downside, no upside, so EvilCorp don't even bother to ask.

If tomorrow Mozilla can shut down any extension, the calculus changes. Forcing Mozilla to kill ad blockers still makes EvilCorp look like assholes, but it might be successful. There's a big upside now, so much more reason to try and force Mozilla's hand.

I do wonder if some lawyer will argue that a take down notice for an extension should include revocation of its signing?

It's little more than a year ago that Brendan Eich was ousted from Mozilla by an ugly orchestrated cabal. When I read Mitchell Baker's vapid blog post [1] on the decision, filled with polite backstabbing and politically correct buzzwordery I understood that Mozilla has been taken over by politicians and that its decline is just a matter of time.

[1] https://blog.mozilla.org/blog/2014/04/03/brendan-eich-steps-...

He quit, he wasn't fired. If you have evidence to the contrary, please post it.

You could say the same about Richard Nixon

I can't think of many OSS projects that aren't being manipulated by a strong community of liberals.

Is that the US definition of 'liberal'? i.e. the one that would apply to most center-right parties in the rest of the world?

"Liberals" in the US - democrats - are indeed center-right of the rest of the world. Look at Obama, Clinton, Biden. They are very center on some issues and quite right on others.

Probably. I've always considered both US parties to be so far right wrt the rest of the world, that anything even remotely moderate would be labeled "liberal" or "communist". Both terms used with extreme prejudice and disdain, of course.

A U.S. "liberal" is very socially-progressive (pro-gay marriage, pro-choice, pro-environment, anti-racist, mostly pro-regulation and anti-corporate). I think that's the sort of people the parent poster intended to describe. In Europe "liberals" are usually pro-business and socially-conservative.

(Btw, I wouldn't say a U.S. liberal will automatically sit on the right of the European discourse, today. Traditional socialism has virtually disappeared as a political choice in Europe as well, so really there is very little disagreement today between a U.S. liberal and a European with mainstream social-democratic sensibilities -- except maybe on foreign policy.)

There is no equivalent of a European left in mainstream US politics. You see bits and pieces in some small-time candidates like Bernie Sanders, but nothing serious. The red scare did its job.

I have been looking at https://input.mozilla.org/ now and then for a long time, and I am still astounded at how it's typically around 90% unhappy, 10% happy.

I know that some Mozilla supporters will justify that huge difference by saying, "but unhappy people will always complain and happy people won't say anything", but I don't think that's necessarily the case. Here we have Mozilla's own stats saying that a lot of their users are extremely unhappy with Firefox.

Clearly something is very wrong for the disapproval rating to be so high, and the satisfaction rating to be so low. In other situations, such a high disapproval rating would be met with extreme concern, immediate retrospection, and panic.

Even in the case of US presidents, where people don't have an immediate alternative like they do with web browsers, and where people's emotions run rampant, it's very rare to see an approval rating under 40%. The very worst approval ratings still are around 25%.

So something is seriously wrong for Mozilla's products to consistently have an approval rating of only 10%, or even 20% if we're being generous.

Take a look at the platform statistics there. Nearly half of the feedback (46%) comes from Android users. Reading the comments, they seem like the (very uninsightful) reviews you typically see in the Google Play Store where the "unhappy people will complain" seems to be quite true.

Firefox for Android is a fundamentally different beast from the browser on Windows/Linux/MacOS. I am quite happy with the desktop version, yet I find the mobile experience quite underwhelming.

If you limit the selection by platform, on Android it will even show "100% sad, 0% happy" -- Mozilla has some work to do there. On Windows 7 you get "81% sad, 19% happy". Still bad, I agree, but don't just dismiss the inherent bias of a feedback system. And compare them to the stats for competitors, too.

I had never seen input.* before so I checked it out. I was pleasantly reminded of the variety of user-cases when I read this comment:

"I accidentally installed a prank addon/script (can't remember the name or which one, though it did come with a clear warning). Now my Facebook comments are garbled (scrambles text (makes it worse when I use punctuation-multiplies it). Please use and add some malware cleaner in some future update to get rid of this nasty prank script/addon. I use Stylish addon and I'm guessing I got it from this! Makes using Facebook defunct and troublesome!"

Input is not an approval rating, not even close. That is what Heartbeat is for.

Mozilla Heartbeat is constantly asking for ratings from a random sample of Firefox users.

The Heartbeat rating for Firefox Desktop is currently about 4.3/5- or 86%.

P.s. Despite the amount of negative feedback in Input, the portion of feedback which is positive is about twice what it was in May.

Those approval ratings you speak of are usually reported as a part of representative studies. What do you think is the approval rating of Obama, if you only ask people who support Jeb Bush's campaign?

Input is anything but representative, it's not meant to be. It's there to catch things as early as possible.

"I have been looking at https://input.mozilla.org/ now and then for a long time, and I am still astounded at how it's typically around 90% unhappy, 10% happy."

I've been reading Mozilla's bug system for 17 years and the bug numbers keep going up. That can't be a good sign.</sarcasm>

It's disappointing to see Mozilla's leadership respond with sarcasm and denial when faced with the fact that 80% or more of their users are not happy with recent versions of Firefox.

That should be 80% of the users who have some reason to be poking around in Firefox's Help menu and are motivated enough to click "Submit Feedback". That group does not include many people who have a perfectly good experience with Firefox.

You know, there was something beautiful about users being able to pick up a tutorial and extend their browsers, if they wanted. There was something very empowering about being able to write extensions even in a corporate environment.

I've written Firefox extensions for personal and business use, and Mozilla are preventing that from ever happening again. Why? Cui bono?

I'll mention, again, that they completely broke the security of Firefox Sync: it's no longer a trustworthy place to store passwords. Why? Cui bono?

Didn't Chrome take this same approach? I suspect that if multiple major browser vendors are pursuing it, it's probably to address some issue. It's not like Mozilla just thought, "let's limit people more, that will make them happy." This doesn't make it the right approach, but it does make it understandable.

So I suspect it's to the benefit of the "average user" if that's what you are asking.

I'm going to step outside of HN for a minute and say that in my work I work with people who rely on the Internet, but have no concept, and I mean none, how it works. They do not understand that when they create a Yahoo email account that no one can help them when they forget their password. They do not understand that if you type "yaho com" that you are not going to get anywhere (until auto search came along, that is). I've come to realize that Internet safety is not a simple set of rules, it's a complex understanding of the whole ecosystem that can't be readily taught in the time I have with these users (and never taught to some). I can't explain why I click on links in some emails and not others, so I just say "don't click on links". I can't explain why you shouldn't use the same password everywhere to someone who needs to reset their password literally every time they log on, so I just tell them to use the one their friend or child has written down for them. It's terrible, but I get it when vendors draw a line in the sand and say "this is to protect those users."

That said, as a user who does understand, there's an element of frustration. Hopefully they bury an override option somewhere, or maybe just add it to their ESR but I doubt I would ever use it.

So much for beta-testing your extension prior to release. It's already hard to get users involved, now they just can't.

Or using any other channel to get your extension.

!Thanks Mozilla, really.

If your extension has been fully reviewed by AMO, you can upload beta versions that only have to pass the automated signing review to be posted to AMO.

Please don't assume all extensions have a reason to be on AMO. There are plenty of extensions which are developed in-house for in-house use only.

Also, as a developer, I never cared to run the "nightlies": I don't want an unstable browser, and I don't want fancy new features. I always ran the stock version, also to ensure compatibility with the user base, and never needed anything else.

Maybe Mozilla should also remove the developer tools from the stock version, because clearly it's too dangerous in the hand of people that could cut&paste code with full privileges into it, and it's only a keystroke away!

This is a giant slap in the face, frankly.

I don't see a difference between a walled garden such as google play and this.

I gave Mozilla money back in the day when they asked for donations in the beginning to be on that full-page NY Times ad.

I wonder if I can have a refund? I'm very disappointed in how Firefox has aged.

Mozilla is doing everything to stop people using their browser.

And instead people are going to use what?

Not sure yet, but as soon as there's something I'm making the switch.

Too many extensions are required to try to make Firefox into something usable, mainly reverting changes or fixing broken or missing features: ad blocking, sidebar, download manager, bringing back the add on bar, putting back the ability to disable javascript, session manager, cookie manager, ability to take screenshots, mouse gestures, tab manager, …

