Stylus: Broken links to install Chrome extension (github.com)
87 points by seanwilson 4 months ago | hide | past | favorite | 27 comments



The fundamental problem with all app stores is that they're a monopoly. Google and Apple can decide whatever they want because both users and producers/developers don't have good options for distribution channels.

Whenever you complain about "discoverability", arbitrary rules or opaque processes without appeals you are really complaining about a monopoly that has power to do whatever they want to do.

Yes, I am aware about sideloading apps in some platforms. But in practice they don't really provide too much of an alternative.

There have been talks about splitting the appstores from the companies that make the platforms (Elizabeth Warren proposed it). It follows some of the arguments that forced the splitting of the Bell System into AT&T and baby bells or the breakup of Standard Oil.

Appstores are part of a walled garden protected by a moat called network effect.

Edit: the main justification for app stores has been security. It is a false justification, a smoke screen. There are alternative ways to avoid malware, e.g. sandboxing, virtualization, containers or signed apps. Using these techniques, Microsoft has been quite successful at avoiding malware in Windows 10 from outside their Windows Store. The real reason Apple & Google want their stores is to maintain control, to keep their moat deep and wide.


Just the fact that they call it "side loading" shows it's a monopoly. They discourage any installation outside their walled garden because they know that if users have an alternative like they do on PC, their walled garden is doomed to fail, they could never sustain a real competition.


> They discourage any installation outside their walled garden because they know that if users have an alternative like they do on PC, their walled garden is doomed to fail, they could never sustain a real competition.

Not that I disagree that the Apple and Google app stores are monopolies, but, as a counterexample to "doomed to fail", I would almost never install a Firefox extension from outside addons.mozilla.org, even though it's just an extra click or two to do so—the security trade-off is just too great.


I have done it a few times myself; I just looked at the website to be sure I'm installing the right one.

I don't think stores provide any security guarantee anyway: anything you can do with an app installed outside the store, you can also do with an app inside the store. The security is provided by the sandboxing capabilities and the permissions, not the store.


> I don't think stores provide any security guarantee anyway: anything you can do with an app installed outside the store, you can also do with an app inside the store. The security is provided by the sandboxing capabilities and the permissions, not the store.

In Firefox's case they also have a "Recommended Extensions Program" with more thorough security review by Mozilla. All of the extensions I use (Stylus among them) are in this category.

https://support.mozilla.org/en-US/kb/recommended-extensions-...


> I have done it a few times myself, I just looked at the website to be sure I'm installing the right one.

I don't claim no-one wouldn't, just that I wouldn't—and I'm a moderately techie type.

> I don't think stores provide any security guarantee anyway, anything you can do with an app outside the store, you could do it with an app inside the store.

Certainly the mere act of being in the 'store' itself does nothing, but I trust Mozilla's review process (certainly more than Apple's or Google's) to screen out some of the obvious security flags that I wouldn't, or couldn't be bothered to, notice.


It depends what we are talking about: if it's unintentional security issues, the store review is good for that. If the author is trying to put malware in the extension, you have so many ways to hide it that it's pretty much guaranteed they won't catch it. That's why I trust much more the sandboxing capabilities than the store review.


> That's why I trust much more the sandboxing capabilities than the store review.

Nobody has found a decent way to do fine-grained permissions for extensions yet, and it's made much harder (compared to, say, mobile apps) when many extensions need to read/modify data on any web domain.

The ominous "Access your data on all web sites" permission is required by uBlock, for example, because there's nothing more fine-grained that will let it block the network requests it's checking for.


Also see the Chrome extension forum for daily posts like this about the review process from worried and confused developers of other extensions:

https://groups.google.com/a/chromium.org/forum/#!forum/chrom...

- Developers of established extensions are having to wait weeks for both small updates and critical fixes to be accepted (up to 3 weeks is cited as expected from Google) e.g. https://groups.google.com/a/chromium.org/forum/#!topic/chrom...

- Extensions are being removed from the store for vague reasons with no human support answering e.g. https://groups.google.com/a/chromium.org/forum/#!topic/chrom...

- Once an update is in the review queue you can't cancel or replace it, schedule when it can go live or revert to a previous version e.g. https://groups.google.com/a/chromium.org/forum/#!topic/chrom...

Can anyone within Google escalate this and give a roadmap for how this situation will be improved?

Chrome extension updates used to take hours at most to be live on the store. Having to wait weeks for critical bug fixes to go live and having extensions taken down unpredictably is creating a horrible experience for developers, including those that work on paid extensions with customers. It feels like nobody is listening to us.


>Can anyone within Google escalate this and give a roadmap for how this situation will be improved?

The impassable robotic wall lacking any semblance of human response seems to be the desired customer service approach across all of Google. That is, this is by design for them; a feature, and not a problem to solve.


1. Be famous. 2. Tweet at Google. 3. Hope it winds up on Hacker News. 4. Issue resolution.


This resonates with my story. Chrome Web Store has been a nightmare to work with for me as a developer! I have had the same extended review periods, and automated answers pretending they come from a real human, when trying to publish updates for my dezoomify browser extension [1]. The facts that you have no visibility on when your extension is going to be published, no possibility to cancel a submission, and that no update is allowed during the long review process combine to make Chrome Web Store thousands of times worse than addons.mozilla.org.

Here is the exact message I received from them:

Hello <my first name>,

Thank you for reaching out to us and my apologies for the delay in getting back to you. I understand that it is taking a while for the review to be completed and approved. Please note that both new item submissions as well as updates to existing items are subject to automated system checks and may be flagged for manual review. Review times vary; some reviews complete in a few hours, others take many days, and in some cases a review can take several weeks, depending on the review complexity of each item. However, to ensure that this issue doesn't happen again, please make as much of your code visible in the package as you can. If some of your app's logic is hidden and it appears to be suspicious, it may trigger the manual review.

This documentation will be helpful to get an understanding of what items our review team considers for manual review.

Please let me know if there is anything else I can help you with.

Did you receive the same message?

[1] https://chrome.google.com/webstore/detail/dezoomify/iapjjopj...


Slightly orthogonal to this, but I feel like extension store vendors should create some sort of open standard to let the community check the source code and verify that the code in the source repo is the same as what was uploaded to the extension store. It could work like this:

- source code must be in a public git repo (GitHub, GitLab, etc.)

- some config file is inside the repo which describes how the extension is built

- the store in question either builds and uploads the extension itself via the config file, or at least verifies that the submitted file is identical to the output of the build (the upload needs to provide the name of the git tag/sha1 used for the build)

- (some Travis CI/Circle CI integration could be used for the above, perhaps)

- if the verification is fine, the store displays a badge "verified open source build" (wording to be decided) + a link to the given git tag

- the "verify open source build" option works like 2FA: once the extension author enables it, they can't disable it later

- once uploaded, there's a regular check (nightly? weekly?) that the git repo is still up and the latest used git tag still exists and points to the same sha1, and that the commit pointed to by the git tag is merged into `master`

It doesn't solve the issue of blatantly malicious extensions, but it prevents good ones from becoming malicious (or makes it harder), e.g. after a change of owner, and hopefully shortens review times for those extensions' updates.

The problem is that extension stores don't care if extensions are open source or not. Probably most are not.
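An added example (not the commenter's code, nor any store's real tooling) of the verification step in this proposal: hash every file the reproducible build produced and every file in the uploaded zip, then report what is missing, extra or changed. Hashing file contents rather than the zip itself ignores timestamps and entry order, which differ between otherwise identical builds; the build directory, the sample files and the tampered upload are constructed here, and a real store would first check out the named git tag and run the configured build.

```python
import hashlib, io, os, tempfile, zipfile

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def manifest_from_dir(build_dir):
    """Relative path -> sha256 for every file the build produced."""
    out = {}
    for root, _dirs, files in os.walk(build_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, build_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                out[rel] = sha256_hex(fh.read())
    return out

def manifest_from_zip(zip_bytes):
    """Same mapping for the upload (a plain zip, which is what developers submit)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: sha256_hex(zf.read(i)) for i in zf.infolist() if not i.is_dir()}

def compare(build, upload):
    """The three ways an upload can diverge from its claimed source build."""
    return {"missing": sorted(set(build) - set(upload)),  # built, but absent from the upload
            "extra": sorted(set(upload) - set(build)),    # uploaded, but never produced by the build
            "changed": sorted(p for p in build.keys() & upload.keys() if build[p] != upload[p])}

def verify(build_dir, zip_bytes):
    """True only when every file matches and nothing was added or dropped."""
    return not any(compare(manifest_from_dir(build_dir), manifest_from_zip(zip_bytes)).values())

def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed demo build output: the two files a minimal extension build would emit.
DEMO_BUILD = {"manifest.json": b'{"name": "demo", "version": "1.0"}',
              "background.js": b"console.log('hello');"}

def demo():
    """An honest upload verifies; one altered after the build is reported file by file."""
    altered = {**DEMO_BUILD, "background.js": b"// edited after the build", "extra.js": b"// not in the repo"}
    with tempfile.TemporaryDirectory() as build_dir:
        for name, data in DEMO_BUILD.items():
            with open(os.path.join(build_dir, name), "wb") as fh:
                fh.write(data)
        return (verify(build_dir, make_zip(DEMO_BUILD)),
                compare(manifest_from_dir(build_dir), manifest_from_zip(make_zip(altered))))
```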


> source code must be in a public git repo (github, gitlab etc.)

>

> some config file is inside the repo which describes how the extension is built

There is an extension which lets you review the code of other extensions, CRX Viewer [1]. You just need to visit an extension's installation page and the CRX Viewer icon becomes available. You can beautify the code, search for a string/regex through all files, etc.

* * *

[1] https://github.com/Rob--W/crxviewer


Well, technically anyone can access the source of Chrome/Firefox extensions.

They're just zipped files with JavaScript & HTML content.


Yes, but you then need to unzip it, perhaps unminify the code, find the GitHub repo yourself, and diff all the stuff manually.

If the extension is complex and the original source undergoes a massive, complex build step, making sure that the final bundle is functionally the same as the code on GitHub is work few people want to do.

I don't want to do it (especially not for every update), hence I don't install extensions except absolutely necessary ones.

If I had more trust in this, I'd be more keen to install niche extensions.


For what it's worth, you can install a Chrome extension into a Chrome profile that is different from your regular one to isolate it from your data. For example, I have one Chrome profile I use for web development (where lots of development extensions need wide-ranging permissions) and another for personal email + banking.


Nowadays, the JavaScript files often come minified, as the result of a build process. I think only the original files used for compilation can be considered the "source" of the extension.


Slightly off-topic: Is there a large marketplace site for Chrome extensions that are, and are NOT, in the official Chrome store? Something better/easier than just trying to search through GitHub? If not, that'd be a brilliant site to spin up while all this is happening more and more. Just say "screw it" to the crazy Chrome store policies, and build something that ends up being even more "official" than theirs, that everyone uses. Or is there a reason this hasn't been done? From my understanding, Chrome can't stop any local extension from being added, right?


I'm not sure, but Chrome extensions outside of the Chrome Web Store need to be side-loaded to install, so this creates friction, and you'd miss out on the organic traffic from being in the Chrome Web Store.


That's fair, but in theory if this site was closely monitored for adware plugins, and it became popular enough, then that could be enough to mitigate traffic from the official Chrome store to this one.


Though new, there's the MS Edge Extension site. I don't expect there's much room for an additional third-party extension site in the market.



It'd be awesome if there was a decentralized marketplace of browser extensions that Google/Mozilla have censored or messed with. Developers could sign the git revision/build with their Keybase GPG key for authenticity. Users would have to install them manually, though.


Thank you for posting this. Although HN shaming is not a very good way to solve issues, in practice it works pretty well, and when you've run out of options you don't have anything to lose anyway.


Store updates without any package updates also go through the standard review process now. Why can’t this aspect be automatic? Just check for abusive text and let us publish.


Stop using Google Chrome



