> So what happens if gorhill's account is hacked or he gets tired of working on the extension and sells it to the highest bidder?
Approximately the same as would happen if the developer of a traditional Windows* application were hacked or sold out, except less serious, since they wouldn't have access to the underlying filesystem. It's not a non-existent risk, but it is a trade-off I and many other people want to be able to make. uBlock Origin being FOSS and popular considerably mitigates the risks. (Not to mention that I trust gorhill not to sell out...)
* or Linux (except that in Linux most software is distributed via repositories, which lessens the risks, somewhat; OTOH uBlock origin is also available via the repositories, for instance on Debian[0] and Ubuntu[1]). I'm not sure about sandboxing on MacOS.
> (Not to mention that I trust gorhill not to sell out...)
Gorhill has already once given the extension away to a person who turned out to be untrustworthy! That fiasco is why we're all using uBlock Origin rather than uBlock, after all. Granted it wasn't for a financial motive, but the outcome was the same.
> we're all using uBlock Origin rather than uBlock
This says it all. Were any users actually harmed? Where's the harm to justify the destruction of blocking abilities? It's ironic to cite uBlock Origin to try to argue that uBlock Origin should not exist, which is the endgame of Manifest v3.
Any software whatsoever can change hands. Salesforce just bought Slack. Is that an argument to hobble or eliminate Slack? No. Oracle acquired Java. Facebook acquired Instagram. The list is endless, and there's nothing special about extensions here that justifies special treatment or punishment.
I've said nothing about manifest v3, or that uBlock Origin should not exist. The OP said that they trusted gorhill. I pointed out that gorhill already did exactly this once. It is not a hypothetical.
That said, it looks like 800k users still have the original uBlock installed. And also, uBlock Origin is blocking ublock.org on the basis of it being malware. Are you saying it's not actually a malware risk, and it's really on Origin's blocklist for some totally unrelated reason?
> uBlock Origin is blocking ublock.org on the basis of it being malware. Are you saying it's not actually a malware risk, and it's really on Origin's blocklist for some totally unrelated reason?
We don't have to speculate. The reason is right here, and it's not because of malware.
If it were malware, then why would it still be in the Chrome Web Store? Google reviews every extension update, and also has the power to remove extensions from the store, regardless of Manifest v3.
It's also important to note that Manifest v3 only affects the content blocking capability of extensions. Extensions that are not content blockers still have extremely powerful capabilities that could be abused to capture user data or otherwise do harm. And those extensions can change ownership too. Manifest v3 is not even remotely close to a solution to this general problem.
This is what uBlock Origin tells me when I try to visit the ublock.org page: "Found in: uBlock filters – Badware risks".
To repeat: I am not talking about Manifest v3. I was commenting on how ridiculous it is to say that we trust X to not do Y, when X already did Y once before.
Well, that seems to be more the result of a personal grudge by gorhill than anything else. He didn't like that ublock.org was soliciting donations. uBlock isn't literally malware or much different from many other ad blockers out there.
To be clear though, gorhill didn't "sell out". He got tired of answering support requests, so he turned the repository over to someone else. To be sure, his trust in that other person was misplaced. But in response, gorhill didn't sit idly by, he forked uBlock into uBlock Origin. All of this was done for free, with no compensation for work.
It's not a personal grudge, and I am not the one who added that filter in the first place[1], though I did not oppose the filter because I have come across numerous instances of people thinking that ublock.org was related to uBO[2].
Thanks for the clarification, and sorry about the misunderstanding!
My overall point is that policing the Chrome Web Store, which is Google's responsibility, is a separate issue and not necessarily relevant to Manifest v3. If there were a malware extension in the Chrome Web Store today with 800K users, then Google ought to remove it today and doesn't need to wait for Manifest v3 for that. In fact, Google seems to indicate that v2 will continue to be supported for at least a year, so extensions using that API will continue to be in the Chrome Web Store for quite some time.
The whole issue of transfer of ownership of extensions is a red herring as far as Manifest v3 is concerned.
Just for accuracy purpose, I never transferred ownership of the extension in the Chrome and Opera stores -- I considered this would be a breach of trust. The extension in Mozilla's AMO was not handled by me at the time.
Approximately the same as would happen if the developer of a traditional Windows* application were hacked or sold out, except less serious, since they wouldn't have access to the underlying filesystem. It's not a non-existent risk, but it is a trade-off I and many other people want to be able to make. uBlock Origin being FOSS and popular considerably mitigates the risks. (Not to mention that I trust gorhill not to sell out...)
* or Linux (except that in Linux most software is distributed via repositories, which lessens the risks, somewhat; OTOH uBlock origin is also available via the repositories, for instance on Debian[0] and Ubuntu[1]). I'm not sure about sandboxing on MacOS.
[0] https://packages.debian.org/stretch/webext-ublock-origin
[1] https://packages.ubuntu.com/search?keywords=webext-ublock-or...