Gorhill pulls uBlock Origin Lite from Firefox store (neowin.net)
475 points by croes 9 days ago | 422 comments





I manage a medium-sized browser extension at work. We also offer(ed) it on Firefox. But I have spent the past year struggling to get back into Mozilla store after a manual review. As far as I can tell, there are maybe two reviewers that are based in Europe (Romania?). The turn around time is long when I am in the US, and it has been rife with this same kind of "simple mistake" that takes 2 weeks to resolve. "You need a privacy policy"–we already have one. "You are using machine generated and minified code"–no you are looking at the built code, not the included source. "We cannot reproduce your source"-that's because you didn't follow instructions and are in the wrong directory. Very frustrating.

Similar boat. I release an extension with about 1 million installs across Chrome/Firefox/Edge for work.

Firefox (despite being the smallest usage) is utterly insane with regards to process. They demand a reproducible build, but then can't do things like install the right version of yarn (no - npm install -g yarn is not correct, our readme says it in bold like 5 times and provides the exact correct command to install the right version), or follow basic setup steps like "Use this version of node (complete with exact steps to install it and a script to automate that for them)".

God fucking help you if you try to do something completely crazy as a private company like - checks notes - use a private NPM module. Despite providing them with access on a pre-configured account, or offering to give a review account access according to Mozilla "It's too hard to use external accounts during review".

Honestly - having to interact with the browser review team is a BIG reason I no longer recommend Firefox. They're incompetent at best, and I'm fairly convinced they're just milking the google search deal income for as much as it's worth - I don't think they really want to provide an alternative and secure browser anymore.


On the flip side, having to interact with addon review has raised my confidence in the browser. The steps they take to review, while not perfect, seem like they could weed out a lot of potential garbage and malware. I was expecting a much more minimal review process, which would have raised my fear about the extensions I use and set to auto-update.

Reproducible builds and open source sounds like a good thing.

I wouldn’t expect the reviewers to deal with every add-on's bespoke snowflake build. Even less so if it requires access to a private module. Mozilla should provide a baseline of how a build is intended to be done, then extensions just have to follow this template. Though yes, you would expect them to have some familiarity with basic stuff like yarn and that the baseline supports a few of the most popular builders.


We use a relatively simple build. At the base of it, if you have node and npm, a complete build is as easy as

yarn npm login

yarn --immutable

yarn build

Personally - I don't really find it reasonable to place demands on build tooling for an external company.

I'm assuming you would also find it reasonable for Google to suddenly ship chromium with a requirement that you use "google-pack" for all js builds or they don't run it?

To be entirely blunt, what exactly do you think is going to change when we're already giving them bare JS? It's not like we're shipping a binary blob here, we're literally handing them a zip file with perfectly fine & inspectable javascript inside it.

Further, do you realistically believe that a single low grade QA/Support engineer who can't even install the correct tooling is going to catch malware?

Because I read their matrix chats and I can fucking promise they aren't catching the malware all that fast....


> I don't really find it reasonable to place demands on build tooling for an external company.

I'm not sure I agree, plenty of OS distributions do this. If you want to distribute on Arch in the official AUR you're going to need a PKGBUILD file. The difference though is they make it very easy to integrate custom distribution channels where you can build the package however you want, and I would really love to see browsers move more in that direction. Requiring centrally managed signatures from a corporation to install extensions in a purportedly open and community-driven product is just absurd to me.


> I'm not sure I agree, plenty of OS distributions do this. If you want to distribute on Arch in the official AUR you're going to need a PKGBUILD file.

This is fine. This is actually also roughly in line with what you need for an extension (a manifest.json file).

What the poster here is proposing is rather this: You cannot build that PKGBUILD file using any tooling other than the standard. Ex - you want to script how that PKGBUILD file gets made? Fuck off, not allowed.

That's a COMPLETELY different take. It's not dictating limitations on the output (which I find reasonable as a required integration between products) it's dictating limitations on how a company produces that output (I find this monopoly behavior, why should they get to tell me what tools or processes to use? My output is the SAME.).


Docker

It seems reasonable that they'd have a requirement there's a single file they'll run, maybe even with a predetermined name like ./build, and that's it.

The developer can then juggle all their dependencies and run make/yarn/npm/etc within that. It's really not different from having a CI build script.


> I'm fairly convinced they're just milking the google search deal income for as much as it's worth

That's exactly what the ex-McKinsey C-suite are doing. Regular employee talent suffers because of it, as you've found.


This is exactly what the review process for the Play Store is like, even worse for Google TV apps. Often times just re-submitting multiple times without changing anything at all will get it pushed through.

Yeah but despite how much HN hates Google everyone here will do whatever it takes to get on their app store. Google has the power to make the entire industry their bitch.

Mozilla not so much.


So much this. Mozilla barely breaks 10k installs out of our total 1million installed base.

We had a really frank internal discussion about just dropping support for Mozilla because their review process is also the most expensive out of every client we currently ship (And not "reasonable expensive"... Useless time sink expensive, back and forths with folks who I would frankly not hire as a junior because they can't read a readme file and follow basic and clear instructions.)

They are acting like they have the position to demand these reviews... and they just don't.

Good devs just leave because they're a waste of time and money, and they're STILL rampant with malware on their store (Mozilla is literally the only one of the major vendors that will make a listing live with no vetting, and then 4 months later yank it because of "problems"...).

It doesn't make me feel secure, it makes me feel like they're trying to market security. It makes me really dislike mozilla, and firefox was a formative part of my tech career early.


I totally understand if it isn't your hobby supporting Firefox doesn't make sense.

This sounds super frustrating, as someone who has an idea or two for browser extensions I'm not looking forward to all the bureaucracy. I actually love the idea of requiring and validating reproducible builds but they really should invest in reviewers competent enough to manage that.

I do have half an idea to deal with it that I plan to try, thought it might be helpful to suggest: implement a Fisher-Price build system that checks and automates every single step and cannot go wrong. Ideally if the reviewers can run Docker, do it all in a container. Wrap package.json scripts with functions to validate the build environment before proceeding and either fix it automatically or fail and print clear instructions to the console. A preinstall hook could verify they have proper NPM auth and prompt for it if needed.

Annoying to have to do that at all though. I'm starting to come to similar conclusions on Firefox, using it currently but I've been thinking about jumping ship for a while. What browser would you recommend now? I wanted to get away from Google but I'm considering just Chromium since any remotely comparable options I've found are poorly thought out wrappers of it.


> ... it might be helpful to suggest: implement a Fisher-Price build system that checks and automates every single step and cannot go wrong...

Programming is a race between the programmers, trying to build better, idiot-proof software, and the Universe, trying to build better idiots. Do not underestimate the Universe.


You really feel this in UI design and it’s hard to get the balance right.

They should switch to an fdroid like model that does public builds on cloud infra.

It sounds like they are doing their job attempting to review random code from strangers to be honest.

Honestly I have to side with Mozilla team here. Kudos to them for trying to actually care about security and privacy. I can imagine the nightmare that people are submitting and trying to recheck everything and build those random extensions with private npm repos and whatnot.

It’s funny to think of Mozilla like landed gentry where they have captured serfs (their users) and get a payout from the king (Google) for their loyalty and support.

> We cannot reproduce your source

This is the biggest issue we had, and we had to add a decent bit of complexity to our builds to support reproducible builds in the exact way they want. But the silly part is that our extension involves building a wasm file from Rust, and after some back and forth it turned out that they don't require it to be reproducible (despite being core of our extension and containing 99% of our logic), which honestly feels like it defeats the point - who cares if JS reproduces if you can hide any arbitrary possibly-malicious code in wasm.

For a while we were seriously considering putting our prebuilt wasm in the source package or on npm, just to make the "reproducible build" on AMO side simpler, despite this making it even further from how it's actually built.


What kind of harmful code could you put in WASM? You could return a string that you eval on the javascript side, so the reviewers could possibly ask for the WASM source if they saw the eval, but other than that the purpose of WASM is to be a safe sandbox after all, right?

I'm not familiar with the security guarantees of WASM in the browser but I imagine they're more along the lines of preventing data exfiltration from the browser/OS, it would be difficult to prevent something like abusing your CPU resources to mine Bitcoin in the background for example.

One way to protect yourself from bitcoin mining is to not give a WASM program both an access to get incoming data and send data both into a 3rd party server. Another possibility is to threshold computation power on the WASM interpreter so that there's a limit of opcodes processed.

Every time I hear about the review processes for browser extensions I'm shocked that it involves humans having to read your README and manually plumb together the build process. Sometimes I hear that reviewers are even reusing VMs when doing reviews, or even not using VMs at all. I'd have expected the review form to have a textbox where you paste your git link and a well-documented automated pipeline that stands up a specified VM with a specified amount of RAM and disk, clones the git, descends into it, and executes `docker build -f ./docker/review/Dockerfile .`. I'm surprised that the reviewers themselves haven't outright demanded such tooling from their larger organization, just as a matter of job satisfaction - I can't imagine all the abuse they get from angry app owners.

Browser extensions really seem like they're slowly failing and just not supported. Kinda like PWAs.

I want to write a chat program, but it has to work on phones, and the DevEx for native phone frameworks compared to desktop apps looks like hell, and PWAs seem to be barely supported.

It's easier than ever to make a CLI or desktop app, but phones seem like the worst of all Microsoft dev history - Learn these arcane lifecycle vocab words that make no sense, like using Win32 directly, but also it changes every year or two like when MS invents a new GUI framework, but also if you can't get into The Store, nobody but your power user friends will be able to run your app anyway. What is this shit?


Someone will come up with a solution that is utterly ingenious. Like the ability to install a plugin without third party intervention with a single click.

>Browser extensions really seem like they're slowly failing and just not supported. Kinda like PWAs.

Ya, totally!

lmao

ublock origin has 8mil users on Firefox alone.


I don't think OP means for the lack of need or popularity, more so because vendors and platforms do not want them to be.

Yeah especially with Mozilla's new focus on promoting less-tracked advertising with their anonym acquisition. Ublock origin of course hampers those efforts. I wouldn't be surprised if they want it gone just like Google does.

The problem is - I can switch the browser and not even notice. But give me one without uBO and I will switch immediately.

Also had these issues when working on my previous job's extension. The Firefox review process was a real nightmare to work with. Same heavy delays and misunderstandings you mentioned. Eventually the company just stopped updating the Firefox extension as often since usage was low and the review process was such a pain. Unfortunate for me, as the only engineer (maybe employee) at that company that used Firefox.

Same here. We even had a special "mini" Firefox version that didn't require any additional Javascript build step, to make the review easy. But there were so many issues with the review and so few users that we just decided to give up.

The whole extension change Mozilla forced on Firefox seems like some sort of sabotage.

Mozilla sneaking in more and more spyware and ad friendly functionality seems in line with the same conspirators.

And given how high profile all these changes are, it runs to the top of the company.


So, which browser are you using?

Firefox... I wont give up on them just yet :)

The problem with these types of things is that the people who are qualified to do good reviews are also the sort of people who can typically get a far more interesting job building stuff, rather than just reviewing code. It's work that does require a certain level of skill, but at the same time is also quite boring.

And that more interesting job will probably pay better as well.


I'd rather hire a senior dev as a reviewer and a mid dev as the coder at a company. Pay the reviewer more since they will be dealing with shit practices and having to train the dev.

Not only that, but properly reviewing code would take forever. Heck I don't know how many senior engineers at my fancy tech company could do it and reliably spot problems.

I think that is one way that “tragedy of commons”.

> that's because you didn't follow instructions and are in the wrong directory.

You just need to have a shell script in the root directory that assumes the person running it has 0 clue about your extension.

Also some of this reminds me of Apple. They clear something up, then bring it up again the next time review is needed.


Even this we had issues with - we wrapped the entire build environment and script in a dockerfile, but depending on system configuration you may or may not have to run docker with sudo - it just so happened that reviewer's environment required it, while ours didn't, and the reviewer needed specific instructions on what to do in this case.

Another time, they failed the review because the reviewer's VM _ran out of disk space_ (which we only learned after digging into the issue, as the first report just mentioned "build errors"; according to later inquiries the VM had ~9GB available) and we had to add some extra build logic to delete intermediate files, just for them. The build is quite large because it involves rust->wasm compilation, but I'd still expect the reviewer's machine to have a bit more space...


Simeon from the Firefox Add-ons team here. Sorry about the rocky experience. I realize this is a bit late for your situation, but earlier this year the source code submission docs were updated with information about the default reviewer build environment[1].

It's not a huge improvement, but it sounds like one thing we could do to improve the communications process around build errors is to include a link to this documentation in the notification email sent to developers. I'll create a ticket for this now.

[1]: https://extensionworkshop.com/documentation/publish/source-c...


Everything described here sounds like your team, your extension, and your software development process are the problem. Demanding >9GB of disk space to build a browser extension is capital F, capital I Fucking Insane. Go yell at the Rust folks about their shitty toolchain and your engineering lead for buying into it instead of blaming people who have enough problems as it is just coming into contact with the quagmire you described.

The 9GB limit was not just the Rust stuff, that was for the entire docker environment with compiler, JRE, node, wasm toolkit, typescript, webpack etc. Yes, we need all of these to make a "true" reproducible build from scratch.

> to build a browser extension

It shares 99% of code with a desktop application; you can compile it to wasm while preserving most features. The extension wraps the wasm.

For reference, when making a single clean build, the `target/` dir reaches 700MB.


> The 9GB limit was not just the Rust stuff, that was for the entire docker environment with compiler, JRE, node, wasm toolkit, typescript, webpack etc.

None of this is surprising or exculpatory. Demanding >9GB of disk space to build a browser extension is insane.

> we need all of these to make a "true" reproducible build from scratch

You need them to reproduce your build. You definitely don't need all of them to build what you're building.


You certainly are confident that you know more about GP's situation than they do.

When you took your desktop app and built a browser extension version, did you really rewrite the entire app in vanilla JavaScript just for the Mozilla review team as you seem to be expecting GP to have done? How long did it take you? What sort of opportunity cost was there from investing your time on that instead of adding value to your product?


For someone who opened their post with a first sentence like that, you're making a lot of (bad) assumptions on your end; most of your questions are unanswerable or have answers that you are clearly expecting to go the other way.

Demanding >9GB of disk space to build a browser extension is insane.


Thank you for setting such a good example. If I were you, I don't know that I could have given such a good and dispassionate reply to such an arrogant, overconfident, and rude comment as you did. Your comments are not only technically interesting, but also epitomize what a healthy online community should be. Thank you for doing what you do!

> that assumes the person running it has 0 clue about your extension.

I would tend to assume that a person given responsibility for reviewing this software, supposedly to protect end users, would not be this clueless.

What value is the "Firefox Store" actually offering then?


> What value is the "Firefox Store" actually offering then?

That anyone dumber than such a reviewer cannot sneak malicious extensions in.

Which, sadly, is probably a non-trivial number of submissions.


> That anyone dumber than such a reviewer cannot sneak malicious extensions in.

Although people smarter than such a reviewer are free to? What kind of standard is that?

> Which, sadly, is probably a non-trivial number of submissions.

Then they're not, as an organization, actually capable of doing what they're promising here. There are more ways to get this wrong than to get it right, and borrowing the Google strategy of just not caring about your end users seems completely inappropriate for a non-profit like Mozilla.


> What kind of standard is that?

That's the standard of all curated stores.

We can argue about whether Mozilla's reviewer skillset is too low, but there's always going to be someone smarter than a reviewer, when reviewing is a cost center that companies want to spend the minimum amount of money on.


> That's the standard of all curated stores.

This seems to ignore how boutique stores and high end retail operates. This is the standard of rent seeking middlemen stores. You still haven't answered why this model is appropriate for Firefox.

> We can argue about whether Mozilla's reviewer skillset is too low

We're not. I'm pointing out how simply taking the opposing view reveals that your reasoning could not possibly be correct.

> reviewing is a cost center that companies want to spend the minimum amount of money on.

Which is weird because I assumed the cost of re-creating the plugin yourself would be much higher than that. It's almost like continual failure of these simplistic analyses reveal that a broader examination is required.


You think the best analogy for the Firefox extension store is boutique brick and mortar retail?

A minimal cost reviewer model isn't appropriate to Firefox.

But, example counterargument as to why it might be: Firefox needs to ensure they don't open themselves up to liability but doesn't want to fully fund/staff a review team.


It could be $0, volunteer labor. I doubt it’s a paid position.

> I would tend to assume that a person given responsibility for reviewing this software, supposedly to protect end users, would not be this clueless.

would you do that job 8+ hours a day for little pay?


Would you run a foundation that forces its users to be dependent on such a job?

Y'all are putting the cart before the horse. I'm not being critical of the reviewer but of the large non profit organization that is responsible for creating this failure. Which apparently only exists to pantomime what the for profit players have built and is unsurprisingly equally wasteful of open source developers' time and skill set.

Why does Firefox even need a curated "store?" They could have built anything better. I'm sure they were paid, er given "donations," that ensured they would never try. And from what everyone has been saying here those donations got exactly what they were intended to get.

Even Hacker News seems to unquestioningly assume this is a rational way to manage an open source plugin ecosystem. That this is the fault of the plugin author somehow or the store reviewer somehow. It's really disappointing to see.


That's not just mozilla. Google's review team all are in India and they cannot write clear English. It's a mess.

>Google's review team all are in India and they cannot write clear English.

Which is ironic considering the reason they went to India and not other countries with cheap labor is that English is an official language there.


The problem is that the set of "Indians who can speak fluent English" and the set of "Indians who will work for the absolute lowest bid" are exclusive. And I don't blame them, really.

These execs mistake "English is an official language" for "English is a widespread first language". Only 0.02% of Indians speak English as their first language, while total speakers (of first, second, or third language) are 10.6% of the population.[0]

[0] https://en.wikipedia.org/wiki/Languages_of_India#Multilingua...


Also don't forget it's an Indian dialect of English, with words and usages of English words that don't exist elsewhere in the world.

Indian dialect is derived from the colonial English. So, a lot of words and usage can be found in British English.

I don't think that most of Brits are "doing the needful". Indian English has plenty of expressions that are exclusive to India.

Pretty sure "why did you redeem it?!" is a British English slang from the victorian era :)

While English is not a first language for the vast majority, it is used a lot in daily life because the native languages vary wildly by area and nobody understands them all. English is the common denominator, not just for communicating with foreigners but also to other Indians from other areas.

The focus on primary language makes it seem less used than it actually is.


The last time I had realistic numbers, an outsourced engineer in India cost a bit more than a comparable one in the Midwestern US.

I’d guess they’re more expensive now, despite the obvious timezone problems.


omg I work with some Indian people since 2000, and I can only understand about 80% of what ONE OF THEM says, the others less than 60%. :(

Also Apple and Meta. It's awful dealing with infallible gatekeepers.

Why make such a generalized statement?

I had these issues too a few years ago. Now the review time is shorter than Chrome’s and hasn’t been flagged in a few years. However my extension has about 10k users, if that makes any difference.

this seems like the kind of place where user-based reviews would be more efficient, better, and more open

having the makers of a browser do this is bound to create both efficiency and political problems for extensions. im remembering dissenter now


That's interesting to hear. Do you also offer your extension on the chrome store? How did the review process differ? I ask because I've only published on the chrome store in the past.

The reproducible build requirement seems to be a major blocker for many addons, including one I use for Twitch: https://github.com/FrankerFaceZ/FrankerFaceZ/issues/1495#iss...

That sucks. I work for Mozilla, but nowhere near Addons so I don't know what pressures they're under or whatever.

But if I ran the zoo... this is gorhill we're talking about. We ought to just make him an add-on reviewer with full rights, and tell him it's ok if the only add-ons he reviews are his own. We do not need to vet either his competence or trustworthiness; we have vastly more historical data backing him up than on any contractor or employee.

He's not a one-off either. We aren't nearly as volunteer-oriented as we used to be, sadly. But we still get many and major contributions from volunteers, and at least in my team (SpiderMonkey) there's no wall between external and paid contributors. (Except for the company-wide offsites, grr...) I don't see any reason why gorhill couldn't be made a full member of the review team, not that I'd expect him to be up for it right now given what's happened.

That makes more sense to me than giving him a special pass that we could potentially give out to other people or organizations. He is a major contributor to Firefox's capability and success already, let him contribute reviews that are already a thing and provide value. (Again, only self-reviews would be just fine with me.)

Now I need to figure out who to pester on Slack.


I disagree here. You don't want to allow people to review their own code. That defeats the purpose of a review. No matter if he's a superstar, have someone else look at his code so that he doesn't get sloppy with security practices.

And if you allowed this, then more borderline superstars would want the same privilege.

In scientific publishing, even if you're the editor in chief, your paper gets reviewed by someone else and the whole decision process happens away from your eyes; this is good for science.


This sounds like a proposal to make the review process giving more weight to reputation, unlike the current process which is supposed to be entirely technical[1]. This might be a good idea, but I can see how Mozilla would get a different set of complaints about reputation not being consistently evaluated.

[1] https://wiki.mozilla.org/Add-ons/Reviewers/Guide/Reviewing


That's a fair complaint, and I definitely agree that using reputation as a factor in the decision for an individual addon is a very bad idea. But why is that? (1) Because reputation does not imply trustworthiness. Someone could build up a reputation with a set of very proper addons, and then use that reputation to sneak in problematic ones. (2) Because it's unfair special treatment. The chosen person's addons would be subject to different standards than others'.

Again, this is gorhill. People are offering authors of popular addons some mind-bendingly large sums of money to sell out. (1) does not apply: gorhill is the author of the most popular addon, which implies that he has been offered if not the most money, at least a lot more than most. And the well-known history is that someone did make money off of his original version, that someone isn't him, and in response he rebirthed the addon that he didn't particularly want to maintain. Try to find someone with a more convincing backstory.

(2) is trickier, and it's why the distinction between uBlock Origin getting a free pass and gorhill being a reviewer makes sense to me, even if it seems like I'm just obscuring influence. As a reviewer, gorhill would be expected to not just automatically approve his own addons, but to apply the agreed upon evaluation criteria. This would be a farce if his integrity were in question, but see (1). It's pretty clear to see that he is the person most qualified to make that evaluation (heck, he's already doing it before releasing; he's not new to the game), so it comes down to trust.

Sure, I am not the best person to review my own code, no matter how honest I might be. But read the Technical Code Review portion of the link above[1], since it's the only part that matters here. There are some addons where those criteria might be difficult to evaluate, but we're not talking about those. If significant code changes cause those to be less clear cut, gorhill can always pass it by another reviewer. (Yes, this again requires trust. See (1).)

Plus, you don't even have to depend on (1). People can be skeptical and double-check, and news would get out very very quickly. (Even shortcomings in areas like a reproducible build would get called out.)

I don't see this being a wide open backdoor into the process. Not many people are going to come by with the #1 installed addon, together with the history of uBlock and uBlock Origin. Sure, factoring reputation into the process is fraught with problems, but I'm not suggesting that everyone above 1M installs gets grandfathered in. This slippery slope is bone dry and covered with cobblestones.

[1] https://wiki.mozilla.org/Add-ons/Reviewers/Guide/Reviewing


People should read this when they think about AI “Alignment”

Can’t even have a singular aligned person with full confidence


off of = from

Probably a big ask, but could you find out why one is not allowed to add your own root cert to FF and sign an addon yourself, instead being forced to use an ESR/develop/nightly version and setting xpinstall.signatures.required to false, significantly reducing your security?

And, when a self-signed certificate is in use, the browser should show a prominent icon of self-configured security.

> And, when a self-signed certificate is in use, the browser should show a prominent icon of self-configured security.

..and there should of course be a way to disable that prominent icon of self-configured security.

Because Firefox, unlike most software, is designed to be a user agent.

While it may be natural for Google, for example, to constantly nag Chrome users for non-standard behaviour, Mozilla should not do the same with Firefox.


I suspect he will simmer down a bit (I do not at all blame him for what he did, it has to be frustrating to dedicate thousands of hours into something just to have some clueless person pull it). I think it will be back inside of a week, it’s important and can save battery over regular ublock origin on Firefox.

> it’s important and can save battery over regular ublock origin on Firefox

That sounds like a reason for Mozilla to simmer down and compromise, not gorhill.


They already did? In this specific context, acknowledging the mistake and reinstating the extension is materially all they can do. Maybe it is necessary to reform the extension review process, but getting UBOL back onto AMO would then just be a positive side effect of a much longer-term project.

> can save battery over regular ublock origin

Comparing battery usage for tools with wildly different capabilities does not make sense.


If I understand the timeline correctly here, it seems that gorhill overreacted, and I say that as someone who is usually harshly critical of everything Mozilla has done in the past 5+ years. It's hardly practical for Mozilla to manually review every add-on revision for safety in a timely manner, so they had the choice between automation and delays that would make add-on development a slog; automation though inevitably will cause false positives.

What's the alternative? No pre-release review at all? As a user I would hope that this will not be the case, especially now that we have confirmation that flashy supply chain attacks are being executed in the wild. In fact the review policy protects gorhill himself too, since it makes him a bit less attractive as a target for a rubberhose attack (no point in blackmailing him to put in spyware if the spyware would be caught before release).


I think it’s reasonable to expect that one of Firefox’s most popular extension publishers gets a higher tier of review service. Gorhill (and other top extension devs) are providing real value to Firefox, and have demonstrated good behavior for years.

This doesn’t mean they should get to publish whatever they want, but if a reviewer is about to reject a high profile plugin, they should get a second set of eyes on it. Which would have obviously caught the mistake here.

Feels like another “Firefox is underinvested in developer relations” story, which is surprising given how much they rely on them.

Edit: honestly the idea that gorhill doesn’t have a dedicated rep at Mozilla is baffling to me. According to their stats the extension has 8.4 million users. They should call him on the phone to let him know there’s a problem with his extension.


Firefox is a thick wrapper around the core functionality of uBlock on Android. Without uBlock, the case for using Firefox is very weak.

uBlock on Firefox pretty much is the only reason I haven't ditched Android yet

I'd go as far as to say it's my lifeline for a smartphone. Outside of sleep-or-shitposting like this, I don't use the thing.

I live as if it were a couple decades ago, working on a desktop computer. I've bought several laptops and failed to modernize. My entire life depends on the Internet and all of that, I'd prefer more distance to be honest.


Same, though I've switched to uBlock in Kiwi Browser.

I switched to ublock in orion on iOS.

The remaining problem is that iOS has subpar podcast and Bluetooth support.


This isn't about uBlock though. Just uBlock Origin Lite.

you mean, this isn't about uBlock Origin though. Just uBlock Origin Lite.

plain old uBlock is another add-on which may no longer exist. (uBlock was the original original, but the same developer, gorhill, mistakenly let it slip into the wrong hands and it became a pay-to-play leaky ad blocker)


I knew that, but the person I replied to just said uBlock. Still, good to point it out.

But this is not about a high profile plugin. The high profile plugin is "uBlock Origin", and this is about "uBlock Origin Lite", which is a big thing for Chrome, but not for Firefox. Why would anyone want to use uBOL, when they have the option to use uBO?

Perhaps Mozilla does have a higher tier of review, but it's for specific plugins, not for specific authors.


Generally, anything published by the guy who maintains your most-installed plugin is by definition high profile. That’s why we’re talking about this case on HN.

If Mozilla is providing tiered support by plugin rather than publisher, this latest kerfuffle is evidence that they should reconsider the approach. But if I were betting, I’d guess there’s no one at Mozilla whose job responsibilities include keeping their marquee plugin authors happy.


And, in contrast, that job (or parallel jobs for different 'online stores') definitely exists at Google and Microsoft. At Google, there's a whole army of open-secret glad-handers for liaising between high-profile or high-relevance Cloud customers and the development teams inside Google that work on Cloud (because sometimes a customer comes up with a novel way to use the tool that exposes the cracks in the abstraction and lets the underlying implementation leak out undesirably). Customers don't get to choose to be handled that way (though they can, of course, indirectly signal it by how much money they spend); it's Google's decision to maximize company value / security.

If it is, indeed, the case that they don't bump the entire account to a higher tier of service if one of their products justifies it, they've fundamentally conflated the technology with the humanity of the system and this is a predictable consequence.

They're the browser with 2% market share.

They're lucky he didn't also pull uBlock Origin because he felt insulted and let users figure it out. He doesn't owe Mozilla their tent-pole of "We make it harder for third-parties to track you", the tent-pole he set up for them for free.


We all agree that this case is a very bad outcome for Mozilla.

What I don't agree with, is that a system that is based on higher tiers for entire accounts, is necessarily better. If such a tier exists, then all the big players will apply pressure to be put in that tier. Suppose Amazon tries for that - surely they'll get it. And then they'll use it, not just for "the Amazon app", but for every crappy outsourced app they make for any purpose. Placing a huge burden on Mozilla, who now will have to spend extra resources to hand-check a lot of crap that could have been auto-rejected, just in case, because effectively the burden of proof has been shifted.

I'd like you all to try to abstract from this case for a second, and think about the strategic choice: Which is the better rule, evaluating apps, or evaluating accounts. Sure, now you're all thinking that you'll make a super-duper amalgam system that looks at both in some combination. That's the benefit of hindsight. But suppose you're making version 1, and you're keeping it simple. What would you start with?


> Which is the better rule, evaluating apps, or evaluating accounts

For now, evaluating apps.

... but only because gorhill decided not to go nuclear (and good on 'em for doing so). The unequal power dynamic you're painting of Amazon exists today, whether or not Amazon attempts to pressure Mozilla right now; they're at their discretion to decide that they'll only support a Firefox extension if Mozilla plays ball with a bunch of other crappy apps too (and then Mozilla can tell them to go pound sand, and then the users can't get to the Amazon app easily, and then someone writes a workaround... The human system is far, far squishier and more complicated than the technical system).

> But suppose you're making version 1, and you're keeping it simple.

Sadly, Mozilla does not have that luxury because they exist in an ecosystem of other corporations with web-store presences and it's incumbent upon them to be competitive if they want to survive in that configuration. If Google and Amazon can glad-hand high-value customers, Mozilla needs to learn how to do so also or risk those customers deciding the Mozilla ecosystem is more trouble than it's worth to participate in (because what do you get? 2% market share?).


> What I don't agree with, is that a system that is based on higher tiers for entire accounts, is necessarily better.

Almost every business looks after their biggest customer better than their smallest customer.


Sure. But now you're talking about the policy you expect, not the policy you want.

I also want Mozilla to roll out the red carpet for Gorhill. They should probably have him on payroll.

But it's the same dev who's been active for over a decade and has a solid reputation. Users rely on these extensions. Removing a popular, well established extension without warning or apparently even making sure it was in violation of said policies to begin with is irresponsible.

And the specific extension in question being a popular ad/tracker blocker while Mozilla has been cozying up to the adtech industry lately and selling access to Firefox user data isn't a good look for Mozilla. Maybe Mozilla is just being grossly mismanaged but this is all getting noticeably suspicious.


From what I remember, there are noticeable efficiency gains when using uBOL on mobile browsers.

It’s more efficient which can pay dividends in battery life on android, especially for those who have older phones.

Thanks for the info. Wikipedia describes uBOL solely as a reaction to Manifest V3, and that's what I was going by.

> But this is not about a high profile plugin. The high profile plugin is "uBlock Origin", and this is about "uBlock Origin Lite", which is a big thing for Chrome, but not for Firefox. Why would anyone want to use uBOL, when they have the option to use uBO?

uBlock Origin requires giving the extension full read and write permissions on every site you visit, which is a huge liability, security-wise.

uBlock Origin Lite uses Manifest V3, which doesn't require providing those permissions to the extension.

Perhaps you trust gorhill with that power, but it's pretty understandable why others might not want to give that power to a third party.


To have a reviewer under your employ that doesn’t know what UBO is or its dev, makes me feel pretty confident in siding with gorilla on this, but I hope that he does calm down a bit and put the extension back up.

> in siding with gorilla on this

Off topic, but this is such a funny autocomplete accident :)


I saw it after the fact, but I left it to alleviate some of the seriousness :)

I wouldn't really want to go up against King Kong

> To have a reviewer under your employ that doesn’t know what UBO is or its dev, makes me feel pretty confident in siding with gorilla on this, but I hope that he does calm down a bit and put the extension back up.

FYI, it's UBlock Origin Lite that is affected here, not UBlock Origin. Same developer account, but a tiny fraction of the installation base. I think I still have an extension that has more users than UBlock Origin Lite did on Firefox (only 5000 installations at the time it was taken down).

To be honest, neither party looks good here. It reflects poorly on Mozilla that they don't have guardrails in place to prevent adverse action on the developer account that publishes their most popular extension. Gorhill's reaction (particularly his most recent comment from an hour ago) comes off as petty and vindictive. Yes, it's his prerogative to spend his unpaid time how he wants, but expressing that sort of aggression and directing it at your users doesn't win over many allies in the long run.


I must have missed that update; I haven't seen any aggression directed at users of the plugin.

> Perhaps you trust gorhill with that power, but it's pretty understandable why others might not want to give that power to a third party.

I have been using the extension, now called ublock origin, for longer than I have been using the Firefox browser. Mozilla is the third party in this relationship.

In all those years, the extension project's principles were very strict, and the authors never disappointed. Mozilla, meanwhile, is just a constant stream of disappointments.

It's so many things, really. Magic opt-out tracking here and there, ads in new tab windows, nuking almost the entire extension ecosystem on Android for a couple of years just to grind down the user base, etc. It never ends.

You can also communicate with gorhill like a real person. Mozilla press communication is always a psychopathic mess of corporate speak. There is hardly anything in there.

I'm not even sure which project, ublock origin or Firefox, has more users by now.

My loyalties are pretty well sorted at this point.


This is exactly why Apple implemented the precursor to Chrome's v3 manifest in Safari (not to mention the performance implications).

It's a lot easier to just accuse Google of acting in bad faith, and Mozilla of being their lapdogs, and ignore any possible evidence to the contrary.


> It's a lot easier to just accuse Google of acting in bad faith, and Mozilla of being their lapdogs, and ignore any possible evidence to the contrary.

There are two issues at play here.

Manifest V3 is, undeniably, a security improvement over Manifest V2. Providing full read/write access to all websites is a huge security risk, and the fact that we're willing to do it is really a testament to how bad the state of the web is without adblockers.

However, the final standardized version of Manifest V3 limited the size of content filters - essentially, limiting the number of ad sources that you could filter. This severely limits the utility of adblocking extensions.

Mozilla responded to this by promising not to implement the cap in their implementation of Manifest V3 - ie, ignoring that part of the spec and allowing extensions to filter an unlimited number of sources in Firefox. Chrome and other browsers are sticking to the spec, though, including the cap on sources.

I believe UBlock Origin Lite is a downgrade feature-wise from UBlock Origin, but that's because it's targeting both Firefox and non-Firefox browsers. In theory, a Manifest V3 version of UBlock Origin Lite designed for Firefox could provide the same functionality as the Manifest V2 UBlock Origin.

Honestly, I hope someone (whether gorhill or someone else) takes up the mantle and does that, because there's no reason that Firefox users should have to use an adblocker with a less secure design, just because other browsers don't support it.
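The permission difference discussed in the comments above (all-sites read/write access and blocking code under Manifest V2, declarative rules under Manifest V3), as an added example that is not part of the thread: a Node.js check that reads an extension manifest and reports which of those capabilities it declares. The `auditManifest` helper and both sample manifests are constructed for illustration; they are not the real uBlock Origin or uBlock Origin Lite manifests.

```javascript
// Added example (not from the thread). Sample manifests are constructed
// for illustration; they are not the real uBO or uBOL manifests.

// Match patterns that cover every site.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// MV2 mixes API names and host match patterns in "permissions".
function isHostPattern(entry) {
  return entry === '<all_urls>' || /^(\*|https?|wss?|ftp|file):\/\//.test(entry);
}

function broadOnly(patterns) {
  return patterns.filter((p) => BROAD_PATTERNS.has(p));
}

// Report what a manifest declares about page access and request handling.
function auditManifest(manifest) {
  const mv = manifest.manifest_version;
  const perms = manifest.permissions || [];
  const optional = manifest.optional_permissions || [];
  const apis = perms.filter((p) => !isHostPattern(p));

  // Required host access: MV3 has its own key, MV2 reuses "permissions".
  const requiredHosts = mv >= 3
    ? (manifest.host_permissions || [])
    : perms.filter(isHostPattern);
  // Optional host access is requested at runtime and needs a user prompt.
  const optionalHosts = mv >= 3
    ? (manifest.optional_host_permissions || [])
    : optional.filter(isHostPattern);
  const contentMatches = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);

  const result = {
    manifestVersion: mv,
    requiredAllSites: broadOnly(requiredHosts).length > 0,
    optionalAllSites: broadOnly(optionalHosts).length > 0,
    contentScriptsAllSites: broadOnly(contentMatches).length > 0,
    blockingWebRequest: apis.includes('webRequest') && apis.includes('webRequestBlocking'),
    declarativeRules: apis.includes('declarativeNetRequest'),
    findings: [],
  };

  if (result.requiredAllSites) {
    result.findings.push('declares host access to all sites');
  }
  if (result.optionalAllSites) {
    result.findings.push('may ask for all-sites host access later (user prompt)');
  }
  if (result.contentScriptsAllSites) {
    result.findings.push('injects content scripts into all sites');
  }
  if (result.blockingWebRequest) {
    result.findings.push('blocking webRequest: extension code decides on each request');
  } else if (apis.includes('webRequest') && result.requiredAllSites) {
    result.findings.push('webRequest without blocking: can observe requests, cannot stop them');
  }
  if (result.declarativeRules) {
    result.findings.push('declarativeNetRequest: the browser applies the packaged rules');
  }
  return result;
}

// Constructed sample: an MV2-style blocker with full page access.
const MV2_SAMPLE = {
  manifest_version: 2,
  name: 'constructed MV2 blocker',
  permissions: ['storage', 'tabs', 'webRequest', 'webRequestBlocking', '<all_urls>'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['cs.js'] }],
};

// Constructed sample: an MV3-style blocker that ships declarative rules
// and keeps broad host access optional.
const MV3_SAMPLE = {
  manifest_version: 3,
  name: 'constructed MV3 blocker',
  permissions: ['declarativeNetRequest', 'storage', 'activeTab', 'scripting'],
  optional_host_permissions: ['<all_urls>'],
  declarative_net_request: {
    rule_resources: [{ id: 'default', enabled: true, path: 'rules/default.json' }],
  },
};

for (const sample of [MV2_SAMPLE, MV3_SAMPLE]) {
  const report = auditManifest(sample);
  console.log(`${sample.name} (MV${report.manifestVersion})`);
  for (const finding of report.findings) console.log(`  - ${finding}`);
}
```

To check an installed or unpacked extension, pass the parsed contents of its `manifest.json` to `auditManifest` instead of the samples.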


> Providing full read/write access to all websites is a huge security risk, and the fact that we're willing to do it is really a testament to how bad the state of the web is without adblockers.

That seems to be completely ignoring that extensions aren't just independent self-contained programs. They're intended to extend and modify the capabilities of your user agent to better suit the needs of the user. Trusting the user agent with full read/write access to the data it's fetching is fundamental to the purpose of a user agent. Sure, it's nice when you can sandbox a helper, but it's irresponsible to suggest there's anything wrong or unusual about having the kind of powerful extensions that Google doesn't want you to have.


> Sure, it's nice when you can sandbox a helper, but it's irresponsible to suggest there's anything wrong or unusual about having the kind of powerful extensions that Google doesn't want you to have.

You're arguing against a straw man here.


What's inaccurate? Do you really want to claim that Google isn't actively reducing the scope of what browser extensions can do on behalf of end users? Having security as a justification does nothing to erase the fact that they are locking down the browser platform and making some useful categories of extensions impossible.

It's not just the size of content filters. V2 had the ability to run code to block a web request before it was downloaded. V3 only gives you a (size-limited) set of declarative filters. If you want to block anything else, you'll have to do it after it has been downloaded already.

(all here is iiuc; I've never used any of these)

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...


Safari allows extensions to offer multiple block lists, each at the maximum size allowed (65k entries I think). Does manifest v3 not do the same?

Last I checked google didn't remove the read-only access to network requests in v3, so an extension that wants to track everything can still do that. It just can't block anything with custom code.

Good point, they should be on the phone: "Mr G, how can our developers help you get this extension approved?"

This developer is one of the main reasons for many people to use Firefox, especially in this current Chrome controversy of manifestV2 vs V3.

And ironically this uBOL success should be of great interest to Mozilla, because if it had gained more success than the main one, uBO, then it would be one less reason for the company to invest resources into maintaining manifestV2.


uBlock Origin is THE reason I am using Firefox Mobile. The moment it's gone - there's no sense in keeping the browser.

Mozilla knows that. Which is why they exempted Ublock Origin from their user hostile all but that one extension ban on mobile. (In practice it was a ban. I think they called it something else.)

Yeah they've repeatedly used his name in advertising Firefox Mobile.

I'm not even surprised the addon got flagged. The linked files in the Github issue all had file names insinuating a direct connection to known trackers (which, of course, uBOL is blocking). Whatever automated scanning tool Mozilla uses probably latched on to "oh this is Google Tag Manager" and issued the warning that is normally handed out to addons that do include sketchy scripts like these.

HOWEVER: the email clearly states:

> Your Extension uBlock Origin Lite was manually reviewed by the Mozilla Add-ons team in an assessment performed on our own initiative of content that was submitted to Mozilla Add-ons

Either that is a lie, or the manual reviewer that did the "review" doesn't understand that the automated tool they ran is capable of false positives.

Nothing wrong with automated abuse assessments on a platform like Mozilla's, but don't lie in your communications about it (or hire people who know what they're doing when it comes to blocking addons).


Maybe a less crappy review system at least?

"The burden is that even as a self-hosted extension, it fails to pass review at submission time, which leads to having to wait an arbitrary amount of time (time is an important factor when all the filtering rules are packaged into the extension), and once I finally receive a notification that the review cleared, I have to manually download the extension's file, rename it, then upload it to GitHub, then manually patch the update_url to point to the new version. It took 5 days after I submitted version 2024.9.12.1004 to finally be notified that the version was approved for self-hosting. As of writing, version 2024.9.22.986 has still not been approved."

Doesn't sound like something I'd enjoy as a hobby.

https://github.com/uBlockOrigin/uBOL-home/issues/197


I agree with what you say about the tradeoffs of a review process, but strongly disagree that Raymond Hill overreacted. He's a solo dev working on uBlock as a hobby who doesn't even take donations; he doesn't owe us anything. He gets to decide if the review process is frictionless enough for him to contribute his time and energy, and even though he decided it's not in this case, he made his extension open source, so anyone else is free to publish uBlock Origin Lite in his stead.

I don't think the author has overreacted, but your first paragraph doesn't seem to match the timeline, so maybe the article didn't portray it correctly. For a better understanding have a look at the Github issue: https://github.com/uBlockOrigin/uBOL-home/issues/197

It was not an automated review, it was a manual review, poorly done. The author then explains that they don't want to deal with the stress (there are also some extra explanations of what's involved in the AMO review process), and also that they left a somewhat harmful version of the plugin up. Not wanting to deal with stress is a perfectly understandable reaction.


Sometimes, people apparently forget how much of this ecosystem is built on volunteers: their time and their talent.

You can lose a volunteer army fast if you don't provide them the warm fuzzies of the experience they don't get working with a faceless corporation.


> manually review every add-on revision for safety in a timely manner

Sure, but uBlock Origin, lite or not, is one of the most important browser add-ons, if not the single most important one. This may not justify giving it a pass without looking, but it should certainly be reason enough to jump it in front of the queue and review it manually every time.


Lite is meaningless to 99% of Firefox users. The real deal is available and they aren't forced to use the inferior Chrome version.

No he did not. Mozilla is in a situation where they should bend over backwards with very popular extensions, which I believe both uBlock Origin versions must be. Ensure anything you do with them is absolutely correct.

In general quite many extensions are done for passion. And any chance of destroying that passion will make your product less desirable to work with and thus in long run less popular.


Mozilla is not a single person in a basement with a 20 year old second hand computer. They spend hundreds of millions $ per year. uBlock origin has 8+ million installs. The second extension by install count has 4 (four) times less. If anything to do with gorhill and their extensions is not priority one in their review system, then something is really wrong at Mozilla.

This was for uBlock lite, a much lesser used plugin

If they piss off a dev they risk losing all the plugins of that dev. So they must not look at uBOL, the subject of the review, but at uBO, the most popular plugin of that dev. And it turns out that it's Firefox's most popular plugin among all its plugins. They should immediately escalate the review even if gorhill submitted a plugin to log Hello World in the console.

> This was for uBlock lite, a much lesser used plugin

Sure, but it's published by the same developer and has existed for a while. It's not a brand new extension under his account, or published on a different developer account.

I've built review systems before, and you typically have safeguards in place to prevent mistakes that impact your biggest users. No matter how you cut it, this isn't a good look for Mozilla.


And behind the scenes is one human being maintaining both.

If you make maintaining one of them more stressful than the other, the maintainer dropping one to focus on the other is a predictable consequence.


> They spend hundreds of millions $ per year

Most of which comes from Google, whose web enshittification created the need for Ublock Origin and later Ublock Origin Lite. If Mozilla, which takes boatloads of money from Google, does something absurd that would please nobody else but Google, how could one not assume something fishy is going on?

https://archive.ph/jQPTt

( https://www.bloomberg.com/news/newsletters/2023-05-05/why-go... )


...and the extension this article is about had about 5000 (five thousand) installs before being taken down. That doesn't really scream "priority" to me.

It may be true, but your point of view isn't the only possible one. Many people have to use more than one browser and for them, the Google decision (effectively forcing the creation of uBOL) was really painful so Hill's new product is of big value. Also, there are people who don't know anything about uBO since they never used Firefox but they probably will start to use uBOL as other blockers for Chromium-based browsers are incomparable to it. Thus 5k downloads of uBOL are no measure of its importance.

How is that relevant to hosting on AMO?

Don't remove stuff that has been used for some time using only automatic tooling ...

And from the start the review was supposedly: "Your Extension uBlock Origin Lite was manually reviewed by the Mozilla Add-ons team".


> No pre-release review at all?

certainly not leaving only the oldest version of the extension up.


Can we build a better sandbox? Exfiltrating data is the issue, but if the extensions just weren't able to reach out arbitrarily but could only download a specified url, then that would eliminate the problem for plugins that could adapt to only using a specific permission and then not need manual review.

Meh, it's perfectly reasonable to decide that you don't want to deal with this kind of bullshit and pull the extension from problematic stores. There's probably a minuscule amount of people using uBO Lite on Firefox anyway.

I think that the alternative is some form of "per review", where the effort of performing reviews is spread out among a volunteer f with reasonable "reputation" management and in which a party can accelerate their own review by contributing to the reviews for others.

Exactly. And this is why we need paid browsers. If the ad-supported/donation-supported browsers like Firefox need to apply low-quality automated solutions to approving/rejecting even their most popular addons, then clearly the business model isn't working.

I think not everyone thinks that money solves all things. Look at the $8 blue check “verified” accounts on Twitter that are easily identified as CCP/Russian spam bots. We’ve had free browsers for nearly 30 years, so I’d say we don’t need paid browsers just yet. There are of course some out there for those who like the idea, but overall it’s not a solution. n=1 failure doesn’t mean flushing the whole enterprise down the toilet. There is an easy policy change for this. Fire one high level executive and get 10 more quality reviewers so that the more experienced reviewers can get high traffic items like those from gorhill

> I think not everyone thinks that money solves all things.

I'd go further and say money ruins most things.


You jump immediately to money. But less crappy automation in this case is almost certainly a question of configuration and then thoughtfulness on the part of follow up reviewers, not just throwing money at the problem. It feels like you are shoehorning your own agenda in the conversation a bit.

Wow, stirred up a latent hornet's nest with this one. I should have known, people love "free" stuff (even if it's obvious to everyone, even themselves, that it is not at all "free"). Anyway, I think a paid browser would help solve this problem. If you don't agree, please, keep using Firefox or Chrome or whatever "free" browser you prefer.

> their most popular addons

It’s the lite version. It’s not popular at all.


However gorhill is quite a high tier extension dev which should get him more attention and at least a second set of eyes on any drastic action like cutting his extensions.

...except there is no evidence that paid, manual review works. Closest thing we have is Apple's App Store, which infamously has manual review cycles worse than an automated malware checker: https://www.pcmag.com/news/beware-theres-a-fake-lastpass-app...

This is why you should be happy that you don't pay for a browser.


Anecdotes are not data, and requiring perfection is a really odd bar for working or not working.

> Anecdotes are not data

When you blatantly violate the IP of a well-trusted dev, posing as a third-party and successfully tricking Apple, yeah, you are a pretty big data point. You can't call CrowdStrike an anecdote.

My bigger intention is to fight the idea that automated solutions are necessarily better than inept human-reliant ones. Firefox doesn't even have remotely Apple's scale or revenue to work with - who seriously expects Mozilla to do better than them?


I'm not sure, if moz revenue is something like 600 m and the ceo makes 7 m while Apple's revenue is something like 400 b and the ceo made 63 m. You get something like 7/600 vs 63/400000 ?

Then Mozilla should do at least 1000 times better even if it is just a forgotten side project like Firefox?

uhhh what were we talking about again... ah right extension reviews.

Well, just let the developer pay for 50 different tiers of review with prices scaling with the size of the code base or upgrade. Display the level of scrutiny on the extension page, have a donate to the cause button so that funds contribute only to reviews.

If you've installed any extensions you should regularly be made aware of the security risk and have a nice overview of the level of hazard and fund raising efforts.

If you've reached a high level of security further upgrades will either be expensive or install should be discouraged.

In the same place the developer can explain how urgent or useful the upgrade is and users can donate to bring the patch up to the desired level.

Code changes can be displayed with public discussion. This will be useful for doing the different reviews as cheaply as possible. Let there be bidding wars.

In addition there should be an extremely granular permission system that triggers dialogs in an amount sensible for the review level. Developers should be allowed to buy reviews for tiny functions that accurately define permission requests.

For example: Rather than full access to all pages I want access to all links pointing at example.com and I want to fetch the title of the pages on example.com Or say: I don't want access to the entire internet but only to things in valid RSS or Atom format.

Seems a sensible solution to me and I don't even know anything.


So? Mozilla inserted themselves as middlemen into addon delivery. Even for the so-called selfhosted addons. They can just not do that if doing it properly and without undue delays means more work than they can handle.

I'd pay for speedy reviews. I don't think it would resolve to paywall, but the reviewers are not free.

It's very annoying you have to submit your extension to gatekeepers to even distribute them to normal users. As gorhill said on GitHub it took days for a self-hosted version to be approved - that's unacceptable. Imagine you would need approval from Microsoft to distribute software. Not even Android is this closed. Enforcing signatures and removing XUL were the worst things Mozilla has ever done. And yes, Google does the same and it's even worse there but this is to be expected from them, but not from Mozilla.

> removing XUL

Nah, XUL had to go. The other stuff wasn't really related. It was a more "if we are going to break most extensions we may as well use this time to push everything else we want". If anything XUL is a scapegoat.

I know because I maintained VimFx for a while after the XUL removal. It was difficult to keep up with internal APIs that are changing, but I can't blame them, they need to develop their product. The thing that really made me give up on maintaining VimFx was the signing enforcement. They just keep tightening the screws so that I couldn't even run "my own" code with any reasonable UX.

What I would have liked to have seen:

1. Provide WebExtensions as the recommended way to do things with some compatibility and deprecation guarantees.

2. Stop caring about compatibility of other APIs.

3. Still allow outside "full access" extensions that use those internal APIs. You can give warnings in the store "this extension uses unsupported APIs and may break at any time and steal all of your personal data" and make the install button bright red but still allow it.

4. Keep supporting self-distributed extensions with developer managed signing keys and update URLs.

Since there are no compatibility guarantees on these APIs it wouldn't have been much extra work. Just a bit of UX work to add scary warnings and maintenance of the non-store update code.


> 4. Keep supporting self-distributed extensions with developer managed signing keys and update URLs.

Mozilla followed the big corps in the 'store' model, instead of keeping it open free-form. We might have a viable developer certification trust system by now, but with that too, only the corps have enforced signing systems (that are closed and fragmented.)


> We might have a viable developer certification trust system by now

Don't we already have that system, in the form of distributions? More specifically, I'm thinking of something like Ubuntu's PPA system, where each developer publishes their packages with their own signing key.


> Imagine you would need approval from Microsoft to distribute software.

You mean like how you need permission to distribute software on MacOS/iOS? More and more platforms are moving in this direction and I wouldn't be surprised if Windows goes the same way in the future.


You don't need permission from Apple to distribute macOS software. Your users will just see a warning dialog when they try and run it for the first time and have to go to System Settings to allow it to run[0]. If you want to avoid this, you have to pay the $99 USD per year to join the Apple Developer Program, codesign your software with the certificate they give you, and submit it for notarization (which for macOS is a fully-automated security and malware review, unlike iOS notarization which is basically App Store review). It's not ideal (many open-source projects don't want to spend $99 USD per year, and it does tie the software to your real name), but it's not like iOS.

[0]: https://support.apple.com/en-nz/guide/mac-help/mh40616/mac


>More and more platforms are moving in this direction and I wouldn't be surprised if Windows goes the same way in the future.

I think MS has already tried this several times, such as with Windows RT and the Windows store. It never caught on, and they pissed off the independent software vendors who make the Windows ecosystem valuable in the first place. Maybe they just didn't push it hard enough; maybe they could have just forced everyone to use it anyway, and maybe it would have worked because what are Windows users going to do, switch to Linux or Mac? But maybe the real danger was that users simply wouldn't upgrade to the new locked-down Windows in the first place and just stick with older versions forever, which is something they've been doing all along (look how mad people were when they finally killed XP).


What? You can install extensions in Firefox easily without going through the Firefox extension store. XUL had to go.

No, you can't. Extensions must be signed by Mozilla for Firefox to let you install them.

This is simply not true. I've been using unsigned extensions for years. You drag-drop a zip file into the extensions window and it will let you install it.

I looked at this just a few months ago as I have a few extensions with some very me-specific stuff that I don't really need/want to distribute – it's just not going to be useful for anyone except me. I couldn't find a good way to permanently install an unsigned or self-signed extension.

You can temporarily add unsigned extensions in about:debugging, but those are lost on restarts, which is pretty annoying. I used this for a while until I got fed up and tried to find a better way.

"Unbranded" Firefox builds allow adding unsigned extensions, but then I need to either 1) compile my own Firefox, or 2) Use "Firefox Developer Edition", which is mostly just the same as regular Firefox but based on beta versions (I'd rather just use release versions). Neither really appeals to me.

So my solution now is to just create "unlisted" extensions and sign them with the web-ext CLI. It works and it's not entirely horrible, but it's a lot more hassle than I'd like.

And the requirement for extensions to be signed is fine; I have no problem with that. But it should allow adding my own signing key. Or something.

I kind of get why Mozilla is so restrictive about this; with banking and credit card stuff and whatnot all being browser-based, adding an extension is basically giving the keys to the castle. I can see some support scammer instructing someone to add some malicious signing key. But there does need to be some limit to how much we protect people from themselves, because at some point you just start making life hard for regular users.


> So my solution now is to just create "unlisted" extensions and sign them with the web-ext CLI. It works and it's not entirely horrible, but it's a lot more hassle than I'd like.

Wait. web-ext allows the signing of arbitrary extensions without review? Wouldn't that defeat the purpose Mozilla is sacrificing technical users for?

While I didn't come across web-ext, I also tried my hand at working around firefox's limitations for my own extensions, but eventually decided it would be easier to give up and switch to a chrome-based browser instead. To this day, I still don't understand the "significant" threat that Mozilla sees (and other browser vendors apparently don't) that warrants such heavy-handed Apple-esque control over their users' ability to control their browser. Whatever it is, I no longer care.


> web-ext allows the signing of arbitrary extensions without review? Wouldn't that defeat the purpose Mozilla is sacrificing technical users for?

It takes about ten minutes to sign, and only seems like it uses automatic checks. I do get an email that "any extension may be reviewed by a human at any time".

I don't know if it matters that it's unlisted, or that they're all very simple extensions with very limited permissions. I'm not an expert on any of this and I've never published a public extension; I just have a few for my own use. But it does seem that they apply some heuristic to determine what is worth reviewing and what isn't.

> To this day, I still don't understand the "significant" threat that Mozilla sees (and other browser vendors apparently don't) that warrants such heavy-handed Apple-esque control over their users' ability to control their browser.

There are support scammers and such that will phone you with "hi, we are from Microsoft support to help you. You need to go to h4xx0r.ru to install an extension to protect your computer".

There are other ways of doing this of course, but an extension is a simple and easy way.

I don't really know how to best solve this. I agree with your dislike of the current heavy-handed approach without escape hatch. But I also think the concerns are real, and you're being a bit too dismissive about that.


Given that 90% of normal people use browsers that don't have this restriction, I don't think Mozilla's threat model makes sense. Also, users who are susceptible to being tricked into installing an addon can just as easily be tricked into going to bank.com.h4xx0r.ru, editing hosts file, changing DNS settings, or even installing chrome or a different browser.

Frankly, I don't think this move is motivated by security concerns at all. (Not that it matters anymore)


You must be using either the Developer Edition, ESR, nightly or some unbranded version. Vanilla Firefox doesn’t allow to install unsigned extensions permanently.

As of recentlyish, I noticed this is not an option on ESR, either. Only Nightly and Dev.

https://wiki.mozilla.org/Add-ons/Extension_Signing#FAQ

The FAQ says that in ESR, xpinstall.signatures.required should be respected but this is out of date IME (ESR 115).


On desktop Firefox, you can download an extension from anywhere and install it. All they're gatekeeping is their own repository, which I think most of us would like them to do.

I think mobile requires using a nightly build to install extensions from outside Mozilla's repository, and that suggests their thinking is becoming contaminated by the rest of the mobile ecosystem.


You can no longer package extensions yourself and if you try using "Load add on from file" you get that extension loaded but it's gone after a restart. All extensions have to be signed first to be permanent and Mozilla denied to fix that on their bug tracker.

Signing is such a low bar to pass I agree that not offering that as an option is reasonable. It takes seconds to do.

We're talking about signing by Mozilla to indicate the extension has passed some sort of review process, not signing by the author. It isn't a low bar because it gives Mozilla veto power over what extensions users can install.

To add on to the other replies, you *can* load unsigned extensions with desktop Firefox if the build you're using disabled the signing requirement at build time. A bunch of distros' FF packages do that, for example, and is why I use a bunch of extensions I wrote myself (and thus trust) for myself without having to deal with Mozilla. (Zip up the files, change the file extension to `.xpi`, drop it in `$libdir/firefox/browser/extensions/`)

Are you certain extensions can be downloaded and installed from anywhere? Firefox's documentation[1] states "Extensions and themes need to be signed by Mozilla before they can be installed in release and beta versions of Firefox." If UBlock Lite was rejected through Mozilla's signing API, they'd have no ability to create an XPI that can be installed by release/beta version of Firefox.

[1]: https://extensionworkshop.com/documentation/publish/signing-...


No, the normal version blocks (at least permanent) installs. You need the developer version to install unsigned extensions.

I see. The extension I installed to test that actually is signed, though it's not in AMO.

I don't like this. I know there have been issues with malicious extensions, so it makes sense to me that installing unsigned extensions is turned off by default, but requiring developer builds is a step too far.


What release made this change effective?

That was many years ago, there was a bit of a public complaint.

Correct. It's incredible how much misinformation there is about signing, even here where people should know better. It's very tiresome.
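Added example (not part of any comment in this thread, and not Mozilla's tooling): the disagreement above turns on whether a given .xpi is signed at all. This Python sketch reports which signature entries an XPI carries under META-INF/ plus the add-on ID and update URL from its manifest; it checks presence only and does not verify the signature chain. The sample archives, ID and URL are constructed.

```python
import io
import json
import zipfile

# Entries Mozilla's signing service adds to an XPI (which is a ZIP archive).
PKCS7_ENTRIES = {
    "META-INF/manifest.mf",
    "META-INF/mozilla.sf",
    "META-INF/mozilla.rsa",
}
COSE_ENTRIES = {"META-INF/cose.manifest", "META-INF/cose.sig"}


def inspect_xpi(data: bytes) -> dict:
    """Triage an XPI: which signature entries exist and what the manifest declares.

    Presence of the entries is not proof of a valid signature; Firefox
    performs the cryptographic verification at install time.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        names = set(xpi.namelist())
        if "manifest.json" in names:
            manifest = json.loads(xpi.read("manifest.json"))
        else:
            manifest = {}

    # "applications" is the legacy spelling of "browser_specific_settings".
    settings = (
        manifest.get("browser_specific_settings")
        or manifest.get("applications")
        or {}
    )
    gecko = settings.get("gecko", {})

    found = names & (PKCS7_ENTRIES | COSE_ENTRIES)
    if PKCS7_ENTRIES <= names:
        status = "signature-present"
    elif found:
        # Some signature files but not the full set: tampered or truncated.
        status = "signature-incomplete"
    else:
        status = "unsigned"

    return {
        "status": status,
        "cose": COSE_ENTRIES <= names,
        "addon_id": gecko.get("id"),
        # A self-distributed (unlisted) add-on typically sets its own update URL.
        "update_url": gecko.get("update_url"),
        "manifest_version": manifest.get("manifest_version"),
    }


def build_sample_xpi(signature_entries=()) -> bytes:
    """Build a constructed XPI in memory; signature entries hold placeholder bytes."""
    manifest = {
        "manifest_version": 3,
        "name": "Constructed sample",
        "version": "1.0",
        "browser_specific_settings": {
            "gecko": {
                "id": "sample@example.invalid",
                "update_url": "https://example.invalid/updates.json",
            }
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("manifest.json", json.dumps(manifest))
        xpi.writestr("background.js", "// constructed sample\n")
        for name in signature_entries:
            xpi.writestr(name, b"placeholder")
    return buf.getvalue()


SAMPLE_UNSIGNED = build_sample_xpi()
SAMPLE_SIGNED = build_sample_xpi(sorted(PKCS7_ENTRIES | COSE_ENTRIES))
SAMPLE_PARTIAL = build_sample_xpi(["META-INF/mozilla.rsa"])

if __name__ == "__main__":
    for label, blob in [
        ("unsigned", SAMPLE_UNSIGNED),
        ("signed", SAMPLE_SIGNED),
        ("partial", SAMPLE_PARTIAL),
    ]:
        print(label, inspect_xpi(blob))
```

To inspect a real file, pass its bytes: `inspect_xpi(open(path, "rb").read())`.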

> The organization issued an apology for the "mistake" and recommended to Hill to reach out whenever he has questions or concerns about a review.

Before taking drastic action like pulling addons from the store, Mozilla should reach out if they have questions or concerns about a review.


It appears all of the companies that are gatekeepers to apps, extensions and similar user-generated stuff are really quick to overreact and unless you are a high-profile person, have a lot of followers or a really popular app or an extension, good luck resolving it in a timely manner.

Gorhill is a pretty high profile person considering uBlock Origin and yet still got it taken down and overreacted though. So the issues seem to run deeper than that.

This is literally the most high profile person Mozilla has. He's carrying the entire browser.

On first glance, it really does seem to be the case, regardless if one is "big tech" (e.g. Apple) or a non-profit organization (e.g. Mozilla).

Gorhill's full uBlock Origin might be the only remaining selling point for Firefox.

With the outrageous sum of money that the Mozilla top executive was recently taking for themself, they could've instead staffed an entire team of first-rate people, with the sole mission of doing whatever Mr. Gorhill needed.


They are too busy working for the advertising companies Mr. Gorhill is blocking. Most recently adding ‘privacy preserving attribution’ - a feature that no user has asked for.

People don't want 3P cookies tracking them around the web. They also don't want to pay to visit sites. Mozilla is trying to provide a middle path, I salute the effort.

Is everyone who claims the Internet cannot work without advertising only 20 years old? Why try to gaslight so many people who remember the Internet without advertising just fine? It was just a few decades ago!

I remember the BBS's, Compuserve, AOL, and the Internet before (ubiquitous) advertising. It was fun yet spartan.

In light of the alternatives (like paying for everything with discrete purchase or subscriptions), I'd prefer that advertising survive. Ideally with less invasive ways of detecting my interests.

My intention is certainly not to gaslight anyone. Not sure how you came to that conclusion.

Full disclosure, I work for a paywall SAAS.


There's nothing wrong with wanting advertising to survive. It's a creative powerhouse and a huge cultural influence.

But what most people really mean when they say that is: I want to preserve ways of coercing or tricking people into consuming content that they do not actually want to consume at the time of consumption.

And I think that is a very bad idea, regardless of the expectations people put into that ability.

No one should be force-fed advertising.


I pay to visit many sites on the internet. Netflix, Hulu, Disney, Max, Twitch, etc. They provide value for my money.

I don’t pay for news. Intelligent employees of news organizations would learn from that but no…

Instead we get advertising apologists trying to gaslight me into thinking tracking is ok.


> Intelligent employees of news organizations would learn from that but no

They did learn from it, that's why many "news" sites are now content-free entertainment, and why intelligent non-employees of news organizations complain that they're not providing news.


Why does this extension even exist on AMO? The article says it's the "Lite/Manifest v3 version" - why would you ever install the inferior edition meant for legacy browsers, instead of the one that blocks ads properly that's meant for Firefox?

For the few good reasons Google had for restricting addon manifests: performance and security. Declarative domain lists are easier to cache and lead to fewer (unnecessary) addon activations. Fewer permissions means the impact of a malware-infected version hitting the addon store in the future is a lot lower. uBlock's rule engine is incredibly powerful, to the point where a custom ruleset can inject code into any website. That applies to custom rulesets, but also to the built-in ones that may or may not get their accounts/hosting hacked, or bought out in the future.

Not that I would use the lite version myself, or that I agree with Google's choice, of course; they killed ad blocker APIs without providing an alternative API, after all. With the code already out there anyway, for the people stuck in their ways still using Google Chrome, they may as well make this version available for Firefox.


The other good reason that Google has is that it puts them entirely in control of the lists. If they don't want Chrome to block ads on Google properties they can opt them out of the block lists.

Because it's lighter on power usage, and that matters for firefox on android.

And because it can block ads without infinite permission to read and change every site you visit.

You know what else uses power? Ads! Particularly the flashy animated ones that fingerprint the browser and hoover up data to prove you're a real human ad impression. I'd wager it doesn't take too many of those slipping through the net to completely undo your "power saving" of a slightly more efficient way of blocking resources.

Has anyone actually done some quantitative research here? I've been using Firefox with uBO for years on Android and of all the apps on my phone, Firefox is not the one that's chewing through battery.


But now it's not even possible to use the add-on in Firefox for Android, as only add-ons from AMO can be installed.

I was curious if trying to load it via file:///storage/emulated/0/Download/... would work (as my recollection is that .xpi installation is content-type: sensitive) but insult-to-injury is that FF Nightly for Android searches for the string "file:///storage...", so they seemingly have nuked even the file: protocol handler for Android. Good times over there at Mozilla

file:/// is gone in Firefox Android since at least 2 years ago. I discovered it a few days ago https://bugzilla.mozilla.org/show_bug.cgi?id=1806171

It works in Chrome on my Android 11 phone.


Pretty sure file:// is very broken in different ways on every android browser.

For example, on kiwi browser typing in a file URL causes it to be searched, but using the "go to URL in clipboard" button (with the file url in your clipboard) works. Except when you randomly run into some weird android file permission issue and the browser just can't see certain files...


That's not true anymore. You have to press the Firefox logo on the about screen a few times, which will make the menu option appear in settings to install an extension from the local filesystem

Fixing this explanation:

You need to go Settings -> About Firefox -> Click the logo a bunch of times on this page specifically -> Press the back button

You will now see the Install extension from file option.


Wow, that's good to know, thanks!

It can run with way less permission as opposed to UBO.

I don’t think people care about giving permissions to one of the most popular extensions ever. The advantages of giving that extension full access are quite clear and the dangers minimal.

I do care. I trust Gorhill but that doesn't mean mistakes can't slip through. Maybe criminals attacked his system to steal his credentials, or maybe criminals just used old fashioned violence to force Gorhill to release a malicious extension update. Exactly because this is the most popular extension ever, criminals have so much higher incentive to take over his trusted extension to do criminal things.

Of course all of us have our own assessment of trust and danger.


> I don’t think people care about giving permissions to one of the most popular extensions ever.

I'm going to fail to go out on a limb and say that those people shouldn't use this version in order to avoid that, then. I suspect this extension has been made available for others, like those you're replying to here.


I care. I'll probably just switch to Brave instead of either installing this manually (risky) or using the full-blown addon (risky). The value proposition for Firefox has just diminished.

You care, but you’ll probably just switch to a fringe browser that has far more permissions than an extension. Ok.

It’s faster and has less security implications. I accept that UBO is more powerful even if it has a slightly less secure footprint, but that’s a decision, others may choose for more security per V3

> why would you ever install the inferior edition

It's my computer. I paid for it and I maintain it. I'll do whatever I please with it.

> instead of the one that blocks ads properly that's meant for Firefox?

I have a better question. Why even use Firefox if it refuses to do what I want?


manifest v3 is actually not a bad idea at all. it's more efficient, more private.

It’s bad though in that it reduces your power over your browsing experience. We should get a choice on that. uBO is a good actor and I trust them. Also Google crippled storage for lists in v3 while Firefox did not. Clearly it’s to limit size of Adblock lists on google’s part to make the adblockers more irrelevant and in their interest to put as many ads in your face as possible.

> We should get a choice on that.

this is it exactly. They should not remove manifest v2, they should make it more explicit that an addon is v2 or v3, and let the end user choose (with the default being v3, and deny v2 addons).

When an untrustworthy addon asks to be a v2 addon, the user can be made more suspicious, but allow addons like ublock to remain working at full power.

Of course, the whole reason google did it is to remove effective adblocking.


>The last message from the developer in a now-closed GitHub issue shows an email from Mozilla admitting its fault and apologizing for the mistake. However, Raymond still pulled the extension from the Mozilla Add-ons Store, which means you can no longer find it on addons.mozilla.org.

This seems pretty harsh. Mozilla made a mistake, Mozilla apologized, Mozilla fixed the mistake (maybe even improved their processes), and the author still pulls their choose and criticizes Mozilla. In my opinion either author took this a bit up personally, or cares about improving the review process and wants to make a strong point (with some hurt done for their project visibility).


Remember why uBlock Origin exists in the first place: Raymond Hill was fed up with the chore of all the administrative crap around uBlock¹. They wanted it to be a hobby and it started feeling like a job.

https://github.com/gorhill/uBlock/issues/38#issuecomment-918...

So it’s predictable they’d get fed up with that Mozilla review process and call it quits too.

¹ Which led them to hand the project to an unscrupulous rando that immediately tried to monetise it, leading Raymond to hate the outcome and having to decry his own previous project and ending up essentially where it all started but with a bunch of extra work in the middle.


The author is a volunteer and the software is a labor of love: of course it's personal. Such projects thrive when the author feels like they are giving a valuable gift to a community which is receiving and appreciating it. Being required to submit your creation through an impersonal "review" process which rejects you in such a way that it's obvious nobody cared enough to even look is not just a buzzkill: it's an insult.

I would walk away, too.


> when the author feels like they are giving a valuable gift to a community which is receiving and appreciating it.

Who is the "community" in this case? Mozilla? Or is it us users? If the former then fine, but if the latter, then who is being hurt by this, and how does Mozilla being annoying reflect ingratitude in the community?


> who is being hurt by this

See Raymond’s comment five days ago:

https://github.com/uBlockOrigin/uBOL-home/issues/197

Who is being hurt is Raymond Hill (their sanity / mental stability / desire to work on this popular extension); Firefox users who preferred the Lite version; Firefox users on Android; Everyone who would’ve been recommended this extension and now won’t (see other comments in this thread); Mozilla (taking yet another hit to their reputation) and by extension the open web as more reasons to abandon Firefox lead to less browser diversity.


Mozilla sent a template email and you're acting like they did anything beyond that. They didn't even assure the author that their add-on wouldn't be removed without prior two-way communication ever again.

Mozilla has a press page -- they could issue a clear, open press release talking about what went wrong, how they're changing going forward, etc. They could even acknowledge that this extension is awesome and contribute capital to making it available to their users.

But, instead, they did the minimum amount possible to save face after one of their reviewers royally messed up. The things the reviewer cited in the first review are plainly wrong and a junior JS developer could tell you that.

Heck, an AI reviewer would have done better (ChatGPT 4o mini):

"No, this file does not appear to contain minified code. Minified code is typically compressed to remove all unnecessary characters such as whitespace, line breaks, and comments to reduce the file size, making it harder to read.

The code you provided contains readable formatting, including comments, indentation, and well-structured functions, which are not characteristics of minified code."


> author took this a bit up personally

Yea, those pesky unpaid developers, letting their emotions get mixed into their personal projects. Why can't they be cold and unfeeling, like the people who run the firefox "store?"


I can’t fault gorhill for not wanting to play the “give large rich organization infinite second chances” game. Sometimes enough is enough even if you think you’d act differently in his shoes.

> Mozilla apologized

No they didn’t. Now I’m not here to play apology police or anything. But that’s just a perfunctory customer service voice statement which happened to include the word “apologize”. And that’s fine. Nobody expects more. We can acknowledge it for what it is tho.


What could the email have said that would have made you believe they had apologised? If the literal string “we apologize” isn’t it, what is?

"Our review processes are not fit for purpose. We commit to replacing them with ones which acknowledge our entire ecosystem is built on the goodwill of unpaid volunteers, and we must not squander their time or resources. People like you are our lifeblood and we must not lose your trust."

"We admit we used automated scanning here and tried to pass it off as human review. We got caught. Badly. All our future scans will have to pass our own internal reviews before we make demands of extension authors."

these sorts of things


Come on, be realistic. They’re not going to grovel and humiliate themselves over it, especially on a first apology contact. Expecting that kind of response would be ridiculous.

The other comment was much more plausible.

https://news.ycombinator.com/item?id=41711187

I’m interested in what the original commenter thought, though.


The anodyne ass-covering apology they did send out, is massively more humiliating for Mozilla than a sincere mea-culpa would have been.

Hill made their initial emails public and the discussion of AMO's incompetence had already happened. Mozilla have been able to see this and formulate a response. Their response was not a full PR face-saving, it was a single further email from the AMO review system. That speaks volumes.

Dear Mr Hill

sorry we are such idiots. Now please reply to us so you comply with the mandatory review process governed by idiots. Our policies require that we do not unilaterally fix any mistakes we unilaterally made. We must first waste more of your time to ascertain that you agree our direction is the right one.

Yours Sincerely

The Idiots

https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco...


Look, I’m not taking Mozilla’s side. As should be obvious by my other comments on this thread, I think Raymond Hill should do what they think is right for themselves and the project.

But I’m trying to have a productive conversation on what would be a realistic response that Mozilla could have plausibly sent that would show true remorse and constitute a proper apology.

Insulting them and giving absurd examples that would never happen does not advance the discussion. I’m not interested in unabashed mocking. There are people on the other side too, it doesn’t cost anything to have a little empathy. Yes, Mozilla is in the wrong here, no one disagrees. How about we discuss what they could’ve done right?


That's what my mooted better-apology email covered. Acknowledge the failings of their processes. Mozilla should stop thinking they're a big swinging dick of a "platform" like Google and Apple are, instead accept they're reliant on continuing donations of time and effort by volunteers and it needs to keep them sweet.

Edit: and if they want to continue thinking they're a "platform", they need to invest in more and better staff for doing these reviews they insist on. They need to accept that false positives are just as bad, if not worse, than false negatives.


> That's what my mooted better-apology email covered. Acknowledge the failings of their processes.

But you did it in a way that ridicules Mozilla. It was an unrealistic example of something they would never have sent. For what? There’s no point to that. Surely you can come up with something that is apologetic, honest, real, and that a manager at a company could approve. I was looking for something sensical, not a caricature.

> Mozilla should stop thinking (…)

That, and most of your post, gets to the heart of it. You’re displeased with Mozilla and want them to look bad. Look, I get it, I don’t like Mozilla’s direction either, I am plenty critical of them. But you can be critical and constructive. Your comments that made them look like absolute bozos are the kind of rhetoric any Mozilla employee would skip over as not being serious. I would like Mozilla to be better, not just burn them to the ground.


The problem with Mozilla may be unrecoverable; that's my concern. They're currently spending Daddy Google's money like it's endless, schmoozing with SV investor types, pissing about chasing the latest trends and bunging money to their friends. Because they can.

I'm not sure that anything that anyone could say to them could change their minds.

My worry is that there are no organisations that campaign to keep the web open, fight against those who would lock it up and Balkanise it, and to offer a web browser that empowers its users and hasn't been captured by surveillance-capitalist money.

Mozilla don't need my help to look bad:

* https://www.pcmag.com/news/mozilla-temporarily-suspends-cryp...

* https://lunduke.locals.com/post/4387539/firefox-money-invest...

* https://www.theregister.com/2024/01/02/mozilla_in_2024_ai_pr...

* https://arstechnica.com/gadgets/2024/02/mozilla-lays-off-60-...

* https://www.theregister.com/2024/06/24/mozilla_product_chief...


> But I’m trying to have a productive conversation on what would be a realistic response that Mozilla could have plausibly sent that would show true remorse and constitute a proper apology.

For a thought experiment let's take those suggestions earlier in the thread that you already dismissed. Make them 10% less blunt. Have they become realistic? No? OK, another 10% less blunt. Keep going until it seems realistic. Does it still show true remorse? No? Quelle surprise! I don't think there is any overlap to be found in this Venn Diagram.

The closest thing we might ever see is the mozilla dev elsewhere in this thread. They're opining that mozilla should probably just give Hill reviewer creds so he can rubber stamp his own addons and explaining why.

I'm not saying that if Mozilla were to give him those permissions that it would constitute an apology. I'm saying that the case this Mozilla dev is making, that alone is already more remorse from Mozilla about how broken their internal process and priorities are, more than any "realistic" official communication from Mozilla will show.


> Make them 10% less blunt.

That’s… Not how communication works.

> Have they become realistic? No? OK, another 10% less blunt. Keep going until it seems realistic. Does it still show true remorse? No? Quelle surprise!

What a bizarre straw man. You invent an argument unrelated to what the other person said, then argue with yourself pretending to know what the other person would respond ultimately making the imaginary opponent agree with you. That’s quite something.

Your post is so far removed from the point of the thread I have no idea how to respond to it. Nor would I want to, I believe this has gone so far off the rails there’s no salvaging it.

Again, I’m not defending Mozilla. Anyone who cared to find my other comments on the thread can easily verify I defended Raymond Hill from the start. The one thing I was interested in with the original question were serious arguments of what Mozilla could have done better. Straw man arguments lacking in empathy that makes everyone on the other side look like clowns are unproductive.


That reply essentially sounds like "We realize you are in a position of power over us and so we should have been more careful; we thereby explicitly note the power imbalance and pledge to respect you--specifically, just you--a bit more because of it (though let's not get into the details of how)."... which is, I guess, an "apology" of sorts, but it isn't even close to an apology for the thing they actually did wrong.

FWIW, the comment you were replying to had a bit of hyperbole in it, and I guess you seem to be expecting it to be an exact quote? I think that same sentiment can be done in a way that is more neutral in tone, which is what seems to be irking you? Which is awkward, I guess, as, frankly, the one you prefer comes off much more to me as "groveling": the issue at hand is procedural and technical and maybe a bit political, but that reply is intensely personal and is directly "bending the knee" to Gorhill while not admitting any actual mistake.

But like, maybe, sometimes, an apology inherently requires some humility, and if Mozilla isn't willing to actually state that they did wrong -- not that Gorhill deserves respect, not that this situation went badly, certainly not merely that Gorhill felt bad about it -- then what, pray tell, even is an apology?


> but it isn't even close to an apology for the thing they actually did wrong.

I didn’t say the one I linked was perfect, I said it was more plausible. I don’t understand why everyone seems to have such a hard time understanding what that word means.

> and I guess you seem to be expecting it to be an exact quote?

That is exactly what I asked for. I asked what the email could have said. Words have meanings. Why oh why does that seem to be a novel concept?

> But like, maybe, sometimes, an apology inherently requires some humility

Yes, yes it does. I agree.

> then what, pray tell, even is an apology?

For crying out loud. HN, the community that is ridiculed everywhere else for being too literal, was today incapable of understanding a literal question.


"Statistically your extensions are one of the most used on Firefox. We will handle all related matters with higher priority and care in the future, and are deeply sorry about this."

Why does it matter if they apologize? Are there brownie points that make a rote ineffectual interaction somehow better if that check box can be checked?

> What could the email have said

If the goal is finding the right magic incantation for apology, then the answer to your question is “nothing”. If it’s not, then the answer is “almost anything”.


An apology is an admission of wrongdoing and shows remorse for one’s actions. It means the perpetrator is committing to improving themselves and not making the same mistake. You can’t change a mistake in the past, but you can promise to do better in the future.

So yes, apologies matter. It is baffling, and honestly worrying, that this has to be explained.

It is important to realise the people steering the apology are not the same ones that caused the offence. The organisation is the same, but you can’t control what every single individual does.


> It is baffling, and honestly worrying, that this has to be explained.

Hey man, you’re the one that seems to be of the impression that the person sending form letter extension review responses is in a position in Mozilla to be able to do any of the shit you just said apologies represent.

I asked what’s it matter if they tick the apology box because they can’t actually apologize.

I just don’t get why, in my previous post, I was supposed to pretend like the person who wrote that “we apologize” statement even intended to apologize.

—-

And in the odd chance the person who sent that email is in that position (or it’s a personal apology limited to their own reviewing failures) they need to use their words and distinguish themselves from a perfunctory customer service script. Rote apologies are not apologies, they’re simply someone saying what they believe are the right polite words for a situation.


> the impression that the person sending form letter extension review responses is in a position in Mozilla to be able to do any of the shit you just said apologies represent.

Yeah, that’s fair.

> Rote apologies are not apologies, they’re simply someone saying what they believe are the right polite words for a situation.

I agree. And rereading the email I also agree that their apology was lacklustre to say the least. Initially that seemed to me to have come from a position of authority, but I see I was wrong.

My only disagreement is that I do think there is some apology that would be valid. Something like a personalised email (not from a form) from someone with a modicum of power (e.g. the manager of the add-ons division).

Note, however, I’m not saying a valid apology must be accepted.


> Something like a personalised email (not from a form) from someone with a modicum of power (e.g. the manager of the add-ons division).

Okay… but I still get the feeling you’re talking about a non-apology here. No matter how hard they work to craft the right words, unless that manager does something differently they’re just being manipulative in addition to the original wrong they’re pretending to apologize for.

I know I’m not being maximally charitable here, but look how far you’ve strayed from “If the literal string ‘we apologize’ isn’t it, what is?”


> but look how far you’ve strayed from “If the literal string ‘we apologize’ isn’t it, what is?”

Wasn’t it clear that I changed my mind through the conversation? That’s the point for me, my goal isn’t to pick a position and claim I’m right to the end, but to learn and improve my views. Like I said:

> I agree. And rereading the email I also agree that their apology was lacklustre to say the least. Initially that seemed to me to have come from a position of authority, but I see I was wrong.

If the literal strings “I agree” and “I was wrong” don’t convey that I agree with your points and I think I was wrong, what does?

To be absolutely clear, I’m being tongue-in-cheek. I have no desire to continue this.

And to be even clearer, what I offered as a suggestion was a response to you saying there was “nothing” they could do. That’s the one part I disagree with by the end.


> what I offered as a suggestion was a response to you saying there was “nothing”

There was an if clause separating different circumstances into “nothing” and “almost anything”.

And I stand by that. If an apology is actually meant it becomes trivial to come up with the words to apologize.

Laboring over the process of apologizing is a good sign you’re trying to avoid actually apologizing.


Judging from his replies, this is not the first time he had problems with the review system

Feels like they were just waiting for a reason to pull out – likely feels it's a hassle to upload and have it reviewed and just want everyone to trust them and keep it simple

And I guess some people would claim that since it's an open source addon no one can feel entitled to anything else


Fair play. uBO is THE killer extension, and apparently it never occurred to Mozilla that if they were going to insist on using some hideous, Google style, machine led review process for extensions, perhaps they should at least make a carve out for one of the single most important extensions that exists.

I can totally understand gorhill becoming completely incensed by the whole thing and refusing to play ball when Mozilla "realises their mistake". Their mistake was assuming he would simply put up with being subjected to the drudgery that so many extension and open-source developers allow themselves to be subjected to in return for little thanks and ever increasing demands.

The outcome is far from ideal, but the fault, sadly, lies squarely with Mozilla. Real shame.


This is about uBOL. I haven't seen many delays for the main extension. It is always more up to date on Firefox compared to Chrome/Edge.

OK? So you support Mozilla's actions or something? What is the purpose of your comment?

The purpose of their comment is to correct your statement that:

> perhaps they should at least make a carve out for one of the single most important extensions that exists.

uBOL is not an important extension on Firefox.


>uBOL is not an important extension on Firefox.

Perhaps you should read some earlier comments then you wouldn't say such things?

Hints: Firefox mobile; range of privileges required.


I did, it does not change what I said. uBO works perfectly fine on Firefox Mobile and doesn't use much battery. People can prefer uBOL, but that doesn't make it important to the ecosystem.

Out of all the criticism Firefox fans make of the mobile version, excess CPU usage and excess RAM usage are at the top of the list. Maybe high-end phones run Firefox decently now, but not everybody has a high-end phone. If uBOL has a place on Firefox, mobile Firefox is where it's best.

It's the same author, essentially same project. Mozilla shouldn't be wasting the maintainer's time and resources with this stuff, and that is the point of my comment. Their comment was nothing but failed pedantry and added nothing if that was its purpose.

> uBO is THE killer extension

Now that you say that, I wonder if that's Google's end game: keep Mozilla on the payroll, disincentivise them from innovating on their product and wait for Firefox to slowly bleed users until nobody is using them and solidify Chrome's position. And that's how they take care of adblockers. They already have wide control over Chromium so that would only leave Safari as the last viable browser alternative (a much harder product to attack).

Now, Google can't stop Firefox from allowing ad blocker extensions, but they can encourage Mozilla to run Firefox in all but abandonware mode, until it dies out.

It's embarrassing how hard the Mozilla Foundation has fumbled their position and I'm having a hard time attributing their actions simply to incompetence.


uBlock Origin is likely the primary reason Firefox has any amount of meaningful browser market share today. If Firefox didn't support it then I would be using another browser. Seeing as Mozilla has been struggling to get anything right, they should be kissing gorhill's behind.

I really hope Raymond Hill won't do the same for uBlock Origin (the manifest v2 version). I'm not too comfortable recommending others to install a self-hosted extension.

It's a shame Mozilla and Raymond Hill can't/won't solve this together. I get that the review he got simply should not have happened for an extension like this (see the Github thread¹) and that he is simply done with bothering, but I worry about how that will affect uBlock Origin's long-term stability as a project. The whole situation sounds decidedly unhealthy.

1: https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco...


> I worry about how that will affect uBlock Origin's long-term stability as a project.

I wouldn’t be surprised if UBO has more users across all browsers than Firefox has users at all, and expect it’s at least within an order of magnitude.

To imply it’s in any danger at all because a minor platform is recalcitrant is ridiculous.


Easy. I have 3 browsers installed. All of them have uBO as a first thing installed.

Latest update from the link you provided: The Mozilla review team acknowledged their error and rectified it. Hopefully that allows it to continue existing.

Hill seems intent on self-hosting, so I mean it will exist, but will be a lot harder to discover and as GP mentions, probably harder to convince people to install.

uBlock Origin 1.60 is still held back for review by Mozilla. Despite it being out for about a week 1.59 is the latest available on the Firefox add-on site.

Without Gorhill's uBlock Origin, the internet would be a really awful place. Thank you, Raymond!

There's nothing more frustrating than being gatekept by incompetent, lying idiots. Sad day for users but the right choice by Hill.

Mozilla wanted in on the $CURRENT_THING of being a "platform" where devs bow and scrape and they claim to be the great custodian of stuff, protector of users. Don't do this if you can't be competent at it. Devs _can_ leave, and they will if you fuck up often enough.


Doesn't this behavior from Mozilla staff indicate that using Firefox extensions at all is a security issue?

This shows that the reviewers may not be competent enough to catch actual malware uploaded to their add-ons site.


Yes. I never took the review process seriously, I assumed people could publish pretty much whatever. Today I learned it's meant to be tight as well as that you can't run your own code anymore; that it needs to go through review or you get to reinstall every time you start your browser.

I've held out for a long time with Mozilla, trusting they thought it's a useful thing to do when they partner with Facebook to make privacy preserving adtech. This is a big ask of me though. I don't use it myself but I'm constantly running into limitations on Android and, at work, iOS because you can't simply do what you want on the devices without all sorts of hoops and fearmongering surrounding having actual access to your own device—the stuff I use my phone for simply doesn't run without root and one can't even make a full system backup without. It's not your device. Learning this about Firefox makes me feel it's not my browser...


> The organization issued an apology for the "mistake" and recommended to Hill to reach out whenever he has questions or concerns about a review.

It's unclear why the author of the article decided that the word 'mistake' deserved the scary quote treatment.


Because there was a privacy policy it's hard to understand how that could be a mistake. The insinuation is the reviewer was not acting in good faith.

Which brings us to: It's unclear why the author of the article decided that the reviewer was not acting in good faith.

The reviewer asserts that the addon transmits data. It does not.

That may not be malice, of course. It could just be incompetence (someone running an automated scanner and not verifying that the results are correct), someone trusted with a job they're not capable of doing, or maybe it's just Mozilla pretending someone reviewed the addon while using shitty AI like ChatGPT to do all the work.

The email even directly links to resources that are supposedly "minified, concatenated or otherwise machine-generated". That's simply not true.


Maybe it's the fact that 80+% of Mozilla's revenue comes directly from payment by Google who are extremely hostile to ad blockers (and UBO in particular) at the moment.

That should be obvious, honestly. The extension is a threat to the reviewer's paycheck...


UBO isn't even the extension that was scrutinized, and besides how do you even know that the reviewer (if they are a human which seems open to question) is a Mozilla employee rather than a volunteer, and that they were not acting out of sheer incompetence?

Lot of people in this thread not familiar with Hanlon's razor..

Obviously this could all just be incompetence. It's just a convenient excuse to do some more Mozilla-bashing, (lack of) facts be damned.

Not that any of this excuses the experience Gorhill had, of course.


You can be familiar with Hanlon's razor and disagree that it is a good rule for dealing with faceless corporations. If you excuse everything as benign incompetence then that's exactly how malicious actors will hide.

Pretty clear: because it's a quote from Mozilla's response

"We apologize for the mistake and encourage"


If Raymond Hill endorsed a Firefox fork, I would switch to it immediately.

Yes, uBlock should incorporate Firefox, rather than Firefox incorporating adblocking.

I fully agree with Gorhill's decision to pull the addon. Any downgrade of user experience on Firefox is solely due to their addons review team.

Maybe if more developers refuse to put up with such bullshit in the name of gatekeeping the extensions store, browser vendors will start acting properly.


For anyone confused by the real title:

> uBlock Origin Lite maker ends Firefox store support, slams Mozilla for hostile reviews

“Review” here means the Mozilla review to allow the extension in the store, not user reviews of the extension.


It's a blog post about something that happened a month ago and boils down to "some (obvious) mistake happened during review". Not much to see here.

That obvious mistakes can happen is itself a problem.

Have you never been at work being forced to do something because you need money but you just are not feeling it that day? Obvious mistakes will ALWAYS happen, regardless of rules, regulations, human involvement, process, etc. It's thoughts like this

"How can we make sure this doesn't happen again"

"It's unacceptable that an obvious mistake happened"

that make corporations so full of random rules, because they think it's possible to prevent things like this. What matters is the frequency with which they happen, and how gracefully you handle yourself after it happened.


And problems like this could still have been avoided if their system required review by a second party before blocking an addon by a developer of good standing who has addons with a huge number of users.

Sure, the individual doing the check might be incompetent, but that doesn't mean that Raymond needed to be bothered by Mozilla about it - they could have handled it internally instead.


"But the bias-variance tradeoff doesn't really apply to us" - every bureaucracy ever.

Obvious mistakes are an issue with most software stores. Less a matter of attention being paid, and more a consequence of scale: https://www.pcmag.com/news/beware-theres-a-fake-lastpass-app...

Software management doesn't scale as much as google would like.

Software management doesn't scale at all. It relies on an individual human element that is free to make the wrong choice apropos of nothing. They have no motivation to explain their reasoning and by-and-large are protected by the marketing of a multi-million dollar business.

Kinda why it's a mistake to charge money for a process that is demonstrably incorrect.


latest message from moz on the GH issue is from the day back

This again shows the problem of automatic reviews. There should be a person's name in every review that was responsible for it, currently it's blamed on our automated system. If the law would require someone's name on it then I'm pretty sure the review process would be much better and the explanation would include more than an apology.

It seems to me that any platform with a review gateway should treat failing a review erroneously as a critical failure.

In fact it does literally constitute denial-of-service.

When a failure like this occurs, it needs more than an apology, it should have an incident report to show that the failure was understood and steps were taken to prevent future failures.


From a security standpoint the opposite is true: false negatives are to be avoided at all costs, even when that posture increases false positives. There’s always a trade-off.

Or there isn't and such level of competence just increases the chances of both types of negatives: there is no good reason to think that people who can't see the obvious in cases like this one will catch hidden vulnerabilities

Automated processes have so far managed to destroy the experience of the world wide web as a whole for developers and users both. And AI based tools seem like gas to this fire. Seems very soon web will die out of its quality and only bots will remain.

Because no one has ever taken over and compromised high profile extensions?

Chrome battles with it a lot, see eg. https://news.ycombinator.com/item?id=36146278

I find Mozilla's process to be quite reassuring, but would be good to have alternative "addon stores" that also have a review process


Mozilla is definitely doing the right thing by reviewing the extensions, but the issue here is that they were wrong, they found issues that didn't exist (such as claiming it contained obfuscated code and collected private data).

It appears the issues were found using simple heuristics (e.g. they detected the string pagead2.googlesyndication.com in a comment) and these detections weren't then manually reviewed as claimed, which is wasting everybody's time.
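
Added example (not part of the comment above, and not Mozilla's review tooling): a sketch of why a bare substring match on a domain produces the kind of false positive described, next to a context-aware pass that separates comment-only hits from ones a human reviewer should look at. All function names and both sample sources are constructed for illustration.

```javascript
// Added example: hypothetical names, constructed sample input.
// Simplification: regex literals and ${...} nesting in template literals are
// not parsed; a production scanner would use a real JavaScript parser.

const NEEDLE = 'pagead2.googlesyndication.com';

// Naive heuristic: flag the file if the string appears anywhere at all.
function naiveFlag(source, needle) {
  return source.includes(needle);
}

// Walk the source once, tracking whether we are in code, a comment or a
// string literal, and record the context of every occurrence of `needle`.
function classifyHits(source, needle) {
  const hits = [];
  let state = 'code'; // 'code' | 'line' | 'block' | 'string'
  let quote = '';     // quote character that opened the current string
  let line = 1;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    const next = source[i + 1];
    if (source.startsWith(needle, i)) {
      const context = (state === 'line' || state === 'block') ? 'comment' : state;
      hits.push({ line, context });
    }
    if (state === 'code') {
      if (ch === '/' && next === '/') state = 'line';
      else if (ch === '/' && next === '*') { state = 'block'; i++; }
      else if (ch === '"' || ch === "'" || ch === '`') { state = 'string'; quote = ch; }
    } else if (state === 'line') {
      if (ch === '\n') state = 'code';
    } else if (state === 'block') {
      if (ch === '*' && next === '/') { state = 'code'; i++; }
    } else {
      // Inside a string literal: skip escaped characters, close on the quote.
      if (ch === '\\') { if (next === '\n') line++; i++; }
      else if (ch === quote) state = 'code';
      else if (ch === '\n' && quote !== '`') state = 'code'; // unterminated literal
    }
    if (ch === '\n') line++;
  }
  return hits;
}

// Turn the hits into a triage verdict. A string or code hit is not proof of
// data transmission (in a content blocker it is usually a filter rule); it
// only means a person has to read that line before any rejection is sent.
function triage(source, needle) {
  const hits = classifyHits(source, needle);
  const counts = { comment: 0, string: 0, code: 0 };
  for (const h of hits) counts[h.context]++;
  let verdict = 'needs-human-review';
  if (hits.length === 0) verdict = 'clean';
  else if (counts.string + counts.code === 0) verdict = 'comment-only';
  return { naive: naiveFlag(source, needle), counts, verdict, hits };
}

// Constructed sample: the domain appears only in comments.
const COMMENT_ONLY = [
  '// Neutralizes scripts loaded from pagead2.googlesyndication.com',
  '/* see also:',
  '   https://pagead2.googlesyndication.com/ (documentation reference) */',
  'export const noop = () => {};',
].join('\n');

// Constructed sample: the domain also appears in a string literal, after a
// "//" that a naive comment stripper would mistake for a comment start.
const MIXED = [
  '// talks to pagead2.googlesyndication.com',
  'const u = "https://pagead2.googlesyndication.com/collect";',
  'fetch(u);',
].join('\n');

console.log(triage(COMMENT_ONLY, NEEDLE).verdict, triage(MIXED, NEEDLE).verdict);
```
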


Why does lying about manual review seem so commonplace?

For example, during basically any YouTube copyright or moderation controversy, there is always "manual review" of videos that have obviously been caught in automated systems that in case of actual manual review, would be cleared of problems by any reasonable human.


Maybe "manual review" here is that someone "manually" runs the automation tool for that specific entity.

Absolutely. But: I don't think anybody is saying that high profile extensions should receive less scrutiny?

For high-profile extensions, the impact is higher for both false negatives and false positives. So they should receive more attention.

I do not know anything about Mozilla's internal procedures regarding add-on approvals. However, for a high profile extension like uBO/uBO Lite... it should either require multiple reviewers, or maybe just an escalation to a senior reviewer or something. You should never be a single human error away from a high impact mistake.

Maybe they do that already, I dunno. But it seems hard for me to believe that multiple people approved uBO Lite's yoinking.

Extensions are SUCH a crucial part of FF's appeal. And uBO/uBO is arguably the most important of them all.


> I find Mozilla's process to be quite reassuring

The fact that a review process exists might be reassuring, but the way they went about it surely isn’t.

https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco...


Mozilla has the capability to handle compromised addons; this whole mess happened because they wiped out every version of uBOL except for the earliest one.

They just haven't used that capability responsibly... Yet.


There is a difference between questioning if a review process should exist for the official addon index and questioning if the implementation is any good.

You address the former when it seems like the issue is the latter.


What's reassuring about the lack of basic competence? Why would you think such people/processes will help catch the types of issues mentioned in the Chrome link?

If you want another example of difficulty with the AMO review process: https://github.com/adam-p/markdown-here/issues/21

And that's just one of the examples; another resulted in me having to add a preprocessor that removes code at build-time, which was annoying. I like Firefox, but it wasn't always easy to justify the effort.


Curious why Firefox doesn’t just start incorporating uBlock into the browser? Make it a standard feature that comes pre-installed… but maybe not automatically enabled? Thoughts?

Mozilla has been trying to become an ad company for a while now. A built-in ad blocker would mess that up for them.

Have they? I haven't seen this. They have a lot of tracking protection built in, but no ad blocker. I'm not doubting you, I just haven't seen any action or posts on their part about this.

They developed Privacy Preserving Attribution with Facebook to collect data from browsers. It's enabled by default in fresh Firefox installs. They also acquired an advertisement subsidiary, Anonym, earlier this year. So when Mozilla makes a statement about advertisements, it's worth a little extra scrutiny.

You get sponsored content in the new tab page by default.

So many people in this comment thread commenting stuff like this, that it should be included, it's the only reason to use Firefox, etc. Meanwhile I use Firefox every day at work without uBlock Origin or any other ad blockers, and it's perfectly fine. Why do you think they should it?

Tangentially has anyone else noticed chrome extensions management page now saying uBlock Origin will soon be disabled and to please find a replacement?

The replacement is Brave browser https://brave.com/. Skip the crypto. Enjoy the integrated ad blocking.

Yep. Fuck Google, I won’t use a desktop browser without it.

I wouldn't use a mobile browser without it either.

Wish I could say the same but that would require using an OS by Google... we can't win :P

Luckily there are other good options on the iOS front but I wish uBO was one of them.


I'd hoped Google sabotaging uBlock Origin would be an opportunity for Mozilla to pick up some new users for Firefox. Lol.

One of Firefox's values is uBlock origin for its users yet not for Mozilla's money train Google and others.

With uBlock, pop up blocker extensions and Mac Minis connected to my TVs (wireless mouse as remote) I have totally ad free Internet experience; every site there is & from my couch or in my rooms.


Mozilla is an absolute joke of an organization, and it's tragic that they are still the primary alternative to Google having a total monopoly on browsers. I suppose you shouldn't expect much from a company that is just there to maintain a facade to fend off regulators.

We're at a really dangerous point with browsers at the moment where there's really no consumer-friendly option available.

I'm scared to say that Safari comes closest but you're just in Apple's walled garden then instead of someone else's.

Our only hope seems to lie with Ladybird, if that even ends up being good and it seems extensions aren't on the agenda at least for a while.


The issue is bigger than that. The web standards process relies on two independent implementations for something to become a web standard. This just about works when there are three big players, but if Mozilla drops out, then it’s just Google and Apple arguing. It’s bad enough that two out of the three rendering engines that participate in the web standards process are funded by Google. We really need another independent rendering engine to step up. Hopefully Ladybird will get some traction.

Less churn in web standards would be a good thing though.

I'd say we're past that point. Less than 5% of global users (and going down) and NO mobile presence at all. The newer generation of devs and power users won't even care.

You're absolutely right, but I'm trying to retain a shred of optimism, especially with a high amount of focus and interest on this area lately with projects like Ladybird and even new Gopher and Gemini clients.

If the vast majority of endusers want to live in the moat, I can't stop them, but at least I'd like an alternative to explore interesting content even if my bank, etc will never support it.

At least banks are regulated enough that I don't expect their websites to be running full-page video ads anytime soon.


It's past time to give up on Mozilla.

I told our dev teams to not even bother testing because, on our b2b site, Firefox usage was under 0.01%. That is not a typo. I can't spend dev time on that.

They're doing the same, and now playing VC, an industry at which they have no apparent expertise.


Have you heard of Brave? It's a great browser with a built-in ad blocker founded by Brendan Eich, one of the co-founders of Mozilla and the creator of Javascript. I'm not a shill, I swear - I just think it's a great initiative that should be more well known than it is.

Brave is Chromium/Chrome.

Every browser alternative you can reasonably choose today is going to be either Blink (Chromium-based) or Gecko (Firefox-based). And then you have WebKit (Safari).

Ladybird, Flow and Dillo are really the only true alternative browsers in active development other than a few others running on niche operating systems (to which I'm throwing in all of the DOS browsers...).


But... ublock is like the main reason I use FF

ublock origin is still available in the Firefox add-on store.

The developer has pulled the 'lite' version, which is developed mainly for Chrome because Google killed some APIs the full version was using.


You can continue to use Ublock Origin, which uses the v2 manifest.

The delisted extension, Ublock Origin lite, is a v3 manifest plugin. Apparently it was created to address chrome blocking the v2 extension, but you can continue to use the v2 extension on Firefox


uBlock Origin 1.60 for desktop (not lite) has also been stuck in Mozilla review for a week now. On the firefox add-on site it is still 1.59 which doesn't really work for common things like youtube.

The sooner people realize Mozilla is not your friend, the better. They’ve been compromised by the Google money. Want an alternative to Chromium? Go support Servo or Ladybird, Firefox can’t be saved.

Neither of those work with ublock. I'd sooner disconnect from the net than not use ublock. (Same reason i don't use qutebrowser.)

I like SeaMonkey, it works with a legacy version of ublock. It's like using firefox back when it didn't suck.


Blink is to Servo what Chromium is to Firefox.

Supporting Servo on its own doesn't really move the needle a whole lot if it's missing all of the rest of the bits that make a comprehensive browser.

Firefox is already using Servo (at least in the form of Quantum) under the hood and is still the best option available to prevent more of a complete Blink monoculture than already exists with every other major browser being Blink-based or some reskin/fork of Chromium


This used to be true. The Servo project is actually building a full browser, now.

https://servo.org/blog/2024/09/11/building-browser/


Seems a bit extremist. I get being mad at microsoft for trying to charge for their software (gasp). I also get being mad at Chrome for trying to monetize their software (gasp) with ads. But now if you somehow get upset at Mozilla, it's more likely that you are the problem.

According to your argument, if Gorhill gets upset at Mozilla, then Gorhill is the problem? Who is the extremist here?

That's obtuse, I'm talking about users.

Is it even possible to connect to the public Internet in a way that isn’t completely compromised by a corporation or state?

TOR is busted at this point

DNS have been MITMed

Almost all hosts are under the control of a few players who are compelled by their respective states for ubiquitous and server monitoring

Any advertised IP has to have tons of routing info and local pointers so local hosting is just as risky if not more

What are the remaining options for a free (as in speech) internet?


Nostr.

Technically intriguing, but the people involved don't inspire the slightest trust.

https://archive.ph/TLwch

( https://www.businessinsider.com/jack-dorsey-fiatjaf-nostr-do... )


Thanks I’ve heard of this but hadn’t looked too hard

FWIW, I've seen Firefox being unreasonable to other extensions as well — OldTwitter has been gone for a while and BlueBlocker has been trying to push an update to change the domain from Twitter to X for a while with no success...

If you would group those woes by type of addon, I guess there is "irrelevant" and "a world of pain for those threatening Google ad revenues"... the hand that feeds.

It’s not only that, Firefox also forces you to use the Developer edition (which updates about daily, FORCING you to restart it) if you want to install extensions that aren’t signed by Mozilla (e.g. your own).

This behavior reminds me of Apple. They say it’s for security (where have I heard that before), yet Chrome doesn’t seem to need such a restriction.

To me it seems like another step in many of Mozilla’s enshittification.


I am pretty sure Chrome has also added the forced restart for a bit now. It might not show up right after the update, but it doesn't take long. I don't remember if it was straightforward, or just crashed new tabs.

You don't have to use the developer edition to run unsigned addons; you can use the ESR version or nightly as well.

A first effect of Mozilla's new "focus on AI"...

Apparently, as the article says, the lite version is the recommended one by the author to be used

The article is misleading. The lite version is recommended on chrome because very soon the non lite version will stop working.

It doesn't apply to firefox.


Recommended for Chrome. I'm not sure why anyone would want this for Firefox.

It's lighter on resources and requires less permissions (so it's more private).

manifest v3 is not as bad idea as some people are saying


It seems like customer service/PR/UX has really taken a nosedive since the start of COVID or maybe 2022. The pendulum seems to be swinging from "the customer is always right" to "give me your money, shut the fuck up, and go away until I want your money again."

Gorhill threw in the towel on uBOL after dealing with repeated bullshit from Mozilla, from the sounds of it. Multiple reviews, multiple people not understanding what the most famous FF extension in the world does, multiple appeals.

Personally, in just the past month, USPS has dropped active email conversations twice; a vendor I use often at work has disabled important web pages and there's utter silence from their support email; Verizon is deprecating their messaging app in a month and I learned this through reddit; and my bank returned a canned response to an issue I raised two months ago.

I remember a comment on this site from several months ago from someone who worked in customer service who shared a list of things that deprioritize you in a company's eyes, but it sounded like if you express the least bit of frustration at a bad experience, it goes on your permanent record. Companies, however, are allowed to shaft you however they please.


I wish we could add PPAs to browsers just like we can in Debian/Ubuntu.

Maybe the EU should look into this, and also allow the users to "weaken" their security in order to continue using Manifest Version 2.


Mozilla just can't help themselves, can they? Seriously, once Google is broken up and their donations to Mozilla stop, I won't be sad when Mozilla is forced to shut down.

These "lapses in judgement" are driven by Mozilla's brass representing the desires of their real masters. A post-Google Mozilla may be smaller, but I bet Firefox would be better and more popular.

I wish they'd get smaller first, build up a fund so they could literally just invest in the stock market and run indefinitely off the returns, and only then go Google-free. That would be a more permanent solution.

That sounds like it'd make less money for the CEO, why would they be interested in that?

Mozilla no longer does what is good for Firefox.


Yeah, I think getting sold to a company like Proton AG would be the better outcome for Firefox.

I hope so, but I wouldn't count on it.

Honestly, we aren't missing much by a Manifest v3 uBlock Origin Lite extension going away on Firefox, because Firefox is still compatible with v2, so realistically we wouldn't have any use for it.

Nevertheless, it still is a sucky situation.


We need an industry movement of just saying no to app stores.

Those don’t seem like unreasonable asks on Moz side

I'm glad he put it back up, I for one use it knowing that it's saving me battery on my phone and it works quite well.

This is why app stores / extension stores are simply an antipattern. The intent is to make usability easier, but it's actually useful functionality.

Get rid of the app and extension stores and let users just install software they find on the internet. Safe and secure software is found on websites dedicated to reviewing them, like the Freshmeat of old, Tucows, etc.


Oof. I get gorhill is pissed about the whole thing, but, this feels like cutting off your nose to spite your face. It's going to be much trickier for people to get uBO Lite onto their Firefox for Android installations now, or even if they can, they might just not bother.

And, while I suppose gorhill could make the case that he's protesting this egregious process on behalf of the little guy, the fact is, he's not the little guy as far as Firefox add-ons go. uBO was one of the first (if not the first) 3rd-party addon to be offered as part of Firefox for Android after Mozilla's reorg started rolling out. He clearly has Mozilla's attention. I'm not sure what he gains from continued intransigence offers after Mozilla admits their mistake and apologizes.


> It's going to be much trickier for people to get uBO Lite onto their Firefox for Android installations now, or even if they can, they might just not bother.

Why would they bother? Firefox - Android or desktop - runs full/regular uBo just fine.


> Why would they bother? Firefox - Android or desktop - runs full/regular uBo just fine.

gorhill himself stated[0]:

> This is unfortunate because despite uBOL being more limited than uBO, there were people who preferred the Lite approach of uBOL, which was designed from the ground up to be an efficient suspendable extension, thus a good match for Firefox for Android.

[0] https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco...


He gains by not having to interact with them for UBOL.

When you waste people's time sometimes an apology is not enough for them to want to continue to work with you ...


An outlook like that will really limit who you work with in the future. I don't know anyone, corp or otherwise, that doesn't mess up from time to time. What matters is the acknowledgement of the mistake and taking steps to rectify it.

IMO, as much as I highly respect his products, the dev pulled a hissy fit over a mistake.


The unpaid dev who produces something of value to users of Firefox. Removing the addon doesn't hurt him, and may hurt Firefox if people switch to Brave over this. Mozilla need to make changes to their review process or risk losing users.

So, half of what you say matters seems to be missing.

They restored his extension (until he removed it again), what more do the Mozilla-haters want?

An apology, a post mortem, and lessons learned and implemented so it doesn’t happen again.

> I'm not sure what he gains from continued intransigence offers after Mozilla admits their mistake and apologizes.

What would he gain from submission to Mozilla? Either way he gains $0 for all the work he's done to improve the Internet for millions of people.


He gains Mozilla's distribution model and audience, which allows users of Firefox to download add-ons from their browser's UI and updates automatically, rather than having to manually pull an extension file from a Github page for each new release and install it.

That's a long-winded way to say $0

You gain $0 for uploading your Linux package to yum/apt/dnf as well, but you recognize that there's value in being able to install such packages easily through a well-curated repository, no?

Well you, the programmer, usually don't upload it. Some package maintainer does it since they want your software and ideally they should handle the bug reports for their package as well.

Time and effort are usually considered to be worth some amount of money.

Time and effort is what he spends, $0 is what he gains.

> allows users of Firefox to download add-ons from their browser's UI and updates automatically, rather than having to manually pull an extension file from a Github page for each new release and install it.

Only because Mozilla is gatekeeping that away otherwise.


For extensions which have full access to all websites, I appreciate that. That is one of the main reasons for ManifestV3 because not all extensions can be reviewed.

I agree with one exception:

> [...] and audience [...]

If you take into account the small market share of Firefox and the even smaller percentage of Firefox users needing uBOL, then "audience" isn't anything important in this case. Perhaps this whole story will increase popularity of uBOL more...


[flagged]


True, I never thought about it that way.

/thread

[flagged]


Generally, yes: follow the money.

But that does not mean that random errors can be always attributed to malice or financial interests.

You think that's how Mozilla would kiss up to Google? "Hey, we disabled an ad-blocking extension (although not its more popular and powerful big brother) for half a day! And then we put it back up!"

If I'm Google, that is not really thrilling me or making an impact.

Also, the Google/Mozilla relationship goes both ways. Mozilla is dependent on Google for cash, which I absolutely dislike.

However, Google also needs Mozilla as a hedge against antitrust claims. From an antitrust standpoint the ideal situation for Google is that Google continues to fund Mozilla, and Mozilla continues to allow ad-blocking (looks good to regulators) while continuing to have a tiny market share (so that FF's uBlock users don't actually have much of an impact on Google's advertising biz)


[flagged]


> They had no idea that uBlock Lite was the most popular ad blocker for Firefox.

Did I miss anything? Unless you really care about resource usage (on mobile, perhaps), there's hardly any reason to use uBlock Origin Lite on Firefox. It exists because of Chrome.


How is that at all relevant here? Google doesn't have this same review process for Chrome?

If it does, that only strengthens the point.

Another Mozilla classic...

From the article:

> uBlock Origin Lite is a Manifest V3-compatible version of the content blocker. It is less powerful, but since Google is disabling Manifest V2 support in Chrome, it is what will remain from uBlock Origin for Chromium-based browsers.

> Does it affect uBlock Origin? The core extension remains available for Firefox. Unlike Google Chrome, Firefox will continue to support Manifest V2 extensions. Mozilla has not flagged this extension or disabled it.

But somehow it is Mozilla who is the bad guy not Chromium-based browsers.


This story is about Mozilla removing the Lite/Manifest v3 version from Firefox's extensions; this has nothing to do with Chromium.

Now why does such a version even exist when the "normal" uBlock Origin is available on Firefox, I don't know. But there's no question it was a mistake by Mozilla. Mistakes do happen, I'm just explaining why it's only related to Mozilla's actions here.


To be clear, the complaint is not about Manifest V2 vs. Manifest V3 (which is of course its own can of nonsense), but about Mozilla's review:

> Mozilla says that it has reviewed the extension and found violations. The following claims were made:

> The extension is not asking for consent for data collecting.

> The extension contains "minified, concatenated or otherwise machine-generated code".

> There is no privacy policy.

The article points out that all three points are false, and this, or—I'll go ahead and trust the author of an extension I rely on heavily—what the author says:

> In a follow-up, Hill criticized the "nonsensical and hostile review process" that put added burden on developers. Mozilla disabled all versions of the extension except for the very first one. It still flagged the extension for the very same reasons, but nevertheless decided to keep the outdated version up.

is what makes Mozilla the bad guy here. (It also says Mozilla restored the extension a few days later, which is better than doubling down but, of course, worse than not making the ridiculous error in the first place.)


The article seemed to highlight the inconsistencies or errors in the plugin review process which puts undue burden on developers trying to add value to the ecosystem. It was not about the differences in Manifest v2/3 and the issues with Chrome, though this was mentioned and is the reason why the 'Lite' version of uBlock Origin exists in the first place.

tl;dr - continue using Firefox and installing uBlock Origin. If you develop Firefox plugins for distribution through their official channel beware the review process I guess.


I mean, those are _completely_ separate issues? People can be mad at Google/Chrome about Manifest V3, whilst also being mad at Mozilla/Firefox for randomly flagging UBOL with bullshit reasons.

> But somehow it is Mozilla who is the bad guy

Sounds like it, yeah.

> not Chromium-based browsers.

Nobody said that.


I think this is bad for the general population. Chrome is already planning to disable uBlock Origin and many folks I know were ready to move browsers to Firefox to keep uBlock functionality. Now if uBlock is removed from Firefox extension store as well, there is no clear path to execute it from Github on managed machines. Sure if you are a developer and have admin rights, you can get it to work on Firefox, but a lot of people don't.

Per the article, uBlock Origin is still in the Firefox store at https://addons.mozilla.org/en-US/firefox/addon/ublock-origin... ; it's the lighter MV3-based uBlock Origin Lite that was removed. So the general population can continue to use the full Origin.

And because the original non-lite uBlock Origin supports much more complicated rulesets, it should be effective even without code updates... but it still is concerning that the same Mozilla errors that caused Origin Lite to be flagged might extend to time-sensitive updates to the original Origin as well.


Mozilla decided at some point to kill extensions - whether following Google Chrome or of its own volition. It took an axe to its ecosystem by disabling the loading of anything external other than WebExtensions - and note that it's just an artificial disabling, as internally, Firefox is still basically some bundled "extensions" over a C++ core.

And now there's the "manifest v3" change, and making people jump through hoops to be on AMO.

This is very sad, almost as much as the internal governance over there.


So Mozilla goofed, apologised of their own accord and corrected the mistake? And in response this dev is throwing his toys out of the pram? Do I read this right?

You do not read this right. Mozilla goofed, then goofed again, then again, then again, then again, then the developer got fed up of having every single version reviewed incorrectly and pulled it, then Mozilla apologised.

I'd do exactly the same thing.


I can see how having to jump pointless bureaucratic hoops in a volunteer project can cause throwing out toys.

Yeah, it's kind of wild to see the general reaction to this being "the developer is being unreasonable".

It's like... I, too, find it burdensome for a review that claims to be "manual" to suddenly flag a file my code has been utilizing for years, and puts the onus on me to refute its findings. Not only is it trying to prove a negative, it's ridiculous that an unchanged file needs re-review for things like "is it minified?".

As far as I can see, there are errors here and they are ALL on Mozilla's side. Better training, maybe, but probably just stop lying that a manual review has happened when it hasn't. And then, when you have whatever semi-automated review is being done flag a thing, then actually have a human review it. And, since that would be a firehose, implement simple standards to filter out spam and publish those standards - and what effect each infraction will have on the review process, including steps for remedy. Make them able to be completed as automatically as possible for the developers, so that you don't have to manually review, again. If it's a minification issue, require the devs to re-upload non-minified versions, check it automatically, and then allow the publish.

I'm being simplistic and flip, but a reasonable generalization is just that bureaucracy should be imposed on the implementers of the bureaucracy, not the people who are trying to engage with it.


What pointless hoops? The extension was restored.

After pointless hoops. And the process seems to involve pointless hoops even when the review is not rejected.

https://github.com/uBlockOrigin/uBOL-home/issues/197


Again, what pointless hoops?

> After re-reviewing your extension, we have determined that the previous decision was incorrect and based on that determination, we have restored your add-on.


When Mozilla is being gifted enormous amounts of free labor, they should be more careful with the donor.

First came Netscape and all was good. Then came Internet Explorer, but apparently bundling a web browser with an operating system was bad, ok. Then came Google's Chrome trying to profit from a web browser with ads, and that was deemed 'bad' again. Then it was not sufficient for the browser manufacturers to push no ads, but the consumer demands that the browser block ads from websites. Now the browser developer and the third party ad blocker have some fight over who gets to serve clients that not only don't pay, but don't want advertisers to foot the bill either.

I have no sympathy for users that don't want to pay for software, or for developers that cater to that demographic. Enjoy fighting for crumbs.

Sent from Microsoft Edge.


Nobody is forcing you to put your website on the open internet, you're doing it because you're making a value judgement about how much money you can make by not closing or paywalling your system. Nobody cares what your business model is (that's your business and your decision barring illegality), and if it's not working for you, you should change it or shut down. Why should anyone have any sympathy for you?


