Mandatory extension signing in Firefox

Postby Magnusmaster » 2015-02-12 04:42

Mozilla will soon require ALL Firefox extensions to be checked and signed by Mozilla for "security reasons".

https://blog.mozilla.org/addons/2015/02 ... xperience/

Here’s how it will work:

  • Extensions that are submitted for hosting on AMO and pass review will be automatically signed. We will also automatically sign the latest reviewed version of all currently listed extensions.
  • Extension files that aren’t hosted on AMO will have to be submitted to AMO for signing. Developers will need to create accounts and a listing for their extension, which will not be public. These files will go through an automated review process and sent back signed if all checks pass. If an add-on doesn’t pass the automated tests, the developer will have the option to request the add-on to be manually checked by our review team. A full review option will also be available for non-AMO add-ons, explained further ahead.
  • For extensions that will never be publicly distributed and will never leave an internal network, there will be a third option. We’ll have more details available on this in the near future.
  • There will be a transition period of two release cycles (12 weeks total) during which unsigned extensions will only generate a warning in Firefox.
  • After the transition period, it will not be possible to install unsigned extensions in Release or Beta versions of Firefox. There won’t be any preferences or command line options to disable this.
  • Installation of unsigned extensions will still be possible on Nightly and Developer Edition, as well as special, unbranded builds of Release and Beta that will be available mainly for developers testing their extensions.

All Firefox extensions are affected by this change, including extensions built with the Add-ons SDK. Other add-on types like themes and dictionaries will not require signing and continue to install and work normally. Signature verification will be limited to Firefox, and there are no plans to implement this in Thunderbird or SeaMonkey at the moment.


I hope the Debian devs add an option to allow running unsigned extensions in Iceweasel...
Magnusmaster
 
Posts: 168
Joined: 2010-06-12 22:50

Re: Mandatory extension signing in Firefox

Postby emariz » 2015-02-12 21:39

Why would you run an unsigned extension?
emariz
 
Posts: 2923
Joined: 2008-10-17 07:59

Re: Mandatory extension signing in Firefox

Postby aicardi » 2015-02-12 22:11

emariz wrote: Why would you run an unsigned extension?

+1
Jessie/Xfce
aicardi
 
Posts: 388
Joined: 2009-11-18 01:30
Location: Chicago

Re: Mandatory extension signing in Firefox

Postby Magnusmaster » 2015-02-13 00:11

Why would you run an unsigned extension?


Maybe because the extension is unmaintained and wasn't signed by Mozilla (there are one or two which I'm not sure will be signed because they are no longer in development and I would like to keep using them), or for some reason Mozilla refuses to sign it. Keep in mind that only extensions signed by Mozilla will work, this is a walled garden we are talking about.
Magnusmaster
 
Posts: 168
Joined: 2010-06-12 22:50

Re: Mandatory extension signing in Firefox

Postby emariz » 2015-02-13 01:23

Magnusmaster wrote: Maybe because the extension is unmaintained and wasn't signed by Mozilla (there are one or two which I'm not sure will be signed because they are no longer in development and I would like to keep using them), or for some reason Mozilla refuses to sign it. Keep in mind that only extensions signed by Mozilla will work, this is a walled garden we are talking about.

Why would you run an unmaintained extension?

I would not install an unmaintained extension, even less an unsigned unmaintained one. But I guess that there might be very specific cases where a no-longer-maintained-yet-trustworthy-and-working extension exists. An extension that might become unusable in the next API change, anyway.

I fail to see the conspiracy within Mozilla that you implied. But I have been using Firefox for about twelve years, and if I had to choose between Mozilla and the developer of an obscure extension, I would pick the former any day.
emariz
 
Posts: 2923
Joined: 2008-10-17 07:59

Re: Mandatory extension signing in Firefox

Postby robert-e » 2015-02-13 02:30

All well and good...but Linux is about choice (lack of choice is why I left Microsoft OS). By all means, Mozilla should protect some users from themselves, but do it by DIRE WARNINGS if an unsigned addon is about to be installed, and make it very difficult to do so, but at the end it should be the user's choice. If I should override after sufficient warnings then it is all on me. That said, I do not like paternalistic attitudes on the part of any software dev, Mozilla included.

My .02 and enough said.

Regards,
Bob
robert-e
 
Posts: 44
Joined: 2011-12-09 21:29

Re: Mandatory extension signing in Firefox

Postby swirler » 2015-03-14 22:22

robert-e wrote: but at the end it should be the user's choice. If I should override after sufficient warnings then it is all on me. That said, I do not like paternalistic attitudes on the part of any software dev, Mozilla included.


Right on. There are (and will probably be more) very good extensions no longer hosted on Mozilla servers because their authors could not/would not cope with Firefox's faster release cycles; it should therefore be my choice whether to trust them anyways and force installation or not.
They can put a warning (and rightly so) but they can't put in place mechanisms that I can't override if I wish so; after all it's my installation of an open-source browser - that's how it works.
If I liked to be told what I can and cannot do, I would be using other software.
swirler
 
Posts: 166
Joined: 2013-11-24 11:19

Re: Mandatory extension signing in Firefox

Postby edbarx » 2015-03-15 07:22

This is symptomatic of the same disease: the attitude that the 'experts' know better than the user, whoever that happens to be. Unfortunately, it reminds me of the infamous Inquisition, which used torture and force to convert people, so that they do what the Inquisition defined as good. Here, the 'good deed' is what the experts want, or bluntly put, what their sponsors, explicit or hidden, want. The reason behind all this is no conspiracy, but monetary profit by faceless companies. Big companies are pushing to increase their profits even more, and the victim is choice and all those who found refuge in it.

Paternalism reminds me of totalitarian states like those that existed in Europe during the past century. They are a shame to all humanity, but it seems they are returning back under a friendly looking face with a benevolent attitude.

Sad, but it seems to agree with reality. :(
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.
edbarx
 
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E

Re: Mandatory extension signing in Firefox

Postby swirler » 2015-05-29 08:44

Apparently they are also thinking about alternatives for developers; the main one seems to be what they call "unbranded builds", which by default will accept unsigned addons.
Someone also suggested other alternatives, such as creating a signing key for your unsigned addons and then importing this key into the browser.
swirler
 
Posts: 166
Joined: 2013-11-24 11:19

Re: Mandatory extension signing in Firefox

Postby mikg » 2015-05-31 14:09

+1 for a warning but free choice without jumping through hoops
mikg
 
Posts: 1
Joined: 2015-05-31 13:04

Re: Mandatory extension signing in Firefox

Postby TeknoBug » 2015-06-03 21:57

Good, Chrome has too many unsafe extensions and it's a step ahead for Mozilla since Google has been doing things to Chrome to make life more difficult.
Linux user since 1995, Debian user since 1998
TeknoBug
 
Posts: 2
Joined: 2015-06-03 21:48

Re: Mandatory extension signing in Firefox

Postby jidanni » 2015-08-30 03:25

I live in the remote mountains.
I want to use the bank online ATM.
Luckily in ICEWEASEL 42 I was able to turn off xpinstall.signatures.required.
Otherwise I wouldn't be able to live on my remote mountain.
No, it won't be anytime soon before the bank hires somebody to update their Linux stuff.
jidanni
 
Posts: 1
Joined: 2015-08-30 02:24
Location: Taiwan
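
Added example, not part of the post above and not Mozilla or Debian code: a check an administrator could run over a directory of browser profiles to find the ones where `xpinstall.signatures.required`, the preference named in the post, has been set to false. The function names and the sample profiles are constructed for illustration; the script assumes the `user_pref("name", value);` line format of prefs.js and user.js and treats an unset preference as enforced.

```python
import re
import tempfile
from pathlib import Path

PREF = "xpinstall.signatures.required"
# A prefs.js / user.js line looks like: user_pref("name", value);
LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(path, name):
    """Return the last value assigned to `name` in one prefs file, or None."""
    value = None
    if path.is_file():
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            m = LINE.match(line)  # commented-out lines (// ...) do not match
            if m and m.group(1) == name:
                value = m.group(2)
    return value

def signing_enforced(profile_dir):
    """False only if the profile explicitly sets the pref to false."""
    # user.js is applied over prefs.js at startup, so check it first.
    # Assumption: an unset pref means the build default (enforced).
    for fname in ("user.js", "prefs.js"):
        value = read_pref(Path(profile_dir) / fname, PREF)
        if value is not None:
            return value.lower() != "false"
    return True

def audit(root):
    """Map each profile directory under `root` to its enforcement state."""
    return {p.name: signing_enforced(p) for p in sorted(Path(root).iterdir()) if p.is_dir()}

def demo():
    # Constructed sample profiles, not taken from a real system.
    root = Path(tempfile.mkdtemp())
    samples = {
        "default": {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
        "banking": {"prefs.js": f'user_pref("{PREF}", false);\n'},
        "restored": {"prefs.js": f'user_pref("{PREF}", false);\n',
                     "user.js": f'// user_pref("{PREF}", false);\n'
                                f'user_pref("{PREF}", true);\n'},
    }
    for name, files in samples.items():
        (root / name).mkdir()
        for fname, text in files.items():
            (root / name / fname).write_text(text, encoding="utf-8")
    return audit(root)

if __name__ == "__main__": print(demo())
```

Pass the directory that holds the profiles to `audit()`; any profile mapped to `False` has the signature check switched off and is worth reviewing together with the extensions installed in it.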

Re: Mandatory extension signing in Firefox

Postby millpond » 2015-08-30 05:31

I stopped updating Firefox when they kept deprecating my extensions.
I have v22 for 'safe' browsing, and v34 for when I'm adventurous.
millpond
 
Posts: 658
Joined: 2014-06-25 04:56

