It's very annoying you have to submit your extension to gatekeepers to even distribute them to normal users. As gorhill said on GitHub it took days for a self-hosted version to be approved - that's unacceptable. Imagine you would need approval from Microsoft to distribute software. Not even Android is this closed. Enforcing signatures and removing XUL were the worst things Mozilla has ever done. And yes, Google does the same and it's even worse there but this it to be expected from them, but not from Mozilla.
Nah, XUL had to go. The other stuff wasn't really related. It was a more "if we are going to break most extensions we may as well use this time to push everything else we want". If anything XUL is a scapegoat.
I know because I maintained VimFx for a while after the XUL removal. It was difficult to keep up with internal APIs that are changing, but I can't blame them, they need to develop their product. The thing that really made me give up on maintaining VimFx was the signing enforcement. They just keep tightening the screws so that I couldn't even run "my own" code with any reasonable UX.
What I would have like to have seen:
1. Provide WebExtensions as the recommended way to do things with some compatibility and deprecation guarantees.
2. Stop caring about compatibility of other APIs.
3. Still allow outside "full access" extensions that use those internal APIs. You can give warnings in the store "this extensions uses unsupported APIs and may break at any time and steal all of your personal data" and make the install button bright red but still allow it.
4. Keep supporting self-distributed extensions with developer managed signing keys and update URLs.
Since there are no compatibility guarantees on these APIs it wouldn't have been much extra work. Just a bit of UX work to add scary warnings and maintenance of the non-store update code.
> 4. Keep supporting self-distributed extensions with developer managed signing keys and update URLs.
Mozilla followed the big corps in the 'store' model, instead of keeping it open free-form. We might have a viable developer certification trust system by now, but with that too, only the corps have enforced signing systems (that are closed and fragmented.)
> We might have a viable developer certification trust system by now
Don't we already have that system, in the form of distributions? More specifically, I'm thinking of something like Ubuntu's PPA system, where each developer publishes their packages with their own signing key.
> Imagine you would need approval from Microsoft to distribute software.
You mean like how you need permission to distribute software on MacOS/iOS? More and more platforms are moving in this direction and I wouldn't be surprised if Windows goes the same way in the future.
You don't need permission from Apple to distribute macOS software. Your users will just see a warning dialog when they try and run it for the first time and have to go to System Settings to allow it to run[0]. If you want to avoid this, you have to pay the $99 USD per year to join the Apple Developer Program, codesign your software with the certificate they give you, and submit it for notarization (which for macOS is a fully-automated security and malware review, unlike iOS notarization which is basically App Store review). It's not ideal (many open-source projects don't want to spend $99 USD per year, and it does tie the software to your real name), but it's not like iOS.
>More and more platforms are moving in this direction and I wouldn't be surprised if Windows goes the same way in the future.
I think MS has already tried this several times, such as with Windows RT and the Windows store. It never caught on, and they pissed off the independent software vendors who make the Windows ecosystem valuable in the first place. Maybe they just didn't push it hard enough; maybe they could have just forced everyone to use it anyway, and maybe it would have worked because what are Windows users going to do, switch to Linux or Mac? But maybe the real danger was that users simply wouldn't upgrade to the new locked-down Windows in the first place and just stick with older versions forever, which is something they've been doing all along (look how mad people were when they finally killed XP).
This is simply not true. I've been using unsigned extensions for years. You drag-drop a zip file into the extensions window and it will let you install it.
I looked at this just a few months as I have a few extensions with some very me-specific stuff that I don't really need/want to distribute – it's just not going to be useful for anyone except me. I couldn't find a good way to permanently install an unsigned or self-signed extension.
You can temporarily add unsigned extensions in about:debugging, but those are lost on restarts, which is pretty annoying. I used this for a while until I got fed up and tried to find a better way.
"Unbranded" Firefox builds allow adding unsigned extensions, but then I need to either 1) compile my own Firefox, or 2) Use "Firefox Developer Edition", which is mostly just the same as regular Firefox but based on beta versions (I'd rather just use release versions). Neither really appeals to me.
So my solution now is to just create "unlisted" extensions and sign them with the web-ext CLI. It works and it's not entirely horrible, but it's a lot more hassle than I'd like.
And the requirement for extensions to be signed is fine; I have no problem with that. But it should allow adding my own signing key. Or something.
I kind of get why Mozilla is so restrictive about this; with banking and credit card stuff and whatnot all being browser-based, adding an extension is basically giving the keys to the castle. I can see some support scammer instructing someone to add some malicious signing key. But there does need to be some limit to how much we protect people from themselves, because at some point you just start making life hard for regular users.
> So my solution now is to just create "unlisted" extensions and sign them with the web-ext CLI. It works and it's not entirely horrible, but it's a lot more hassle than I'd like.
Wait. web-ext allows the signing of arbitrary extensions without review? Wouldn't that defeat the purpose Mozilla is sacrificing technical users for?
While I didn't come across web-ext, I also tried my hand at working around firefox's limitations for my own extensions, but eventually decided it would be easier to give up and switch to a chrome-based browser instead. To this day, I still don't understand the "significant" threat that Mozilla sees (and other browser vendors apparently don't) that warrants such heavy-handed Apple-esque control over their users' ability to control their browser. Whatever it is, I no longer care.
> web-ext allows the signing of arbitrary extensions without review? Wouldn't that defeat the purpose Mozilla is sacrificing technical users for?
It takes about ten minutes to sign, and only seems like it uses automatic checks. I do get an email that "any extension may be reviewed by a human at any time".
I don't know if it matters that it's unlisted, or that they're all very simple extensions with very limited permissions. I'm not an expert on any of this and I've never published a public extension; I just have a few for my own use. But it does seem that they apply some heuristic to determine what is worth reviewing and what isn't.
> To this day, I still don't understand the "significant" threat that Mozilla sees (and other browser vendors apparently don't) that warrants such heavy-handed Apple-esque control over their users' ability to control their browser.
There are support scammers and such that will phone you with "hi, we are from Microsoft support to help you. You need to go to h4xx0r.ru to install an extension to protect your computer".
There are other ways of doing this of course, but an extension is a simple abd easy way.
I don't really know how to best solve this. I agree with your dislike of the current heavy-handed approach without escape hatch. But I also think the concerns are real, and you're being a bit too dismissive about that.
Given that 90% of normal people use browsers that don't have this restriction, I don't think Mozilla's threat model makes sense. Also, users who are susceptible to being tricked into installing an addon can just as easily be tricked into going to bank.com.h4xx0r.ru, editing hosts file, changing DNS settings, or even installing chrome or a different browser.
Franky, I don't think this move is motivated by security concerns at all. (Not that it matters anymore)
You must be using either the Developer Edition, ESR, nightly or some unbranded version. Vanilla Firefox doesn’t allow to install unsigned extensions permanently.
On desktop Firefox, you can download an extension from anywhere and install it. All they're gatekeeping is their own repository, which I think most of us would like them to do.
I think mobile requires using a nightly build to install extensions from outside Mozilla's repository, and that suggests their thinking is becoming contaminated by the rest of the mobile ecosystem.
You can no longer package extensions yourself and if you try using "Load add on from file" you get that extension loaded but it's gone after a restart. All extensions have to be signed first to be permanent and Mozilla denied to fix that on their bug tracker.
We're talking about signing by Mozilla to indicate the extension has passed some sort of review process, not signing by the author. It isn't a low bar because it gives Mozilla veto power over what extensions users can install.
To add on to the other replies, you *can* load unsigned extensions with desktop Firefox if the build you're using disabled the signing requirement at build time. A bunch of distros' FF packages do that, for example, and is why I use a bunch of extensions I wrote myself (and thus trust) for myself without having to deal with Mozilla. (Zip up the files, change the file extension to `.xpi`, drop it in `$libdir/firefox/browser/extensions/`)
Are you certain extensions can be downloaded and installed from anywhere? Firefox's documentation[1] states "Extensions and themes need to be signed by Mozilla before they can be installed in release and beta versions of Firefox." If UBlock Lite was rejected through Mozilla's signing API, they'd have no ability to create an XPI that can be installed by release/beta version of Firefox.
I see. The extension I installed to test that actually is signed, though it's not in AMO.
I don't like this. I know there have been issues with malicious extensions, so it makes sense to me that installing unsigned extensions is turned off by default, but requiring developer builds is a step too far.
