why is firefox doing everything to make its users switch?

MikeRL: there's supposed to be a pref to disable forced signed extensions in developer and maybe the beta edition. it works for me in the current dev edition. xpinstall.signatures.required in about:config
also, they're supposed to release a non-branded version that has signing disabled completely.

b0at, what about release? Any hope?
Maybe they could make an extension that does it within reason.

stable, standard mozilla-branded firefox will have signed extensions forced, as far as i know.

I don't like lockin. I hope they use this responsibly.
Would it be feasible to include some way to let users have non-signed extensions?
Like via an addon.

i think they've said they refuse to do that

no

I have never had a malicious extension. I watch myself, use a hosts file with malware blocking, an ABP subscription that blocks malware, etc.
Well, what can I do then?

it'll be disableable in about:config if you really want to

Yeah, but didn't they say they'd remove the option in about:config?
That is worrisome.

not that i saw

I can list what I use that isn't signed.

before long every extension dev will be signing their stuff

Especially the Ubuntu bundled extensions. Stuff that brings global menu integration.

not every dev

Firefox would be quite less usable without that stuff.
Well, about about:config.

b0at, most. those who don't won't get much traction
and people will be reasonably cautious

I read they plan to remove the about:config switch.

well, the ones who don't already don't have much traction, to be fair

Why would they do that?

https://wiki.mozilla.org/Addons/Extension_Signing says release and beta will have no override by v42

It's just software these days is dumbed down for security reasons. Some of us know more than to install bs on their machines.
But why no override? What's so bad about an override?

oh you're right
just saw that

That honestly is quite pushy. I hope it's not final.

MikeRL, what

the tracking bug linked to from there has some opinions on it.

dumbing things down _hurts_ security
security reasons are good reasons

I've seen malicious sideloaded extensions, bu never on my machines.

and it also has some rationale, eg beta has no override because it's supposed to be as close to stable as possible

Only on a certain family member's PC with Windows on it. He wanted to use IE instead (yuck) and raced through installers without unchecking crapware, so Firefox had some nasties in it.
But it should be up to the user.

" The current plan is to have ESR work like 41, with a preference that can turn off enforcement, but that may change in the future. "
so so far they only plan to remove ability to disable in betas

If you're careless, life will catch up with you. We cannot idiot proof everything.

well, signed extensions by themselves are a good idea, in my opinion. especially with the pinned certs firefox already uses.

indeed

i guess they think that the whole verification mechanism could be undermined unless it's enforced, which is a good point.

i have a question. how are new developers to develop and test new extensions _before_ signing?

but if they roll out a capable webextension api, which can't undo that mechanism, maybe they could lighten the signing enforcement. though that's unlikely.

But doesn't Chrome allow sideloading?

seems there must be a way to disable

Yeah how would they even test on the current stable? I don't think the developer edition is based off stable.

and why would the force extension signing but not plugin signing?

i guess with an unbranded one or via a pre-release pipeline

Yeah malicious plugins do exist.
If they do that, it would mess up my Pipelight and Pepper flash plugins.

but yeah: Firefox Release and Beta versions will not have any way to disable signature checks. Signature checks can be disabled in other versions, as described in detail below.

it looks like you can upload the extension as unlisted and iterate like that. don't know if that's the intended workflow.

from faq

Isn't that going to break a ton of stuff?

existing addons are grandfathered in
at least, on addons.mozilla.org

yeah, most of these are answered in the faq on https://wiki.mozilla.org/Addons/Extension_Signing
and they say that's where most up to date info is/will be
looks like they'll be doing something similar to google with chrome & chromium
branded & unbraded

Let's see - Complete Youtube Saver, Downthemall Nightly, MEGA, PDF.JS dev branch from GitHub, Ubuntu Online Accounts, Unity Desktop Integration, Unity Integration for Firefox, and Unity Websites Integration all give me warnings that they couldn't be verified.

branded version more secure with forced signing, but unbranded more free
pdf.js? really?

Yep.

does downthemall change often enough for the nightly to matter?

I use a ton of stuff.

i guess you're safer on linux at least

if any of the ubuntu stuff is official, i expect they'll eventually get those sorted out

Are they planning to speed up the review process?

supposedly with more and better automated tools, yes
automated testing in general seems to be getting better. it helped the js engine development.

Is it likely that any of these addons are going to break on me with an update?

not until 42

Yeah, but then is what I'm afraid of.

then drop in the unbranded release or iceweasel and you should be fine

Wish there was some way I could do something.
Maybe contacting the addon developers would be a good idea.
Why am I using a nightly of DTA? I think it's still on 2.x and that gave me issues.
I'm also worried that less than 12 weeks won't be enough time.

hm, yeah the 2.x is aging

looks like all they have to do is submit to AMO and they'll be automatically signed
on review

Would the nightlies still come daily?
Or would there be a big delay?

beta versions are treated like non-AMO

So, what do you mean?
Isn't there a way they could automate their builds to forward them to AMO?

i'm reading from the faq
i'd read it before asking more questions :P

OK. I'll read it myself as well.
So, it looks like hell won't break lose.

Hi all!

If it does, I'll just downgrade or live without the extensions for an extra week or two.