IRC Archive / Freenode / #firefox / 2015 / August / 25 / 1
MapMan
why is firefox doing everything to make its users switch?
b0at
MikeRL: there's supposed to be a pref to disable forced signed extensions in developer and maybe the beta edition. it works for me in the current dev edition. xpinstall.signatures.required in about:config
also, they're supposed to release a non-branded version that has signing disabled completely.
MikeRL
b0at, what about release? Any hope?
Maybe they could make an extension that does it within reason.
b0at
stable, standard mozilla-branded firefox will have signed extensions forced, as far as i know.
MikeRL
I don't like lockin. I hope they use this responsibly.
Would it be feasible to include some way to let users have non-signed extensions?
Like via an addon.
b0at
i think they've said they refuse to do that
tanath
no
MikeRL
I have never had a malicious extension. I watch myself, use a hosts file with malware blocking, an ABP subscription that blocks malware, etc.
Well, what can I do then?
tanath
it'll be disableable in about:config if you really want to
MikeRL
Yeah, but didn't they say they'd remove the option in about:config?
That is worrisome.
tanath
not that i saw
MikeRL
I can list what I use that isn't signed.
tanath
before long every extension dev will be signing their stuff
MikeRL
Especially the Ubuntu bundled extensions. Stuff that brings global menu integration.
b0at
not every dev
MikeRL
Firefox would be quite less usable without that stuff.
Well, about about:config.
tanath
b0at, most. those who don't won't get much traction
and people will be reasonably cautious
MikeRL
I read they plan to remove the about:config switch.
b0at
well, the ones who don't already don't have much traction, to be fair
MikeRL
Why would they do that?
b0at
https://wiki.mozilla.org/Addons/Extension_Signing says release and beta will have no override by v42
MikeRL
It's just software these days is dumbed down for security reasons. Some of us know more than to install bs on their machines.
But why no override? What's so bad about an override?
tanath
oh you're right
just saw that
MikeRL
That honestly is quite pushy. I hope it's not final.
tanath
MikeRL, what
b0at
the tracking bug linked to from there has some opinions on it.
tanath
dumbing things down _hurts_ security
security reasons are good reasons
MikeRL
I've seen malicious sideloaded extensions, but never on my machines.
b0at
and it also has some rationale, eg beta has no override because it's supposed to be as close to stable as possible
MikeRL
Only on a certain family member's PC with Windows on it. He wanted to use IE instead (yuck) and raced through installers without unchecking crapware, so Firefox had some nasties in it.
But it should be up to the user.
tanath
"The current plan is to have ESR work like 41, with a preference that can turn off enforcement, but that may change in the future."
so so far they only plan to remove ability to disable in betas
MikeRL
If you're careless, life will catch up with you. We cannot idiot proof everything.
b0at
well, signed extensions by themselves are a good idea, in my opinion. especially with the pinned certs firefox already uses.
tanath
indeed
b0at
i guess they think that the whole verification mechanism could be undermined unless it's enforced, which is a good point.
tanath
i have a question. how are new developers to develop and test new extensions _before_ signing?
b0at
but if they roll out a capable webextension api, which can't undo that mechanism, maybe they could lighten the signing enforcement. though that's unlikely.
MikeRL
But doesn't Chrome allow sideloading?
tanath
seems there must be a way to disable
MikeRL
Yeah how would they even test on the current stable? I don't think the developer edition is based off stable.
tanath
and why would they force extension signing but not plugin signing?
b0at
i guess with an unbranded one or via a pre-release pipeline
MikeRL
Yeah malicious plugins do exist.
If they do that, it would mess up my Pipelight and Pepper flash plugins.
tanath
but yeah: Firefox Release and Beta versions will not have any way to disable signature checks. Signature checks can be disabled in other versions, as described in detail below.
b0at
it looks like you can upload the extension as unlisted and iterate like that. don't know if that's the intended workflow.
tanath
from faq
MikeRL
Isn't that going to break a ton of stuff?
b0at
existing addons are grandfathered in
at least, on addons.mozilla.org
tanath
yeah, most of these are answered in the faq on https://wiki.mozilla.org/Addons/Extension_Signing
and they say that's where most up to date info is/will be
looks like they'll be doing something similar to google with chrome & chromium
branded & unbranded
MikeRL
Let's see - Complete Youtube Saver, Downthemall Nightly, MEGA, PDF.JS dev branch from GitHub, Ubuntu Online Accounts, Unity Desktop Integration, Unity Integration for Firefox, and Unity Websites Integration all give me warnings that they couldn't be verified.
tanath
branded version more secure with forced signing, but unbranded more free
pdf.js? really?
MikeRL
Yep.
b0at
does downthemall change often enough for the nightly to matter?
MikeRL
I use a ton of stuff.
tanath
i guess you're safer on linux at least
b0at
if any of the ubuntu stuff is official, i expect they'll eventually get those sorted out
MikeRL
Are they planning to speed up the review process?
b0at
supposedly with more and better automated tools, yes
automated testing in general seems to be getting better. it helped the js engine development.
MikeRL
Is it likely that any of these addons are going to break on me with an update?
b0at
not until 42
MikeRL
Yeah, but then is what I'm afraid of.
b0at
then drop in the unbranded release or iceweasel and you should be fine
MikeRL
Wish there was some way I could do something.
Maybe contacting the addon developers would be a good idea.
Why am I using a nightly of DTA? I think it's still on 2.x and that gave me issues.
I'm also worried that less than 12 weeks won't be enough time.
b0at
hm, yeah the 2.x is aging
tanath
looks like all they have to do is submit to AMO and they'll be automatically signed
on review
MikeRL
Would the nightlies still come daily?
Or would there be a big delay?
tanath
beta versions are treated like non-AMO
MikeRL
So, what do you mean?
Isn't there a way they could automate their builds to forward them to AMO?
tanath
i'm reading from the faq
i'd read it before asking more questions :P
MikeRL
OK. I'll read it myself as well.
So, it looks like hell won't break loose.
vmonteco
Hi all!
MikeRL
If it does, I'll just downgrade or live without the extensions for an extra week or two.