1. 42

  2. 21

    Awesome they announced this at the same time as banning every extension. No potential for confusion.

    1. 18

      News like this usually go out to journalists a little before and the second issue is a technical blunder. It’s unfortunate, but not like this was planned.

    2. 5

      I bet there aren’t a lot of Firefox extension developers remaining to be affected by this. I wrote an extension for Firefox 3.5 in 2007, and was able to keep it working with minor changes until Firefox 56 (2016, IIRC). I gave up on jumping through all their hoops after that point - first they disallowed self-hosted add-ons, then required code reviews by Mozilla staff for add-on approval and automated code checks prior to making each new version public. Random changes in their code checking would get an add-on banned with no warning. These recent changes are piling on to an already over-encumbered, unyielding and ever-changing process. Super frustrating.

      1. 1

        Self-hosted add-ons? Does that mean I can’t create an add-on that only I use?

        1. 2

          From what I remember, you can create an add-on that only you use, but you have to upload it to Mozilla to get it scanned for threats and then signed before Firefox will accept it. Uploading your add-on to get it signed is separate from uploading it to be published on AMO.

          There are a few alternatives that don’t involve signing. You can visit about:debugging and temporarily install any add-on you like, but it will be deactivated when you restart the browser. Or you can run Firefox Developer Edition or Firefox Nightly and then disable signature verification of all add-ons, at the risk of possibly installing a fake add-on later.

      2. 8

        Does the obfuscated Pocket add-on bundled with Firefox count as an extension?

        1. 9

          The Pocket Addon is open source and on github, not obfuscated to my knowledge other than minified.

          1. 1

            Pocket’s server-side is not yet open, so you can’t self-host the service. There is Wallabag for those who want a similar self-hosted service.

          2. 2

            Maybe this move will accompany a release of Pocket source.

          3. 2

            You’d think this is common sense. It should have been done long ago.

            1. 1

              It’s going to be hard shipping extensions that contain Web Assembly with that policy in place. Does compiling from one language to JavaScript also count as an obfuscation step?

              A better policy would be for Mozilla to request the source code and build the extension themselves, just like Docker Hub does with Dockerfile. That way it’s possible to trace back to the original source. Bonus points for extensions that are independently-verifiable by providing stable outputs.

              1. 1

                We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included.

                Sounds like they’re doing something like that. Although, they could just be using source maps of author compiled code rather than building it themselves. (Pure speculation on my part.)