Bug#798005: Allow disabling Add-on signing in IceWeasel 42+

Alexander Schlarb alexander at xmine128.tk
Fri Sep 4 11:54:05 UTC 2015


Package: iceweasel
Version: 42.0b1

As of Firefox 42 Mozilla will disallow running unsigned Add-on entirely. 
Currently (Version 41) its still possible to disable strict add-on signature 
checking by setting the preference "xpinstall.signatures.required" to false.

Please consider retaining the current (v41) behaviour for future versions of 
IceWeasel.

Some reasons why I believe that strict add-on signature verification should not 
be enforced in IceWeasel:

# Target audience #

Mozilla's official announcement of add-on signing[1] makes it pretty clear that 
they added this feature to Firefox to combat Windows Crapware that was 
installing misbehaving stuff into their browser and whose behaviour would then 
mainly be blamed on Firefox (from an inexperienced user perspective).

> Extensions that change the homepage and search settings without user consent
> have become very common, just like extensions that inject advertisements
> into Web pages or even inject malicious scripts into social media sites. To
> combat this, we created a set of add-on guidelines all add-on makers must
> follow, and we have been enforcing them via blocklisting (…). However,
> extensions that violate these guidelines are distributed almost exclusively
> outside of AMO and tracking them all down has become increasingly
> impractical. Furthermore, malicious developers have devised ways to make
> their extensions harder to discover and harder to blocklist, […].

To my knowledge there hasn't been a single piece of browser-offending Crapware 
release for Debian to this day.

# Slow signing process #

In the last year I've been releasing 2 add-ons on AMO and each of them 
required about 3 MONTHS! to be reviewed. In one case that would have been 
particularly bad since its was an add-on written specifically for a certain 
user that needed it somewhat urgently. (Background story: I've abandoned the 
maintenance of a very old add-on [no serious development in the last ~5 years] 
that would have required a major rewrite to make it work again, but I told my 
users that, if they needed some feature of this add-on that was not available 
anywhere else, I'd write them separate extensions with just these extra 
features.) How would I have given this add-on to this user if we had had 
strict add-on signing back then?

# Taking away user freedom #

Sometimes there abandoned, unsigned, self-made, … add-ons that are important 
but are just not available through AMO[2].

I don't think I need to expand on this topic though as, I think, its pretty 
obvious how having to ask somebody else which software I may run, limits my 
own freedom.



Summary: Strict add-on signing is something that Debian's browsers neither 
need nor, in my opinion, want. Debian is not haunted by Crapware vendors 
trying to install malicious add-ons and generally tries to provide a very 
flexible system that gives users the most possible freedom while still being 
stable and reliable. Strict add-on signing is not something that is in any way 
helpful in making this possible. Warning users of unverified add-ons is not a 
bad idea, nor is requiring some basic technical background (about:config) to 
use them, but there are always use-cases that neither Mozilla nor Debian can 
predict that are broken when you tell users which software they may or may not 
run.

Yours sincerely,
Alexander Schlarb


  [1]: https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/
  [2]: http://forums.debian.net/viewtopic.php?f=20&t=120409#p590937



More information about the pkg-mozilla-maintainers mailing list