Bug#798005: Allow disabling Add-on signing in IceWeasel 42+
Alexander Schlarb
alexander at xmine128.tk
Fri Sep 4 11:54:05 UTC 2015
Package: iceweasel
Version: 42.0b1
As of Firefox 42 Mozilla will disallow running unsigned add-ons entirely.
Currently (Version 41) it's still possible to disable strict add-on signature
checking by setting the preference "xpinstall.signatures.required" to false.
Please consider retaining the current (v41) behaviour for future versions of
IceWeasel.
Some reasons why I believe that strict add-on signature verification should not
be enforced in IceWeasel:
# Target audience #
Mozilla's official announcement of add-on signing[1] makes it pretty clear that
they added this feature to Firefox to combat Windows Crapware that was
installing misbehaving stuff into their browser and whose behaviour would then
mainly be blamed on Firefox (from an inexperienced user perspective).
> Extensions that change the homepage and search settings without user consent
> have become very common, just like extensions that inject advertisements
> into Web pages or even inject malicious scripts into social media sites. To
> combat this, we created a set of add-on guidelines all add-on makers must
> follow, and we have been enforcing them via blocklisting (…). However,
> extensions that violate these guidelines are distributed almost exclusively
> outside of AMO and tracking them all down has become increasingly
> impractical. Furthermore, malicious developers have devised ways to make
> their extensions harder to discover and harder to blocklist, […].
To my knowledge there hasn't been a single piece of browser-offending Crapware
released for Debian to this day.
# Slow signing process #
In the last year I've been releasing 2 add-ons on AMO and each of them
required about 3 MONTHS! to be reviewed. In one case that would have been
particularly bad since it was an add-on written specifically for a certain
user that needed it somewhat urgently. (Background story: I've abandoned the
maintenance of a very old add-on [no serious development in the last ~5 years]
that would have required a major rewrite to make it work again, but I told my
users that, if they needed some feature of this add-on that was not available
anywhere else, I'd write them separate extensions with just these extra
features.) How would I have given this add-on to this user if we had had
strict add-on signing back then?
# Taking away user freedom #
Sometimes there are abandoned, unsigned, self-made, … add-ons that are important
but are just not available through AMO[2].
I don't think I need to expand on this topic though as, I think, it's pretty
obvious how having to ask somebody else which software I may run limits my
own freedom.
Summary: Strict add-on signing is something that Debian's browsers neither
need nor, in my opinion, want. Debian is not haunted by Crapware vendors
trying to install malicious add-ons and generally tries to provide a very
flexible system that gives users the most possible freedom while still being
stable and reliable. Strict add-on signing is not something that is in any way
helpful in making this possible. Warning users of unverified add-ons is not a
bad idea, nor is requiring some basic technical background (about:config) to
use them, but there are always use-cases that neither Mozilla nor Debian can
predict that are broken when you tell users which software they may or may not
run.
Yours sincerely,
Alexander Schlarb
[1]: https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/
[2]: http://forums.debian.net/viewtopic.php?f=20&t=120409#p590937