New Firefox Add-On Policies

80 ReadCarlBarks 32 6/24/2025, 2:59:38 PM blog.mozilla.org ↗

Comments (32)

knowitnone · 8h ago
"we encourage developers to link to self-hosted privacy policies"

So now, extensions can change to anything they want at any time they want, with or without consent?

somat · 6h ago
Why do they need to change anything?

As far as I know a privacy policy has zero legal weight, that is, a company can put anything it wants into the privacy policy, it has no effect on what is actually done.

bartvk · 8h ago
Yes and this actually is the same when you publish an app in the App Store.
Sporktacular · 6h ago
Maybe I'm misunderstanding, but under the previous process, submitting a policy with an update freezes it to a specific version. That holds the developer to account at least for that update.
arp242 · 3h ago
In the end a privacy policy is little more than the proverbial "ink on a piece of paper". It doesn't actually prevent anything. Where and how it's published seems like a minor detail.
proaralyst · 9h ago
> “Closed group” prohibition lifted

This is great: I've wanted a personal extension for a while (roughly to replace my userscripts but with more power and better sync) but was put off by it having to be public or manually installed. Now I can make this!

sdovan1 · 8h ago
I have to reinstall my personal extension every time Firefox restarts. It's so annoying that I ended up writing an AutoHotKey script just to automate it (go to about:debugging#/runtime/this-firefox -> load temporary extension -> select manifest.json). Glad to see the announcement!
arp242 · 3h ago
You can already use web-ext to sign it; it doesn't need to be published (you can keep the extension private). It's just that you need to be logged in to download it and can't really provide a "share link" (but you can of course upload/send that .xpi to anyone).

I have a few private extensions like this (e.g. for HN, GOG, my own new tab page, etc.). I don't have the exact steps for this at hand, been meaning to do a write-up at some point, but my mk script is just "$webext sign --channel unlisted --api-key $jwt_issue --api-secret $jwt_secret" – I don't recall if you need to create the extension in the Mozilla web UI first, but I don't think so(?)

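Added example (not code from the thread, from web-ext, or from Mozilla) showing what the `--api-key` / `--api-secret` pair in the `web-ext sign` command above is used for: AMO's API authenticates each call with a short-lived HS256 JWT whose `iss` is the API key, signed with the secret, and sent as `Authorization: JWT <token>`. The key and secret values are constructed dummies; the 5-minute lifetime limit is AMO's documented rule and the verifier function is a stand-in for what the server does, not Mozilla's code.

```python
# Added example: build and verify the per-request JWT that web-ext sends to
# addons.mozilla.org when signing an unlisted extension. Stdlib only.
# Assumed scheme (AMO API docs): HS256, claims iss/jti/iat/exp, exp at most
# 5 minutes after iat. Key/secret values in tests are constructed dummies.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

MAX_LIFETIME = 300  # AMO rejects tokens whose exp is more than 5 min after iat


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_amo_jwt(api_key: str, api_secret: str, now: Optional[int] = None,
                 lifetime: int = 60) -> str:
    """Client side: one token per API call; a short lifetime limits replay."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be 1..300 seconds")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": api_key, "jti": secrets.token_hex(16),
              "iat": now, "exp": now + lifetime}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(api_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_amo_jwt(token: str, api_secret: str, now: Optional[int] = None) -> dict:
    """Server-side view (stand-in, not AMO's code): pin the algorithm, check the
    HMAC in constant time, then enforce expiry and the 5-minute lifetime cap."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg confusion / 'none'
    expected = hmac.new(api_secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims["exp"] - claims["iat"] > MAX_LIFETIME or now >= claims["exp"]:
        raise ValueError("token expired or lifetime too long")
    return claims


def auth_header(token: str) -> str:
    """Header value web-ext attaches to its AMO API requests."""
    return "JWT " + token
```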
sdovan1 · 48m ago
Thanks! I thought this was impossible. Gonna try it out today.
gruez · 7h ago
>but was put off by it having to be public or manually installed

Even prior to this there was an option to upload an extension to AMO for "private distribution". Mozilla will sign your extension so it installs without a fuss, but it won't be hosted on AMO. You can still host it on your personal website, or share the .xpi file though.

qiine · 8h ago
Wow, so I can upload my extension to Firefox servers privately and without needing a review process, maybe? And install it on all my devices? (via autosync I suppose?) That's handy.
quintu5 · 6h ago
But do they still have an arbitrary 4mb max file size on extension assets?

This makes chunking for any sizable extension an absolute nightmare!

Melatonic · 8h ago
Sounds great - Closed Group extensions could be very useful!
account42 · 8h ago
Add-on policies shouldn't be a thing in the first place - it's my computer, not Mozilla's.
abraham · 8h ago
> We’ve updated Add-on policies for addons.mozilla.org (AMO).

Their policy doesn't apply to your computer. Only to developers that want to use Mozilla's infrastructure for distribution.

Zak · 7h ago
There are artificial limitations to that. For example, stable versions of Firefox for Android won't install extensions from anywhere but Mozilla's infrastructure.

I find that limitation bizarre from an open source browser; it's the sort of behavior I'd expect from Apple.

arp242 · 2h ago
I get why they do it; for better or worse, the browser is a major way many people interact with email, banking, etc. etc. A malicious extension would be a world of hurt. Some of that is moving to mobile, but with 5 billion people on the internet, Firefox's "low" market share at 4 or 5% is still over 200 million people, so it's still used by dozens or perhaps even hundreds of millions of people for these high-security tasks.

When I did IT support I've seen so many people do completely crazy things. I've seen people with 6 or 7 different browser toolbars and they use none of them. People with 3 different virus scanners they never remember installing, and of course ransomware they never recall installing either. etc. etc.

And honestly, can you really say you'd never click on the wrong "allow this untrusted extension" button when distracted, engaged in something else, tired, or whatnot?

I agree it can be annoying, but it's not impossible to maintain your private (signed) extensions. And for >99% of people, it's probably a sensible thing to do – this includes most tech people because most tech people don't have a bunch of private extensions.

For everyone else, you can sign your own private extensions (some effort, but fairly minor) or use the Developer Edition, which allows installing unsigned extensions.

TheCraiggers · 5h ago
And it's their browser, which they have an interest in. If an extension goes rogue and gets in the news, that would be bad for a variety of reasons.

You're right that it's your computer, and you're free to change and recompile Firefox to do whatever you want, so I don't see what the issue is. The policies are for what extensions they allow on their store, not what you can install on your computer. Last I knew, you could make your own extension and load it yourself without the store being involved at all. Go nuts.

Am4TIfIsER0ppos · 8h ago
If you're not removing the DRM on them (code signing) then what do I care?
_verandaguy · 8h ago
Code signing doesn't stop redistribution of unmodified copies of software, and it allows for cryptographic attestation of its origin (when used properly). If you modify the software, you'll have to re-sign it and make sure your code's consumers trust that signature's chain of trust.

DRM prevents you from redistributing original media (with varying degrees of effectiveness) and doesn't do much for cryptographic attestation (nominally).

These are two very different systems for different purposes.

Am4TIfIsER0ppos · 1h ago
No both prevent me from using my computer as I want without 3rd party permission or even just after some date.
_verandaguy · 1h ago
In what way does code signing prevent you from using your computer as you want?

As far as I know you can run unsigned code pretty easily still (especially, though not uniquely, as a technical user), and the process of stripping attestation/signing information from an executable on most popular platforms is well-documented with freely-available tools in most cases.

I'm almost certain there are ways to disable code signature checking completely on the major OSes if you really want to, but why you'd want to do that, I don't get.

Is your argument that running code with an invalid signature should happen with no notice, no hurdles, no nothing, by default?

kevingadd · 8h ago
By what standard is code signing DRM? Lots of stuff is codesigned.
akkartik · 8h ago
10 years too late. I'm never going back. These days I try to use my browser as vanilla as possible so I don't get my heart broken.
motorest · 8h ago
> 10 years too late. I'm never going back. These days I try to use my browser as vanilla as possible so I don't get my heart broken.

Pray tell, which usable browser do you believe provides better assurances than Firefox? Certainly it's not Chrome or Edge, is it?

gr4vityWall · 7h ago
> which usable browser do you believe provides better assurances than Firefox?

I think they meant that they are not going back to publishing Firefox extensions/add-ons. That doesn't imply they started writing extensions for another browser.

akkartik · 8h ago
Oh I use a Firefox fork. I just don't develop extensions for it anymore.

Firefox could have been the chosen one, the hackable browser. But it's just another hermetically sealed product.

arp242 · 3h ago
> It's just another hermetically sealed product.

Everything is open source, mostly under a fairly permissive license.

You can still do quite a lot with extensions or various tweaks (more than most programs, including open source ones).

It's demonstrably not "hermetically sealed".

akkartik · 2h ago
"Everything is open source" does not contradict "hermetically sealed product".

I built myself an extension. Just for myself, nobody else. It worked great, then in one of these "policy changes" I couldn't use it anymore. Just for myself. That is a betrayal of trust. If I could use it before, and now I need to hack/mod Firefox by building it on a machine with umpteen hundreds of gigabytes of storage, that is a betrayal of trust. Firefox is "demonstrably" a hermetically sealed product. As demonstrated by my lived experience.

arp242 · 2h ago
You can use private extensions; you just need to use web-ext to sign it. Doesn't need to be published.

Also the "developer edition" allows installing unsigned extensions. No need to build your own.

akkartik · 2h ago
Hmm, I'm not familiar with web-ext. I'm not sure it existed 10 years ago, back when Firefox went through their Quantum transition.

Looks like web-ext came out in 2016: https://blog.mozilla.org/addons/2016/04/29/webextensions-in-.... My extension is at https://github.com/akkartik/spew, and it looks like there might have been a period of a year when I wasn't able to use it.

When software auto-updates and stops working, we consider that breakage. When software auto-updates and code I wrote stops working, we say "oh, it affects just 0.01% of users." For me, the inescapable lesson is to not write code for extension eco-systems, because they're all too immature for serious use. At least as of the year 2015.

msgodel · 8h ago
tbh it's a lot easier to install ad-hoc extensions in Chromium than Firefox.
