I don't think that's necessarily true. After all, the policy is effective against undesirable-but-not-malicious extensions. Before signature verification I had extensions installed in Firefox that I didn't install; today I don't. [1]

And the clearly malicious action of modifying Firefox to disable signature verification can and should be flagged by anti-malware software, which runs at a higher privilege level.

[1] Putting aside for the moment the fact that most users now have no extensions installed due to the certificate expiration issue. No Firefox user, myself included, is happy about that.

> Before signature verification I had extensions installed in Firefox that I didn't install

... How?

I agree with the sibling poster; it sounds like you already lost.

I consider these to be mental acrobatics to find a position to justify wresting away any control from the user. It is not mozilla's responsibility to attempt to protect the user from the very slim line of "effectively malicious but still somehow principled" malware, picking a near-by line of verifying once would be far less problematic.

If the user does not want that crap on their machine they should remove the origin instead. We would not have the current situation if mozilla did not assume responsibility and control for problems outside their domain.

At least they could have made this opt-in by asking the user if they want an extra locked down version of firefox that might disable their addons if they are deemed malicious. Then the user could have made an informed choice.

On a typical Linux install, the Firefox binary is not writeable by a malicious extension installer that runs with user privileges. Thus baking the check into the binary fully protects the integrity.

Then overrides could also be made configurable as root.