As far as I know a privacy policy has zero legal weight, that is, a company can put anything it wants into the privacy policy, it has no effect on what is actually done.
Maybe I'm misunderstanding, but under the previous process, submitting a policy with an update freezes it to a specific version. That holds the developer to account at least for that update.
In the end a privacy policy is little more than the proverbial "ink on a piece of paper". It doesn't actually prevent anything. Where and how it's published seems like a minor detail.
This is great: I've wanted a personal extension for a while (roughly to replace my userscripts but with more power and better sync) but was put off by it having to be public or manually installed. Now I can make this!
I have to reinstall my personal extension every time Firefox restarts. It's so annoying that I ended up writing an AutoHotKey script just to automate it (go to about:debugging#/runtime/this-firefox -> load temporary extension -> select manifest.json). Glad to see the announcement!
You can already use web-ext to sign it; it doesn't need to be published (you can keep the extension private). It's just that you need to be logged in to download it and can't really provide a "share link" (but you can of course upload/send that .xpi to anyone).
I have a few private extensions like this (e.g. for HN, GOG, my own new tab page, etc.). I don't have the exact steps for this handy, been meaning to do a write-up at some point, but my mk script is just "$webext sign --channel unlisted --api-key $jwt_issue --api-secret $jwt_secret" – I don't recall if you need to create the extension in the Mozilla web UI first, but I don't think so(?)
Thanks! I thought this was impossible. Gonna try it out today.
Edit: I successfully signed the key on AMO. Here are the steps:
Get an access token from https://addons.mozilla.org/developers/addon/api/key/
In manifest.json, add browser_specific_settings.gecko.id and set it to something like "myext@example.com"
Run command: web-ext sign --api-key=<jwt-issuer> --api-secret=<jwt-secret> --channel=unlisted
That command will upload your extension to AMO. After an automatic review, you can download the .xpi file from AMO.
That said, it's not ideal for me since I make extensions for work. Looks like a human reviewer can check your code at any time.
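A pre-flight check for the signing steps described above, as an added example that is not part of the original comments: it confirms manifest.json carries a gecko ID and that the AMO credentials come from web-ext's WEB_EXT_API_KEY / WEB_EXT_API_SECRET environment variables instead of the command line. The function names, the sample manifest and the ID patterns are assumptions made for illustration.

```javascript
// Added example: checks to run before `web-ext sign --channel=unlisted`.
// checkManifest/planSign and the sample manifest are constructed names and data.

// Assumption: add-on IDs are either email-like or a GUID in braces,
// following the format MDN documents for browser_specific_settings.gecko.id.
const EMAIL_LIKE = /^[a-zA-Z0-9\-._]*@[a-zA-Z0-9\-._]+$/;
const GUID = /^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$/i;

function checkManifest(manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    return ["manifest.json is not valid JSON: " + err.message];
  }
  const id = manifest?.browser_specific_settings?.gecko?.id;
  if (typeof id !== "string" || id.length === 0) {
    return ["browser_specific_settings.gecko.id is missing"];
  }
  if (!EMAIL_LIKE.test(id) && !GUID.test(id)) {
    return ["gecko.id is neither email-like nor a GUID: " + id];
  }
  return [];
}

// web-ext reads any option from a WEB_EXT_-prefixed environment variable,
// so the key and secret can stay out of argv (shell history, process list).
// This only plans the command; it does not run web-ext.
function planSign(manifestText, env) {
  const problems = checkManifest(manifestText);
  for (const name of ["WEB_EXT_API_KEY", "WEB_EXT_API_SECRET"]) {
    if (!env[name]) problems.push(name + " is not set in the environment");
  }
  return { ok: problems.length === 0, problems, argv: ["web-ext", "sign", "--channel=unlisted"] };
}

// Constructed sample manifest using the ID from the steps above.
const sampleManifest = JSON.stringify({
  manifest_version: 2,
  name: "My private extension",
  version: "1.0",
  browser_specific_settings: { gecko: { id: "myext@example.com" } },
});

const plan = planSign(sampleManifest, process.env);
console.log(plan.ok ? plan.argv.join(" ") : plan.problems.join("\n"));
```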
> Looks like a human reviewer can check your code at any time.
Yeah, not entirely sure how this works. I've been doing this for a few years with a bunch of extensions, and thus far it's always just been automatically approved (although that does take a few minutes).
> but was put off by it having to be public or manually installed
Even prior to this there was an option to upload an extension to AMO for "private distribution". Mozilla will sign your extension so it installs without a fuss, but it won't be hosted on AMO. You can still host it on your personal website, or share the .xpi file though.
Wow, so I can upload my extension to Firefox servers privately and without needing a review process, maybe? And install it on all my devices? (via autosync, I suppose?)
That's handy.
There are artificial limitations to that. For example, stable versions of Firefox for Android won't install extensions from anywhere but Mozilla's infrastructure.
I find that limitation bizarre from an open source browser; it's the sort of behavior I'd expect from Apple.
I get why they do it; for better or worse, the browser is a major way many people interact with email, banking, etc. etc. A malicious extension would be a world of hurt. Some of that is moving to mobile, but with 5 billion people on the internet, Firefox's "low" market share at 4 or 5% is still over 200 million people, so it's still used by dozens or perhaps even hundreds of millions of people for these high-security tasks.
When I did IT support I saw so many people do completely crazy things. I've seen people with 6 or 7 different browser toolbars and they use none of them. People with 3 different virus scanners they never remember installing, and of course ransomware they never recall installing either. etc. etc.
And honestly, can you really say you'd never click on the wrong "allow this untrusted extension" button when distracted, engaged in something else, tired, or whatnot?
I agree it can be annoying, but it's not impossible to maintain your private (signed) extensions. And for >99% of people, it's probably a sensible thing to do – this includes most tech people because most tech people don't have a bunch of private extensions.
For everyone else, you can sign your own private extensions (some effort, but fairly minor) or use the Developer Edition, which allows installing unsigned extensions.
And it's their browser, which they have an interest in. If an extension goes rogue and gets in the news, that would be bad for a variety of reasons.
You're right that it's your computer, and you're free to change and recompile Firefox to do whatever you want, so I don't see what the issue is. The policies are for what extensions they allow on their store, not what you can install on your computer. Last I knew, you could make your own extension and load it yourself without the store being involved at all. Go nuts.
That attitude is exactly the problem. There is zero reason for anyone to use Firefox if it's just another company's property and not a free and open piece of software.
Code signing doesn't stop redistribution of unmodified copies of software, and it allows for cryptographic attestation of its origin (when used properly). If you modify the software, you'll have to re-sign it and make sure your code's consumers trust that signature's chain of trust.
DRM prevents you from redistributing original media (with varying degrees of effectiveness) and doesn't do much for cryptographic attestation (nominally).
These are two very different systems for different purposes.
In what way does code signing prevent you from using your computer as you want?
As far as I know you can run unsigned code pretty easily still (especially, though not uniquely, as a technical user), and the process of stripping attestation/signing information from an executable on most popular platforms is well-documented with freely-available tools in most cases.
I'm almost certain there are ways to disable code signature checking completely on the major OSes if you really want to, but why you'd want to do that, I don't get.
Is your argument that running code with an invalid signature should happen with no notice, no hurdles, no nothing, by default?
I cannot place a file in my profile directory and have Firefox execute it without having it approved by Mozilla. I booted my old PC to check on something recently, opened Firefox by opening an HTML file, and discovered that it had disabled all my extensions, making it less secure by allowing every webpage to do RCE had I changed tabs.
Then there is secure boot which requires MSFT permission to use an OS, cell phones on which you cannot run your own code without manufacturer permission.
I hope you don't still think the R in DRM stands for rights.
When using the Debian builds of Firefox at least, you can just symlink the extension directory into the system Firefox extensions directory, even if the extension is in your home directory somewhere.
> which usable browser do you believe provides better assurances than Firefox?
I think they meant that they are not going back to publishing Firefox extensions/add-ons. That doesn't imply they started writing extensions for another browser.
"Everything is open source" does not contradict "hermetically sealed product".
I built myself an extension. Just for myself, nobody else. It worked great, then in one of these "policy changes" I couldn't use it anymore. Just for myself. That is a betrayal of trust. If I could use it before, and now I need to hack/mod Firefox by building it on a machine with umpteen hundreds of gigabytes of storage, that is a betrayal of trust. Firefox is "demonstrably" a hermetically sealed product. As demonstrated by my lived experience.
When software auto-updates and stops working, we consider that breakage. When software auto-updates and code I wrote stops working, we say "oh, it affects just 0.01% of users." For me, the inescapable lesson is to not write code for extension eco-systems, because they're all too immature for serious use. At least as of the year 2015.
So now, extensions can change to anything they want at any time they want with or without consent?