Mozilla postpones Firefox add-on signing enforcement
Mozilla announced in February 2015 that it had decided to introduce add-on signing to Firefox's extension system.
The idea behind the move was to eliminate the majority of malicious or invasive extensions by making add-on signatures mandatory.
Signatures are only generated for add-ons which go through a review process on Mozilla's official add-ons store before they are pushed to the store.
Since malicious extensions should fail that review and therefore never receive a signature, enforcement should reduce a number of common issues that Firefox users face day in, day out.
Mozilla's initial plan was to show warnings about unsigned extensions in Firefox 40, to block unsigned extensions but provide an override in Firefox 41, and to make signed extensions mandatory in Firefox 42 by removing the override option in Firefox Stable and Beta.
Firefox Developer Edition and Nightly users can override the requirement, while Stable and Beta users cannot.
A recent discussion on Bugzilla indicates that the add-on signing enforcement has been postponed by two releases.
This means that it will become mandatory when Firefox 44 is released to the stable channel and not with the release of Firefox 42 as initially planned.
This is the new schedule as it stands currently:
- Firefox 40 - Warnings are shown if unsigned extensions are installed.
- Firefox 41 - Warnings continue to show up.
- Firefox 42 - Warnings are still displayed if unsigned add-ons are run.
- Firefox 43 - Add-ons without signatures are blocked by default, but there is an override that is available in all versions of the browser.
- Firefox 44 - Only signed add-ons can be installed in Firefox Stable and Beta. There is no override anymore for those editions of the browser. The override remains in Firefox Developer and Nightly.
Firefox 44 is scheduled to be released on January 26, 2016.
Mozilla plans to release unbranded versions of Firefox to provide add-on developers with options to test their add-ons in Stable and Beta releases of Firefox without having to go through the review process each time they update the add-on during development.
It is unclear why Mozilla made the decision to postpone the enforcement of signed add-ons in the web browser. (via Sören Hentzschel)
Okay. That’s fine for me. The average user can rely on safe versions, and developers and people who want more individual features can use developer or nightly builds.
Why all the fuss? Just use the Aurora (developer) version and disable signing. Aurora is a pretty stable release — I have been using it on all of my machines at work and home for years without issues.
It’s not stable. Just look at the Bugzilla reports.
I agree, looking at bugzilla reports is not stable. Using it on the other hand…
If Mozilla does not want to fade into oblivion, it had better pull its head out, and get the idea that it is alienating a good many of its users. Between the signed add-ons, the Chromified extensions, the move to adopt the look and feel of Chrome, and the ads in the speed dials, it is annoying nearly all of its shrinking user base.
Someone should get the idea that Mozilla exists by the grace of its users, and it does not hold near-complete sway over the browser market, in the way that Microsoft does in the OS market, and therefore it cannot abuse the users with impunity in the same way.
Addons can be signed without being hosted on the store.
While true, it means that you still hand them over to Mozilla for review.
How about posthumously?
They should just keep the override option indefinitely. Problem solved.
I fully agree with you.
Already telling me Kaspersky could not be verified, proceed with caution, as addon for Browser Protection
Kaspersky anti virus
wtf ..Kidding
I'll dump Firefox in a heartbeat before letting this bunch disable Kaspersky
Who the fk is running this clown act at Mozilla
I hope they go through and sign all the orphans on behalf of the developers they can no longer contact. Signing going forward is a good idea but they must allow apps that work to continue to work.
all those little orphans will soon be buried due to e10s … in a pauper’s grave … in the rain
Finally, someone here with a sense of humor. :-)
I hope they will give up the signing idea completely, but in any case this is a step forward.
The add-on signing doesn’t affect me either right now, but I oppose it anyway. I do however support the idea of add-on signing being turned on by default and only configurable via about:config.
Good news.
Looks like January-February 2016 will be the crossroad of many changes.
Good news, however all this mandatory add-on signing thing will be no problem with me, I think.
Almost all my addons, actively developing, commonly used ones.
Btw, thanks for tip on Privacy Settings addon.
Little, simple, nice, useful addon.
There are users within the defense and military sector who locally deploy addons they’ve written themselves and they cannot have Mozilla vet their code. Even Chrome is apparently more flexible about this than they are.
If the requirement were that the code be signed by a known CA but not that it go through Mozilla’s Add-on store, that would sting but still be feasible for developers unable to submit publicly. This was the model for some elevated privilege JARs in the later days of Netscape.
There’s a wiki here: https://wiki.mozilla.org/Addons/Extension_Signing
Check out the response to “unbranded” versions or “What about private add-ons used in enterprise environments?”.
I was looking at Random Agent Spoofer addon’s comments (I think I read about it at https://www.privatesearch.io/about). I wondered if Mozilla had enough manpower to review addons in a timely manner… This blog entry, https://blog.mozilla.org/addons/2015/09/04/turning-the-queues-around-new-forum/, talked about queue and the additional staff.
snippet:
++++++++++++
29 Apr 15. Version 0.9.5.2 has been released on github. A limited version has been submitted to the AMO reviewers and should be available soon.
30 July 15. Version 0.9.5.2 is still in the review queue. It should not be much longer.
The latest full featured version will always be available on github, with certain features that are not allowed on this site. I will add what features I can to the AMO version within the terms allowed by the addon policy.
++++++++++++
So, what will an organization like yours do? An alternative build without such restrictions? Stick to an old version? Does anyone have a clue whether Mozilla listens to what such users have to say?