Pray tell, which usable browser do you believe provides better assurances than Firefox? Certainly it's not Chrome or Edge, is it?
Firefox could have been the chosen one, the hackable browser. But it's just another hermetically sealed product.
Everything is open source, mostly under a fairly permissive license.
You can still do quite a lot with extensions or various tweaks (more than most programs, including open source ones).
It's demonstrably not "hermetically sealed".
I built myself an extension. Just for myself, nobody else. It worked great, then in one of these "policy changes" I couldn't use it anymore. Just for myself. That is a betrayal of trust. If I could use it before, and now I need to hack/mod Firefox by building it on a machine with umpteen hundreds of gigabytes of storage, that is a betrayal of trust. Firefox is "demonstrably" a hermetically sealed product. As demonstrated by my lived experience.
Also the "developer edition" allows installing unsigned extensions. No need to build your own.
Looks like web-ext came out in 2016: https://blog.mozilla.org/addons/2016/04/29/webextensions-in-.... My extension is at https://github.com/akkartik/spew, and it looks like there might have been a period of a year when I wasn't able to use it.
When software auto-updates and stops working, we consider that breakage. When software auto-updates and code I wrote stops working, we say "oh, it affects just 0.01% of users." For me, the inescapable lesson is to not write code for extension eco-systems, because they're all too immature for serious use. At least as of the year 2015.
I think they meant that they are not going back to publishing Firefox extensions/add-ons. That doesn't imply they started writing extensions for another browser.
DRM prevents you from redistributing original media (with varying degrees of effectiveness) and doesn't do much for cryptographic attestation (nominally).
These are two very different systems for different purposes.
As far as I know you can run unsigned code pretty easily still (especially, though not uniquely, as a technical user), and the process of stripping attestation/signing information from an executable on most popular platforms is well-documented with freely-available tools in most cases.
I'm almost certain there are ways to disable code signature checking completely on the major OSes if you really want to, but why you'd want to do that, I don't get.
Is your argument that running code with an invalid signature should happen with no notice, no hurdles, no nothing, by default?
Then there is secure boot which requires MSFT permission to use an OS, cell phones on which you cannot run your own code without manufacturer permission.
I hope you don't still think the R in DRM stands for rights.
So now, extensions can change to anything they want at any time they want with our without consent?
As far as I know a privacy policy has zero legal weight, that is, a company can put anything it wants into the privacy policy, it has no effect on what is actually done.
Their policy doesn't apply to your computer. Only to developers that want to use Mozilla's infrastructure for distribution.
I find that limitation bizarre from an open source browser; it's the sort of behavior I'd expect from Apple.
When I did IT support I've seen so many people do completely crazy things. I've seen people with 6 or 7 different browser toolbars and they use none of them. People with 3 different virus scanners they never remember installing, and of course ransomware they never recall installing either. etc. etc.
And honestly, can you really say you'd never click on the wrong "allow this untrusted extension" button when distracted, engaged in something else, tired, or whatnot?
I agree it can be annoying, but it's not impossible to maintain your private (signed) extensions. And for >99% of people, it's probably a sensible thing to do – this includes most tech people because most tech don't have a bunch of private extensions.
For everyone else, you can sign your own private extensions (some effort, but fairly minor) or use the Developer Edition, which allows installing unsigned extensions.
You're right that it's your computer, and you're free to change and recompile Firefox to do whatever you want, so I don't see what the issue is. The polices are for what extensions they allow on their store not what you can install on your computer. Last I knew, you could make your own extension and load it yourself with the store being involved at all. Go nuts.
This makes chunking for any sizable extension an absolute nightmare!
proaralyst•7mo ago
This is great: I've wanted a personal extension for a while (roughly to replace my userscripts but with more power and better sync) but was put off by it having to be public or manually installed. Now I can make this!
qiine•7mo ago
sdovan1•7mo ago
arp242•7mo ago
I have a few private extensions like this (e.g. for HN, GOG, my own new tab page, etc.). I don't have the exact steps for this at the handy, been meaning to do a write-up at some point, but my mk script is just "$webext sign --channel unlisted --api-key $jwt_issue --api-secret $jwt_secret" – I don't recall if you need to create it the extension in the Mozilla web UI first, but I don't think so(?)
sdovan1•7mo ago
Edit: I successfully signed the key on AMO. Here are the steps:
That said, it's not ideal for me since I make extensions for work. Looks like a human reviewer can check your code at any time.arp242•7mo ago
Yeah, not entirely sure how this works. I've been doing this for a few years with a bunch of extensions, and thus far it's always just been automatically approved (although that does take a few minutes).
gruez•7mo ago
Even prior to this there was an option to upload an extension to AMO for "private distribution". Mozilla will sign your extension so it installs without a fuss, but it won't be hosted on AMO. You can still host it on your personal website, or share the .xpi file though.