I am shocked, people actually think that automatic updates are very good? Because for me, it is trivial that automatic updates are very bad. One of the greatest security risk of extensions are due to automatic updates, they can't be verified, since they change.
edit : BTW I've submitted a related submission about Guerilla Script, a userscript injecting engine, where userscripts are not even updateable: https://news.ycombinator.com/item?id=39620863 This is the ideal way of safe extensions IMO
I don't think anyone (at least not me) is claiming that auto-updates are very good. However, I will argue 'till the cows come home that they are better than the alternative in many cases.
Installing software in the first place is placing a lot of trust into whoever made that software from the get-go. There are a myriad of ways a bad vendor can abuse a software installation without having to involve auto-updates. Singling that as a specific abuse vector that's orders of magnitude worse than giving filesystem access to an opaque binary just doesn't make much sense to me.
If I don't trust a vendor enough to allow auto-updates, then I don't trust them enough to install the software in the first place (dev dependencies notwithstanding for obvious reasons). Combine this with the well known fact that optional updates just don't get installed, and the cost/benefit calculus of the feature becomes not that hard to motivate.
Fwiw, I also think that a switch to disable the feature should always be present for those of us who care.
I am shocked, people actually think that automatic updates are very good? Because for me, it is trivial that automatic updates are very bad. One of the greatest security risk of extensions are due to automatic updates, they can't be verified, since they change.
edit : BTW I've submitted a related submission about Guerilla Script, a userscript injecting engine, where userscripts are not even updateable: https://news.ycombinator.com/item?id=39620863 This is the ideal way of safe extensions IMO