Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

For Firefox extensions, Mozilla has a "recommended extensions program" [0] which involves "rigorous technical review by staff security experts" before extensions are included, but it's not clear from their support article if every update is reviewed before it's published.

If they do review every update, that would this problem at least for the more popular extensions, although I wonder how much delay it introduces when an extension needs an urgent security update.

[0] https://support.mozilla.org/en-US/kb/recommended-extensions-...



They do review every update. Even overly popular ones like uBlock Origin gets stuck sometimes.

Currently my personal policy is to only allow those curated extensions to run on all sites/tabs.


It's almost as if you wish there was some kind of onerous "marketplace" where participation had rules and there was some kind of enforcement taking place, and organizations that break the rules could, no matter how popular or well known, be banned if they repeatedly violate the rules of the marketplace, or work to subvert the marketplace's function.


Just sounds good in theory:

- More malicious apps found in Mac App Store that are stealing user data - https://appleinsider.com/articles/18/09/07/more-malicious-ap...

- How 18 Malware Apps Snuck Into Apple's App Store - https://www.wired.com/story/apple-app-store-malware-click-fr... ...


The existence of crime isn’t a logical reason for eliminating law enforcement. Having a choice of marketplaces… imagine if Mozilla gave you that!

A corollary… just because one piece of software has fewer reported CVEs, doesn’t mean it is more secure.


> Having a choice of marketplaces… imagine if Mozilla gave you that!

It sort of does, it's just not something devs take advantage of or that exists in an official way.

If you don't want to be listed in the addon store, you can do a signed addon that goes through a much less rigorous check and then distribute it however you want. Similarly within the addon store Mozilla has a concept of "vetted" and "unvetted" addons. You end up with roughly 3 layers of validation.

There's technically nothing stopping anyone from setting up a separate addon store using only the 1st-layer of validation (or even adding a wrapper around the 3rd layer of validation since it's all still ultimately XPI files). Automatic updates would even work, you can specify URLs to check updates from. I haven't fiddled around with it much though.

And sure, it would be nice to be able to skip even the 1st-layer signing when necessary, but what exists is still better than what a lot of other app-stores allow and in practice I suspect most addons aren't going to have trouble getting their stuff signed, so it's (likely?) not a huge deal if you wanted to make a 3rd-party store to require Mozilla-signed extensions. Maybe there's something I'm missing though.


Better read the terms...

https://extensionworkshop.com/documentation/publish/add-on-p...

> All add-ons are subject to these policies, regardless of how they are distributed.

and

> Add-ons with the sole purpose of promoting, installing, loading or launching an outside website, application or add-on are not permitted.

I believe the only way to bypass this would be to disable add-on signing in your browser, which is probably a bad idea.


Apple can deal with those as they are uncovered. With alternative approaches, they can’t. So your point defeats itself.


Do the links you provide mean it’s partially working not only in theory but for real?


Almost, yes, but not quite.

Curation and integration by a trusted party is a valuable service, and I very much appreciate Mozilla, Debian and others doing this work and enforcing their inclusion policy, e.g. the Debian Free Software Guidelines and whatever Mozilla's technical review involves. Debian's onerous rules in particular are great for the user – I can rely on packages to be appropriately licensed, to receive security patches without breaking my system with incompatible changes, to be compatible with the rest of the packages in the distribution, etc.

Some important differences from "marketplaces" provided by various for-profit companies are 1) the user can choose whatever curator they wish, or opt to install whatever they want at their own risk; 2) the service doesn't usually involve payments, selling, shopping, etc. which would usually be associated with a marketplace.


I get that you're jabbing at the Apple situation, but nobody has a problem with what you're suggesting. The problem arises when that is the only avenue to get onto a platform. Apple actively blocks sideloading and there's no way for a user to trust something that Apple has branded as "untrusted." Curation can coexist with untrusted code just fine, and in fact that's what Mozilla already does with their system mentioned in this thread!


Firefox has a marketplace with participation rules and enforcement where organizations that break the rules can be banned for violating them. That already exists.

They want something stricter. What they're asking for is the ability to have multiple marketplaces and validation measures, some of which have stricter rules than others. That these requests pop up in scenarios where marketplaces already exist suggest that singular universal marketplaces that attempt to be one-size-fits-all gatekeepers aren't scalable or sufficient to meet everyone's needs, and that a multi-marketplace setup would allow some of those marketplaces to offer stricter quality standards for the people who need them.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: