Two details: the extensions need to be signed by Mozilla, and only US English speakers will be allowed to disable this requirement.
The point of free software is that users, individually and collectively, are free to modify it as they wish, without requiring approval from third parties. (And of course to use, copy, and redistribute.) This is a sharp turn away from the free-software ethos that made Firefox possible in the first place.
I understand the issue of users being tricked into downloading and installing malicious extensions. If you let someone program, they will be able to paste malicious code. I just don’t think that taking away users’ ability to modify their own browsers is an acceptable solution to that.
If this disturbing move sticks, Mozilla will become an increasingly tempting target for whatever group wants to control what software you can install on your own computer — whether that’s Sony Pictures, the NSA, or Amazon.
The old free software movement has died. We need a new free software movement.
In addition to the "en-US locale only" restriction, I wonder if unbranded builds will be made available for non-desktop platforms. I would like to run my own extension, or that of the company I work for, on multiple platforms and especially without having to share proprietary source code with Mozilla et al.
I think they removed alternate signature checks from the base code (may affect other browsers), and the preference to disable Mozilla signature checks is a global switch. So they've made things even harder than they have to be for those who don't want to comply with the new model.
According to Mozilla, they have to do this because a user who has control of their OS might install malware and might grant it root/admin privileges. Such malware could not only tamper with extensions, it could tamper with the permission and preference systems and other key components and files. IOW, if Mozilla continues to pursue this policy, we may be looking at the beginning of a more comprehensive lockdown of Mozilla applications.
It might be wise to try to hold the line somewhere. In general, we aren't going to be more secure if we allow ourselves to be locked into simplified configurations that suit the mass market.
Perhaps they assume that to program enough to write an extension, you need to learn English. I’ve met people here in Argentina who say that. My view is that, even if that is the status quo ante (and I’m not sure it really is) it’s a status quo we must disrupt, not ossify.
China [1] and Brazil [2] feature strongly non-English developer communities. Regardless, keying such features to a language is just painfully ignorant. On a closer look though, it appears that beside the developer edition having the setting, the unbranded version will only be released for en-us.
ESR has some bits about "Learn English if you want to code" - but politics of it aside, this isn't even about coding. This is about using a plugin that someone has not signed (like, for instance, RES for Chrome which for the longest time did not have a Store entry iirc).
Wise words, kragen. With the excuse "you need english because" a new form of imperialism is on the making. And what is worse, is that this attitude is often self-imposed.
Because there is no such a thing like “English, the lingua franca”; changing the name do not change the content.
We should stop self-deluding ourselves in believing that English exits in a geopolitical void. English is the language of the anglosphere, and speaking English is a huge favor to those economies, and that comes with a sense of cultural inferiority as well, in many peoples.
There is a such thing as "English, the lingua franca" no matter how much one tries to will it away.
Aviation is a curious industry. English is commonly spoke between flight crews and ground stations world wide (with few but notable exceptions). Circumstances where the English meaning of a word wasn't well understood by the flight crew or the wrong words were spoken have, on occasion, lead to disaster--Avianca Flight 52 [1] comes to mind, among others.
I simply cannot agree that mutual intelligibility is bad simply on the merit that it somehow creates a "sense of cultural inferiority."
It sounds like you're saying that using English as the lingua franca of aviation puts at risk the lives of flight crews for whom English is not a native language, as well as their passengers. This seems like a good example of how English-as-lingua-franca gives special worldwide advantages to native English speakers.
What I'm suggesting is that having a standard for communication is less likely to put lives at risk. I can't help but wonder if you're invoking Poe's Law by advocating from what is arguably an extremely fringe standpoint.
Otherwise, the alternative would be to require air traffic controllers to learn a dozen languages, and then you wind up with an even worse problem than having everyone settle on a single language with codified standards.
This sounded super weird. But I guess what you are referring to is that the will only release en-US-localized builds of the "unbranded firefox" editions. That I can understand, the logistics of building and shipping all the i18n editions for an off-brand build is probably significant.
This requirement is ridiculous, a lot of developers can't speak English at all. And what about British English ? Is it not as good as American English for development ?
> The point of free software is that users, individually and collectively, are free to modify it as they wish, without requiring approval from third parties.
You've been on HN for over six and a half years. Surely you can't be this jaded or obtuse?
That freedom is absolutely, unequivocally preserved: The entire source to Firefox is available under OSI-approved libre licenses.
APIs change, but the freedom of the software isn't determined by its exposed APIs, but by your ability to exercise the Four Freedoms enumerated by the FSF at http://www.gnu.org/philosophy/free-sw.html. Debian exercises these freedoms with every build of the IceWeasel browser from Firefox's source.
I'm not jaded, and as to whether I'm obtuse, I have to let the other commenters judge.
I agree that, yes, in theory, you legally have that freedom. But if Mozilla thought users were practically able to exercise that freedom, there would be no way for them to impose a change like this; all the users would switch to a fork. In practice, maintaining a fork of a major active software project is a huge amount of work and easily to do poorly (think of the Debian OpenSSL hole), and nearly all the people qualified to do it work at Mozilla or are burned out. And Mozilla, if they want to make it harder to maintain a fork, has a wide variety of strategies at their disposal.
(In case it matters, I'm typing this comment in Iceweasel!)
As a side note, it seems to me rather in poor taste to attack my intelligence in the first line of your comment, and suggests that you think your arguments won't stand on their own merits.
I apologize for the disparagement; I was miffed at your statement that "only US English speakers will be allowed to disable this requirement," which completely misrepresents the situation, followed by doubt about Firefox's status as F/OSS. Instead of ascribing that to malice, I should have assumed good intent and that the communications from our end were unclear.
As to the English issue, we have absolutely no intent to restrict the signature opt-out to English speakers.
Much like with our Nightly builds, the unbranded copies of Firefox will only be pre-compiled with en-US strings. Additional locales can be added at any time through https://addons.mozilla.org/firefox/language-tools/.
For users that want to disable verification without installing a language pack, the Developer Edition and ESR builds will always allow for opting out and will continue to be released will a full complement of pre-compiled locales.
As a Debian user, I'd like to draw a parallel between these measures and the default requirement for GPG signatures on packages installed by apt, which has been the case since version 0.6 in 2003. These signatures are tools to ensure integrity and provenance, not to restrict your freedoms. Much like with the secure apt initiative, it's entirely possible for users to opt out of these protections after jumping through minimally invasive hoops.
Oh, hey, yep. Tripping over my own ignorance there.
I didn't realize that latest-mozilla-central-l10n/ subdirectory existed; I've always gone straight for latest-trunk/, which it turns out is a symlink to latest-mozilla-central/, which only contains the en-US builds. Thanks for pointing that out. I'll file a bug to get https://nightly.mozilla.org/ updated to point to the localized builds.
> As a Debian user, I'd like to draw a parallel between these measures and the default requirement for GPG signatures on packages installed by apt
Said parallel is imperfect. With APT, you can add custom signatures (say, if you run a private or organization-specific repo). AFAICT, Firefox offers no such capability.
Thank you for clarifying, but I am still very skeptical.
I would have no problem with signature verification if, as with apt, users can decide which keys to trust. (And you don't have to download a whole new copy of apt to do it!) But the intent of this announcement seems to be that Mozilla will prevent users from doing that, on the theory that they will make bad choices. Well, some of them will!
But it's far more dangerous to take those choices away from them — that guarantees that they're trusting the wrong company.
Mozilla have been doing odd things in recent years, almost like they are transitioning into an authoritarian movement. Want to use unsanctioned extensions? No, go away. Want to use non-secure HTTP? Sure, but we will take away your features. Want to work for them but have unapproved views? Fired. All this is from viewing them as an outsider, so you never know, but something is different.
There was a large outcry, then he resigned. His resignation can be directly traced to his views. Whether he was technically fired or "decided" to resign seems largely irrelevant.
I understand the issue of users being tricked into downloading and installing malicious extensions. If you let someone program, they will be able to paste malicious code. I just don’t think that taking away users’ ability to modify their own browsers is an acceptable solution to that.
I think it's just another battle in The War on General Purpose Computing. I like to keep this quote in mind: "Freedom is not worth having if it does not include the freedom to make mistakes."
> only US English speakers will be allowed to disable this requirement
You can install any non-English locale (language-pack) on top of Firefox. I do that (because I want to be able to switch from a language to another). So it is a two-steps installation.
> The old free software movement has died. We need a new free software movement.
There is nothing wrong with the free software movement just because someone does something disagreeable---that's like saying there's something wrong with your operating system because you have malware on it.
Two details: the extensions need to be signed by Mozilla, and only US English speakers will be allowed to disable this requirement.
The point of free software is that users, individually and collectively, are free to modify it as they wish, without requiring approval from third parties. (And of course to use, copy, and redistribute.) This is a sharp turn away from the free-software ethos that made Firefox possible in the first place.
I understand the issue of users being tricked into downloading and installing malicious extensions. If you let someone program, they will be able to paste malicious code. I just don’t think that taking away users’ ability to modify their own browsers is an acceptable solution to that.
If this disturbing move sticks, Mozilla will become an increasingly tempting target for whatever group wants to control what software you can install on your own computer — whether that’s Sony Pictures, the NSA, or Amazon.
The old free software movement has died. We need a new free software movement.