Mozilla pulls Bypass Paywalls from Firefox add-ons store (github.com/iamadamdev)
338 points by AndrewDucker on Nov 30, 2018 | 276 comments



Lots of heat in this thread...

So, Addons are mostly reviewed by volunteers. Sometimes people make mistakes. The best course of action is to try to reach out to the AMO team on IRC or their mailing list.

- Addons forum is at https://discourse.mozilla.org/c/add-ons

- All contact info for AMO dev stuff is at: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons#Con...

- Developer Hub for addons is at: https://addons.mozilla.org/en-US/developers/

There is no need for FUD or conspiracy theories. We can just talk to people and find out what happened and maybe revert it if possible.


My experience with firefox add-on reviewers has been hit or miss - One of the most frustrating things is that reviews often happen long after your add-on has been published. I'd rather have a longer waiting time, but once an add-on is published then it means it's been approved. From the developer point of view it means that it's very hard to communicate on releases, because you never know when your addon is going to be reviewed. From the end user, it means that if someone maliciously changes one of your addons, you may already have updated to that version before the review. I also feel that the guidelines around reviews aren't well explained, and the reviewers comments are often terse, bordering on the incomprehensible: at least with Apple, you get pointed to which part of the rules they think you didn't respect - with firefox, we often get broad comments that require a bit of back and forth to figure out what it is they're actually thinking is wrong.


This was the old model and it put a lot of pressure on the volunteer add-on reviewers and there were times where the delays stretched out to several months.


It's not like Mozilla has no funds. Why not hire a couple of people for the reviews?


Or at least hire review coordinators who can manage the program effectively. Our volunteers review 15,000+ loans a month. Happy to share insights with Mozilla on how to run an effective volunteer community and keep the pipeline flowing.


Having funds is not the same as having unallocated funds.


Surely there should be a clear appeal process, and escalation if there is to be an app store like review for addons that can remove something. Particularly if they are assessed by volunteers who may vary significantly.

There seems something off when spyware infested stylish remains an acceptable addon and this gets arbitrarily blocked.

A vague "try and reach out" doesn't, to me, seem to come close to an appeal process.


There is an escalation process. I think the authors already did it and are now waiting. What I mentioned is not the escalation problem, it is a way to reach out for people when things fail.

Usually from your add-on admin dashboard you can reach out to the team and send messages to the reviewers, right from the same tool you use to admin everything.


Is it just me or there’s a lot of these ‘hot’ threads on GitHub lately? I don’t mean the issue at hand—validity is beside the point—but the fact is that these issues unravel on GitHub on a very predictable cadence, and Github Issues is fairly ill equipped to deal with making sense of this. So everyone just shouts at thin ether at the top of their lungs, hoping to attract some attention and answers, then it becomes an arms race.

That’s a design problem - if the voting system made things become more visible, then likely fewer people would feel the need to shout. That has its own drawbacks, though.

It’s a hard problem building anything remotely social. I don’t think they realised what they were putting themselves into when they were building Issues.


What happened is Mozilla got a complaint and pulled multiple pay-wall bypassers.

Source:

https://github.com/nextgens/anti-paywall/issues/109

"It appears that your Add-on violates the Firefox Add-on Distribution Agreement and the Conditions of Use. Both prohibit Add-ons that violate the law. Your Add-on appears to be designed and promoted to allow users to circumvent paywalls, which is illegal.

...

We are responding to a specific complaint that named multiple paywall bypassing add-ons. It did not target only your add-on."


> Release and Beta versions of Firefox do not allow unsigned extensions to be installed

I'm really disappointed at Mozilla regarding this. I recently wanted to do some Firefox customization for my own private use (not even an extension, I just wanted to have some visual indication of which Firefox windows belong to which profile). I was surprised to find out that even just a header .png in a theme can't be loaded locally but must be on-line and vetted by Mozilla. Utter craziness.


I'm currently developing a browser extension, and was a bit shocked that I couldn't just load it on Firefox like on Chromium. It seems like such a basic thing, maybe that's because I'm a dev and expect that they will cater to development, but it was one of the first usability things where I preferred Chrome. I ditched iPhone for Android for similar reasons, and it seems that one thing Google does really well is make the developer workflow easy.


You can load it like on Chromium. Go to about:debugging#addons, click the "Load temporary Addons" button and select your manifest.json file.


Aaah, thank you! That will help tremendously. The third-party resources I was looking at neglected that point.


Any version of Firefox can load unpackaged addons for the current session. IIRC, with the CLI tool you can even auto-reload it as you make changes to source.


You can use web-ext[1] to simplify development process

[1] https://github.com/mozilla/web-ext


IIRC you can install unsigned extensions in the dev and nightly as well as unbranded versions of firefox (usually the last option means compiling it yourself).

Mozilla is, to some extent understandably, concerned with the image of Firefox and patrolling what Addons are available in the store is part of that. Apple does the very same thing.


> Mozilla is, to some extent understandably, concerned with the image of Firefox and patrolling what Addons are available in the store is part of that.

This is a non-sequitur. Reviewing things on their addon store has nothing to do with requiring a mozilla signature for sideloading.


Not quite. The signature is to ensure users install from the addon store. You can disable this if you wish to run non-store addons. Otherwise any website or external program (remember your A/V installing their safety toolbar?) could start adding fishy code to your browser.


That is a totally different issue. One thing is reviewing what's on your store. The other is restricting people to only installing what's on their store.

One is happening on their property. The other is happening on the user's property. They also want to exert control over the latter, which is causing these problems.


It's the difference between on the one hand some spyware or adware shoving an addon in the right location in the Firefox profile directory and either accepting any dialogs to confirm you want to side-load or social engineering the user into accepting them, and on the other the same spyware having to actually patch the firefox binary or exploit it to get the same behavior, since the binary has verification baked in.

It's a big annoyance for me too, because I use private extensions extensively for some business stuff (used by the users here), but had to switch to a different mechanism (because I don't want to deal with verification). It sucks for me, but I totally understand why they are doing it.


I am aware of mozilla's given rationale (and I disagree with the implementation), I was just pointing out that patrolling an addon store is orthogonal.

And the decision to not even let users add additional signing root keys is yet another axis on the decision space that was totally neglected.


The problem is that it's essentially just another dialog or control to be scripted or socially engineered around. You can make it more onerous because it's basically a one-time action that's not something most users will do, but to what degree is adding a signing key before install different than a dialog asking you if you really want to install this third party extension?

Until you have different access levels and can both restrict users/programs from running at the base level required to do this, and condition users to recognize when increased access is being requested, I don't see this problem going away. Windows UAC is basically what we're talking about, and it still took years for users to understand it and not just always allow it (if that's even true!), and that's a system shared over all of windows.

I think the only sane way to accomplish this that worked for users and didn't cause enterprise admins to totally shun Firefox would be to piggy back on Windows' certificate store and register certificate for Firefox use only (I assume this is possible, I'm pretty sure you can do this for app-to-app communication such as MSSQL encrypted connections), but then you have to make sure you also handle the mechanisms to do the same in Linux and OS X, and now we're seeing it's a much more complex undertaking.

Protecting users from their own stupidity is a tough and mostly unsolved problem. Punting and eating their own resources to provide the safest solution they can, even if it's annoying for a more technically literate subset of users, is a solution I can understand and respect, even if it's problematic for me, because it's putting safety and security of the majority of users over a simple solution that would be worse overall.


UAC is already in place. Piggyback on that. Root on linux. And whatever osx does to protect application packages.

And I really dislike the "can be socially engineered around" bludgeon. If taken to its final conclusion you would have to lock-down systems and give users no freedoms at all because they could be convinced to do something bad with enough effort.


> If taken to its final conclusion

And yet you don't take the "freedom" argument to its final conclusion, which is that you must grant Freedom -1. That's the freedom for anyone, anywhere, to run any software on your hardware, at any time and for any purpose.

And this is only half-joking: all access restrictions, even ones as basic as filesystem permissions, impinge on freedom in some fashion. You can work around them, of course, but you can work around Firefox's extension signing (and Apple's app signing, and lots and lots of other systems that people insist are objectively reducing "freedom"). Which means that to be consistent, you either have to be against even those basic access-control mechanisms, or you have to compromise on absolute "freedom" and begin arguing about how difficult or complex a workaround can be before you personally would rule out allowing a system to require it.


That would go a long way to solving the problem once and for all. It would be nice if Mozilla would provide the ability to install private signing keys to the browser.


I would disagree this is a different issue, one leads to the other. Mozilla wants to make sure that any addon the user can possibly install is something they can trust. Including addons that other applications install (ie AV toolbars).

If you don't like that, you can use the unbranded version of firefox or the dev edition.


As in the sibling thread, no, you can't disable the signature check, not in the regular, mainline FF download. Even if you enable it in about:config!

This was a change introduced in ~August 2016, to ignore your preferences on that setting.

(As you note in the sibling thread, you can get it in a special development version, but that still contradicts your claim that you can toggle something to allow it.)


You can toggle a compile option to allow unsigned addons. I've mentioned this repeatedly and I'm unsure how you didn't notice that.


And I've explained that you can't expect the average newbie coder to navigate the recompilation process; I'm unsure why you blithely dismiss people who aren't as capable as you.


1. So you have the set of people who would be much better off in a “walled garden”, in my experience that is almost everyone.

2. You have the set of people who can compile the code from source and who want to get outside of the wall.

3. You have the set of people who want to get out of the wall but don’t have the technical expertise to know the dangers of doing so.

4. You have people who have the technical expertise to know the dangers but not the technical expertise to compile code.

I think people in group 4 should learn how to be in group 2, because we have almost four decades worth of evidence to know how badly people in group 3 can do.

Edit: changed group 2 to group 3 in the last sentence.


Perhaps, they forced them to do that in the middle of their workday in order to get their UX back. Imagine if your computer crashed and when it restarted it came with the mouse drivers disabled and you had to use the arrows to move the mouse around, and you were reassured you could sign up for WDN to restore use of the mouse.

And I don’t think expecting the user to personally recompile for every update is reasonable, especially if you claim to let users gain control of their machines again.


Compiling a browser isn't exactly a walk in the park for the average 5 year+ old PC, either.

Googlers working on Chromium dev get maxed-out machines for this reason.


The same users who have complete “control of their computer” who don’t know what they are doing is what causes all of the crapware, malware, ransomware on many Windows based PCs.

I’m all for platforms being in a walled garden by default where you have to jump through a few hoops to unlock an “advanced mode”.

And signing up for WDN (Windows Developer Network?) hopefully you would get signed drivers.

You can’t imagine the number of times my mom has done the perfectly reasonable thing of searching for Windows printer drivers on Google and ended up installing crapware from a third party site instead of getting the official driver. Signing requirements from MS would hopefully alleviate that and let advanced users try to figure out how to load unsigned drivers.

(Also tangentially, why are printer drivers still a thing on Windows anyway? Anyone who connects a Mac, iPad, or iPhone to my home network - if I give them access to the non-guest network - automatically can print.)


I don't because I also mention the developer edition and nightly, which allows unsigned addons and has regular updates.

I'm not dismissing people who aren't as capable as me either, I've mentioned alternative approaches and I'm getting tired of having to repeat "there is the dev and nightly edition" to the same 5 people over and over again.

Mozilla is making tradeoffs in protecting the average user and giving the power users a little bit less freedom unless they use an edition of firefox intended for power users and developers. Simple as that.


Then you don't get security updates. That's forcing users to make uncomfortable tradeoffs.


The developer edition allows you to use unsigned addons, that has security updates.

You can't live in the modern world and expect all choices to be handed down without consequences and tradeoffs.


Right, we can't. Unless we're promising to give users control over their machines and there are trivial ways to accommodate this means of giving them control.


Users will abuse the ability to control their own machines. Given full administrative privilege on their machine, it takes, by my experience, about a month until the machine either has various pieces of malware installed or their malware has malware installed.

The average user cannot be trusted with full control of their machine and it's fairly reasonable to say that power users need to take the extra steps to, for example, install a power user edition of firefox.


I'm not asking for full administrative privilege.

I'm asking for: "If the user goes into a deep part of the obscure developer options and bypasses the warnings about unsigned addons, and then uses a non-obvious but documented process for side-loading, something virus peddlers can't really walk users through, then Firefox should honor that while explicitly displaying the list of unsigned addons the users added."

>I'm not dismissing people who aren't as capable as me either, I've mentioned alternative approaches and I'm getting tired of having to repeat "there is the dev and nightly edition" to the same 5 people over and over again.

And I and others have explained how those involve unacceptable tradeoffs and run directly contrary to "give users back control over their machines" ethos, though not, of course, to your extremely limited version of the ethos.


>"If the user goes into a deep part of the obscure developer options and bypasses the warnings about unsigned addons, and then uses a non-obvious but documented process for side-loading, something virus peddlers can't really walk users through, then Firefox should honor that while explicitly displaying the list of unsigned addons the users added."

Any such process would have to be difficult for external programs. As it stands, the best way to get verification of such a setting is through the built in binary verification that firefox does, which requires that any application needs to reverse engineer and patch the binary to install its own addons.

Your process requires editing the about:config values, which is possible for an external application and installing an addon, which copies it into a specific folder and is also possible for an external application. We know this is possible because this is what other applications did to install their shitty toolbars.

>And I and others have explained how those involve unacceptable tradeoffs and run directly contrary to "give users back control over their machines" ethos, though not, of course, to your extremely limited version of the ethos.

It seems to me that further discussion is unnecessary considering you continue to ignore significant portions of my comments.
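A defender can audit a profile for the two changes that comment describes: the signature preference flipped from outside the browser, and an add-on copied into the profile. This is an added sketch, not part of the thread and not Mozilla code. It assumes the usual profile files (`prefs.js`, `user.js`, `extensions.json`) and the `signedState`, `foreignInstall` and `location` fields in `extensions.json`; the sample profile is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Locations holding add-ons shipped with the browser itself (assumed names).
BUILTIN_LOCATIONS = {"app-builtin", "app-system-defaults", "app-system-addons"}
# A signedState below this value means a missing, unknown or broken signature.
SIGNED_MIN = 1

PREF_RE = re.compile(
    r'user_pref\(\s*"xpinstall\.signatures\.required"\s*,\s*(true|false)\s*\)\s*;'
)


def signature_pref_disabled(profile: Path) -> bool:
    """True if the profile sets xpinstall.signatures.required to false."""
    value = None
    # user.js is applied on top of prefs.js, so it is read second.
    for name in ("prefs.js", "user.js"):
        path = profile / name
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            for match in PREF_RE.finditer(text):
                value = match.group(1)  # the last assignment wins
    return value == "false"


def flagged_addons(profile: Path) -> list:
    """List non-builtin add-ons that are unsigned or were installed externally."""
    path = profile / "extensions.json"
    if not path.is_file():
        return []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except json.JSONDecodeError:
        return [{"id": None, "active": False,
                 "reasons": ["extensions.json is not valid JSON"]}]
    findings = []
    for addon in data.get("addons", []):
        if addon.get("location") in BUILTIN_LOCATIONS:
            continue
        reasons = []
        state = addon.get("signedState")
        if not isinstance(state, int) or state < SIGNED_MIN:
            reasons.append("no valid signature")
        if addon.get("foreignInstall"):
            reasons.append("installed from outside the browser")
        if reasons:
            findings.append({"id": addon.get("id"),
                             "active": bool(addon.get("active")),
                             "reasons": reasons})
    return findings


def audit(profile: Path) -> dict:
    """Combine both checks into one report for a profile directory."""
    return {"signature_check_disabled": signature_pref_disabled(profile),
            "addons": flagged_addons(profile)}


def build_sample_profile(root: Path) -> Path:
    """Write a constructed profile: one store add-on, one dropped toolbar."""
    (root / "prefs.js").write_text(
        'user_pref("browser.startup.homepage", "https://example.invalid/");\n'
        'user_pref("xpinstall.signatures.required", false);\n',
        encoding="utf-8")
    addons = [
        {"id": "store-addon@example.invalid", "location": "app-profile",
         "signedState": 2, "foreignInstall": False, "active": True},
        {"id": "toolbar@example.invalid", "location": "app-profile",
         "signedState": 0, "foreignInstall": True, "active": True},
        {"id": "builtin@example.invalid", "location": "app-system-defaults",
         "signedState": 3, "foreignInstall": False, "active": True},
    ]
    (root / "extensions.json").write_text(
        json.dumps({"schemaVersion": 0, "addons": addons}), encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(audit(build_sample_profile(Path(tmp))), indent=2))
```

On a release build, which per the thread ignores this preference, finding it set to false is still worth recording: it shows something attempted the change.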


>Any such process would have to be difficult for external programs.

Why? If the user already has a malicious 'external application' running on their system with sufficient privileges to do any of this, then they're already screwed, and they have bigger problems to worry about than malicious WebExtensions.

More generally, I don't think we should hold applications responsible for the security or behaviour of parts of the software/hardware stack at equal or higher privilege level to them, including other applications. Mostly because, well, they can't do anything truly effective in that regard.

I see you're worried about average users unknowingly installing random malicious crap, and I've seen a lot of that myself. I think the way forward is pretty much what is being done on mobile platforms currently: universally applied application sandboxing, usage of existing fine-grained access control models (and also the development of ones that are saner to use), and better communication to the user about what their applications are doing and what the permissions they are requesting actually mean. Yes, it's still a clusterfuck, but it's an improvement.

A security model involving applications in an arms-war with one another, using increasingly byzantine restrictions in an attempt to prevent external manipulation, feels less like something I would want any part of, and more like something out of a dystopian sci-fi novel.

: Although I think Google went too far on the "lock things down completely" side of things when they made it outright impossible to, say, use rsync to backup or sync the entire contents of a phone's sd card to/from the network


They could add a way to add signing keys to the stables. This gives you security updates and user freedom without significant downsides because the user would still be in charge of signing.


That would allow any third party software running on your computer to add malicious plugins to the browser (which has happened in the past and is in part why it requires Moz' signature now).

Most users, ie, the average user plus a significant amount, don't really care that they can't install random addons from outside the addon store.


Put the certs in the program directory. If malware makes it to that point then you will have lost the battle in any reasonable threat model.


What would prevent malicious software running on the computer from installing a malicious version of Mozilla? What's their attack model?


The attack model is largely that fairly normal software wants to install adware on the computer. The software isn't direct malware but will attempt to install and activate addons, redirect the user's homepage and search engine as well as setting various other options on the user's behalf that are ultimately harmful to the user experience in Firefox.

Mozilla wants their branded Firefox to be something the user can trust and that means controlling what code with elevated privileges (ie, Addons) can run in the browser.

edit: It should be mentioned that in response to the first question; Firefox performs some binary verification and won't run or attempt to repair if it detects tampering.


This threat model appears to be optimized for the argument giving control to mozilla. It assumes that your system is essentially compromised but the attacker has just exactly so many self-imposed restraints that they can be thwarted just as long as things are under mozilla's control. But if you give the user control then suddenly the balance tips and their already-compromised system will be used for bad things.

It's a really long-winded way of saying "we know better, you cannot be trusted, freedom is slavery".

The correct solution is to remove malware, not to play games with it that require freedom-reducing gambits.


There is plenty of software that adheres to these constraints. Most adware doesn't want to actively damage the system and doesn't worm too far in. In the past, adware would simply drop its toolbar payload into the Mozilla and Chrome addon directories, which would after confirming it with the user, activate. Same thing with homepage and search engine settings (which still get modified).

I think it's a bit unfair to quote Orwell when the overall goal is to prevent the user from hurting themselves, not brainwashing them into thinking they don't need unsigned addons. If they need those there is the developer edition, which is officially supported by mozilla and allows installing any addon you like.

The default installs that most users will see simply have a different default setting. If you don't like that you can choose another edition or compile Firefox yourself.


And that’s as it should be. The average user gets signed addons and the “advanced” user can jump through some hoops for advanced functionality.


Requiring people to use a buggy beta (this is what betas are!) is not acceptable. I warned about this constantly before they jumped the shark in version 37 and was always downvoted here and ignored at Moz. Well, here's what you get. Another Apple product beholden to corporate power instead of for the user.


> Apple does the very same thing.

As my dear old mom used to say, 'if everyone else were jumping off a bridge, would you?' The fact that Apple constrain their users doesn't justify Mozilla doing the same.

My browser belongs to me, not to Mozilla and not to anyone else: I should be able to load any extension into it that I wish to, just as I should be able to load any program onto my phone or install any root cert in my operating system.


Also, Apple doesn't ground their existence in "we want software to be Free (as in Freedom) and we want you to be able to control your own device to do what you want". If anything, they want something that's mostly opposite.[1]

Mozilla does claim to live up to that standard.

[1] This isn't to say they're wrong; there are legit reasons to want a device with good defaults that are hard to bypass.


"if everyone goes off and gets vaccinated, would you?"

Apple constrains their users for certain reasons which they believe are good for the user (with some negative side effects that Apple also likes). Mozilla likely has a similar motive; doing good for their users.

It doesn't mean every user will be happy with that, the average user will however be better off. The non-average user can then install the developer or nightly edition of firefox or even compile it themselves to get unsigned addons if they so choose. Choosing the branded release branch of firefox means that Mozilla wants to keep you safe to some extent. This means not allowing third parties to install arbitrary addons into your browser, for example. Users rarely know what they want or if they do, they go about it in destructive ways.

Install the developer edition and you get your "I want to be able to load any extension".


> Apple does the very same thing.

I understand that Apple does everything in its power to make the life of developers miserable (such as requiring a Mac to be used for iOS development), but Mozilla were supposed to be the good guys on the web.


I think you misunderstood there.

Apple's primary aim by limiting the access to the store isn't to make devs miserable, it's to have users trust the app store.

Mozilla's aim is (likely) the same. If a user finds an addon in Mozilla's addon store, then Mozilla wants the user to fully trust that this addon will not violate their privacy in unexpected ways or install malware on their computer or otherwise interfere with them.

Similarly, Apple spends a lot of money on making sure the PR image of the app store is clean. People should be able to fully trust Apple's app store, in Apple's opinion.

That doesn't mean there won't be addons you don't like, it just means that malicious behavior is not allowed. If the user doesn't like it they can remove it without consequence.


But what about the whole "give users control of their machines again"? What if I have an extension originating elsewhere -- say, because I'm a sympathetic person Mozilla claims they encourage learning to code -- and I want to bypass the usual protections.

They still won't let me install it.


You can install it if you use the developer edition or unbranded version, this is fairly well documented.


Sure, if you're willing to forgo the updates and have to manually install each time, or have the updates convert you to the branded version:

https://blog.mozilla.org/addons/2016/07/29/extension-signing...

(Good luck compiling it yourself.)


I compile an unbranded version of Firefox for each released version on my private repository for AUR packages, automated and without the need of intervention at all.

I'm currently running the branded release but I could pick unbranded, beta, dev or nightly editions of Firefox if I wanted. It's not hard to automate and especially with the unbranded version you have permission to distribute the binary that results, a permission you don't have with the branded edition.

You can also use the Nightly or Developer Edition of Firefox as well.


Yes, you could. What about the person Mozilla claims to want to get into coding? They have to choose between getting the regular updates vs being able to tweak their addons.

And do you plan to set that all up in the middle of your workday when a forced update disables your extensions?


Again, you can also use the developer edition, which also allows unsigned addons and has automatic updates but also doesn't disable your extension. It's specifically meant for people getting into coding.

Plus, there are more ways than developing FF addons to get into coding that Mozilla wants to stimulate, developing the browser itself or websites is also an alternate goal you can join in addition to trying out making your own addons.


It is not reasonable for a user-freedom-oriented browser like Firefox to require you to install a separate version to install unsigned extensions. Hiding it in about:config behind a "this is dangerous, are you sure" warning would be the right thing to do here.


I think it's fairly reasonable for a user-freedom-oriented browser that also markets itself as a safe and fast alternative to Google Chrome. This exists to some extent to protect users who will click on any button as long as it makes them able to do what they want no matter how dangerous (which is, for example, why HSTS doesn't have a "Add Exception" button).

Mozilla focuses on maximizing the user's freedom to browse the web without being hindered by harmful addons.

And at the end of the day, Firefox is a Mozilla brand, using the Firefox browser associated with their Brand means to some extent that Mozilla will want to ensure that the average user has a certain experience with that brand. The average user is perfectly fine not installing unsigned addons, which is arguably something the more advanced and above average user might want, who has the full freedom to use an edition of the browser that is explicitly marketed to them, no?


> Mozilla's aim is (likely) the same.

Nothing prevents me from compiling my own binaries and running them on my Mac.

But the issue here (AFAICT) is that Mozilla won't even let you sideload your own stuff on your browser. This is horribly broken.


>But the issue here (AFAICT) is that Mozilla won't even let you sideload your own stuff on your browser.

There's no way to allow that that doesn't also allow crapware / malware installers from injecting stuff into Firefox.


You can install unsigned or foreign-signed addons, you simply need either the developer edition or you use an unbranded version of Firefox (ie, any Firefox binary that isn't branded for Mozilla). It's a compile option.


>That doesn't mean there won't be addons you don't like

But it certainly guarantees there won't be any apps Apple doesn't like and haven't paid the appropriate fee.

It's incredibly naive to think the primary reason for Apple is trust and security. At least as far as their mobile ecosystem is concerned, their control over what the user can run is a major revenue source.


You are aware there is a difference between "primary" and "only", yes?

I'm not saying Apple's intent is pure but there is a primary driving factor behind it, that to my knowledge, seems fairly pro-consumer. Doesn't mean it has other, anti-consumer motivations.


Let's see if I got the hang of this: The average iPhone user can only install software approved by Apple, and their primary motivation for that setup is an anti consumer one.


> Apple's primary aim by limiting the access to the store isn't to make devs miserable, it's to have users trust the app store.

It really isn't. It's to prop up their own services through anti-competitive blocking, to maintain a level of terrifying censorship, and to rent seek on what remains.


That is a good side effect for apple but it's not the primary aim/goal of controlling the app store. They already control the ecosystem by virtue of not allowing sideloading easily so controlling the app store serves little additional effect other than cleaning it up and increasing trust.

It's still bad overall though.


Not sure where you are getting your information, as Apple has publicly stated to its investors that the first and last of those 3 were their actual purposes behind the restrictions on the app store.


[flagged]


That's an entirely separate decision from deciding to control what goes into the shop and by that not really part of the discussion, isn't it? And Apple asking for a fee to allow uploading apps is also a separate issue, after all, Mozilla is doing it without a fee by using volunteers to screen apps.

Both points are true and a problem but it's distracting from what this is about, no?


These aren't separate, situations do not exist in a bubble.

These are Apple taking aggressive measures toward developers. Squeezing them and potentially blocking them from perfectly legitimate apps.


They don't exist in a bubble, correct, they are however separate, but again, this is not what this is about.

It still means you can separate the good ideas that apple has from the bad ideas. Not everything Apple does is inherently bad or evil because they do some evil or bad things, no?

And this is simply extracting the good part of apple's store policy; patrolling and checking apps so that users can trust what is in the store.


I develop for iOS on a secondhand Mac mini and commodity keyboard, mouse and monitor. Total cost well under £600, let alone “multi-thousands of dollars”.


That sounds like a potential solution to me.

Still costs more than any other development. Where'd you get yours second hand?


Just eBay.


You can use qemu to run macOS. It's probably against ToS, but it works. But it's best to just ignore Apple if you can. It's their problem anyway, if they want to discourage cross-platform developers that don't own or have interest in their HW.


> I understand that Apple does everything in its power to make the life of developers miserable

All XCode projects are automatically code signed on every build. If you have a developer membership with Apple, it uses a certificate issued by Apple. If not, it's just a locally-generated certificate.

If you use make or call Clang directly, obviously there is no signing process, but there is a command-line tool that you can use and integrate into your non-Xcode build process just fine.


How do I run XCode on Linux? Or do I have to spend $2k on a machine that will only be used to run a single build? Speaking of, how do I integrate that mess with my automated build systems? Also, how can I get it to sign stuff without forking over $100 every year?


[flagged]


Please stop breaking the guidelines:

> Please don't impute astroturfing or shillage. That degrades discussion and is usually mistaken. If you're worried about it, email us and we'll look at the data.

https://news.ycombinator.com/newsguidelines.html


>usually the last option means compiling it yourself

The last time I did this it took so long I was able to write my own HTML parser while I was waiting (and I had never written a parser for a context free language before.)


It gets faster after the first run when most components are already compiled or only need minimal recompiling. ccache also helps.


You can use `<profile folder>\chrome\userChrome.css` for that, perhaps. https://www.userchrome.org/


Have you thought about just using Firefox containers? You can maintain containers that have completely separate login sessions with their own icons and colors. I use it to develop and test out 5 different user roles (or whatever) for different web applications, it's very useful.

If interested check this plugin out:

https://addons.mozilla.org/en-GB/firefox/addon/multi-account...


Why must it be online? Can't you package it with the theme? (I have no experience creating themes, but I can package images with an extension. I only have to upload it for Mozilla to sign them, but after that I can download the signed package and load that locally.)


You can use the Developer Edition, Nightly or Unbranded Builds: https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded...


Waterfox should be able to do it: https://www.waterfoxproject.org/en-US/


Cursory reminder that using Waterfox is very risky[1] because it takes a huge amount of labor (more than Waterfox has) to secure a browser and because forks tend to be behind the latest patches.

1. https://www.howtogeek.com/335712/update-why-you-shouldnt-use...


You could potentially grab the source and comment out said bullshit and build it yourself, right ;-) That's the promise of free software no?


Yes, I was livid when they did this because there was an extension (Pentadactyl) where I had to maintain compatibility myself by recompiling it.

I wrote this Hitler parody about it: https://www.youtube.com/watch?v=taGARf8K5J8

Text version: officers tell Hitler that he has to upgrade FF because of bugs but warn it breaks his extension again. He dismisses the importance until they break the news he can't install the recompiled extension even if he says it's okay in about:config. Hitler goes ballistic about how that defeats FF's mission to give control back to users.

Climax: "If every tweak must be personally approved by Mozilla employees, why not just shrink-wrap the browser and make me buy it from Microsoft at Best Buy?"

Epilogue (real-life): Mozilla has now broken extensions so badly that you can't recover some of Pentadactyl's functionality, like customizing key commands. (At least, they won't take effect while on a tab until that tab's JS has loaded. Seriously?)

But hey, at least I get Looking Glass forced on me with a cryptic message that makes me think I've been hacked. That's worth the tradeoff, right?


While this is extremely dubious behavior from Mozilla, and reminds me why I stopped donating to them (the moment Firefox started requiring _their_ signature in order to load addons), Mozilla still has the "automated signing API" in place. Supposedly, this API allows you to get an XPI signed as long as it passes a series of automated checks. So it's worth a try.

This was the excuse they used anyway when trying to justify their signature requirements were "not a walled garden". I didn't believe it of course.

You can also just mark the addon as "not listed in AMO" when submitting it to addons.mozilla.org and it will not be listed on the store, but it will be signed. More details in https://developer.mozilla.org/docs/Mozilla/Add-ons/Distribut...


I've recently been experimenting with creating an extension, and the automated signing was literally one of the first things I did when I followed the Hello World tutorial. It's very easy to obtain an .xpi that you can distribute to your users yourself.


How do you do this without leaking your code to mozilla?


Out of curiosity, under what circumstances would you consider distributing an extension bundle to be leaking its code? Unless I'm misunderstanding, isn't this the same file you'll be distributing to your users? At first bluff it seems similar to worrying about leaking your website's frontend (I've got news for you...).


It could be a private extension developed by a company internally, and only distributed to internal users.


If it's for an entire company, then it's easy enough to compile your own copy of firefox that accepts extensions signed with the company signature rather than mozilla.


It's really not. Small businesses exist.


If you have the resources to develop an internal company addon, you have the resources to build a firefox that accepts a different signature.


Respectfully disagree - having to rebuild each time patches come out, on multiple OSes and versions, which have a patch to allow unsigned extensions, is massively more time-expensive than developing a browser extension, and requires extra knowledge on the behalf of the persons responsible.


Luckily it's not necessary: you can still enable a flag in ESR releases that allows installation of unsigned add-ons, so that solves it for company-internal tools.


off-topic: the phrase is, "at first blush"


I don't think you can have Mozilla sign it without letting them see the code.


Aren't extensions written in JavaScript? Then the source is always visible to users.


They are referring to an internal company tool


"Leaking your code to mozilla"? What do you think they are going to do with it?


Doesn't matter. When developing an internal company tool, it can become a blocker due to policy or legal reasons.


Luckily, when it's internal you can use the ESR release and set a policy that allows it to be installed anyway.


> dubious behavior

When you criticize someone this strongly, it pays to at least acknowledge the reasons they've given for making the decisions they made, even if you don't like those reasons. Here they are: https://blog.mozilla.org/addons/2015/04/15/the-case-for-exte...


The worst bit here is that they aren't explaining exactly which part of the ToS is being violated, and what needs to be done to fix it...


A large part of corporate platform power is due to the ambiguity in decision making arising from the absence of clear and transparent processes or accountability regarding how the rules are applied.

That's just a giant gateway for despotism.


It's unlikely that there's a corporate decision behind this. I wouldn't even call this a corporate platform. Let me copy-paste a comment from further below that deserves more attention:

https://news.ycombinator.com/item?id=18568302

> Here is what the creator actually said

> >One of the community reviewers removed it from the store claiming it violated the ToS, which is BS. The ToS never mentions the word paywall once. Please support me in appealing! https://wiki.mozilla.org/Add-ons#Getting_in_touch

> Which sounds more like a zealous community member than Mozilla taking a position.


I didn't want to imply a corporate decision behind this specific case.

Corporate power arises through the capability alone, not necessarily its frequent execution.

I think that Mozilla is actually a great company to demonstrate how responsible platforms could operate. Past examples might be Pocket's non-cloud-based recommendation engine or their encrypted user account setup.


According to an issue for a different/similar addon[0] that got removed:

> "It appears that your Add-on violates the Firefox Add-on Distribution Agreement and the Conditions of Use. Both prohibit Add-ons that violate the law. Your Add-on appears to be designed and promoted to allow users to circumvent paywalls, which is illegal. ...

> We are responding to a specific complaint that named multiple paywall bypassing add-ons. It did not target only your add-on.

[0]: https://github.com/nextgens/anti-paywall/issues/109#issuecom...


Aren't they? The only real info I'm finding here is the terse comment from the dev in this thread claiming it was removed for vague "violated the ToS" reasons, but they have not shared the actual wording from the reviewer. It also looks like they have not even initiated voicing this objection to the ruling on the add-on developer forum. Directing your Github issue readers to spam the add-on support channels without providing them any real context seems pretty over the top, to me.


This would not be an issue at all if Firefox had not jumped the shark in version 37 by implementing anti-user features like requiring Mozilla approval (signed) to run add-ons.


The idea is to protect users, not hurt them in any way. Anyone can sign and run their own add-ons, or offer those add-ons for others to use. The only thing being restricted now is who can distribute their addons via addons.mozilla.org, which seems more than fair.


The idea might be good. The execution is harmful to users, and they refuse to roll it back. That's all that matters. Mozilla has shown this pattern consistently - they have an idea they think will be good for people, and when it ends up being hurtful and damaging not only the core product but the userbase - driving more people to alternate browsers - they steadfastly refuse to see what's going on around them.

Frankly, those of us who went to Pale Moon may as well have been the last rats off a sinking ship.


Firefox is still a terrific browser. Compared to forks like PaleMoon I would even say that it is now much better given the continuous improvements we've seen with quantum and others.

I definitely do not agree with Mozilla on everything, but stating that they are harming their userbase based on your single point of view is moot, to say the least.

And Firefox, a sinking ship with not even rats on board anymore? Come on now.


> The idea might be good. The execution is harmful to users, and they refuse to roll it back.

How so? I've been using FF forever and I didn't notice this change…


The fact that this benign comment is so downvoted says a lot about the sort of people who are brigading this thread.


I'm glad that all of the addons you use are the ones they've approved of and which haven't been made incompatible by any of the major breaking changes they've introduced in the last few years.


Those seem like two entirely unrelated issues


I don't know the whole story, but I'm inferring that the signing change affected the ability for people to sideload plugins.


That had nothing to do with the move to WebExtensions and the associated compatibility issues though...


I feel that Mozilla's misdirection is one very large issue encompassing many problems.


> The execution is harmful to users

Do you have a source for that? Moz has a ton of data about how harmful to users it was to have an ecosystem full of trashy spam extensions. The leap from "this solution has some downsides" to "this solution's downsides outweigh its upsides" is skipping the most important part of the question.


> Moz has a ton of data about how harmful to users it was to have an ecosystem full of trashy spam extensions.

I wish that this data were available somewhere—not this specific data, but in general. Mozilla's response to community push-back is always "trust us, the data show that this is what's best". If you trust them already, then that might be good enough; but, when this is always their first, and often their only, response to push-back, it's hard to distinguish it from the empty response of someone with no data who wants to avoid questions.


That's fair, but I want to highlight the world of difference between "dubious behavior" and "it would be nice if we had your data to check your conclusions." I'm not with Mozilla, but when I've been in a similar position, it's deeply frustrating to read stuff like this on the internet. (So the healthy thing is really to just stop reading it, which is a shame.)


I consider the fact that they're hiding the data and using it as a smoke-screen to do whatever the corporate side would like to do at the time or an excuse to play with whatever side project the head dev en vogue was playing with, regardless of what the userbase wants and needs to be 'dubious' from the start. So the world of difference is a non-starter in my book.

Frankly, there needs to be more community input, more opportunity to speak & act against wrongheadedness. It's part of why I prefer Pale Moon. If something is asinine, I can talk to the head dev and the team. They'll either show the community their sources for making a change or put it to a vote of the active users.


I can download an arbitrary exe file and run it with a few clicks. It can do anything, install a rootkit in my BIOS and of course completely replace Firefox.exe or anything else. What's the reasoning to forbid me to download and run an addon? I can already shoot myself, very easily. Additional protection does not do any good, only harms users.


People don't seem to understand how dangerous browser add-ons are. Protecting people from eg. malicious add-ons emptying their bank accounts is probably one of the reasons for restricting add-ons.

However, restricting add-on installations to a community-moderated app store model is not a secure enough way to do it. It's hard to prove that it helps at all, but it sure is annoying.


What prevents malware from injecting itself into the Firefox process, hooking a few functions and emptying bank accounts? Browser addons are dangerous, sure. But everything is dangerous. I'd say that malware is more dangerous than browser addons. Yet I'm living in a world where it's ridiculously easy to run an arbitrary exe file. Why does Firefox want to make it different for addons? I could understand those measures for the iOS Firefox version. Maybe Firefox could mimic macOS behaviour (need right click to run unsigned app). But making a walled garden in a world where everyone can just jump over that fence does not make any sense to me.


If it was just distribution through the add-on app store, that would be one thing. As of Firefox 48 however, in stable builds of Firefox, unsigned addons (which haven't gone through Mozilla's review process) cannot be installed. Period. The about:config setting meant to override signature checks (and allow third-party extensions), `xpinstall.signatures.required`, is plainly ignored in stable versions from this point forward, so it's AMO or bust.

The only way to install an unsigned extension is to install the Beta or Developer builds of Firefox, which still honor the above setting. Or, I suppose, to use one of the many forks of the Firefox codebase that restore user choice.


Let's dial back on the unwarranted outrage. Mozilla expects that people who develop their own extensions will be using the Developer edition. It also expects that people who aren't especially computer-savvy will be using the stable edition. The people crying foul about requiring signing for add-ons on the stable edition are living in a bubble where they don't realize that most people will completely fail to understand the importance of vetting browser extensions, while also failing to appreciate the potentially disastrous ramifications of installing a malicious extension.

Browser extension malware is a big, big problem in a way that some otherwise tech-savvy people in here apparently don't understand. Why are people so quick to ascribe malice when nobody can come up with even a single potential malicious motive for Mozilla requiring signing of add-ons? There's no profit motive or perverse incentive here. Mozilla doesn't make money from this process. Frankly, they'd make a lot more money if they didn't run AMO at all and didn't bother hiring any staff to run it and vet extensions.


You skipped over a part:

> Anyone can sign and run their own add-ons, or offer those add-ons for others to use.

And this is consistent with what Mozilla says here: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Dis...


The specific pain point we ran into was a security consideration: my company needed to sign and distribute a private internal extension whose code betrayed the layout of an internal API. The signing process for stable Firefox requires uploading the extension to AMO, which our management was not crazy about. Sure, anyone can technically do it, but the dependence on a third party service is still there. Ultimately we decided to do it anyway, figuring that the cost of having our support floor run a non-stable browser outweighed the risk of a code leak at Mozilla. But the whole process left a bad taste.

I get where they're coming from, really I do. Malware is a huge problem and the average user has zero clue how to vet extension code. I dunno, I have mixed feelings about the solution. I'm not sure if there's a middle ground to be had.


> figuring that the cost of having our support floor run a non-stable browser

Firefox Developer Edition is stable but supports unsigned addons.

But I can certainly see your point.


Probably better so. Toolbar shit can't install their crapware anymore this way.


I don't want to subscribe, I also don't want to see ads or be tracked. I wish there was a universal micropayments way of paying for what I read.


If you mean automatic micropayments when reading articles then you'll still be tracked, because the payment provider has to track what you read to make the payments and even has to be able to provide a log of it in case there is a payment dispute, so they will store what urls you visit and when.

Without a proper log payment disputes can't be resolved legally.


If there was something like anonymous payments (cryptocoin-based maybe?) then it would be possible without any tracking. In the few cases where you ask for your penny cash back because something happened, most companies would just give it back without questions asked, assuming they don't get tons of cashback requests from your IP.


That's why they need a log, because there will be cashback requests which people could abuse. And this will not necessarily be only pennies. A penny for a single page, for example, but if you visit many pages of the same site then the amount will be much higher and a user could claim then he has never visited that site and wants his money back.


Something similar is happening with ads nowadays. There is tons of fraud in ads and all earnings / payouts are approximate. Yet the system works, even approximately. My guess is fraud will be a small percent, certainly tolerable.


Seems like there has to be some method to solve this? Maybe the transaction is part of the page load? You don't get the page until you pay via anonymous cryptocurrency. No need for any post-transaction verification and reconciliation? The problem there will be if the page fails to load, how can I safely get a second attempt without creating some kind of "double-spending" problem.


There is.

You can do tracking in such a way only the person browsing has a log. In the case of a dispute, the log file can be revealed to the website so they can determine how to resolve the dispute.

In the undisputed case, the website wouldn't see the log.


> if there was something like anonymous payments (cryptocoin-based maybe?) then it would be possible without any tracking

Taxes mess that up. A large number of jurisdictions charge a sales tax or VAT on sales to people in their jurisdiction and require the seller to collect. Some tracking is necessary in order to figure out what the tax is and where to send it.

That tracking doesn't necessarily have to be at the content provider. The service handling the micro-payments could also incorporate tax handling. The buyer would have to give up personal information to the payment service, but they probably already did when funding their micro-payment account.

It could also be handled by having content providers sell through aggregator sites, with the aggregator sites being the seller to the end user as far as taxes are concerned. Then the buyer only has to give up personal information to the aggregator site, instead of every content provider site that they buy an article from.

Aggregator sites would also help with the costs of dealing with taxes. An aggregator would have enough sales in each jurisdiction for the costs of filing to not be excessive. That's not necessarily true when individual content providers sell on their own sites. Some jurisdictions, for example, require tax collection and payment if you have more than 200 transactions in the past year in that jurisdiction, regardless of how low the total dollar amount is. Sell 200 articles for $0.05 and you've earned $10...and will be paying way more than that in quarterly filing fees.

My prediction is that if we move away from the ad model for funding content providers, we will see a big move toward aggregators for all but the major newspapers and magazines. The websites of smaller newspapers and magazines will just be summaries, and when you click to get the full text it will take you to some third-party publisher that the paper has licensed the full article to, and it is from that publisher that you will buy full access.

I think the aggregator market will end up concentrated in a very small number of aggregators that together have pretty much all of the "professional" content on the web, except for a few major newspapers and magazines that are big enough to justify consumers maintaining separate subscriptions just for them.


GNU Taler solves some of these problems - https://taler.net

> Private

> When you pay with Taler, your identity does not have to be revealed. Just like payments in cash, nobody else can track how you spent your electronic money. However, you obtain a legally valid proof of payment.


Also I'm pretty sure the credit card companies sell your transaction data.


I believe this is the idea behind the Brave browser and their Basic Attention Token https://basicattentiontoken.org


What Brave is doing is highly unethical.

If you don't want to see ads then fine it's your computer.

But Brave is hijacking ads by force then strong-arming websites to sign up to their own shitty crypto currency if they want to be paid. It's basically an extortion scheme, or a mafia-style "protection scheme".


I wonder who's more unethical: The guy who comes in, smashes your stuff and leaves or the guy who comes in, smashes your stuff and leaves a check for you at his place.

I bet that's a common battle ground between consequentialists and idealists.

Fun aside, I don't think the comparison holds up very well. I don't think that anyone has a right to execute code on my devices just because I'm browsing a website. In this concept, "hijacking" ads is completely void of any ethical meaning.

Brave's platform attempt is still not very good. A good solution for paying content creators would need to be open, decentralized and accepted by the stakeholders involved.


If you consider the page code, you requested it and it’s bundled in there. Same with CSS and JS used for features.

In that case, you requested the page and allowed them to.


Requesting the code doesn't mean I'm obliged to run all of it. If you serve data to my computer I am free to do whatever the hell I want with it, if you don't like that, don't serve me the data.


I requested _this_ page, then requested the CSS/JS. I then blocked future requests.


When a user views a website using an ad blocker, that website doesn't get paid.

When a user views a website using Brave, that website doesn't get paid.

There may be extra ethical concerns due to Brave's model, but there's no way you can claim that Brave is "strong-arming" websites.


I've read a few threads on this and while I don't want to be absolutist and say you are wrong, I believe it's a lot more nuanced than what you described. My understanding is that the Brave injected ads are strictly opt-in at this point for the user, not the default, which makes it a lot less of a racket imho, but I dislike Brave simply because I don't need it, which seems like a good enough reason to grumble about it.


The economics and game theory of this suggests that newspapers should be forced to cooperate with each other.

Cartelize on-line journalism. Make the 4th estate official. Create a pseudo-governmental entity like the US post office, Fannie Mae, or the Fed. If you have an Internet connection, you have the option, through your ISP, to pay $X towards journalism on the web. Your ISP will then cryptographically vouch for any request that goes from a paying subscriber to a cartel member site, such that the member doesn't know exactly who the subscriber is. If you're on a foreign network provider that doesn't participate, you'd have to get crypto keys and a standalone program (or browser add-on) directly from the cartel (that could make you identifiable), or go through a VPN that participates.

If a request comes in with valid crypto, the response is the requested article, with no tracking, and a cartel-fixed standard for ad content. If it does not, it is up to the publisher as to what to do with the response. Deny. Inject intrusive ads. Infect with tracking malware. If you didn't pay, you get what you get. Cartel members are paid from the common fund via analysis of the server logs, targeting X% of the total amount paid out as potentially lost to fraud (so as to not overspend on analysis and fraud detection). Baseline income is determined by quantity of eyeballs. The cartel can then dole out bonuses for quality--if one of your writers wins the Pulitzer, your paper gets extra money. And it's no big deal if bots are visiting sites, because each bot has to pay in order for its requests to count towards the circulation-based distributions.

I'm sure there are a lot of people out there willing to pay $10 a month or more for online journalism, but they don't want that whole budget to get sucked up by one newspaper, only to get locked out by all the others. And there are plenty of sites out there that can't seem to manage online subscriptions or micro-transactions very well.
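One way the "cryptographically vouch ... such that the member doesn't know exactly who the subscriber is" step in the comment above could work is a Chaum-style RSA blind signature. This is an added example, not code from any commenter or project in the thread; the class and function names are hypothetical, and the key is a constructed toy key using textbook RSA, so it illustrates the message flow only.

```python
"""Blind-signed access tokens: the issuer vouches that someone paid, but
cannot link the token a publisher later sees to the account that bought it.
Textbook RSA with a constructed toy key: for illustration only."""
import hashlib
import math
import secrets

# Constructed toy issuer key (two Mersenne primes); far too small for real use.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent (Python 3.8+)


def hash_to_int(token):
    """Map a token (bytes) to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token):
    """Subscriber: hide H(token) behind a random factor r. Returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (hash_to_int(token) * pow(r, E, N)) % N, r


def unblind(blind_sig, r):
    """Subscriber: strip r, leaving an ordinary signature on H(token)."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token, sig):
    """Anyone holding the issuer's public key (N, E) can check a token."""
    return pow(sig, E, N) == hash_to_int(token)


class Issuer:
    """Knows who paid (the 'ISP' role), never sees the token itself."""

    def __init__(self):
        self.quota = {}          # account -> tokens still owed to it
        self.seen_blinded = []   # everything the issuer learns about tokens

    def sign_blinded(self, account, blinded):
        if self.quota.get(account, 0) < 1:
            raise PermissionError("no paid tokens left for this account")
        self.quota[account] -= 1
        self.seen_blinded.append((account, blinded))
        return pow(blinded, D, N)


class Publisher:
    """Serves the article for a valid, unspent token; learns no account name."""

    def __init__(self):
        self.spent = set()

    def redeem(self, token, sig):
        if token in self.spent or not verify(token, sig):
            return False         # replayed or forged token
        self.spent.add(token)
        return True


def demo():
    issuer, publisher = Issuer(), Publisher()
    issuer.quota["subscriber-42"] = 1           # constructed account name
    token = secrets.token_bytes(16)
    blinded, r = blind(token)
    sig = unblind(issuer.sign_blinded("subscriber-42", blinded), r)
    return {
        "first_redeem": publisher.redeem(token, sig),
        "replay": publisher.redeem(token, sig),
        "issuer_saw_token_hash": any(
            b == hash_to_int(token) for _, b in issuer.seen_blinded),
    }


if __name__ == "__main__":
    print(demo())
```

The spent-token set is what stops one paid token from being replayed; it also means a failed page load needs a retry rule that keys on the same token, which this toy does not model.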


It so happens I designed a scheme a lot like this: clients send an opaque payload which the service provider wraps and forwards to an authenticator. The authenticator simply replies with a yes/no statement of whether the user is a legitimate participant in the scheme. The payloads are compared offline to validate that the versions of events given by the user and service provider are the same. There's a lot more needed to make it trustworthy, though.

It took me most of 5 years to obtain a patent on it: https://patents.google.com/patent/US9853964B2

To me the primary advantage would be to open up an untapped segment. There are readers who will never pay, they see ads. There are readers who love a source so much they will pull out their credit card and deal with the hassle of having yet another subscription. In the middle is a large, untapped group who would pay if the transaction costs (pulling out the card, hassle of multiple subscriptions, worrying about how much they're spending etc) were approximately nil.


That sounds like you could just paraphrase it as "Spotify for newspapers".


If you insist on reducing a perfectly readable story to just a three-word sentence, journalism is already doomed.


Journalism is already doomed.


Or "Pravda"


I'd take static image ads without the tracking.


Perhaps a popup prompting for your CC# each time you access an article? Because that seems convenient.

Seriously though, perhaps a "read in" app (perhaps instapaper) which reconciles payment is what you want.


Flattr set out to do that, many years ago. They still exist. Brave is trying to address that. There's Patreon, and many others. Have you tried them?


We need something integrated directly into the browser with microtransactions for each page load (or X amount of pages) paid for anonymously via cryptocurrency.


I don't agree with the tracking that goes along with all of them. I shouldn't be recording my action to a bunch of unrelated companies just so I can give a few cents to a website.


Brave records that data locally, none of it is actually sent to any servers. The only thing they know is an amount of money must go to the websites that your browser viewed. They don't record IP addresses or any personal data.


Correct, Brave is excluded.


AFAIK, all tracking (in both Brave and Flattr) happens locally on your device.

Some level of tracking _is_ strictly necessary for a system like this, because otherwise there's no way for the system to know which sites to give your money to.


Your idea is going to be pretty much impossible to legally do in the US, where you need to have some idea of who your money is coming from to operate.


Well... If you can think of a solution, make it because there are lots of other people who also want this.

But without a 3rd party payment system, it seems like you're screwed.


Some cryptocurrencies come to mind. Unfortunately none has caught up.


Google has the ability to get us halfway there, if not more.

The previous version of Google Contributor was almost a solution.

But it used a bad payment allocation algorithm, it never guaranteed AdSense ads would be blocked, and the new version is just a way to subscribe to a handful of sites.

But they also run YouTube Red, which has the model they need. They just need to copy their own idea.


One way to make this happen is to vote with your eyeballs and attention. If you and other internet users that feel the same way don’t consume from sites without micropayments, they will be encouraged / forced to offer a new way of monetization.


Sometimes I wonder if people actually believe this, because it sounds more like nobody should read anything on the web that is monetized with a subscriber or ad-based business model.

Not even sure how newspapers would be able to figure out that all those readers they are not seeing is because they don’t take micropayments.


> Not even sure how newspapers would be able to figure out that all those readers they are not seeing is because they don’t take micropayments.

By interacting with their users. I’ve written to newspapers in the past asking about their subscription. I remember one occasion I did it with 2 newspapers. One replied they’d look and I never heard back. The other didn’t reply.

If I write asking if there’s a way to use micro donations and there isn’t or they haven’t heard about that, it might be a good idea to research it.

Another is following news about competitors. ‘We’ve increased readership by x% since we added micro donations’. Or following industry conferences where it might be discussed.


How does that square with not even spending your time or eyeballs or money on a particular site till they support micropayments? That was half of my point.

Do the contents of your letters read “I like your website but I cannot in good conscience support you till you support this specific business model in which I might give you a penny, or perhaps as much as a nickel every time I read an article to support your operations and salaries?”

This particular idea has been kicking around for at least a decade that I know of, and since I don’t tend to hear about most ideas when they’re new, most likely much much longer than that. At this point I’ve been forced to conclude the industry as a whole has probably looked into it and come to the conclusion it just isn’t worthwhile. Understandably, they would need some critical mass of readers and enough papers that matter supporting it and a particularly friendly credit card processing agreement in which the processor would need to be happy with a micropayment of a micropayment. Services like Spotify have somewhat paved the way as well and are demonstrating what the long tail of micropayments actually looks like.


I have found that lowering my threshold for bullshit* has also increased the signal ratio of the content I read by a huge margin. I believe there is correlation.

* includes crippled without JS, ads, paywalls, poor accessibility, etc.


Publishers don’t like micropayments because (a) they don’t work, and (b) what people read doesn’t correlate with what’s important.

It becomes a lot harder for journalists to justify spending months on a subject when the business side has hard data showing it brings in barely more than reprinting the soccer scores.

What’s potentially workable is a Spotify-style subscription model.


> (b) what people read doesn’t correlate with what’s important

> It becomes a lot harder for journalists to justify spending months on a subject when the business side has hard data showing it brings in barely more than reprinting the soccer scores.

This is already true with the current advertising model.


It doesn't work, since people faced with a paywall move to competition that only has ads. If adblocking is common enough, they will try harder to make micropayments just work.


> what people read doesn’t correlate with what’s important

What people read does correlate with what's important for them, by definition.


And that's why we have clickbait. Letting people cherry pick exactly what they want is seriously going to hurt quality content. Subscriptions to a wide range of stuff like Netflix and Spotify are perfect. There's something in there for everyone's taste.


It depends on how you define 'the quality'. Letting people cherry pick exactly what they want is the only moral way to provide the news actually.


You don't understand the problem of clickbait. What people say and what they do are two different things, and you need to choose which to listen to.

This is one of the reasons clickbait was so prevalent on facebook a few years ago - people clicked on these so much that they were ranked very highly. But in user surveys, the same users claimed they hated clickbait and wished it wasn't there. So what do you do?


I think it depends on your particular morality.

Is it moral to allow people to only consume the things they believe they need, even if the things they believe they need are only that because they are addictive and potentially harmful?

If allowing cherry picking exactly what they want is the only moral way to provide the news, does that mean all prior forms of broadcast news publication were immoral (e.g. television & radio news broadcasts)?


You are reading this comment. There are billions of lines of text on the internet you will never read. Is this comment strictly more important to you than every single other text on the internet? A comment that includes a nonsense paragraph of just “banana”, repeated over and over?

Banana Banana Banana Banana Banana Banana Banana Banana Banana Banana Banana Banana Banana.


I would love to know more about this definition.

If doing my taxes were as exciting as my reading list I would get much more out of my paycheck.


If the endorphins you get reading the content from your list is more important for you, so be it. You decide what's important for you, and that's the definition.


So your definition would be "Everything someone does is good for them"?

That reminds me of Austrian praxeology.

Behavioral patterns that lead individuals away from their goals do exist. Such irrationality is what most of behavioral economics policy advice is all about.

It's easiest to explain with the difference in long term goals and short term decision making. There it gets obvious very fast that people's immediate preferences rarely reflect their stated and consistent long term preferences.


And if the list just makes me upset because the headline lied?

If a site evades my ability to disapprove and stay away from it, it should not be rewarded.


Have you tried the Brave Browser? You basically just requested the 3 primary features it advertises:

https://brave.com/features/


Here is what the creator actually said

>One of the community reviewers removed it from the store claiming it violated the ToS, which is BS. The ToS never mentions the word paywall once. Please support me in appealing! https://wiki.mozilla.org/Add-ons#Getting_in_touch

Which sounds more like a zealous community member than Mozilla taking a position.


Yes!!! People don't realize that volunteers review the addons and that sometimes they make mistakes. They start acting as if Mozilla sent an internal memo to kill something when it is usually not the case.


> that volunteers review the addons

I don't think that makes it better. In fact, it's worse.

Why is Mozilla Corporation, a company with gross revenue of $562 million, delegating an important security role to unpaid and apparently unaccountable volunteers?


That's not how it works. To become an addon reviewer there is a process and it is not like all the reviewers are the same. Again, please don't treat volunteers who are donating their time and effort as unaccountable or as if they don't know security; they are accountable and there is also a staff team working on there. There are a ton of volunteers who are very good with security. Whatever happened between this addon author and the review, this is kinda private to them.

I really dislike when people assume that because you're a volunteer that you're unaccountable or less capable technically or security wise than an employee. That is simply not true.

There are volunteers in all places at Mozilla and personally, I think this is great. Also treating Mozilla as a company is not really the ideal mindset. Mozilla is at best a NGO, a foundation, who owns a company for legal reasons, who is also a community, who builds a ton of stuff. It is quite a complex entity to be summarized as "a company should handle this different".


I don't understand what point you are trying to make. First you agree with the OP that the reviews being done by volunteers who can make mistakes somehow makes Mozilla less culpable, then you jump in to say that these volunteers are just as accountable, technically capable and security wise as an employee would be.

You only seem interested in letting Mozilla off the hook rather than acknowledging the systemic issues that gave rise to this situation.

> Also treating Mozilla as a company is not really the ideal mindset. Mozilla is at best a NGO, a foundation, who owns a company for legal reasons, who is also a community, who builds a ton of stuff.

Except the Mozilla Corporation is the entity that develops Firefox and is a company. That company may be wholly owned by a non-profit, but it is still a company.


Why is Google, a company with gross revenue of much more than that, not doing it at all?

Obviously, the Mozilla Corporation's only stakeholder is the non-profit Mozilla Foundation, so they can't pay out much of their revenue to anyone other than their employees (and to those in wages that are comparable with the rest of the industry; they have to publish their finances for that), so they certainly can afford to spend more money on things like that, but they're still trying to avoid spending huge amounts of money on something that can be done just as well in 99% of cases at a fifth of the cost.

As far as I know, they have a system where at least two independent volunteers have to approve an extension and some employees will occasionally check up on things, too, and can revoke volunteers that make mistakes too often or are plain malicious.

So, most of the time, this system will fail on the side of things being disapproved that should have been approved. It will much less often be the case that for example malware will get approved (especially since they also have automated malware scans, which is something that Google has, too).


If you read correctly, it was removed 15 days ago, and we have no idea what's the status since then.


The project creator doesn't appear to have been active for twelve days, and it took fifteen days for a press outlet to notice and report on it. Many things could be causing a delay, it's a busy season and I doubt this is anyone's priority.


Did you try reaching out for the team in IRC or the mailing list?


As a process, that is a flat out awful one.


That's not the process, that is just a way to reach out for a team as apparently they've been unable to communicate with them. If you think about it, it is great that you can actually use some channel to talk to people involved in a product you use. That is not that common.

There is a process, it is through the AMO developer hub page for their addon. What I've been saying here is about ways to contact the team if they want to talk to them directly. From the Addon admin page, from the "review history" page, they have a form to message their review team. Usually, if something happens and for any reason your addon is rejected, you can use that form to escalate and find out why it happened. There is also an email address for escalating this stuff which I am assuming they've emailed already.


This is a cool add-on, but it does have the side-effect of making cookie-consent and GDPR popups/boxes appear for every page loaded.

Can anyone recommend an add-on for automatically hiding/dismissing such popups?


The following two solutions hide cookie messages.

Fanboy's Anti-Cookie Filters (for uBlock Origin, etc.):

https://www.fanboy.co.nz/

I don't care about cookies (extension):

https://www.i-dont-care-about-cookies.eu/

https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...

Here's an interesting discussion about the second solution:

https://github.com/gorhill/uBlock/issues/909


If anyone is interested in installing this extension, I uploaded the .xpi file and instructions to install it in an issue on the git repo a few days ago [https://github.com/iamadamdev/bypass-paywalls-firefox/issues...]

Hopefully the maintainer puts the .xpi file somewhere it can be accessed.

Edit: someone has replied at the bottom of the git issue thread with a direct install link. Use that instead.


After reading all these comments, perhaps it's time to branch Firefox to something else?

This situation feels like the old Mozilla vs Firefox issue that happened a decade and a half ago. Perhaps the fact that the Mozilla Foundation is treating their browser like an Apple device is the final impetus to move elsewhere?


Unfortunately, with the size and scope of a browser and the sheer number of features constantly being added, this is a difficult task. What would be ideal is a company (preferably with financial incentive to do so) maintaining an embeddable, highly configurable form of FF (à la CEF[0]) and then the rest of us can build UI around it.

[0] - https://bitbucket.org/chromiumembedded/cef


You can sign and distribute xpi addons without putting them on the addon marketplace.


Meanwhile in useless podcast ads they try to paint Firefox as the paragon of virtue for users' privacy.


We need easy to use, non subscription micro payments. I was hopeful Bitcoin would do this but sadly it was never adopted as a mainstream payment platform.


Bitcoin does not scale to micropayments. Lightning could probably help, but the next problem is that Bitcoin's value is way too volatile for broader acceptance (which, I realize, is to a certain extent a chicken-and-egg problem).


Unfortunately, the very design of Bitcoin doesn't lend itself towards micropayments, due to the limited block size requirements. Variations (BCH) and addons (Lightning) attempt to address this, but BTC itself suffers from design flaws that restrict this.


Stellar seems like a good platform for this. I'm investigating myself about implementing this, and it would be awesome.


Hi all, you can reach out to addon reviewers in #addon-reviewers on the Mozilla IRC server or shoot an email to amo-admins AT mozilla DOT org.


What I want is something that blackholes links to paywalled sites from search results, hackernews, and social media.


Waiting for the day when news sites start blocking your IP when you circumvent the paywall--too bad there isn't an add-on for that, right?


Thank you Mozilla, I didn't know about this very helpful extension.


Is it a matter of liability on Mozilla's part?

Could they have been sued?


Boy, ungoogled chrome and Brave are looking mighty appealing at the moment. I'm not sure how long I can continue to support Mozilla. Why do they keep doing these things? They can't just be satisfied with what they were?

Profit over all, always and forever.


In your mind, how is this decision one that was made to increase profit?


Now I want it.


HN mods: title is incorrect and misleading, should at least read "Bypass Paywalls add-on removed from Firefox add-ons store". The use of "Mozilla" in the title has caused a lot of confusion in this thread from people who haven't clicked through the link.


Distinction without a difference, IMO. Mozilla has chosen to require this level of curation on Firefox against all complaints in the name of "safety", so they can also take the heat when their process results in an outcome like this. Their browser, their addon site, their decision, their fault.


The idea that AMO shouldn't be curated is baffling. Browser extensions are the biggest malware vector since email attachments named `importantstuff.txt.exe`. The title saying that Mozilla "pulled" this extension is not merely incorrect, it is blatant misinformation.


>The idea that AMO shouldn't be curated is baffling. Browser extensions are the biggest malware vector since email attachments named `importantstuff.txt.exe`.

This is a strawman, the GP did not say AMO shouldn't be curated. [Edit: added missing "n't"]

> The title saying that Mozilla "pulled" this extension is not merely incorrect, it is blatant misinformation.

Mozilla selected, manages and empowers the reviewer who made this decision. Since organizations are not people, delegating authority like this is the only way that organizations can ever do anything. Therefore to claim that Mozilla did not do this is spurious at best.

Now, Mozilla can disown the decision by saying the reviewer did not follow the appropriate process in making the decision. If that claim is shown to be true, only then would the title possibly be incorrect or misleading. Until then, Mozilla is as culpable for the authorized actions of its agents.


The hard truth is someone has to pay for content in the end. It's either ads or some kind of paywall or micropayment.

It's okay to say no to ads, but then we shouldn't circumvent paywalls. Free content is free only as long as someone somehow still pays for it.


Publishers should take some basic control of the ads on their site, just like it used to be with newspapers and broadcast. Serve them from their own domain, restrict their format (no moving parts or sound, no Javascript at all), vet them for basic decency before publishing. My uBlock Origin setup wouldn't block that.


Good idea, but they are not tech companies, so they likely lack the ability to do so.

I guess they could upscale in tech, but how would they pay for it when they can barely earn enough money to fulfill their primary function?

I don’t think publishers have a problem. I think users do. I hate online news as much as everyone, but I still want deep, intelligent and critical journalism, so I subscribed to a paper which sells it.

It’s one of the most successful news papers of my country, financially, and up until April this year they didn’t have a website. They do now, but it’s basically just a digital version (also available in audio from apps) that you can still only access if you subscribe.

I couldn’t be happier, and they earn money. So maybe the whole free content thing isn’t really a good way to go for either the user or the publisher?


> Good idea, but they are not tech companies, so they likely lack the ability to do so.

They'd best gain the ability, then, or fade into irrelevance and die.

And honestly, we're talking about serving a few images from their own webserver. It's not rocket science.


Technically, serving a few images is not a problem.

The question arises, what images to serve. Someone has to sell advertisement, find clients, persuade them to advertise with the given site, etc. That's something they are getting with ad networks for free.


Yes, but you can implement all the parent's suggestions without giving that up. Route all the ad requests through trusted intermediate provider on the same .xyz.com domain, where you have all the what-to-serve logic and analytics. Advertisers can then be sure that the numbers of views are legit.


> That's something they are getting with ad networks for free.

It's also not a new problem. Newspapers have always had to have their own ad sales department or outsource ad sales.


You could easily outsource ad sales while still serving the images unobtrusively from your own server.


Who owns a server today? Even publishing platforms are outsourced or behind nicely packaged SaaS today, not to mention infrastructure services. There is no more "FTP your site to XYZ".


The problem is there are many smaller publishers on the net where a handful or only one or two people maintain a site. They don't have the capacity to look for advertisers or vet individual ads. That's why they use an ad provider which does this for them.

What you say may work for big news portals and stuff, but if this becomes the norm then it will kill the small publishers resulting in further concentration of net content in the hands of the big guys.

So this direction would hurt the little guys and help the big guys, because they have the resources to adapt.


It is indeed unfortunate, although in general the internet will still have lowered the barrier to publish.


Actually, Google should do that. Review all their ads and give them a rating, then allow publishers to pick only high quality ones. But I guess they don't have the money to do that (/s)


Google will continue to try to track me across unrelated websites, so I'll keep blocking them. I crucially specified "serve the ads from the website's own domain".


I don't disagree, but that's a normative argument about what addons we should choose to use.

My concern, however, is Mozilla putting themselves in the position of making that judgement for their users. Even if we agree that this isn't a good addon, does that mean it's fine for it to be censored by Mozilla?


The guidelines outright state that "Any add-ons, or add-on content, hosted on Mozilla site(s) must conform to the laws of the United States." The issue is that this addon falls in the murky category of neither being clearly legal nor clearly illegal. I suspect that the addon reviewer (who most likely does not work for Mozilla and is only a community volunteer!) felt that an addon advertising its purpose to get around copyright controls would have pushed it over the edge to illegal, even if it's only taking actions that are themselves legal.


What if I accept ads but reject paywalls?


Mozilla shooting themselves in the foot again? Really, these people can't take a break.

What's worse is that both Google and Mozilla are equally vile, so what browser am I supposed to use? In the end I guess I'll go with Brave.


You're kind of overreacting here. Addons are reviewed by volunteers. Someone thought this violates the policies and acted. There are many ways to verify what is happening, including talking to the AMO team on IRC or other communication channel. It is not like you can't ask for clarification, it might all just be an honest mistake.


Addon security is vital to the security of the browser. The fact that addons are reviewed by volunteers, instead of employees, is even more ludicrous.


The idea that Google and Mozilla are equally vile is so ludicrous that I wouldn't even know where to begin refuting it.


A lot of my friends have moved to qutebrowser.


I've never understood how paywall bypass addons can be considered ethical. Even if you hate paywalls, it's the publisher's decision to use them. If I were to take a newspaper from a news stand without paying because there's an article I want to read but I don't want to pay, is that much different?

I'm honestly asking what the justification is for people who use these addons. Do you not consider it unethical or do you not care?

To clarify the tone of this post, I'm not trying to judge the value of someone's character based on if they bypass paywalls, I'm really just interested in other perspectives on this.


>is that much different?

Well, considering we're talking about physical vs digital, it's inherently different. But let's ignore that; it's still not even close. You send content to my browser, my agent acting on my behalf, and it is up to me how I render that content. If that bothers you, don't send me the content.

You as a publisher have no inherent right, be it moral, ethical, or legal, to have content displayed a certain way on my screen.


Remember when there were scandals in the early days of digitization where redacted government documents were easily revealed because the redaction was performed by layering a black rectangle on top of the PDF text? The text was there to read for anyone savvy enough to remove the rectangles.

The solution, of course, was to remove the text from the PDF altogether.

Paywalls are a similar sort of measure: if publishers don't want their content to be available without payment then they ought not serve it publicly. Similarly, if they don't want users using adblock then they ought not serve the content to those who fail to load the ads.

Is it ethical to bypass flimsy DRM? The bits are on the user's computer and are processed by the user's software at the user's discretion. Publishers _may_ have no right to exert control upon the user's property; and I suppose whether they do is the crux of concern.


Just to give one example where I consider it ethical: the WSJ doesn't paywall articles if they originate from FB and it's simple to simulate this link.

These bypasses aren't "hacking" the sites in any normal sense. They are using publisher-created methods of accessing articles that any person could do if they had enough time and knowledge of the particular side channel.

In short, unless the bypass is truly hacking the site (using compromised credentials, e.g.), the argument is altruistic more than moral: "giving as much money as possible to good journalism."


Did you just essentially argue that it is ethical because it is easy?


I use it because I am not a regular reader of any paywalled site. If I end up at one it is because I saw a post about it or it showed up in a search result. At that point I don't even know if the article is any good so I'm not going to jump through hoops to view the article. Is it ethical? Probably not but since it is at most something like 1 article a month that I read from any of these sites then I can justify it to myself.


Many of the sites allow you to read a number of articles for free. If you exceed that number, it means that you find the content interesting. I think you should probably pay for it in that case.


It's always about money. It's not about a free and open web.


Someone else has finally figured it out.


Bypassing paywalls is easily in the top ten most evil things you can do as a consumer in a modern information society. We should pay for the things we consume, with money. But only with money.

Then again, if the thing behind the paywall expects money and tracks/mines you, then fuck'em.


Mozilla’s rhetoric and their actions have been drifting apart for years now.


It’s good for Mozilla to take a stance, and drop the pretense that you can have the cake, eat it, and have all your other cookies left over.

Circumventing paywalls is not a crime, but it is also not victimless. The crisis for journalism is already eating at the foundations of democracy on the local level. To blithely ignore this is the triumph of short-sighted egoism. And the inability of publishers to prevent you from doing it is no more justification than the old shopkeeper’s failing eyes are a license for you to steal from the produce displayed outside.


It's bad for Mozilla to take a stance that's obviously against the preferences of their users. They can't play both sides of the field - either you're for the User, or you're for the Corps. I once sincerely believed that Firefox was part of a statement that they would fight for the User. That disappeared somewhere between 4.0 and 27.0. I believed there was still some hope in Mozilla - all of it has been eroded over the years.

So now, they've taken their stance. They don't want free users. They want corporate servants, the same as Microsoft, Apple, and Google.


Thanks, Mozilla. I never knew about this useful extension. But now I do and I'm going to install and use it. Use it in Chrome, of course. I stopped caring about Firefox a long time ago.


I'm going to have to defend Mozilla here. There is this very perverse idea here that everything should be free, but that's only because you are used to using VC-funded services with an expiration (acquisition) date. This seems to be endemic thinking in SV but the rest of the world has to make their own paycheck.

Maybe Mozilla should think of experimenting with some micropayment service though. They are ideally positioned for that.


I would argue that this position is contrary to Mozilla's stated values about freedom on the web. If they truly support freedom, that should include my freedom to decide which add-ons I want to run on my browser.

Sure, they can have an opinion about where should the web go, and in fact it would probably be a very well-informed one. But they can't both claim to support freedom for their users while, at the same time, imposing their ideas on their users.


Which "position"? No one has even shared the stated reasoning for removing this extension yet. Just a bunch of people jumping at an opportunity to disparage Evil Mozilla in here with no details on the real situation. This whole thread should be deleted if you ask me.


This is a huge PR issue for Mozilla given how their entire strategy nowadays is to promote free and open internet.


Isn't this exactly the kind of user-hostile behavior open source is supposed to prevent? Apologies if this is a naive question, but how hard would it be to delete the parts of the release version of the Firefox source code that pertain to checking signatures for add-ons and recompile it?


You don't need to delete anything, simply use the developer version, nightly or an unbranded version. Unbranded is a compile option.

It's not really user hostile either, from what I gather one of the volunteers who check addons has flagged the addon for violating the ToS. They may have had that impression and the author can bring it up elsewhere (there is plenty of contact points for addon authors) or resubmit the addon and see if another volunteer waves it through.


> Isn't this exactly the kind of user-hostile behavior open source is supposed to prevent?

What part of behavior is user-hostile?


Preventing the user from installing whatever they choose, for starters.


> for starters.

It is not only for starter but for the whole platform ecosystem. It is not even user-hostile. It is just to prevent "Nah forget Firefox add-on market, just install this file" fragmentation. Firefox add-on platform is already much smaller than Google chrome (of course). I wouldn't be happy if the market got even smaller because of the fragmentation.

And Firefox already allows us to install whatever we want in dev/nightly version, for hackers. So I don't see any problems here.


What? There is no requirement to offer your add-on on AMO.


No, just a requirement that you submit your addon for signing, submit to a separate agreement[1], and their policies[2] (which have separate sub-policies about data usage), regardless of whether you offer it on AMO or not.

[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO...

[2]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO...



