
Automatic updates aren't a security hole. They are a security enhancement


Unless the entity that pushes the updates becomes malicious, then they're a security hole.


How do you audit Firefox updates? Because if the answer is “I don’t”, Mozilla already controls the most important piece of userspace code on your computer. And if the answer is “I don’t install them”, then everyone with a few grand to spare already controls the most important piece of userspace code on your computer.


I rely on the Debian system to assist with that. Normandy bypasses that system, if it's enabled. (The jury is out whether it's actually enabled in Debian Firefox ESR.)


What do you think the median size of a Firefox release is, what do you think the resources (let’s call it US dollars FMV) are to audit that, and what do you think the resources Debian has to devote to it?

Clearly more eyes are good, but... In between “Wild West WebExtensions” and “Mozilla backdoors my Firefox and it gets used for nefarious purposes” and “delays in browser updates increase exploitation windows”, I know which threat models I’m buying.


I agree an unpatched vulnerability is probably more risky. However, this feature can change settings the user explicitly sets. The bigger issue is it does not give me any indication the settings have been changed.


I audit software updates by looking at developers' announcements and community discussions (in social media, forums etc) before installing updates.

Then, even if developers' keys and computers are compromised, I would notice something is wrong.

* No, of course I don't always do that. I don't even often do that. But I did do that in the past, and I'd like to have the option to do that.




