> If you self-distribute your extension via sideloading, please update your install flows and direct your users to download your extension through a web property that you own, or through addons.mozilla.org (AMO).
And what if I don't want to use a "web property" to distribute an extension? What if I want to give my users a honest-to-God file, whether via e-mail or IM message or USB drive?
> Please note that all extensions must meet the requirements outlined in our Add-on Policies and Developer Agreement.
Or what? I can't make an extension and give it to friends unless it meets your policy? That's pushing it a bit.
If you're making extensions and distributing them by hand to your friends you're so far outside the mainstream of Firefox users that you might as well not exist and they shouldn't be making decisions based on your usage patterns.
This is aimed at Joe Average User who maybe downloaded a program from sourceforge and suddenly every user on the computer has Myway Search installed, or something with serious privacy problems that's injecting itself into every web page they visit.
Incorrect. As has been made clear previously, you can still install unsigned extensions if you're using Beta, Nightly, or Developer Edition, which are intended for power users. The discussion here is around the vanilla, mainstream version of Firefox. They still support power users.
What are my options if I want don't want to be a guinea pig running bugging prerelease software, and I want automatic updates because I don't want to accidentally be a chump running outdated software?
As far as I know, unbranded doesn't autoupdate while beta, nightly, and developer are all buggy software for guinea pigs.
Edit: Why are both the responses I've received worded rudely? Did I say something wrong?
You could probably compile the release version and change anything you want to, but that won't get you automatic updates.
As a fully open source product, with a demand and will large enough, someone could make a fork, even a minimal one, where they take upstream and keep this feature enabled. I personally don't think sufficient demand and will exists for that to happen.
I suppose they could make an about:config option out of allowing it, but really, so few users will probably find it so much of a problem that even a bug report/feature request for that probably wouldn't get traction.
They can't please everyone. Overall, it seems like a reasonable move to me.
They're entitled to complain, though; that's a proper, by-the-rules way to signal preferences to the market.
FWIW, I agree. Having the choice only between casual user version and unstable dev version is missing a power user option in the middle. I'm personally not going to abandon Firefox over this, but I'm that less interested in embracing web as a platform for productive work.
Then you educate yourself on those versions, and discover that the "dev" edition is not a prerelease version at all, unlike beta and nightly, which are. The Dev edition is a version of the main release channel with flags turned on/off to enable all the "only powerusers need these things" functionality out of the box.
Like installing whatever extension you want directly from file.
I think you're wrong about that. My Firefox Developer Edition install has upgraded itself to 71.0b6. My Firefox install is at 70.0.1. Both claim to be up to date...
Real Firefox power users should know that if they want to hack a website, they can
1) write an user script and load it into Violentmonkey, or CSS and load into Stylus. You can easily distribute some Javascript/CSS text via email or IM.
2) If user script or CSS not enough, you can write an addon, create a free Firefox account, submit the addon to your own account at https://addons.mozilla.org/en-US/developers/addon/submit/agr... and download the signed addon XPI file. Then you can distribute the file in whatever way you want, provided you are not violating any license agreement.
That's a strange thing to ask. IF you're a real poweruser, you're not using the standard release version of firefox, you're using the dev, beta, or nightly version. In which case you have all the power you want and you can install literally anything --no matter how insecure or horrible it is-- by opening the add-ons settings, clicking the gear, and selecting "Install Add-on from File".
What about Joe Average User who downloaded an extension from me? I can understand wanting to prevent third-party software from injecting extensions behind users' backs, but can these users still install extensions directly, from a file, regardless of how that file found its way to their hard drives?
They can drag and drop it on the firefox window and it will install it just fine still. The only change that is happening is auto-installation of extensions found in a specific folder, which is how a lot of crapware extensions find their way into people's firefox installation, but almost no legit extensions get installed this way.
That doesn't appear to be correct. All unsigned extensions will be blocked in all release versions. Without a developer/unbranded/nightly version, you're not allowed to install anything that didn't come from Mozilla's add-ons site. https://news.ycombinator.com/item?id=21418604
Yes, but you can sign your xpi via a command line tool (which calls the AMO API) and then distribute that however you want. It can be installed by dragging into about:addons.
While what you want can still be achieved (as Mozilla has gone to great lengths to explain), what makes you think that "Joe Average User" would be best off downloading extensions from every you that tells them they can get a browser toolbar with whatever software install they're using?
> If you're making extensions and distributing them by hand to your friends you're so far outside the mainstream of Firefox users that you might as well not exist and they shouldn't be making decisions based on your usage patterns.
They should just release a Firefox preskool edition for Joe Average User.
But this is a great example of the rot in Mozilla. When Apple or Google sacrifice functionality to appeal to users that don't like computers, it is because they make more money by expanding their platform.
When Mozilla sacrifices functionality to try to attract new users, then what? They aren't really making any money off of it. They are just getting new users for the sake of it.
If Firefox has to remove so much functionality to become more popular, than why bother at all?
It is like if everyone is eating McDonalds, and you are selling healthy produce, but only 20% of the population ever wants your healthy food. So you start coating your healthy food in sugar and deep frying it. Even if you win, you lose.
> This is aimed at Joe Average User who maybe downloaded a program from sourceforge and suddenly every user on the computer has Myway Search installed, or something with serious privacy problems that's injecting itself into every web page they visit.
I think this is a lie. I mean, yes it does mitigate a specific kind of malware injection, sure. But if someone already can write to your filesystem, then it is game over. If Firefox actually had any marketshare and was a big enough target to care about, malware could simply inject malicious extensions some other way. Having the web browser trying to secure itself on a compromised system is a fool's errand. And it is not a justification for such a massive regression in functionality. It is not a rational decision.
I strongly suspect that it was a rational decision for Google to do this with Chrome; to put up roadblocks for users trying to have too much control of their browser, and justify it in the name of security. And then Mozilla irrationally copied them. Because they are a Google cargo cult.
Healthy food doesn't nearly as much rely no network effect to not be pushed out of the market. "Only works on Chrome" is real problem and won't get better if they don't also pander to those longing for sugar.
> They should just release a Firefox preskool edition for Joe Average User.
Seems like that's Developer Edition. The Joe Average won't know the difference, so obviously the default has to be for him.
And yeah, I also don't like were this is leading and wish they would have found a better way.
> Healthy food doesn't nearly as much rely no network effect to not be pushed out of the market. "Only works on Chrome" is real problem and won't get better if they don't also pander to those longing for sugar.
Users who are sick of the effects of unhealthy food will actively seek out Firefox. I and many others were willing to put up with the bugs and slowness of Firefox to leave Internet Explorer.
And when websites were IE6-only, the attitude was not that Firefox needed to win them over, but instead it was too bad for that site they would not get traffic from Firefox users.
And Firefox could afford to not be the best browser for all users, because they are a non-profit, and are not constrained by the same market dynamics as their competitors.
Firefox does not and should not pander to users wanting the sugar, because it will likely drive away loyal users more than it will win anyone over. And again, they can certainly afford to not win those users over. Their browser is not a cog in a content distribution platform like it is for Apple and Google. They can afford to not grow their user base at all, and focus instead on improvement. I would actually like to see Mozilla discard their user metrics and just blindly focus on making something good, instead of something popular.
> And what if I don't want to use a "web property" to distribute an extension? What if I want to give my users a honest-to-God file, whether via e-mail or IM message or USB drive?
You still can give your users a file, as long as it's signed my Mozilla.
> Or what? I can't make an extension and give it to friends unless it meets your policy? That's pushing it a bit.
You can still install unsigned extensions if you're using Beta, Nightly, or Developer Edition, which are intended for power users.
That's not what mozilla is changing with this policy change. You've had to either sign or temporarily load an unsigned packed/unpacked extension for a while now.
Pretty much. There's a preference you can change to allow unsigned extensions, but it only works in dev/nightly firefox and "unbranded editions" of release/beta firefox.
Maybe the file you distribute on a USB stick should contain a self-contained webserver on localhost that your users can run, then install the extension through Firefox?
This raises some security concerns in theory (your user now has to run an executable that is not sandboxed by the browser), but they were already trusting you enough to plug in a USB stick.
As you say, this wouldn't impact security any more than inserting the USB stick itself would - but having to run a HTTP server on loopback just to circumvent some security mechanism on the browser you own[0] would only say that some engineering mistakes have been made.
--
[0] - Do you still own a copy of Firefox? That's probably the hidden crux of the issue.
Note the "users" part in that sentence. If you self-distribute extensions _to other people on the internet_ then yeah, you probably want some web property for those files to live. Like a github repo, or a personal homepage, or AMO.
And if you don't want to be subject to AMO's security review process, then out of those options, don't pick AMO.
> If you self-distribute your extension via sideloading, please update your install flows and direct your users to download your extension through a web property that you own, or through addons.mozilla.org (AMO).
And what if I don't want to use a "web property" to distribute an extension? What if I want to give my users a honest-to-God file, whether via e-mail or IM message or USB drive?
> Please note that all extensions must meet the requirements outlined in our Add-on Policies and Developer Agreement.
Or what? I can't make an extension and give it to friends unless it meets your policy? That's pushing it a bit.