On Thu, Nov 26, 2015 at 10:02 AM, Thomas Zimmermann <[email protected]> wrote:

> On 25.11.2015 at 20:16, Jeff Gilbert wrote:
> > On Wed, Nov 25, 2015 at 3:16 AM, Till Schneidereit
> > <[email protected]> wrote:
> >> FWIW, I received questions about this via private email and phone calls
> >> from two people working on extensions that support their products. Their
> >> extensions sit in the review queue with no chance of getting through it
> >> before the signing requirement kicks in. This puts them into a situation
> >> where their only reasonable course of action is to advise their users to
> >> switch browsers.
> >>
> > Is it just me, or does this sound completely unacceptable? Sloughing
> > more users? Things like this are why it's hard not to be cynical.
>
> It's not just you. Reading the blog post made me think that extension
> signing is complete nonsense and we should stop it now. This will only
> break one of Firefox' best features for nothing. And it was especially bad
> to blacklist the proof-of-concept exploit, instead of addressing the
> actual problem.
>

I read the blog post, too, and if that were the final, uncontested word on
the matter, I think I would agree. As it is, this assessment strikes me as
awfully harsh: many people have put a lot of thought and effort into this,
so calling for it to simply be canned should require a substantial amount
of background knowledge.

I should also give a bit more information about the feedback I received: in
both cases, versions of the extensions exist for at least Chrome and
Safari. In at least one case, the extension uses a large framework that
needs to be reviewed in full for the extension to be approved. Apparently
this'd only need to happen once per framework, but it hasn't, yet. That
means that the review is bound to take much longer than if just the
extension's code was affected. While I think this makes sense, two things
strike me as very likely that make it a substantial problem: many authors
of extensions affected in similar ways will come out of the woodwork very
shortly before 43 is released or even after that, in reaction to users'
complaints. And many of these extensions will use large frameworks not
encountered before, or simply be too complex to review within a day or two.

I *do* think that we shouldn't ship enforced signing without having a solid
way of dealing with this problem. Or without having deliberately decided
that we're willing to live with these extensions' authors recommending (or
forcing, as the case may be) their users to switch browsers.


till
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
