As it turns out, Firefox-ESR is, per Mozilla documentation, _also_ not going to absolutely enforce Mozilla, Inc. signing of extensions. This matter was raised by the estimable Akkana Peck, who was a frequent speaker at our local Silicon Valley Linux User Group meetings before moving to New Mexico. Her site: http://www.shallowsky.com/
----- Forwarded message from Rick Moen <r...@linuxmafia.com> -----

Date: Thu, 23 Feb 2017 18:24:56 -0800
From: Rick Moen <r...@linuxmafia.com>
To: sv...@lists.svlug.org
Subject: Re: [svlug] (forw) [DNG] Life After Firefox 56

Quoting Akkana Peck (akk...@shallowsky.com):

> Rick Moen writes:
> [about Firefox's upcoming lockdown of extensions]
>
> Yikes! Thanks for the alert, Rick.
>
> I have to wonder: in a world where extensions can't run unless
> they're signed by Mozilla.org, how can anyone develop extensions?
> How do you test your changes on your own browser so you know it
> works before you publish it on Mozilla.org?

On Nightly and Developer Edition builds, as well as unbranded builds.
_And_, turns out, ESR releases (see below, and thank you for raising
that).

In fairness, there may be substantial changes as this gets rolled out.

> Running firefox by itself with no extensions sounds like a disaster.
> No control over scripts, cookies, flash or other security risks?
> It sounds like a red carpet for malware, not protection against it.

What I hear is that there will be WebExtensions reimplementations of the
most key XUL extensions by the time this becomes an issue. This is so
new to me (though it's been in the offing for a long time without my
being aware) that I cannot be more specific than that.

In particular, on https://wiki.mozilla.org/Addons/Extension_Signing, it
says:

  'All Firefox extensions - for Desktop and Android - on AMO
  [addons.mozilla.org] that have passed review are now signed. For
  unlisted (non-AMO) add-ons, submission and signing is active through
  AMO, and there is a Signing API available [link] for automated
  submission and retrieval of unlisted addons.'

> I wish there were more open-source browser engines. Webkit used to
> be great, but it seems to be bitrotting lately. Konqueror on a non-KDE
> system wants to pull in 66 other packages including a lot of desktop
> cruft. I'm not convinced any of the other mozilla-based browsers is
> all that well supported (galeon was pretty good for a while, but
> it's orphaned now), but Pale Moon looks pretty interesting: anybody
> here use it? Do you trust them to keep up with security updates?
> Chromium might be the best bet, but how is it on privacy and control
> over scripts and cookies and such?

FWIW, I maintain a list of all Linux-supporting graphical Web browsers
I'm aware of at http://linuxmafia.com/~rick/faq/kicking.html#linuxbrowser .
It in no way evaluates any of the browsers mentioned, but could serve as
a starting point for anyone wishing to do a survey.

Steve Litt (/me waves) has been doing browser testing for quite a long
while, now. Hey, Steve! Feel like dredging up some links for us?

> There's also firefox-esr, the Extended Support Release (which is the
> firefox that Debian packages): with any luck, Mozilla may not lock
> it down for quite a while, giving users more time before they have
> to switch.

Good point! I completely failed to check that. I've just found the FAQ
entry:

  Q: What about private add-ons used in enterprise environments?
  A: The ESR release will support signing starting with version 45-based
     releases. Signing enforcement will be enabled by default in these
     releases, and enforcement can be disabled using the
     xpinstall.signatures.required preference.

https://wiki.mozilla.org/Addons/Extension_Signing

The 'Timeline' section of that page includes:

  The first ESR version to include signing support will be the
  Firefox ESR 52 release.

So, Firefox-ESR releases get added to Nightly and Developer Edition as
releases that do not absolutely, uncorrectably require corporate signing.
Further details can be found in this page by Martin Brinkmann:
http://www.ghacks.net/2015/06/19/how-to-disable-the-firefox-40-add-on-signing-requirement/

----- End forwarded message -----
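
[Added example, not part of the original message and not Mozilla's code: a small audit that reports which Firefox profiles have switched off enforcement through the xpinstall.signatures.required preference quoted in the FAQ entry above. It assumes the usual profile layout (prefs.js plus an optional user.js that is applied over it, one user_pref("name", value); per line); the function names and sample contents are constructed for illustration.]

```python
import re
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Firefox writes one preference per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample file contents (not taken from a real profile).
SAMPLE_PREFS_JS = (
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("xpinstall.signatures.required", false);\n'
)
SAMPLE_USER_JS = '// user_pref("xpinstall.signatures.required", false);\n'


def parse_prefs(text):
    """Return {name: raw value} for each user_pref() line; later lines win.
    Lines commented out with // do not match and are ignored."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs


def signing_enforced(prefs_js="", user_js=""):
    """True unless the effective value is false. Enforcement is on by
    default; user.js is applied over prefs.js, so it takes precedence."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(PREF, "true").lower() != "false"


def audit_profiles(root):
    """Map each profile directory name under root to signing_enforced()."""
    results = {}
    for profile in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        texts = []
        for name in ("prefs.js", "user.js"):
            path = profile / name
            texts.append(path.read_text(errors="replace") if path.is_file() else "")
        if any(texts):
            results[profile.name] = signing_enforced(*texts)
    return results


if __name__ == "__main__":
    print(signing_enforced(SAMPLE_PREFS_JS))                  # prefs.js disables it
    print(signing_enforced(SAMPLE_PREFS_JS, SAMPLE_USER_JS))  # commented line ignored
```

Point audit_profiles() at the directory that holds the profile folders; a False entry marks a profile where unsigned extensions can be installed on the builds named above that honor the preference.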