[HN Gopher] Gorhill pulls uBlock Origin Lite from Firefox store
___________________________________________________________________
Gorhill pulls uBlock Origin Lite from Firefox store
Author : croes
Score : 424 points
Date : 2024-10-01 12:18 UTC (1 days ago)
(HTM) web link (www.neowin.net)
(TXT) w3m dump (www.neowin.net)
| petabit wrote:
| Apparently, as the article says, the lite version is the
| recommended one by the author to be used
| ziml77 wrote:
| Recommended for Chrome. I'm not sure why anyone would want this
| for Firefox.
| trustno2 wrote:
| It's lighter on resources and requires less permissions (so
| it's more private).
|
| manifest v3 is not as bad an idea as some people are saying
| prmoustache wrote:
| The article is misleading. The lite version is recommended on
| chrome because very soon the non lite version will stop
| working.
|
| It doesn't apply to firefox.
| Freak_NL wrote:
| I really hope Raymond Hill won't do the same for uBlock Origin
| (the manifest v2 version). I'm not too comfortable recommending
| others to install a self-hosted extension.
|
| It's a shame Mozilla and Raymond Hill can't/won't solve this
| together. I get that the review he got simply should not have
| happened for an extension like this (see the GitHub thread [1]) and
| that he is simply done with bothering, but I worry about how that
| will affect uBlock Origin's long-term stability as a project. The
| whole situation sounds decidedly unhealthy.
|
| [1]: https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco...
| free_bip wrote:
| Latest update from the link you provided: The Mozilla review
| team acknowledged their error and rectified it. Hopefully that
| allows it to continue existing.
| cholantesh wrote:
| Hill seems intent on self-hosting, so I mean it will exist,
| but will be a lot harder to discover and as GP mentions,
| probably harder to convince people to install.
| superkuh wrote:
| uBlock Origin 1.60 is still held back for review by Mozilla.
| Despite it being out for about a week 1.59 is the latest
| available on the Firefox add-on site.
| thoroughburro wrote:
| > I worry about how that will affect uBlock Origin's long-term
| stability as a project.
|
| I wouldn't be surprised if UBO has more users across all
| browsers than Firefox has users at all, and expect it's at
| least within an order of magnitude.
|
| To imply it's in any danger at all because a minor platform is
| recalcitrant is ridiculous.
| tandr wrote:
| Easy. I have 3 browsers installed. All of them have uBO as a
| first thing installed.
| actinium226 wrote:
| But... ublock is like the main reason I use FF
| pbronez wrote:
| You can continue to use Ublock Origin, which uses the v2
| manifest.
|
| The delisted extension, Ublock Origin lite, is a v3 manifest
| plugin. Apparently it was created to address chrome blocking
| the v2 extension, but you can continue to use the v2 extension
| on Firefox
| anonymous_sorry wrote:
| ublock origin is still available in the Firefox add-on store.
|
| The developer has pulled the 'lite' version, which is developed
| mainly for Chrome because Google killed some APIs the full
| version was using.
| VoxPelli wrote:
| Because no one has ever taken over and compromised high profile
| extensions?
|
| Chrome battles with it a lot, see eg.
| https://news.ycombinator.com/item?id=36146278
|
| I find Mozilla's process to be quite reassuring, but would be
| good to have alternative "addon stores" that also have a review
| process
| sdflhasjd wrote:
| Mozilla is definitely doing the right thing by reviewing the
| extensions, but the issue here is that they were wrong, they found
| issues that didn't exist (such as claiming it contained
| obfuscated code and collected private data).
|
| It appears the issues were found using simple heuristics (e.g
| they detected string pagead2.googlesyndication.com in a
| comment) and these detections weren't then manually reviewed as
| claimed, which is wasting everybody's time.
| protoster wrote:
| Why does lying about manual review seem so commonplace?
|
| For example, during basically any YouTube copyright or
| moderation controversy, there is always "manual review" of
| videos that have obviously been caught in automated systems
| that in case of actual manual review, would be cleared of
| problems by any reasonable human.
| nicce wrote:
| Maybe "manual review" here is that someone "manually" runs
| the automation tool for that specific entity.
| JohnBooty wrote:
| Absolutely. But: I don't think anybody is saying that high
| profile extensions should receive _less_ scrutiny?
|
| For high-profile extensions, the impact is higher for both
| false negatives _and_ false positives. So they should receive
| more attention.
|
| I do not know anything about Mozilla's internal procedures
| regarding add-on approvals. However, for a high profile
| extension like uBO/uBO Lite... it should either require
| multiple reviewers, or maybe just an escalation to a senior
| reviewer or something. You should never be a single human error
| away from a high impact mistake.
|
| Maybe they do that already, I dunno. But it seems hard for me
| to believe that multiple people approved uBO Lite's yoinking.
|
| Extensions are SUCH a crucial part of FF's appeal. And uBO/uBO
| is arguably the most important of them all.
| finnthehuman wrote:
| There is a difference between questioning if a review process
| should exist for the official addon index and questioning if
| the implementation is any good.
|
| You address the former when it seems like the issue is the
| latter.
| mossTechnician wrote:
| Mozilla has the capability to handle compromised addons; this
| whole mess happened because they wiped out every version of
| uBOL except for the earliest one.
|
| They just haven't used that capability responsibly... Yet.
| latexr wrote:
| > I find Mozilla's process to be quite reassuring
|
| The fact that a review process exists might be reassuring, but
| the way they went about it surely isn't.
|
| https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco...
| eviks wrote:
| What's reassuring about the lack of basic competence? Why would
| you think such people/processes will help catch the types of
| issues mentioned in the Chrome link?
| poincaredisk wrote:
| > The last message from the developer in a now-closed GitHub issue
| shows an email from Mozilla admitting its fault and apologizing
| for the mistake. However, Raymond still pulled the extension from
| the Mozilla Add-ons Store, which means you can no longer find it
| on addons.mozilla.org.
|
| This seems pretty harsh. Mozilla made a mistake, Mozilla
| apologized, Mozilla fixed the mistake (maybe even improved their
| processes), and the author still pulls their choose and
| criticizes Mozilla. In my opinion either author took this a bit
| up personally, or cares about improving the review process and
| wants to make a strong point (with some hurt done for their
| project visibility).
| VoxPelli wrote:
| Feels like they were just waiting for a reason to pull out -
| likely feels it's a hassle to upload and have it reviewed and just
| want everyone to trust them and keep it simple
|
| And I guess some people would claim that since it's an open
| source addon no one can feel entitled to anything else
| latexr wrote:
| Remember why uBlock _Origin_ exists in the first place: Raymond
| Hill was fed up with the chore of all the administrative crap
| around uBlock [1]. They wanted it to be a hobby and it started
| feeling like a job.
|
| https://github.com/gorhill/uBlock/issues/38#issuecomment-918...
|
| So it's predictable they'd get fed up with that Mozilla review
| process and call it quits too.
|
| [1] Which led them to hand the project to an unscrupulous rando
| that immediately tried to monetise it, leading Raymond to hate
| the outcome and having to decry his own previous project and
| ending up essentially where it all started but with a bunch of
| extra work in the middle.
| finnthehuman wrote:
| I can't fault gorhill for not wanting to play the "give large
| rich organization infinite second chances" game. Sometimes
| enough is enough even if you think you'd act differently in his
| shoes.
|
| > Mozilla apologized
|
| No they didn't. Now I'm not here to play apology police or
| anything. But that's just a perfunctory customer service voice
| statement which happened to include the word "apologize". And
| that's fine. Nobody expects more. We can acknowledge it for
| what it is tho.
| latexr wrote:
| What could the email have said that would have made you
| believe they had apologised? If the literal string "we
| apologize" isn't it, what is?
| nicce wrote:
| "Statistically your extensions are one of the most used on
| Firefox. We will handle all related matters with higher
| priority and care in the future, and are deeply sorry about
| this."
| amiga386 wrote:
| "Our review processes are not fit for purpose. We commit to
| replacing them with ones which acknowledge our entire
| ecosystem is built on the goodwill of unpaid volunteers,
| and we must not squander their time or resources. People
| like you are our lifeblood and we must not lose your
| trust."
|
| "We admit we used automated scanning here and tried to pass
| it off as human review. We got caught. Badly. All our
| future scans will have to pass our own internal reviews
| before we make demands of extension authors."
|
| these sorts of things
| latexr wrote:
| Come on, be realistic. They're not going to grovel and
| humiliate themselves over it, especially on a first
| apology contact. Expecting that kind of response would be
| ridiculous.
|
| The other comment was much more plausible.
|
| https://news.ycombinator.com/item?id=41711187
|
| I'm interested in what the original commenter thought,
| though.
| amiga386 wrote:
| The anodyne ass-covering apology they _did_ send out, is
| massively more humiliating for Mozilla than a sincere
| mea-culpa would have been.
|
| Hill made their initial emails public and the discussion
| of AMO's incompetence had already happened. Mozilla have
| been able to see this and formulate a response. Their
| response was not a full PR face-saving, it was a single
| further email from the AMO review system. That speaks
| volumes.
|
| _Dear Mr Hill_
|
| _sorry we are such idiots. Now please reply to us so you
| comply with the mandatory review process governed by
| idiots. Our policies require that we do not unilaterally
| fix any mistakes we unilaterally made. We must first
| waste more of your time to ascertain that you agree our
| direction is the right one._
|
| _Yours Sincerely_
|
| _The Idiots_
|
| https://github.com/uBlockOrigin/uBOL-
| home/issues/197#issueco...
| latexr wrote:
| Look, I'm not taking Mozilla's side. As should be obvious
| by my other comments on this thread, I think Raymond Hill
| should do what they think is right for themselves and the
| project.
|
| But I'm trying to have a _productive_ conversation on
| what would be a _realistic_ response that Mozilla could
| have _plausibly_ sent that would show true remorse and
| constitute a proper apology.
|
| Insulting them and giving absurd examples that would
| never happen does not advance the discussion. I'm not
| interested in unabashed mocking. There are people on the
| other side too, it doesn't cost anything to have a little
| empathy. Yes, Mozilla is in the wrong here, no one
| disagrees. How about we discuss what they could've done
| right?
| amiga386 wrote:
| That's what my mooted better-apology email covered.
| Acknowledge the failings of their processes. Mozilla
| should stop thinking they're a big swinging dick of a
| "platform" like Google and Apple are, instead accept
| they're reliant on continuing donations of time and
| effort by volunteers _and it needs to keep them sweet_.
|
| Edit: and if they want to continue thinking they're a
| "platform", they need to invest in more and better staff
| for doing these reviews they insist on. They need to
| accept that false positives are just as bad, if not
| worse, than false negatives.
| latexr wrote:
| > That's what my mooted better-apology email covered.
| Acknowledge the failings of their processes.
|
| But you did it in a way that ridicules Mozilla. It was an
| unrealistic example of something they would never have
| sent. For what? There's no point to that. Surely you can
| come up with something that is apologetic, honest, real,
| and that a manager at a company could approve. I was
| looking for something sensical, not a caricature.
|
| > Mozilla should stop thinking (...)
|
| That, and most of your post, gets to the heart of it.
| You're displeased with Mozilla and want them to look bad.
| Look, I get it, I don't like Mozilla's direction either,
| I am plenty critical of them. But you can be critical and
| constructive. Your comments that made them look like
| absolute bozos are the kind of rhetoric any Mozilla
| employee would skip over as not being serious. I would
| like Mozilla to be better, not just burn them to the
| ground.
| amiga386 wrote:
| The problem with Mozilla may be unrecoverable; that's my
| concern. They're currently spending Daddy Google's money
| like it's endless, schmoozing with SV investor types,
| pissing about chasing the latest trends and bunging money
| to their friends. Because they can.
|
| I'm not sure that anything that anyone could say to them
| could change their minds.
|
| My worry is that there are _no_ organisations that
| campaign to keep the web open, fight against those who
| would lock it up and Balkanise it, and to offer a web
| browser that empowers its users and hasn't been captured
| by surveillance-capitalist money.
|
| Mozilla don't need my help to look bad:
|
| * https://www.pcmag.com/news/mozilla-temporarily-suspends-cryp...
|
| * https://lunduke.locals.com/post/4387539/firefox-money-invest...
|
| * https://www.theregister.com/2024/01/02/mozilla_in_2024_ai_pr...
|
| * https://arstechnica.com/gadgets/2024/02/mozilla-lays-off-60-...
|
| * https://www.theregister.com/2024/06/24/mozilla_product_chief...
| dogleash wrote:
| > But I'm trying to have a productive conversation on
| what would be a realistic response that Mozilla could
| have plausibly sent that would show true remorse and
| constitute a proper apology.
|
| For a thought experiment let's take those suggestions
| earlier in the thread that you already dismissed. Make
| them 10% less blunt. Have they become realistic? No? OK,
| another 10% less blunt. Keep going until it seems
| realistic. Does it still show true remorse? No? Quelle
| surprise! I don't think there is any overlap to be found
| in this Venn Diagram.
|
| The closest thing we might ever see is the mozilla dev
| elsewhere in this thread. They're opining that mozilla
| should probably just give Hill reviewer creds so he can
| rubber stamp his own addons and explaining why.
|
| I'm not saying that if Mozilla were to give him those
| permissions that it would constitute an apology. I'm
| saying that the case this Mozilla dev is making, that
| alone is already more remorse from Mozilla about how
| broken their internal process and priorities are, more
| than any "realistic" official communication from Mozilla
| will show.
| latexr wrote:
| > Make them 10% less blunt.
|
| That's... Not how communication works.
|
| > Have they become realistic? No? OK, another 10% less
| blunt. Keep going until it seems realistic. Does it still
| show true remorse? No? Quelle surprise!
|
| What a bizarre straw man. You invent an argument
| unrelated to what the other person said, then argue with
| yourself pretending to know what the other person would
| respond ultimately making the imaginary opponent agree
| with you. That's quite something.
|
| Your post is so far removed from the point of the thread
| I have no idea how to respond to it. Nor would I want to,
| I believe this has gone so far off the rails there's no
| salvaging it.
|
| Again, I'm not defending Mozilla. Anyone who cared to
| find my other comments on the thread can easily verify I
| defended Raymond Hill from the start. The one thing I was
| interested in with the original question were serious
| arguments of what Mozilla could have done better. Straw
| man arguments lacking in empathy that make everyone on
| the other side look like clowns are unproductive.
| saurik wrote:
| That reply essentially sounds like "We realize you are in
| a position of power _over us_ and so we should have been
| more careful; we thereby explicitly note the power
| imbalance and pledge to respect you--specifically, just
| you--a bit more because of it (though let's not get into
| the details of how)."... which is, I guess, an "apology"
| of sorts, but it isn't even close to an apology for the
| thing they actually did wrong.
|
| FWIW, the comment you were replying to had a bit of
| hyperbole in it, and I guess you seem to be expecting it
| to be an exact quote? I think that same sentiment can be
| done in a way that is more neutral in tone, which is what
| seems to be irking you? Which is awkward, I guess, as,
| frankly, the one you prefer comes off much more to me as
| "groveling": the issue at hand is procedural and
| technical and maybe a bit political, but that reply is
| intensely _personal_ and is directly "bending the knee"
| to Gorhill while not admitting any actual mistake.
|
| But like, maybe, sometimes, an apology inherently
| requires some humility, and if Mozilla isn't willing to
| actually state that they _did wrong_ -- not that Gorhill
| deserves respect, not that this situation went badly,
| certainly not merely that Gorhill felt bad about it --
| then what, pray tell, even is an apology?
| latexr wrote:
| > but it isn't even close to an apology for the thing
| they actually did wrong.
|
| I didn't say the one I linked was perfect, I said it was
| more plausible. I don't understand why everyone seems to
| have such a hard time understanding what that word means.
|
| > and I guess you seem to be expecting it to be an exact
| quote?
|
| That is exactly what I asked for. I asked what the email
| could have said. Words have meanings. Why oh why does
| that seem to be a novel concept?
|
| > But like, maybe, sometimes, an apology inherently
| requires some humility
|
| Yes, yes it does. I agree.
|
| > then what, pray tell, even is an apology?
|
| For crying out loud. HN, the community that is ridiculed
| everywhere else for being too literal, was today
| incapable of understanding a literal question.
| finnthehuman wrote:
| Why does it matter if they apologize? Are there brownie
| points that make a rote ineffectual interaction somehow
| better if that check box can be checked?
|
| > What could the email have said
|
| If the goal is finding the right magic incantation for
| apology, then answer to your question is "nothing". If it's
| not, then the answer is "almost anything".
| latexr wrote:
| An apology is an admission of wrongdoing and shows
| remorse for one's actions. It means the perpetrator is
| committing to improving themselves and not make the same
| mistake. You can't change a mistake in the past, but you
| can promise to do better in the future.
|
| So yes, apologies matter. It is baffling, and honestly
| worrying, that this has to be explained.
|
| It is important to realise the people steering the
| apology are not the same ones that caused the offence.
| The organisation is the same, but you can't control what
| every single individual does.
| finnthehuman wrote:
| > It is baffling, and honestly worrying, that this has to
| be explained.
|
| Hey man, you're the one that seems to be of the
| impression that the person sending form letter extension
| review responses is in a position in Mozilla to be able
| to do any of the shit you just said apologies represent.
|
| I asked what's it matter if they tick the apology box
| because they can't actually apologize.
|
| I just don't get why, in my previous post, I was supposed
| to pretend like the person who wrote that "we apologize"
| statement even intended to apologize.
|
| ---
|
| And in the odd chance the person who sent that email is
| in that position (or it's a personal apology limited to
| their own reviewing failures) they need to use their
| words and distinguish themselves from a perfunctory
| customer service script. Rote apologies are not
| apologies, they're simply someone saying what they
| believe are the right polite words for a situation.
| latexr wrote:
| > the impression that the person sending form letter
| extension review responses is in a position in Mozilla to
| be able to do any of the shit you just said apologies
| represent.
|
| Yeah, that's fair.
|
| > Rote apologies are not apologies, they're simply
| someone saying what they believe are the right polite
| words for a situation.
|
| I agree. And rereading the email I also agree that their
| apology was lacklustre to say the least. Initially that
| seemed to me to have come from a position of authority,
| but I see I was wrong.
|
| My only disagreement is that I do think there _is_ some
| apology that would be valid. Something like a
| personalised email (not from a form) from someone with a
| modicum of power (e.g. the manager of the add-ons
| division).
|
| Note, however, I'm not saying a valid apology must be
| accepted.
| finnthehuman wrote:
| > Something like a personalised email (not from a form)
| from someone with a modicum of power (e.g. the manager of
| the add-ons division).
|
| Okay... but I still get the feeling you're talking about
| a non-apology here. No matter how hard they work to craft
| the right words, unless that manager does something
| differently they're just being manipulative in addition
| to the original wrong they're pretending to apologize
| for.
|
| I know I'm not being maximally charitable here, but look
| how far you've strayed from "If the literal string 'we
| apologize' isn't it, what is?"
| latexr wrote:
| > but look how far you've strayed from "If the literal
| string 'we apologize' isn't it, what is?"
|
| Wasn't it clear that I changed my mind through the
| conversation? That's the point for me, my goal isn't to
| pick a position and claim I'm right to the end, but to
| learn and improve my views. Like I said:
|
| > I agree. And rereading the email I also agree that
| their apology was lacklustre to say the least. Initially
| that seemed to me to have come from a position of
| authority, but I see I was wrong.
|
| If the literal strings "I agree" and "I was wrong" don't
| convey that I agree with your points and I think I was
| wrong, what does?
|
| To be absolutely clear, I'm being tongue-in-cheek. I have
| no desire to continue this.
|
| And to be even clearer, what I offered as a suggestion
| was a response to you saying there was "nothing" they
| could do. That's the one part I disagree with by the end.
| finnthehuman wrote:
| > what I offered as a suggestion was a response to you
| saying there was "nothing"
|
| There was an if clause separating different circumstances
| into "nothing" and "almost anything".
|
| And I stand by that. If an apology is actually meant it
| becomes trivial to come up with the words to apologize.
|
| Laboring over the process of apologizing is a good sign
| you're trying to avoid actually apologizing.
| marssaxman wrote:
| The author is a volunteer and the software is a labor of love:
| of course it's personal. Such projects thrive when the author
| feels like they are giving a valuable gift to a community which
| is receiving and appreciating it. Being required to submit your
| creation through an impersonal "review" process which rejects
| you in such a way that it's obvious nobody cared enough to even
| _look_ is not just a buzzkill: it's an _insult_.
|
| I would walk away, too.
| freedomben wrote:
| > when the author feels like they are giving a valuable gift
| to a community which is receiving and appreciating it.
|
| Who is the "community" in this case? Mozilla? Or is it us
| users? If the former then fine, but if the latter, then who
| is being hurt by this, and how does Mozilla being annoying
| reflect ingratitude in the community?
| latexr wrote:
| > who is being hurt by this
|
| See Raymond's comment five days ago:
|
| https://github.com/uBlockOrigin/uBOL-home/issues/197
|
| Who is being hurt is Raymond Hill (their sanity / mental
| stability / desire to work on this popular extension);
| Firefox users who preferred the Lite version; Firefox users
| on Android; Everyone who would've been recommended this
| extension and now won't (see other comments in this
| thread); Mozilla (taking yet another hit to their
| reputation) and by extension the open web as more reasons
| to abandon Firefox lead to less browser diversity.
| trustno2 wrote:
| Judging from his replies, this is not the first time he had
| problems with the review system
| akira2501 wrote:
| > author took this a bit up personally
|
| Yea, those pesky unpaid developers, letting their emotions get
| mixed into their personal projects. Why can't they be cold and
| unfeeling, like the people who run the firefox "store?"
| healsdata wrote:
| Mozilla sent a template email and you're acting like they did
| anything beyond that. They didn't even assure the author that
| their add-on wouldn't be removed without prior two-way
| communication ever again.
|
| Mozilla has a press page -- they could issue a clear, open
| press release talking about what went wrong, how they're
| changing going forward, etc. They could even acknowledge that
| this extension is awesome and contribute capital to making it
| available to their users.
|
| But, instead, they did the minimum amount possible to save face
| after one of their reviewers royally messed up. The things the
| reviewer cited in the first review are plainly wrong and a
| junior JS developer could tell you that.
|
| Heck, an AI reviewer would have done better (ChatGPT 4o mini):
|
| "No, this file does not appear to contain minified code.
| Minified code is typically compressed to remove all unnecessary
| characters such as whitespace, line breaks, and comments to
| reduce the file size, making it harder to read.
|
| The code you provided contains readable formatting, including
| comments, indentation, and well-structured functions, which are
| not characteristics of minified code."
| latexr wrote:
| For anyone confused by the real title:
|
| > uBlock Origin Lite maker ends Firefox store support, slams
| Mozilla for hostile reviews
|
| "Review" here means the Mozilla review to allow the extension in
| the store, not user reviews of the extension.
| einpoklum wrote:
| Mozilla decided at some point to kill extensions - whether
| following Google Chrome or of its own volition. It took an axe to
| its ecosystem by disabling the loading of anything external other
| than WebExtensions - and note that it's just an artificial
| disabling, as internally, Firefox is still basically some bundled
| "extensions" over a C++ core.
|
| And now there's the "manifest v3" change, and making people jump
| through hoops to be on AMO.
|
| This is very sad, almost as much as the internal governance over
| there.
| kristjank wrote:
| Another Mozilla classic...
| timeon wrote:
| From the article:
|
| > uBlock Origin Lite is a Manifest V3-compatible version of the
| content blocker. It is less powerful, but since Google is
| disabling Manifest V2 support in Chrome, it is what will remain
| from uBlock Origin for Chromium-based browsers.
|
| > Does it affect uBlock Origin? The core extension remains
| available for Firefox. Unlike Google Chrome, Firefox will
| continue to support Manifest V2 extensions. Mozilla has not
| flagged this extension or disabled it
|
| But somehow it is Mozilla who is the bad guy not Chromium-based
| browsers.
| yjftsjthsd-h wrote:
| > But somehow it is Mozilla who is the bad guy
|
| Sounds like it, yeah.
|
| > not Chromium-based browsers.
|
| Nobody said that.
| seszett wrote:
| This story is about Mozilla removing the Lite/Manifest v3
| version from Firefox's extensions, this has nothing to do with
| Chromium.
|
| Now why does such a version even exist when the "normal"
| uBlock Origin is available on Firefox, I don't know. But
| there's no question it was a mistake by Mozilla. Mistakes do
| happen, I'm just explaining why it's only related to
| Mozilla's actions here.
| JadeNB wrote:
| To be clear, the complaint is not about Manifest V2 vs.
| Manifest V3 (which is of course its own can of nonsense), but
| about Mozilla's review:
|
| > Mozilla says that it has reviewed the extension and found
| violations. The following claims were made:
|
| > The extension is not asking for consent for data
| collecting.
|
| > The extension contains "minified, concatenated or otherwise
| machine-generated code".
|
| > There is no privacy policy.
|
| The article points out that all three points are false, and
| _this_, or--I'll go ahead and trust the author of an
| extension I rely on heavily--what the author says:
|
| > In a follow-up, Hill criticized the "nonsensical and
| hostile review process" that put added burden on developers.
| Mozilla disabled all versions of the extension except for the
| very first one. It still flagged the extension for the very
| same reasons, but nevertheless decided to keep the outdated
| version up.
|
| is what makes Mozilla the bad guy here. (It also says Mozilla
| restored the extension a few days later, which is better than
| doubling down but, of course, worse than not making the
| ridiculous error in the first place.)
| roblabla wrote:
| I mean, those are _completely_ separate issues? People can be
| mad at Google/Chrome about Manifest V3, whilst also being mad
| at Mozilla/Firefox for randomly flagging UBOL with bullshit
| reasons.
| nicholasjarnold wrote:
| The article seemed to highlight the inconsistencies or errors
| in the plugin review process which puts undue burden on
| developers trying to add value to the ecosystem. It was not
| about the differences in Manifest v2/3 and the issues with
| Chrome, though this was mentioned and is the reason why the
| 'Lite' version of uBlock Origin exists in the first place.
|
| tl;dr - continue using Firefox and installing uBlock Origin.
| If you develop Firefox plugins for distribution through their
| official channel beware the review process I guess.
| 1GZ0 wrote:
| Mozilla just can't help themselves, can they? Seriously, once
| Google is broken up and their donations to Mozilla stop, I won't
| be sad when Mozilla is forced to shut down.
| jordanb wrote:
| These "lapses in judgement" are driven by Mozilla's brass
| representing the desires of their real masters. A post-Google
| Mozilla may be smaller, but I bet Firefox would be better and
| more popular.
| 1GZ0 wrote:
| I hope so, but I wouldn't count on it.
| noworriesnate wrote:
| I wish they'd get smaller first, build up a fund so they
| could literally just invest in the stock market and run
| indefinitely off the returns, and only then go Google-free.
| That would be a more permanent solution.
| yencabulator wrote:
| That sounds like it'd make less money for the CEO, why
| would they be interested in that?
|
| Mozilla no longer does what is good for Firefox.
| okanat wrote:
| Yeah, I think getting sold to a company like Proton AG
| would be the better outcome for Firefox.
| seba_dos1 wrote:
| It's a blog post about something that happened a month ago and
| boils down to "some (obvious) mistake happened during review".
| Not much to see here.
| bluGill wrote:
| That obvious mistakes can happen is itself a problem.
| flyingpenguin wrote:
| Have you never been at work being forced to do something
| because you need money but you just are not feeling it that
| day? Obvious mistakes will ALWAYS happen, regardless of
| rules, regulations, human involvement, process, etc. It's
| thoughts like this
|
| "How can we make sure this doesn't happen again"
|
| "It's unacceptable that an obvious mistake happened"
|
| that make corporations so full of random rules, because they
| think it's possible to prevent things like this. What matters
| is the frequency with which they happen, and how gracefully
| you handle yourself after it happened.
| hermannj314 wrote:
| "But the bias-variance tradeoff doesn't really apply to us"
| - every bureaucracy ever.
| somerandom2407 wrote:
| And problems like this could still have been avoided if
| their system required review by a second party before
| blocking an addon by a developer of good standing who has
| addons with a huge number of users.
|
| Sure, the individual doing the check might be incompetent,
| but that doesn't mean that Raymond needed to be bothered by
| Mozilla about it - they could have handled it internally
| instead.
| talldayo wrote:
| Obvious mistakes are an issue with most software stores. Less
| a matter of attention being paid, and more a consequence of
| scale: https://www.pcmag.com/news/beware-theres-a-fake-
| lastpass-app...
| bluGill wrote:
| Software management doesn't scale as much as google would
| like.
| talldayo wrote:
| Software management doesn't scale at all. It relies on an
| individual human element that is free to make the wrong
| choice apropos of nothing. They have no motivation to
| explain their reasoning and by-and-large are protected by
| the marketing of a multi-million dollar business.
|
| Kinda why it's a mistake to charge money for a process
| that is demonstrably incorrect.
| SSLy wrote:
| latest message from moz on the GH issue is from the day back
| InsomniacL wrote:
| > The organization issued an apology for the "mistake" and
| recommended to Hill to reach out whenever he has questions or
| concerns about a review.
|
| Before taking drastic action like pulling addons from the store,
| Mozilla should reach out if they have questions or concerns about
| a review.
| elAhmo wrote:
| It appears all of the companies that are gatekeepers to apps,
| extensions and similar user-generated stuff are really quick to
| overreact and unless you are a high-profile person, have a lot
| of followers or a really popular app or an extension, good luck
| resolving it in a timely manner.
| CaptainFever wrote:
| On first glance, it really does seem to be the case,
| regardless if one is "big tech" (e.g. Apple) or a non-profit
| organization (e.g. Mozilla).
| nar001 wrote:
| Gorhill is a pretty high profile person considering uBlock
| Origin and yet still got it taken down and overreacted
| though. So the issues seem to run deeper than that.
| suprjami wrote:
| This is literally the most high profile person Mozilla has.
| He's carrying the entire browser.
| AdmiralAsshat wrote:
| Oof. I get gorhill is pissed about the whole thing, but, this
| feels like cutting off your nose to spite your face. It's going
| to be much trickier for people to get uBO Lite onto their Firefox
| for Android installations now, or even if they can, they might
| just not bother.
|
| And, while I suppose gorhill could make the case that he's
| protesting this egregious process on behalf of the little guy,
| the fact is, he's _not_ the little guy as far as Firefox add-ons
| go. uBO was one of the first (if not _the_ first) 3rd-party addon
| to be offered as part of Firefox for Android after Mozilla's
| reorg started rolling out. He clearly has Mozilla's attention.
| I'm not sure what he gains from continued intransigence offers
| after Mozilla admits their mistake and apologizes.
| Timshel wrote:
| He gains by not having to interact with them for UBOL.
|
| When you waste people's time sometimes an apology is not enough
| for them to want to continue to work with you ...
| 51Cards wrote:
| An outlook like that will really limit who you work with in
| the future. I don't know anyone, corp or otherwise, that
| doesn't mess up from time to time. What matters is the
| acknowledgement of the mistake and taking steps to rectify
| it.
|
| IMO, as much as I highly respect his products, the dev pulled
| a hissy fit over a mistake.
| yencabulator wrote:
| So, half of what you say matters seems to be missing.
| ForHackernews wrote:
| They restored his extension (until he removed it again),
| what more do the Mozilla-haters want?
| SSLy wrote:
| An apology, a post mortem, and lessons learned and
| implemented so it doesn't happen again.
| somerandom2407 wrote:
| The unpaid dev who produces something of value to users of
| Firefox. Removing the addon doesn't hurt him, and may hurt
| Firefox if people switch to Brave over this. Mozilla need
| to make changes to their review process or risk losing
| users.
| yjftsjthsd-h wrote:
| > It's going to be much trickier for people to get uBO Lite
| onto their Firefox for Android installations now, or even if
| they can, they might just not bother.
|
| Why would they bother? Firefox - Android or desktop - runs
| full/regular uBo just fine.
| AdmiralAsshat wrote:
| > Why would they bother? Firefox - Android or desktop - runs
| full/regular uBo just fine.
|
| gorhill himself stated[0]:
|
| > This is unfortunate because despite uBOL being more limited
| than uBO, there were people who preferred the Lite approach
| of uBOL, which was designed from the ground up to be an
| efficient suspendable extension, thus a good match for
| Firefox for Android.
|
| [0] https://github.com/uBlockOrigin/uBOL-
| home/issues/197#issueco...
| carlosjobim wrote:
| > I'm not sure what he gains from continued intransigence
| offers after Mozilla admits their mistake and apologizes.
|
| What would he gain from submission to Mozilla? Either way he
| gains $0 for all the work he's done to improve the Internet for
| millions of people.
| AdmiralAsshat wrote:
| He gains Mozilla's distribution model and audience, which
| allows users of Firefox to download add-ons from their
| browser's UI and updates automatically, rather than having to
| manually pull an extension file from a Github page for each
| new release and install it.
| phoronixrly wrote:
| That's a long-winded way to say $0
| Crespyl wrote:
| Time and effort are usually considered to be worth some
| amount of money.
| carlosjobim wrote:
| Time and effort is what he spends, $0 is what he gains.
| AdmiralAsshat wrote:
| You gain $0 for uploading your Linux package to
| yum/apt/dnf as well, but you recognize that there's value
| in being able to install such packages easily through a
| well-curated repository, no?
| okanat wrote:
| Well you, the programmer, usually don't upload it. Some
| package maintainer does it since they want your software
| and ideally they should handle the bug reports for their
| package as well.
| SSLy wrote:
| > _allows users of Firefox to download add-ons from their
| browser's UI and updates automatically, rather than having
| to manually pull an extension file from a Github page for
| each new release and install it._
|
| only because mozilla is gatekeeping that away otherwise.
| abhinavk wrote:
| For extensions which have full access to all websites, I
| appreciate that. That is one of the main reasons for
| ManifestV3 because not all extensions can be reviewed.
| witrak wrote:
| I agree with one exception:
|
| > [...] and audience [...]
|
| If you take into account small market share of Firefox and
| even smaller percentage of Firefox users needing uBOL then
| "audience" isn't anything important in this case. Perhaps
| this whole story will increase popularity of uBOL more...
| wolpoli wrote:
| > The organization issued an apology for the "mistake" and
| recommended to Hill to reach out whenever he has questions or
| concerns about a review.
|
| It's unclear why the author of the article decided that the word
| 'mistake' deserved the scary quote treatment.
| greentxt wrote:
| Because there was a privacy policy it's hard to understand how
| that could be a mistake. The insinuation is the reviewer was
| not acting in good faith.
| pdpi wrote:
| Which brings us to: It's unclear why the author of the
| article decided that the reviewer was not acting in good
| faith.
| jeroenhd wrote:
| The reviewer asserts that the addon transmits data. It does
| not.
|
| That may not be malice, of course. It could just be
| incompetence (someone running an automated scanner and not
| verifying that the results are correct), someone trusted
| with a job they're not capable of doing, or maybe it's just
| Mozilla pretending someone reviewed the addon while using
| shitty AI like ChatGPT to do all the work.
|
| The email even directly links to resources that are
| supposedly "minified, concatenated or otherwise machine-
| generated". That's simply not true.
| busterarm wrote:
| Maybe it's the fact that 80+% of Mozilla's revenue comes
| directly from payment by Google who are extremely hostile
| to ad blockers (and UBO in particular) at the moment.
|
| That should be obvious, honestly. The extension is a threat
| to the reviewer's paycheck...
| cholantesh wrote:
| UBO isn't even the extension that was scrutinized, and
| besides how do you even know that the reviewer (if they
| are a human which seems open to question) is a Mozilla
| employee rather than a volunteer, and that they were not
| acting out of sheer incompetence?
| breakingcups wrote:
| Lot of people in this thread not familiar with Hanlon's
| razor..
|
| Obviously this could all just be incompetence. It's just a
| convenient excuse to do some more Mozilla-bashing, (lack of)
| facts be damned.
|
| Not that any of this excuses the experience Gorhill had, of
| course.
| eviks wrote:
| Pretty clear: because it's a quote from Mozilla's response
|
| "We apologize for the mistake and encourage"
| SuperNinKenDo wrote:
| Fair play. uBO is THE killer extension, and apparently it never
| occurred to Mozilla that if they were going to insist on using
| some hideous, Google style, machine led review process for
| extensions, perhaps they should at least make a carve out for one
| of the single most important extensions that exists.
|
| I can totally understand gorhill becoming completely incensed by
| the whole thing and refusing to play ball when Mozilla "realises
| their mistake". Their mistake was assuming he would simply put up
| with being subjected to the drudgery that so many extension and
| open-source developers allow themselves to be subjected to in
| return for little thanks and ever increasing demands.
|
| The outcome is far from ideal, but the fault, sadly, lies
| squarely with Mozilla. Real shame.
| abhinavk wrote:
| This is about uBOL. I haven't seen much delays for the main
| extension. It is always more up to date on Firefox compared to
| Chrome/Edge.
| SuperNinKenDo wrote:
| OK? So you support Mozilla's actions or something? What is
| the purpose of your comment?
| jorams wrote:
| The purpose of their comment is to correct your statement
| that:
|
| > perhaps they should at least make a carve out for one of
| the single most important extensions that exists.
|
| uBOL is not an important extension on Firefox.
| witrak wrote:
| >uBOL is not an important extension on Firefox.
|
| Perhaps you should read some earlier comments then you
| wouldn't say such things?
|
| Hints: Firefox mobile; range of privileges required.
| jorams wrote:
| I did, it does not change what I said. uBO works
| perfectly fine on Firefox Mobile and doesn't use much
| battery. People can _prefer_ uBOL, but that doesn't make
| it important to the ecosystem.
| mossTechnician wrote:
| Out of all the criticism Firefox fans make of the mobile
| version, excess CPU usage and excess RAM usage are at the
| top of the list. Maybe high-end phones run Firefox
| decently now, but not everybody has a high-end phone. If
| uBOL has a place on Firefox, mobile Firefox is where it's
| best.
| SuperNinKenDo wrote:
| It's the same author, essentially same project. Mozilla
| shouldn't be wasting the maintainer's time and resources
| with this stuff, and that is the point of my comment.
| Their comment was nothing but failed pedantry and added
| nothing if that was its purpose.
| ravenstine wrote:
| uBlock Origin is likely the primary reason Firefox has any
| amount of meaningful browser market share today. If Firefox
| didn't support it then I would be using another browser. Seeing
| as Mozilla has been struggling to get anything right, they
| should be kissing gorhill's behind.
| maest wrote:
| > uBO is THE killer extension
|
| Now that you say that, I wonder if that's Google's end game:
| keep Mozilla on the payroll, disincentivise them from
| innovating on their product and wait for Firefox to slowly
| bleed users until nobody is using them and solidify Chrome's
| position. And that's how they take care of adblockers. They
| already have wide control over Chromium so that would only
| leave Safari as the last viable browser alternative (a much
| harder product to attack).
|
| Now, Google can't stop Firefox from allowing ad blocker
| extensions, but they can encourage Mozilla to run Firefox in
| all but abandonware mode, until it dies out.
|
| It's embarrassing how hard the Mozilla Foundation has fumbled
| their position and I'm having a hard time attributing their
| actions simply to incompetence.
| ForHackernews wrote:
| So Mozilla goofed, apologised of their own accord and corrected
| the mistake? And in response this dev is throwing his toys out of
| the pram? Do I read this right?
| jampekka wrote:
| I can see how having to jump pointless bureaucratic hoops in a
| volunteer project can cause throwing out toys.
| ForHackernews wrote:
| What pointless hoops? The extension was restored.
| jampekka wrote:
| After pointless hoops. And the process seems to involve
| pointless hoops even when the review is not rejected.
|
| https://github.com/uBlockOrigin/uBOL-home/issues/197
| ForHackernews wrote:
| Again, what pointless hoops?
|
| > After re-reviewing your extension, we have determined
| that the previous decision was incorrect and based on
| that determination, we have restored your add-on.
| catapart wrote:
| Yeah, it's kind of wild to see the general reaction to this
| being "the developer is being unreasonable".
|
| It's like... I, too, find it burdensome for a review that
| claims to be "manual" to suddenly flag a file my code has
| been utilizing for years, and puts the onus on me to refute
| its findings. Not only is it trying to prove a negative,
| it's ridiculous that an unchanged file needs re-review for
| things like "is it minified?".
|
| As far as I can see, there are errors here and they are _ALL_
| on Mozilla's side. Better training, maybe, but probably just
| stop lying that a manual review has happened when it hasn't.
| And then, when you have whatever semi-automated review is
| being done flag a thing, then actually have a human review
| it. And, since that would be a firehose, implement simple
| standards to filter out spam and publish those standards -
| and what effect each infraction will have on the review
| process, including steps for remedy. Make them able to be
| completed as automatically as possible for the developers, so
| that you don't have to manually review, again. If it's a
| minification issue, require the devs to re-upload non-
| minified versions, check it automatically, and then allow the
| publish.
|
| I'm being simplistic and flip, but a reasonable
| generalization is just that bureaucracy should be imposed on
| the implementers of the bureaucracy, not the people who are
| trying to engage with it.
| x0x0 wrote:
| When Mozilla is being gifted enormous amounts of free labor,
| they should be more careful with the donor.
| aaronmdjones wrote:
| You do not read this right. Mozilla goofed, then goofed again,
| then again, then again, then again, then the developer got fed
| up of having every single version reviewed incorrectly and
| pulled it, then Mozilla apologised.
|
| I'd do exactly the same thing.
| lol768 wrote:
| Why does this extension even exist on AMO? The article says it's
| the "Lite/Manifest v3 version" - why would you _ever_ install the
| inferior edition meant for legacy browsers, instead of the one
| that blocks ads properly that's meant for Firefox?
| SSLy wrote:
| Because it's lighter on power usage, and that matters for
| firefox on android.
| panarky wrote:
| And because it can block ads without infinite permission to
| read and change every site you visit.
| mmwelt wrote:
| But now it's not even possible to use the add-on in Firefox
| for Android, as only add-ons from AMO can be installed.
| mdaniel wrote:
| I was curious if trying to load it via
| file:///storage/emulated/0/Download/... would work (as my
| recollection is that .xpi installation is content-type:
| sensitive) but insult-to-injury is that FF Nightly for
| Android _searches_ for the string "file:///storage...", so
| they seemingly have nuked even the file: protocol handler
| for Android. Good times over there at Mozilla
| Elfener wrote:
| Pretty sure file:// is very broken in different ways on
| every android browser.
|
| For example, on kiwi browser typing in a file URL causes
| it to be searched, but using the "go to URL in clipboard"
| button (with the file url in your clipboard) works.
| Except when you randomly run into some weird android file
| permission issue and the browser just can't see certain
| files...
| pmontra wrote:
| file:/// is gone in Firefox Android since at least 2
| years ago. I discovered it a few days ago
| https://bugzilla.mozilla.org/show_bug.cgi?id=1806171
|
| It works in Chrome on my Android 11 phone.
| mod50ack wrote:
| That's not true anymore. You have to press the Firefox logo
| on the about screen a few times, which will make the menu
| option appear in settings to install an extension from the
| local filesystem
| spartanatreyu wrote:
| Fixing this explanation:
|
| You need to go Settings -> About Firefox -> Click the
| logo a bunch of times on this page specifically -> Press
| the back button
|
| You will now see the Install extension from file option.
| mmwelt wrote:
| Wow, that's good to know, thanks!
| lol768 wrote:
| You know what else uses power? Ads! Particularly the flashy
| animated ones that fingerprint the browser and hoover up data
| to prove you're a real human ad impression. I'd wager it
| doesn't take too many of those slipping through the net to
| completely undo your "power saving" of a slightly more
| efficient way of blocking resources.
|
| Has anyone actually done some quantitative research here?
| I've been using Firefox with uBO for years on Android and of
| all the apps on my phone, Firefox is not the one that's
| chewing through battery.
| Timshel wrote:
| It can run with way less permission as opposed to UBO.
| sureIy wrote:
| I don't think people care about giving permissions to one of
| the most popular extensions ever. The advantages of giving
| that extension full access are quite clear and the dangers
| minimal.
| pessimizer wrote:
| > I don't think people care about giving permissions to one
| of the most popular extensions ever.
|
| I'm going to fail to go out on a limb and say that those
| people shouldn't use this version in order to avoid that,
| then. I suspect this extension has been made available for
| others, like those you're replying to here.
| kccqzy wrote:
| I do care. I trust Gorhill but that doesn't mean mistakes
| can't slip through. Maybe criminals attacked his system to
| steal his credentials, or maybe criminals just used old
| fashioned violence to force Gorhill to release a malicious
| extension update. Exactly because this is the most popular
| extension ever, criminals have so much higher incentive to
| take over his trusted extension to do criminal things.
|
| Of course all of us have our own assessment of trust and
| danger.
| somerandom2407 wrote:
| I care. I'll probably just switch to Brave instead of
| either installing this manually (risky) or using the full-
| blown addon (risky). The value proposition for Firefox has
| just diminished.
| jeroenhd wrote:
| For the few good reasons Google had for restricting addon
| manifests: performance and security. Declarative domain lists
| are easier to cache and lead to fewer (unnecessary) addon
| activations. Fewer permissions means the impact of a malware-
| infected version hitting the addon store in the future is a lot
| lower. uBlock's rule engine is incredibly powerful, to the
| point where a custom ruleset can inject code into any website.
| That applies to custom rulesets, but also to the built-in ones
| that may or may not get their accounts/hosting hacked, or
| bought out in the future.
|
| Not that I would use the lite version myself, or that I agree
| with Google's choice, of course; they killed ad blocker APIs
| without providing an alternative API, after all. With the code
| already out there anyway, for the people stuck in their ways
| still using Google Chrome, they may as well make this version
| available for Firefox.
| wvenable wrote:
| The other good reason that Google has is that it puts them
| entirely in control of the lists. If they don't want Chrome
| to block ads on Google properties they can opt them out of
| the block lists.
| trustno2 wrote:
| manifest v3 is actually not a bad idea at all. it's more
| efficient, more private.
| EasyMark wrote:
| It's bad though in that it reduces your power over your
| browsing experience. We should get a choice on that. uBO is a
| good actor and I trust them. Also Google crippled storage for
| lists in v3 while Firefox did not. Clearly it's to limit size
| of Adblock lists on google's part to make the adblockers more
| irrelevant and in their interest to put as many ads in your
| face as possible.
| chii wrote:
| > We should get a choice on that.
|
| this is it exactly. They should not remove manifest v2,
| they should make it more explicit that an addon is v2 or
| v3, and let the end user choose (with the default being v3,
| and deny v2 addons).
|
| When an untrustworthy addon asks to be a v2 addon, the user
| can be made more suspicious, but allow addons like ublock
| to remain working at full power.
|
| Of course, the whole reason google did it is to remove
| effective adblocking.
| EasyMark wrote:
| It's faster and has less security implications. I accept that
| UBO is more powerful even if it has a slightly less secure
| footprint, but that's a decision, others may choose for more
| security per V3
| akira2501 wrote:
| > why would you ever install the inferior edition
|
| It's my computer. I paid for it and I maintain it. I'll do
| whatever I please with it.
|
| > instead of the one that blocks ads properly that's meant for
| Firefox?
|
| I have a better question. Why even use Firefox if it refuses to
| do what I want?
| 4bpp wrote:
| If I understand the timeline correctly here, it seems that
| gorhill overreacted, and I say that as someone who is usually
| harshly critical of everything Mozilla has done in the past 5+
| years. It's hardly practical for Mozilla to manually review every
| add-on revision for safety in a timely manner, so they had the
| choice between automation and delays that would make add-on
| development a slog; automation though inevitably will cause false
| positives.
|
| What's the alternative? No pre-release review at all? As a user I
| would hope that this will not be the case, especially now that we
| have confirmation that flashy supply chain attacks are being
| executed in the wild. In fact the review policy protects gorhill
| himself too, since it makes him a bit less attractive as a target
| for a rubberhose attack (no point in blackmailing him to put in
| spyware if the spyware would be caught before release).
| SSLy wrote:
| > No pre-release review at all?
|
| certainly not leaving only the _oldest_ version of the
| extension up.
| jeroenhd wrote:
| I'm not even surprised the addon got flagged. The linked files
| in the Github issue all had file names insinuating a direct
| connection to known trackers (which, of course, uBOL is
| blocking). Whatever automated scanning tool Mozilla uses
| probably latched on to "oh this is Google Tag Manager" and
| issued the warning that is normally handed out to addons that
| do include sketchy scripts like these.
|
| HOWEVER: the email clearly states:
|
| > Your Extension uBlock Origin Lite was manually reviewed by
| the Mozilla Add-ons team in an assessment performed on our own
| initiative of content that was submitted to Mozilla Add-ons
|
| Either that is a lie, or the manual reviewer that did the
| "review" doesn't understand that the automated tool they ran is
| capable of false positives.
|
| Nothing wrong with automated abuse assessments on a platform
| like Mozilla's, but don't lie in your communications about it
| (or hire people who know what they're doing when it comes to
| blocking addons).
| GrantMoyer wrote:
| I agree with what you say about the tradeoffs of a review
| process, but strongly disagree that Raymond Hill overreacted.
| He's a solo dev working on uBlock as a hobby who doesn't even
| take donations; he doesn't owe us anything. He gets to decide
| if the review process is frictionless enough for him to contribute
| his time and energy, and even though he decided it's not in
| this case, he made his extension open source, so anyone else is
| free to publish uBlock Origin Lite in his stead.
| Timshel wrote:
| Don't remove stuff that are used for some time using only
| automatic tooling ...
|
| And from the start the review was supposedly: "Your Extension
| uBlock Origin Lite was manually reviewed by the Mozilla Add-ons
| team".
| yojo wrote:
| I think it's reasonable to expect that one of Firefox's most
| popular extension publishers gets a higher tier of review
| service. Gorhill (and other top extension devs) are providing
| real value to Firefox, and have demonstrated good behavior for
| years.
|
| This doesn't mean they should get to publish whatever they
| want, but if a reviewer is about to reject a high profile
| plugin, they should get a second set of eyes on it. Which would
| have obviously caught the mistake here.
|
| Feels like another "Firefox is underinvested in developer
| relations" story, which is surprising given how much they rely
| on them.
|
| Edit: honestly the idea that gorhill doesn't have a dedicated
| rep at Mozilla is baffling to me. According to their stats the
| extension has 8.4 million users. They should call him on the
| phone to let him know there's a problem with his extension.
| causi wrote:
| Yeah they've repeatedly used his name in advertising Firefox
| Mobile.
| munch117 wrote:
| But this is not about a high profile plugin. The high profile
| plugin is "uBlock Origin", and this is about "uBlock Origin
| Lite", which is a big thing for Chrome, but not for Firefox.
| Why would anyone want to use uBOL, when they have the option
| to use uBO?
|
| Perhaps Mozilla does have a higher tier of review, but it's
| for specific plugins, not for specific authors.
| umbra07 wrote:
| From what I remember, there are noticeable efficiency gains
| when using uBOL on mobile browsers.
| chimeracoder wrote:
| > But this is not about a high profile plugin. The high
| profile plugin is "uBlock Origin", and this is about
| "uBlock Origin Lite", which is a big thing for Chrome, but
| not for Firefox. Why would anyone want to use uBOL, when
| they have the option to use uBO?
|
| uBlock Origin requires giving the extension full read and
| write permissions on every site you visit, which is a huge
| liability, security-wise.
|
| uBlock Origin Lite uses Manifest V3, which doesn't require
| providing those permissions to the extension.
|
| Perhaps you trust gorhill with that power, but it's pretty
| understandable why others might not want to give that power
| to a third party.
| zdragnar wrote:
| This is exactly why Apple implemented the precursor to
| Chrome's v3 manifest in Safari (not to mention the
| performance implications).
|
| It's a lot easier to just accuse Google of acting in bad
| faith, and Mozilla of being their lapdogs, and ignore any
| possible evidence to the contrary.
| chimeracoder wrote:
| > It's a lot easier to just accuse Google of acting in
| bad faith, and Mozilla of being their lapdogs, and ignore
| any possible evidence to the contrary.
|
| There are two issues at play here.
|
| Manifest V3 is, undeniably, a security improvement over
| Manifest V2. Providing full read/write access to all
| websites is a _huge_ security risk, and the fact that we're
| willing to do it is really a testament to how bad the
| state of the web is without adblockers.
|
| However, the final standardized version of Manifest V3
| limited the size of content filters - essentially,
| limiting the number of ad sources that you could filter.
| This severely limits the utility of adblocking
| extensions.
|
| Mozilla responded to this by promising not to implement
| the cap in their implementation of Manifest V3 - ie,
| ignoring that part of the spec and allowing extensions to
| filter an unlimited number of sources in Firefox. Chrome
| and other browsers are sticking to the spec, though,
| including the cap on sources.
|
| I believe UBlock Origin Lite is a downgrade feature-wise
| from UBlock Origin, but that's because it's targeting
| both Firefox and non-Firefox browsers. In theory, a
| Manifest V3 version of UBlock Origin Lite designed for
| Firefox could provide the same functionality as the
| Manifest V2 UBlock Origin.
|
| Honestly, I hope someone (whether gorhill or someone
| else) takes up the mantle and does that, because there's
| no reason that Firefox users should have to use an
| adblocker with a less secure design, just because other
| browsers don't support it.
| wtallis wrote:
| > Providing full read/write access to all websites is a
| huge security risk, and the fact that we're willing to do
| it is really a testament to how bad the state of the web
| is without adblockers.
|
| That seems to be completely ignoring that extensions
| aren't just independent self-contained programs. They're
| intended to extend and modify the capabilities of your
| user agent to better suit the needs of the user. Trusting
| the user agent with full read/write access to the data
| it's fetching is fundamental to the purpose of a user
| agent. Sure, it's nice when you can sandbox a helper, but
| it's irresponsible to suggest there's anything wrong or
| unusual about having the kind of powerful extensions that
| Google doesn't want you to have.
| chimeracoder wrote:
| > Sure, it's nice when you can sandbox a helper, but it's
| irresponsible to suggest there's anything wrong or
| unusual about having the kind of powerful extensions that
| Google doesn't want you to have.
|
| You're arguing against a straw man here.
| wtallis wrote:
| What's inaccurate? Do you really want to claim that
| Google _isn't_ actively reducing the scope of what
| browser extensions can do on behalf of end users? Having
| security as a justification does nothing to erase the
| fact that they _are_ locking down the browser platform
| and making some useful categories of extensions
| impossible.
| jshier wrote:
| Safari allows extensions to offer multiple block lists,
| each at the maximum size allowed (65k entries I think).
| Does manifest v3 not do the same?
| sfink wrote:
| It's not just the size of content filters. V2 had the
| ability to run code to block a web request before it was
| downloaded. V3 only gives you a (size-limited) set of
| declarative filters. If you want to block anything else,
| you'll have to do it after it has been downloaded
| already.
|
| (all here is iiuc; I've never used any of these)
|
| https://developer.mozilla.org/en-US/docs/Mozilla/Add-
| ons/Web...
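
Added example (not part of the thread and not uBlock Origin's code): a simplified JavaScript model of the two designs sfink and chimeracoder describe above, showing that a blocking listener can make stateful decisions but sees every URL, while an extension holding only declarative rules sees none. The rule objects follow the declarativeNetRequest rule shape; the hostnames, the request list, the helper names and the matcher (only the `||host^` filter form, no tie-breaking) are assumptions constructed for illustration.

```javascript
// Simplified model, constructed for illustration; not a browser's real engine.

function hostIsOrUnder(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// --- Declarative model (Manifest V3 style) ---------------------------------
// The extension hands static rules to the browser up front.
const declarativeRules = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||tracker.example^", resourceTypes: ["script", "image"] } },
  { id: 2, priority: 2, action: { type: "allow" },
    condition: { urlFilter: "||cdn.tracker.example^", resourceTypes: ["image"] } },
];

// Only the "||host^" form is modelled; anything else is rejected loudly.
function filterMatches(urlFilter, url) {
  const m = /^\|\|([^\^]+)\^$/.exec(urlFilter);
  if (!m) throw new Error("unsupported filter in this model: " + urlFilter);
  return hostIsOrUnder(new URL(url).hostname, m[1]);
}

// Runs inside the "browser". Extension code is never invoked per request,
// so the extension learns nothing about the user's traffic.
function browserEvaluate(rules, request) {
  let best = null;
  for (const rule of rules) {
    const c = rule.condition;
    if (c.resourceTypes && !c.resourceTypes.includes(request.type)) continue;
    if (!filterMatches(c.urlFilter, request.url)) continue;
    if (!best || rule.priority > best.priority) best = rule; // highest priority wins
  }
  return best ? best.action.type : "allow";
}

// --- Programmatic model (Manifest V2 blocking webRequest style) ------------
// The browser calls extension code for every request and waits for a verdict.
function makeBlockingListener(observed) {
  const seenPerHost = new Map(); // runtime state a static rule cannot express
  return function onBeforeRequest(details) {
    observed.push(details.url); // the extension sees every URL
    const host = new URL(details.url).hostname;
    const n = (seenPerHost.get(host) || 0) + 1;
    seenPerHost.set(host, n);
    if (hostIsOrUnder(host, "tracker.example") && details.type === "script") {
      return { cancel: true };
    }
    // Arbitrary logic: cancel the third and later image from any one host.
    if (details.type === "image" && n >= 3) return { cancel: true };
    return { cancel: false };
  };
}

// Constructed sample traffic.
const requests = [
  { url: "https://news.example/index.html", type: "main_frame" },
  { url: "https://tracker.example/t.js", type: "script" },
  { url: "https://cdn.tracker.example/logo.png", type: "image" },
  { url: "https://img.example/a.png", type: "image" },
  { url: "https://img.example/b.png", type: "image" },
  { url: "https://img.example/c.png", type: "image" },
];

function runDeclarative() {
  const observed = []; // stays empty: no extension code runs per request
  const verdicts = requests.map((r) => browserEvaluate(declarativeRules, r));
  return { verdicts, observed };
}

function runProgrammatic() {
  const observed = [];
  const listener = makeBlockingListener(observed);
  const verdicts = requests.map((r) => (listener(r).cancel ? "block" : "allow"));
  return { verdicts, observed };
}

console.log("declarative: ", runDeclarative());
console.log("programmatic:", runProgrammatic());
```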
| Dylan16807 wrote:
| Last I checked google didn't remove the read-only access
| to network requests in v3, so an extension that wants to
| track everything can still do that. It just can't block
| anything with custom code.
| EasyMark wrote:
| To have a reviewer under your employ that doesn't know
| what UBO is or its dev, makes me feel pretty confident
| in siding with gorilla on this, but I hope that he does
| calm down a bit and put the extension back up.
| chimeracoder wrote:
| > To have a reviewer under your employ that doesn't know
| what UBO is or its dev, makes me feel pretty confident
| in siding with gorilla on this, but I hope that he does
| calm down a bit and put the extension back up.
|
| FYI, it's UBlock Origin _Lite_ that is affected here, not
| UBlock Origin. Same developer account, but a tiny
| fraction of the installation base. I think I still have
| an extension that has more users than UBlock Origin Lite
| did on Firefox (only 5000 installations at the time it
| was taken down).
|
| To be honest, neither party looks good here. It reflects
| poorly on Mozilla that they don't have guardrails in
| place to prevent adverse action on the developer account
| that publishes their most popular extension. Gorhill's
| reaction (particularly his most recent comment from an
| hour ago) comes off as petty and vindictive. Yes, it's
| his prerogative to spend his unpaid time how he wants,
| but expressing that sort of aggression and directing it
| at your _users_ doesn't win over many allies in the long
| run.
| shadowgovt wrote:
| I must have missed that update; I haven't seen any
| aggression directed at users of the plugin.
| spacechild1 wrote:
| > in siding with gorilla on this
|
| Off topic, but this is such a funny autocomplete accident
| :)
| weare138 wrote:
| But it's the same dev who's been active for over a decade
| and has a solid reputation. Users rely on these extensions.
| Removing a popular, well established extension without
| warning or apparently even making sure it was in violation
| of said policies to begin with is irresponsible.
|
| And the specific extension in question being a popular
| ad/tracker blocker while Mozilla has been cozying up to the
| adtech industry lately and selling access to Firefox user
| data isn't a good look for Mozilla. Maybe Mozilla is just
| being grossly mismanaged but this is all getting noticeably
| suspicious.
| EasyMark wrote:
| It's more efficient which can pay dividends in battery life
| on android, especially for those who have older phones.
| munch117 wrote:
| Thanks for the info. Wikipedia describes uBOL solely as a
| reaction to Manifest V3, and that's what I was going by.
| shadowgovt wrote:
| If it is, indeed, the case that they don't bump the entire
| account to a higher tier of service if one of their
| products justifies it, they've fundamentally conflated the
| technology with the humanity of the system and this is a
| predictable consequence.
|
| They're the browser with 2% market share.
|
| They're lucky he didn't also pull uBlock Origin because he
| felt insulted and let users figure it out. He doesn't owe
| Mozilla their tent-pole of "We make it harder for third-
| parties to track you", the tent-pole he set up for them for
| free.
| munch117 wrote:
| We all agree that this case is a very bad outcome for
| Mozilla.
|
| What I don't agree with, is that a system that is based
| on higher tiers for entire accounts, is necessarily
| better. If such a tier exists, then all the big players
| will apply pressure to be put in that tier. Suppose
| Amazon tries for that - surely they'll get it. And then
| they'll use it, not just for "the Amazon app", but for
| every crappy outsourced app they make for any purpose.
| Placing a huge burden on Mozilla, who now will have to
| spend extra resources to hand-check a lot of crap that
| could have been auto-rejected, just in case, because
| effectively the burden of proof has been shifted.
|
| I'd like you all to try to abstract from this case for a
| second, and think about the strategic choice: Which is
| the better rule, evaluating apps, or evaluating accounts.
| Sure, now you're all thinking that you'll make a super-
| duper amalgam system that looks at both in some
| combination. That's the benefit of hindsight. But suppose
| you're making version 1, and you're keeping it simple.
| What would you start with?
| shadowgovt wrote:
| > Which is the better rule, evaluating apps, or
| evaluating accounts
|
| For now, evaluating apps.
|
| ... but only because gorhill decided not to go nuclear
| (and good on 'em for doing so). The unequal power dynamic
| you're painting of Amazon exists today, whether or not
| Amazon attempts to pressure Mozilla right now; they're at
| their discretion to decide that they'll only support a
| Firefox extension if Mozilla plays ball with a bunch of
| other crappy apps too (and then Mozilla can tell them to
| go pound sand, and then the users can't get to the Amazon
| app easily, and then someone writes a workaround... The
| human system is far, far squishier and more complicated
| than the technical system).
|
| > But suppose you're making version 1, and you're keeping
| it simple.
|
| Sadly, Mozilla does not have that luxury because they
| exist in an ecosystem of other corporations with web-
| store presences and it's incumbent upon them to be
| competitive if they want to survive in that
| configuration. If Google and Amazon can glad-hand high-
| value customers, Mozilla needs to learn how to do so also
| or risk those customers deciding the Mozilla ecosystem is
| more trouble than it's worth to participate in (because
| what do you get? 2% market share?).
| suprjami wrote:
| > What I don't agree with, is that a system that is based
| on higher tiers for entire accounts, is necessarily
| better.
|
| Almost every business looks after their biggest customer
| better than their smallest customer.
| munch117 wrote:
| Sure. But now you're talking about the policy you expect,
| not the policy you want.
| suprjami wrote:
| I also want Mozilla to roll out the red carpet for
| Gorhill. They should probably have him on payroll.
| yojo wrote:
| Generally, anything published by the guy who maintains your
| most-installed plugin is by definition high profile. That's
| why we're talking about this case on HN.
|
| If Mozilla is providing tiered support by plugin rather
| than publisher, this latest kerfuffle is evidence that they
| should reconsider the approach. But if I were betting, I'd
| guess there's no one at Mozilla whose job responsibilities
| include keeping their marquee plugin authors happy.
| shadowgovt wrote:
| And, in contrast, that job (or parallel jobs for
| different 'online stores') _definitely_ exists at Google
| and Microsoft. At Google, there's a whole army of open-
| secret glad-handers for liaising between high-profile or
| high-relevance Cloud customers and the development teams
| inside Google that work on Cloud (because sometimes a
| customer comes up with a novel way to use the tool that
| exposes the cracks in the abstraction and lets the
| underlying implementation leak out undesirably).
| Customers don't get to choose to be handled that way
| (though they can, of course, indirectly signal it by how
| much money they spend); it's Google's decision to
| maximize company value / security.
| guilhas wrote:
| Good point, they should be on the phone "Mr G how can our
| developers help you getting this extension approved"
|
| This developer is one of the main reasons for many people to use
| Firefox, especially in this current chrome controversy
| manifestV2 vs V3
|
| And ironically this uBOL success should be of great interest
| to Mozilla because if it had gained more success than the
| main one uBO then it would be one less reason for the company
| to invest resources into maintaining manifestV2
| xnx wrote:
| Firefox is a thick wrapper around the core functionality of
| uBlock on Android. Without uBlock, the case for using Firefox
| is very weak.
| Jalad wrote:
| uBlock on Firefox pretty much is the only reason I haven't
| ditched Android yet
| xnx wrote:
| Same, though I've switched to uBlock in Kiwi Browser.
| hedora wrote:
| I switched to ublock in orion on iOS.
|
| The remaining problem is that iOS has subpar podcast and
| Bluetooth support.
| bravetraveler wrote:
| I'd go as far as to say it's my lifeline for a
| smartphone. Outside of sleep-or-shitposting like this, I
| don't use the thing.
|
| I live as if it were a couple decades ago, working on a
| desktop computer. I've bought several laptops and failed
| to modernize. My entire life depends on the Internet and
| all of that, I'd prefer more distance to be honest.
| medstrom wrote:
| This isn't about uBlock though. Just uBlock Origin Lite.
| fsckboy wrote:
| you mean, this isn't about _uBlock Origin_ though. Just
| _uBlock Origin Lite_.
|
| plain old _uBlock_ is another add-on which may no longer
| exist. (uBlock was the original original, but the same
| developer, gorhill, mistakenly let it slip into the wrong
| hands and it became a pay-to-play leaky ad blocker)
| SergeAx wrote:
| uBlock Origin is THE reason I am using Firefox Mobile. The
| moment it's gone - there's no sense in keeping the browser.
| rightbyte wrote:
| Mozilla knows that. Which is why they exempted Ublock
| Origin from their user hostile all but that one extension
| ban on mobile. (In practice it was a ban. I think they
| called it something else.)
| bambax wrote:
| > _manually review every add-on revision for safety in a timely
| manner_
|
| Sure, but uBlock Origin, lite or not, is one of the most
| important browser add-ons, if not the single most important one.
| This may not justify giving it a pass without looking, but it
| should certainly be reason enough to jump it in front of the
| queue and review it manually every time.
| asadotzler wrote:
| Lite is meaningless to 99% of Firefox users. The real deal is
| available and they aren't forced to use the inferior Chrome
| version.
| jampekka wrote:
| Maybe a less crappy review system at least?
|
| "The burden is that even as a self-hosted extension, it fails
| to pass review at submission time, which leads to having to
| wait an arbitrary amount of time (time is an important factor
| when all the filtering rules are packaged into the extension),
| and once I finally receive a notification that the review
| cleared, I have to manually download the extension's file,
| rename it, then upload it to GitHub, then manually patch the
| update_url to point to the new version. It took 5 days after I
| submitted version 2024.9.12.1004 to finally be notified that
| the version was approved for self-hosting. As of writing,
| version 2024.9.22.986 has still not been approved."
|
| Doesn't sound like something I'd enjoy as a hobby.
|
| https://github.com/uBlockOrigin/uBOL-home/issues/197
| TiredOfLife wrote:
| Mozilla is not a single person in a basement with a 20 year old
| second hand computer. They spend hundreds of millions $ per
| year. uBlock origin has 8+ million installs. The second
| extension by install count has 4 (four) times less. If
| anything to do with gorhill and their extensions is not
| priority one in their review system, then something is really
| wrong at Mozilla.
| seba_dos1 wrote:
| ...and the extension this article is about had about 5000
| (five thousand) installs before being taken down. That
| doesn't really scream "priority" to me.
| witrak wrote:
| It may be true, but your point of view isn't the sole
| possible. Many people have to use more than one browser and
| for them, the Google decision (effectively forcing the
| creation of uBOL) was really painful so Hill's new product
| is of big value. Also, there are people who don't know
| anything about uBO since they never used Firefox but they
| probably will start to use uBOL as other blockers for
| Chromium-based browsers are incomparable to it. Thus 5k
| downloads of uBOL are no measure of its importance.
| seba_dos1 wrote:
| How is that relevant to hosting on AMO?
| bitfilped wrote:
| This was for uBlock lite, a much lesser used plugin
| chimeracoder wrote:
| > This was for uBlock lite, a much lesser used plugin
|
| Sure, but it's published by the same developer and has
| existed for a while. It's not a brand new extension under
| his account, or published on a different developer account.
|
| I've built review systems before, and you typically have
| safeguards in place to prevent mistakes that impact your
| biggest users. No matter how you cut it, this isn't a good
| look for Mozilla.
| shadowgovt wrote:
| And behind the scenes is one human being maintaining both.
|
| If you make maintaining one of them more stressful than the
| other, the maintainer dropping one to focus on the other is
| a predictable consequence.
| pmontra wrote:
| If they piss off a dev they risk losing all the plugins of
| that dev. So they must not look at uBOL, the subject of the
| review, but at uBO, the most popular plugin of that dev.
| And it turns out that it's Firefox's most popular plugin
| among all its plugins. They should immediately escalate the
| review even if gorhill submitted a plugin to log Hello
| World in the console.
| squarefoot wrote:
| > They spend hundreds of millions $ per year
|
| Most of which comes from Google, whose web enshittification
| created the need for Ublock Origin and later Ublock Origin
| Lite. If Mozilla, which takes boatloads of money from Google,
| does something absurd that would please nobody else but
| Google, how could one not assume something fishy is going on?
|
| https://archive.ph/jQPTt
|
| ( https://www.bloomberg.com/news/newsletters/2023-05-05/why-
| go... )
| phendrenad2 wrote:
| Exactly. And this is why we need paid browsers. If the ad-
| supported/donation-supported browsers like Firefox need to
| apply low-quality automated solutions to approving/rejecting
| even their most popular addons, then clearly the business model
| isn't working.
| Semaphor wrote:
| > their most popular addons
|
| It's the lite version. It's not popular at all.
| EasyMark wrote:
| However gorhill is quite a high tier extension dev which
| should get him more attention and at least a second set of
| eyes on any drastic action like cutting his extensions.
| talldayo wrote:
| ...except there is no evidence that paid, manual review
| works. Closest thing we have is Apple's App Store, which
| infamously has manual review cycles worse than an automated
| malware checker: https://www.pcmag.com/news/beware-theres-a-
| fake-lastpass-app...
|
| This is why you should be happy that you _don't_ pay for a
| browser.
| marcinzm wrote:
| Anecdotes are not data, and requiring perfection is a
| really odd bar for working or not working.
| talldayo wrote:
| > Anecdotes are not data
|
| When you blatantly violate the IP of a well-trusted dev,
| posing as a third-party and successfully tricking Apple,
| yeah, you are a pretty big data point. You can't call
| CrowdStrike an anecdote.
|
| My bigger intention is to fight the idea that automated
| solutions are necessarily better than inept human-reliant
| ones. Firefox doesn't even have remotely Apple's scale or
| revenue to work with - who seriously expects Mozilla to
| do better than them?
| 6510 wrote:
| I'm not sure, if moz revenue is something like 600 m and
| the ceo makes 7 m while Apple's revenue is something like
| 400 b and the ceo made 63 m. You get something like 7/600
| vs 63/400000 ?
|
| Then Mozilla should do at least 1000 times better even if
| it is just a forgotten side project like Firefox?
|
| uhhh what were we talking about again... ah right
| extension reviews.
|
| Well, just let the developer pay for 50 different tiers
| of review with prices scaling with the size of the code
| base or upgrade. Display the level of scrutiny on the
| extension page, have a donate to the cause button so that
| funds contribute only to reviews.
|
| If you've installed any extensions you should regularly
| be made aware of the security risk and have a nice
| overview of the level of hazard and fund raising efforts.
|
| If you've reached a high level of security further
| upgrades will either be expensive or install should be
| discouraged.
|
| In the same place the developer can explain how urgent or
| useful the upgrade is and users can donate to bring the
| patch up to the desired level.
|
| Code changes can be displayed with public discussion.
| This will be useful for doing the different reviews as
| cheaply as possible. Let there be bidding wars.
|
| In addition there should be an extremely granular
| permission system that triggers dialogs in an amount
| sensible for the review level. Developers should be
| allowed to buy reviews for tiny functions that accurately
| define permission requests.
|
| For example: Rather than full access to all pages I want
| access to all links pointing at example.com and I want to
| fetch the title of the pages on example.com. Or say: I
| don't want access to the entire internet but only to
| things in valid RSS or Atom format.
|
| Seems a sensible solution to me and I don't even know
| anything.
| sgc wrote:
| You jump immediately to money. But less crappy automation in
| this case is almost certainly a question of configuration and
| then thoughtfulness on the part of follow up reviewers, not
| just throwing money at the problem. It feels like you are
| shoehorning your own agenda in the conversation a bit.
| EasyMark wrote:
| I think not everyone thinks that money solves all things.
| Look at the $8 blue check "verified" accounts on Twitter that
| are easily identified as CCP/Russian spam bots. We've had
| free browsers for nearly 30 years, so I'd say we don't need
| paid browsers just yet. There are of course some out there
| for those who like the idea, but overall it's not a solution.
| n=1 failure doesn't mean flushing the whole enterprise down
| the toilet. There is an easy policy change for this. Fire one
| high level executive and get 10 more quality reviewers so
| that the more experienced reviewers can get high traffic
| items like those from gorhill
| bigiain wrote:
| > I think not everyone thinks that money solves all things.
|
| I'd go further and say money ruins most things.
| phendrenad2 wrote:
| Wow, stirred up a latent hornet's nest with this one. I
| should have known, people love "free" stuff (even if it's
| obvious to everyone, even themselves, that it is not at all
| "free"). Anyway, I think a paid browser would help solve this
| problem. If you don't agree, please, keep using Firefox or
| Chrome or whatever "free" browser you prefer.
| mcherm wrote:
| I think that the alternative is some form of "per review",
| where the effort of performing reviews is spread out among a
| volunteer f with reasonable "reputation" management and in
| which a party can accelerate their own review by contributing
| to the reviews for others.
| mort96 wrote:
| Meh, it's perfectly reasonable to decide that you don't want to
| deal with this kind of bullshit and pull the extension from
| problematic stores. There's probably a minuscule amount of
| people using uBO Lite on Firefox anyway.
| politelemon wrote:
| I don't think the author has overreacted, but your first
| paragraph doesn't seem to match the timeline, so maybe the
| article didn't portray it correctly. For a better understanding
| have a look at the Github issue:
| https://github.com/uBlockOrigin/uBOL-home/issues/197
|
| It was not an automated review, it was a manual review, poorly
| done. The author then explains that they don't want to deal
| with the stress (there are also some extra explanations of
| what's involved in the AMO review process), and also that they
| left a somewhat harmful version of the plugin up. Not wanting
| to deal with stress is a perfectly understandable reaction.
| shadowgovt wrote:
| Sometimes, people apparently forget how much of this
| ecosystem is built on volunteers: their time and their
| talent.
|
| You can lose a volunteer army fast if you don't provide them
| the warm fuzzies of the experience they don't get working
| with a faceless corporation.
| Ekaros wrote:
| No he did not. Mozilla is in a situation where they should bend
| backwards with very popular extensions, which I believe both
| uBlock Origin versions must be. Ensure anything you do with
| them is absolutely correct.
|
| In general quite many extensions are done for passion. And any
| chance of destroying that passion will make your product less
| desirable to work with and thus in long run less popular.
| fragmede wrote:
| Can we build a better sandbox? Exfiltrating data is the issue,
| but if the extensions just weren't able to reach out arbitrarily
| but could only download a specified url, then that would
| eliminate the problem for plugins that could adapt to only
| using a specific permission and then not need manual review.
| deepsun wrote:
| I'd pay for speedy reviews. I don't think it would resolve to
| paywall, but the reviewers are not free.
| seneca wrote:
| Mozilla is an absolute joke of an organization, and it's tragic
| that they are still the primary alternative to Google having a
| total monopoly on browsers. I suppose you shouldn't expect much
| from a company that is just there to maintain a facade to fend
| off regulators.
| busterarm wrote:
| We're at a really dangerous point with browsers at the moment
| where there's really no consumer-friendly option available.
|
| I'm scared to say that Safari comes closest but you're just in
| Apple's walled garden then instead of someone else's.
|
| Our only hope seems to lie with Ladybird, if that even ends up
| being good and it seems extensions aren't on the agenda at
| least for a while.
| slig wrote:
| I'd say we're past that point. Less than 5% of global users
| (and going down) and NO mobile presence at all. The newer
| generation of devs and power users won't even care.
| busterarm wrote:
| You're absolutely right, but I'm trying to retain a shred
| of optimism, especially with a high amount of focus and
| interest on this area lately with projects like Ladybird
| and even new Gopher and Gemini clients.
|
| If the vast majority of end users want to live in the moat,
| I can't stop them, but at least I'd like an alternative to
| explore interesting content even if my bank, etc will never
| support it.
|
| At least banks are regulated enough that I don't expect
| their websites to be running full-page video ads anytime
| soon.
| x0x0 wrote:
| It's past time to give up on Mozilla.
|
| I told our dev teams to not even bother testing because,
| on our b2b site, Firefox usage was under 0.01%. That is
| not a typo. I can't spend dev time on that.
|
| They're doing the same, and now playing VC, an industry
| at which they have no apparent expertise.
| JimDabell wrote:
| The issue is bigger than that. The web standards process
| relies on two independent implementations for something to
| become a web standard. This just about works when there are
| three big players, but if Mozilla drops out, then it's just
| Google and Apple arguing. It's bad enough that two out of the
| three rendering engines that participate in the web standards
| process are funded by Google. We really need another
| independent rendering engine to step up. Hopefully Ladybird
| will get some traction.
| somerandom2407 wrote:
| Have you heard of Brave? It's a great browser with a built-in
| ad blocker founded by Brendan Eich, one of the co-founders of
| Mozilla and the creator of Javascript. I'm not a shill, I
| swear - I just think it's a great initiative that should be
| more well known than it is.
| busterarm wrote:
| Brave is Chromium/Chrome.
|
| Every browser alternative you can reasonably choose today
| is going to be either Blink (Chromium-based) or Gecko
| (Firefox-based). And then you have WebKit (Safari).
|
| Ladybird, Flow and Dillo are really the only true
| alternative browsers in active development other than a few
| others running on niche operating systems (to which I'm
| throwing in all of the DOS browsers...).
| sunaookami wrote:
| It's very annoying you have to submit your extension to
| gatekeepers to even distribute them to normal users. As gorhill
| said on GitHub it took days for a self-hosted version to be
| approved - that's unacceptable. Imagine you would need approval
| from Microsoft to distribute software. Not even Android is this
| closed. Enforcing signatures and removing XUL were the worst
| things Mozilla has ever done. And yes, Google does the same and
| it's even worse there but this is to be expected from them, but
| not from Mozilla.
| Zak wrote:
| On desktop Firefox, you can download an extension from anywhere
| and install it. All they're gatekeeping is their own
| repository, which I think most of us would like them to do.
|
| I think mobile requires using a nightly build to install
| extensions from outside Mozilla's repository, and that suggests
| their thinking is becoming contaminated by the rest of the
| mobile ecosystem.
| Semaphor wrote:
| No, the normal version blocks (at least permanent) installs.
| You need the developer version to install unsigned
| extensions.
| Zak wrote:
| I see. The extension I installed to test that actually _is_
| signed, though it's not in AMO.
|
| I don't like this. I know there have been issues with
| malicious extensions, so it makes sense to me that
| installing unsigned extensions is turned off by default,
| but requiring developer builds is a step too far.
| pxc wrote:
| What release made this change effective?
| Semaphor wrote:
| That was many years ago, there was a bit of a public
| complaint.
| sunaookami wrote:
| Correct. It's incredible how much misinformation there is
| about signing, even here where people should know better.
| It's very tiresome.
| adduc wrote:
| Are you certain extensions can be downloaded and installed
| from anywhere? Firefox's documentation[1] states "Extensions
| and themes need to be signed by Mozilla before they can be
| installed in release and beta versions of Firefox." If UBlock
| Lite was rejected through Mozilla's signing API, they'd have
| no ability to create an XPI that can be installed by
| release/beta version of Firefox.
|
| [1]: https://extensionworkshop.com/documentation/publish/sign
| ing-...
| bytebolt wrote:
| You can no longer package extensions yourself and if you try
| using "Load add on from file" you get that extension loaded
| but it's gone after a restart. All extensions have to be
| signed first to be permanent and Mozilla denied to fix that
| on their bug tracker.
| burnte wrote:
| Signing is such a low bar to pass I agree that not offering
| that as an option is reasonable. It takes seconds to do.
| Zak wrote:
| We're talking about signing by Mozilla to indicate the
| extension has passed some sort of review process, not
| signing by the author. It isn't a low bar because it
| gives Mozilla veto power over what extensions users can
| install.
| Arnavion wrote:
| To add on to the other replies, you *can* load unsigned
| extensions with desktop Firefox if the build you're using
| disabled the signing requirement at build time. A bunch of
| distros' FF packages do that, for example, and is why I use a
| bunch of extensions I wrote myself (and thus trust) for
| myself without having to deal with Mozilla. (Zip up the
| files, change the file extension to `.xpi`, drop it in
| `$libdir/firefox/browser/extensions/`)
| kevincox wrote:
| > removing XUL
|
| Nah, XUL had to go. The other stuff wasn't really related. It
| was a more "if we are going to break most extensions we may as
| well use this time to push everything else we want". If
| anything XUL is a scapegoat.
|
| I know because I maintained VimFx for a while after the XUL
| removal. It was difficult to keep up with internal APIs that
| are changing, but I can't blame them, they need to develop
| their product. The thing that really made me give up on
| maintaining VimFx was the signing enforcement. They just keep
| tightening the screws so that I couldn't even run "my own" code
| with any reasonable UX.
|
| What I would have liked to have seen:
|
| 1. Provide WebExtensions as the recommended way to do things
| with some compatibility and deprecation guarantees.
|
| 2. Stop caring about compatibility of other APIs.
|
| 3. Still allow outside "full access" extensions that use those
| internal APIs. You can give warnings in the store "this
| extension uses unsupported APIs and may break at any time and
| steal all of your personal data" and make the install button
| bright red but still allow it.
|
| 4. Keep supporting self-distributed extensions with developer
| managed signing keys and update URLs.
|
| Since there are no compatibility guarantees on these APIs it
| wouldn't have been much extra work. Just a bit of UX work to
| add scary warnings and maintenance of the non-store update
| code.
| irq-1 wrote:
| > 4. Keep supporting self-distributed extensions with
| developer managed signing keys and update URLs.
|
| Mozilla followed the big corps in the 'store' model, instead
| of keeping it open free-form. We might have a viable
| developer certification trust system by now, but with that
| too, only the corps have enforced signing systems (that are
| closed and fragmented.)
| tremon wrote:
| > We might have a viable developer certification trust
| system by now
|
| Don't we already have that system, in the form of
| distributions? More specifically, I'm thinking of something
| like Ubuntu's PPA system, where each developer publishes
| their packages with their own signing key.
| EasyMark wrote:
| What? You can install extensions in Firefox easily without going
| through the Firefox extension store. XUL had to go.
| mort96 wrote:
| No, you can't. Extensions must be signed by Mozilla for
| Firefox to let you install them.
| kevingadd wrote:
| This is simply not true. I've been using unsigned
| extensions for years. You drag-drop a zip file into the
| extensions window and it will let you install it.
| drdaeman wrote:
| You must be using either the Developer Edition, ESR,
| nightly or some unbranded version. Vanilla Firefox
| doesn't allow to install unsigned extensions permanently.
| 3np wrote:
| As of recentlyish, I noticed this is not an option on
| ESR, either. Only Nightly and Dev.
|
| https://wiki.mozilla.org/Add-ons/Extension_Signing#FAQ
|
| The FAQ says that in ESR, xpinstall.signatures.required
| should be respected but this is out of date IME (ESR
| 115).
| arp242 wrote:
| I looked at this just a few months ago as I have a few
| extensions with some very me-specific stuff that I don't
| really need/want to distribute - it's just not going to
| be useful for anyone except me. I couldn't find a good
| way to permanently install an unsigned or self-signed
| extension.
|
| You can temporarily add unsigned extensions in
| about:debugging, but those are lost on restarts, which is
| pretty annoying. I used this for a while until I got fed
| up and tried to find a better way.
|
| "Unbranded" Firefox builds allow adding unsigned
| extensions, but then I need to either 1) compile my own
| Firefox, or 2) Use "Firefox Developer Edition", which is
| mostly just the same as regular Firefox but based on beta
| versions (I'd rather just use release versions). Neither
| really appeals to me.
|
| So my solution now is to just create "unlisted"
| extensions and sign them with the web-ext CLI. It works
| and it's not entirely horrible, but it's a lot more
| hassle than I'd like.
|
| And the requirement for extensions to be signed is fine;
| I have no problem with that. But it should allow adding
| my own signing key. Or something.
|
| I kind of get why Mozilla is so restrictive about this;
| with banking and credit card stuff and whatnot all being
| browser-based, adding an extension is basically giving
| the keys to the castle. I can see some support scammer
| instructing someone to add some malicious signing key.
| But there does need to be some limit to how much we
| protect people from themselves, because at some point you
| just start making life hard for regular users.
| silverliver wrote:
| > So my solution now is to just create "unlisted"
| extensions and sign them with the web-ext CLI. It works
| and it's not entirely horrible, but it's a lot more
| hassle than I'd like.
|
| Wait. web-ext allows the signing of arbitrary extensions
| without review? Wouldn't that defeat the purpose Mozilla
| is sacrificing technical users for?
|
| While I didn't come across web-ext, I also tried my hand
| at working around firefox's limitations for my own
| extensions, but eventually decided it would be easier to
| give up and switch to a chrome-based browser instead. To
| this day, I still don't understand the "significant"
| threat that Mozilla sees (and other browser vendors
| apparently don't) that warrants such heavy-handed Apple-
| esque control over their users' ability to control their
| browser. Whatever it is, I no longer care.
| arp242 wrote:
| > web-ext allows the signing of arbitrary extensions
| without review? Wouldn't that defeat the purpose Mozilla
| is sacrificing technical users for?
|
| It takes about ten minutes to sign, and only seems like
| it uses automatic checks. I do get an email that "any
| extension may be reviewed by a human at any time".
|
| I don't know if it matters that it's unlisted, or that
| they're all very simple extensions with very limited
| permissions. I'm not an expert on any of this and I've
| never published a public extension; I just have a few for
| my own use. But it does seem that they apply some
| heuristic to determine what is worth reviewing and what
| isn't.
|
| > To this day, I still don't understand the "significant"
| threat that Mozilla sees (and other browser vendors
| apparently don't) that warrants such heavy-handed Apple-
| esque control over their users' ability to control their
| browser.
|
| There are support scammers and such that will phone you
| with "hi, we are from Microsoft support to help you. You
| need to go to h4xx0r.ru to install an extension to
| protect your computer".
|
| There are other ways of doing this of course, but an
| extension is a simple and easy way.
|
| I don't really know how to best solve this. I agree with
| your dislike of the current heavy-handed approach without
| escape hatch. But I also think the concerns are real, and
| you're being a bit too dismissive about that.
| fastest963 wrote:
| > Imagine you would need approval from Microsoft to distribute
| software.
|
| You mean like how you need permission to distribute software on
| MacOS/iOS? More and more platforms are moving in this direction
| and I wouldn't be surprised if Windows goes the same way in the
| future.
| Aaron2222 wrote:
| You don't need permission from Apple to distribute macOS
| software. Your users will just see a warning dialog when they
| try and run it for the first time and have to go to System
| Settings to allow it to run[0]. If you want to avoid this,
| you have to pay the $99 USD per year to join the Apple
| Developer Program, codesign your software with the
| certificate they give you, and submit it for notarization
| (which for macOS is a fully-automated security and malware
| review, unlike iOS notarization which is basically App Store
| review). It's not ideal (many open-source projects don't want
| to spend $99 USD per year, and it does tie the software to
| your real name), but it's not like iOS.
|
| [0]: https://support.apple.com/en-nz/guide/mac-
| help/mh40616/mac
| shiroiushi wrote:
| >More and more platforms are moving in this direction and I
| wouldn't be surprised if Windows goes the same way in the
| future.
|
| I think MS has already tried this several times, such as with
| Windows RT and the Windows store. It never caught on, and
| they pissed off the independent software vendors who make the
| Windows ecosystem valuable in the first place. Maybe they
| just didn't push it hard enough; maybe they could have just
| forced everyone to use it anyway, and maybe it would have
| worked because what are Windows users going to do, switch to
| Linux or Mac? But maybe the real danger was that users simply
| wouldn't upgrade to the new locked-down Windows in the first
| place and just stick with older versions forever, which is
| something they've been doing all along (look how mad people
| were when they finally killed XP).
| solarkraft wrote:
| It's not only that, Firefox also forces you to use the Developer
| edition (which updates about daily, FORCING you to restart it) if
| you want to install extensions that aren't signed by Mozilla
| (e.g. your own).
|
| This behavior reminds me of Apple. They say it's for security (where
| have I heard that before), yet Chrome doesn't seem to need such a
| restriction.
|
| To me it seems like another step in many of Mozilla's
| enshittification.
| rgreekguy wrote:
| I am pretty sure Chrome has also added the forced restart for a
| bit now. It might not show up right after the update, but it
| doesn't take long. I don't remember if it was straightforward,
| or just crashed new tabs.
| aaronmdjones wrote:
| You don't have to use the developer edition to run unsigned
| addons; you can use the ESR version or nightly as well.
| Dkuku wrote:
| This again shows the problem of automatic reviews. There should
| be a person name in every review that was responsible for it,
| currently it's blamed on our automated system. If the law would
| require someone's name on it then I'm pretty sure the review
| process would be much better and the explanation would include
| more than an apology.
| system7rocks wrote:
| Curious why Firefox doesn't just start incorporating uBlock into
| the browser? Make it a standard feature that comes pre-
| installed... but maybe not automatically enabled? Thoughts?
| bogwog wrote:
| Mozilla has been trying to become an ad company for a while
| now. A built-in ad blocker would mess that up for them.
| jjice wrote:
| Have they? I haven't seen this. They have a lot of tracking
| protection built in, but no ad blocker. I'm not doubting you,
| I just haven't seen any action or posts on their part about
| this.
| BenjiWiebe wrote:
| You get sponsored content in the new tab page by default.
| mossTechnician wrote:
| They developed Privacy Preserving Attribution with Facebook
| to collect data from browsers. It's enabled by default in
| fresh Firefox installs. They also acquired an advertisement
| subsidiary, Anonym, earlier this year. So when Mozilla
| makes a statement about advertisements, it's worth a little
| extra scrutiny.
| joemi wrote:
| So many people in this comment thread commenting stuff like
| this, that it should be included, it's the only reason to use
| Firefox, etc. Meanwhile I use Firefox every day at work without
| uBlock Origin or any other ad blockers, and it's perfectly
| fine. Why do you think they should it?
| open-paren wrote:
| I manage a medium-sized browser extension at work. We also
| offer(ed) it on Firefox. But I have spent the past year
| struggling to get back into Mozilla store after a manual review.
| As far as I can tell, there are maybe two reviewers that are
| based in Europe (Romania?). The turnaround time is long when I
| am in the US, and it has been rife with this same kind of "simple
| mistake" that takes 2 weeks to resolve. "You need a privacy
| policy" - we already have one. "You are using machine generated and
| minified code" - no you are looking at the built code, not the
| included source. "We cannot reproduce your source" - that's because
| you didn't follow instructions and are in the wrong directory.
| Very frustrating.
| sureIy wrote:
| I had these issues too a few years ago. Now the review time is
| shorter than Chrome's and hasn't been flagged in a few years.
| However my extension has about 10k users, if that makes any
| difference.
| jjice wrote:
| Also had these issues when working on my previous job's
| extension. The Firefox review process was a real nightmare to
| work with. Same heavy delays and misunderstandings you
| mentioned. Eventually the company just stopped updating the
| Firefox extension as often since usage was low and the review
| process was such a pain. Unfortunate for me, as the only
| engineer (maybe employee) at that company that used Firefox.
| whstl wrote:
| Same here. We even had a special "mini" Firefox version that
| didn't require any additional Javascript build step, to make
| the review easy. But there were so many issues with the
| review and so few users that we just decided to give up.
| rightbyte wrote:
| The whole extension change Mozilla forced on Firefox seems
| like some sort of sabotage.
|
| Mozilla sneaking in more and more spyware and ad friendly
| functionality seems in line with the same conspirators.
|
| And given how high profile all these changes are, it runs to
| the top of the company.
| Squeeeez wrote:
| So, which browser are you using?
| rightbyte wrote:
| Firefox... I won't give up on them just yet :)
| ilrwbwrkhv wrote:
| That's not just mozilla. Google's review team all are in India
| and they cannot write clear English. It's a mess.
| politelemon wrote:
| Also Apple and Meta. It's awful dealing with infallible
| gatekeepers.
| Rinzler89 wrote:
| _> Google's review team all are in India and they cannot
| write clear English._
|
| Which is ironic considering the reason they went to India and
| not other countries with cheap labor is that English is an
| official language there.
| lenerdenator wrote:
| The problem is that the set of "Indians who can speak
| fluent English" and the set of "Indians who will work for
| the absolute lowest bid" are exclusive. And I don't blame
| them, really.
|
| These execs mistake "English is an official language" for
| "English is a widespread first language". Only 0.02% of
| Indians speak English as their first language, while total
| speakers (of first, second, or third language) are 10.6% of
| the population.[0]
|
| [0] https://en.wikipedia.org/wiki/Languages_of_India#Multil
| ingua...
| hedora wrote:
| The last time I had realistic numbers, an outsourced
| engineer in India cost a bit more than a comparable one
| in the Midwestern US.
|
| I'd guess they're more expensive now, despite the obvious
| timezone problems.
| Izkata wrote:
| Also don't forget it's an Indian dialect of English, with
| words and usages of English words that don't exist
| elsewhere in the world.
| thisisit wrote:
| Indian dialect is derived from the colonial English. So,
| lot of words and usage can be found in British English.
| ciceryadam wrote:
| I don't think that most of Brits are "doing the needful".
| Indian English has plenty of expressions that are
| exclusive to India.
| Rinzler89 wrote:
| Pretty sure _" why did you redeem it?!"_ is a British
| English slang from the Victorian era :)
| wkat4242 wrote:
| While English is not a first language for the vast
| majority, it is used a lot in daily life because the
| native languages vary wildly by area and nobody
| understands them all. English is the common denominator,
| not just for communicating with foreigners but also to
| other Indians from other areas.
|
| The focus on primary language makes it seem less used
| than it actually is.
| 8leggedFreak wrote:
| omg I work with some Indian people since 2000, and I
| can only understand about 80% of what ONE OF THEM says,
| the others less than 60%. :(
| giancarlostoro wrote:
| > that's because you didn't follow instructions and are in the
| wrong directory.
|
| You just need to have a shell script in the root directory that
| assumes the person running it has 0 clue about your extension.
|
| Also some of this reminds me of Apple. They clear something up,
| then bring it up again the next time review is needed.
| adrian17 wrote:
| Even this we had issues with - we wrapped the entire build
| environment and script in a dockerfile, but depending on
| system configuration you may or may not have to run docker
| with sudo - it just so happened that reviewer's environment
| required it, while ours didn't, and the reviewer needed
| specific instructions on what to do in this case.
|
| Another time, they failed the review because the reviewer's
| VM _ran out of disk space_ (which we only learned after
| digging into the issue, as the first report just mentioned
| "build errors"; according to later inquiries the VM had ~9GB
| available) and we had to add some extra build logic to delete
| intermediate files, just for them. The build is quite large
| because it involves rust->wasm compilation, but I'd still
| expect the reviewer's machine to have a bit more space...
| cxr wrote:
| Everything described here sounds like your team, your
| extension, and your software development process are the
| problem. Demanding >9GB of disk space to build a browser
| extension is capital F, capital I Fucking Insane. Go yell
| at the Rust folks about their shitty toolchain and your
| engineering lead for buying into it instead of blaming
| people who have enough problems as it is just coming into
| contact with the quagmire you described.
| adrian17 wrote:
| The 9GB limit was not just the Rust stuff, that was for
| the entire docker environment with compiler, JRE, node,
| wasm toolkit, typescript, webpack etc. Yes, we need all
| of these to make a "true" reproducible build from
| scratch.
|
| > to build a browser extension
|
| It shares 99% of code with a desktop application; you can
| compile it to wasm while preserving most features. The
| extension wraps the wasm.
|
| For reference, when making a single clean build, the
| `target/` dir reaches 700MB.
| cxr wrote:
| > The 9GB limit was not just the Rust stuff, that was for
| the entire docker environment with compiler, JRE, node,
| wasm toolkit, typescript, webpack etc.
|
| None of this is surprising or exculpatory. Demanding >9GB
| of disk space to build a browser extension is insane.
|
| > we need all of these to make a "true" reproducible
| build from scratch
|
| You need and them to reproduce your build. You definitely
| don't _need_ all of them to build what you're building.
| freedomben wrote:
| You certainly are confident that you know more about GP's
| situation than they do.
|
| When you took your desktop app and built a browser
| extension version, did you really rewrite the entire app
| in vanilla JavaScript just for the Mozilla review team as
| you seem to be expecting GP to have done? How long did it
| take you? What sort of opportunity cost was there from
| investing your time on that instead of adding value to
| your product?
| cxr wrote:
| For someone who opened their post with a first sentence
| like that, you're making a lot of (bad) assumptions on
| your end; most of your questions are unanswerable or have
| answers that you are clearly expecting to go the other
| way.
|
| Demanding >9GB of disk space to build a browser extension
| is insane.
| freedomben wrote:
| Thank you for setting such a good example. If I were you,
| I don't know that I could have given such a good and
| dispassionate reply to such an arrogant, overconfident,
| and rude comment as you did. Your comments are not only
| technically interesting, but also epitomize what a
| healthy online community should be. Thank you for doing
| what you do!
| akira2501 wrote:
| > that assumes the person running it has 0 clue about your
| extension.
|
| I would tend to assume that a person given responsibility for
| reviewing this software, supposedly to protect end users,
| would not be this clueless.
|
| What value is the "Firefox Store" actually offering then?
| ethbr1 wrote:
| > _What value is the "Firefox Store" actually offering
| then?_
|
| That anyone dumber than such a reviewer cannot sneak
| malicious extensions in.
|
| Which, sadly, is probably a non-trivial number of
| submissions.
| akira2501 wrote:
| > That anyone dumber than such a reviewer cannot sneak
| malicious extensions in.
|
| Although people smarter than such a reviewer are free to?
| What kind of standard is that?
|
| > Which, sadly, is probably a non-trivial number of
| submissions.
|
| Then they're not, as an organization, actually capable of
| doing what they're promising here. There are more ways to
| get this wrong than to get it right, and borrowing the
| Google strategy of just not caring about your end users
| seems completely inappropriate for a non-profit like
| Mozilla.
| ethbr1 wrote:
| > _What kind of standard is that?_
|
| That's the standard of all curated stores.
|
| We can argue about whether Mozilla's reviewer skillset is
| too low, but there's always going to be someone smarter
| than a reviewer, when reviewing is a cost center that
| companies want to spend the minimum amount of money on.
| akira2501 wrote:
| > That's the standard of all curated stores.
|
| This seems to ignore how boutique stores and high end
| retail operates. This is the standard of rent seeking
| middlemen stores. You still haven't answered why this
| model is appropriate for Firefox.
|
| > We can argue about whether Mozilla's reviewer skillset
| is too low
|
| We're not. I'm pointing out how simply taking the
| opposing view reveals that your reasoning could not
| possibly be correct.
|
| > reviewing is a cost center that companies want to spend
| the minimum amount of money on.
|
| Which is weird because I assumed the cost of re-creating
| the plugin yourself would be much higher than that. It's
| almost like continual failure of these simplistic
| analyses reveal that a broader examination is required.
| ethbr1 wrote:
| You think the best analogy for the Firefox extension
| store is boutique brick and mortar retail?
|
| A minimal cost reviewer model isn't appropriate to
| Firefox.
|
| But, example counterargument as to why it might be:
| Firefox needs to ensure they don't open themselves up
| to liability but doesn't want to fully fund/staff a review
| team.
| mozman wrote:
| It could be $0, volunteer labor. I doubt it's a paid
| position.
| wnevets wrote:
| > I would tend to assume that a person given responsibility
| for reviewing this software, supposedly to protect end
| users, would not be this clueless.
|
| would you do that job 8+ hours a day for little pay?
| akira2501 wrote:
| Would you run a foundation that forces its users to be
| dependent on such a job?
|
| Y'all are putting the cart before the horse. I'm not
| being critical of the reviewer but of the large non
| profit organization that is responsible for creating this
| failure. Which apparently only exists to pantomime what
| the for profit players have built and is unsurprisingly
| equally wasteful of open source developers time and skill
| set.
|
| Why does Firefox even need a curated "store?" They could
| have built anything better. I'm sure they were paid, er
| given "donations," that ensured they would never try. And
| from what everyone has been saying here those donations
| got exactly what they were intended to get.
|
| Even Hacker News seems to unquestioningly assume this is
| a rational way to manage an open source plugin ecosystem.
| That this is the fault of the plugin author somehow or
| the store reviewer somehow. It's really disappointing to
| see.
| adrian17 wrote:
| > We cannot reproduce your source
|
| This is the biggest issue we had, and we had to add a decent
| bit of complexity to our builds to support reproducible builds
| in the exact way they want. But the silly part is that our
| extension involves building a wasm file from Rust, and after
| some back and forth it turned out that they don't require it to
| be reproducible (despite being core of our extension and
| containing 99% of our logic), which honestly feels like it
| defeats the point - who cares if JS reproduces if you can hide
| any arbitrary possibly-malicious code in wasm.
|
| For a while we were seriously considering putting our prebuilt
| wasm in the source package or on npm, just to make the
| "reproducible build" on AMO side simpler, despite this making
| it even further from how it's actually built.
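
An added example, not part of the thread and not Mozilla's or any commenter's tooling: the gap described in the comment above, where the JavaScript reproduces but the wasm is never compared, becomes visible when a reproducibility check reports which files it actually verified. The archives, file names and the `exempt_suffixes` policy knob below are constructed for illustration.

```python
"""Compare a submitted extension package against a reviewer's rebuild."""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field


def digest_archive(data: bytes) -> dict[str, str]:
    """Map each file in a zip/XPI archive to the SHA-256 of its contents.

    Contents are hashed rather than the archive bytes, because zip
    timestamps and entry order differ between otherwise identical builds.
    """
    digests: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename in digests:
                # Duplicate names are ambiguous: two tools may pick
                # different entries, so refuse to compare at all.
                raise ValueError(f"duplicate entry: {info.filename}")
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


@dataclass
class Report:
    matched: list = field(default_factory=list)
    mismatched: list = field(default_factory=list)
    only_submitted: list = field(default_factory=list)
    only_rebuilt: list = field(default_factory=list)
    skipped: list = field(default_factory=list)

    @property
    def reproducible(self) -> bool:
        # A skipped file is unverified, not verified: the build counts as
        # reproduced only if every shipped file was compared and matched.
        return not (self.mismatched or self.only_submitted
                    or self.only_rebuilt or self.skipped)


def compare(submitted: bytes, rebuilt: bytes, exempt_suffixes=()) -> Report:
    """Diff two archives; files ending in exempt_suffixes are not compared."""
    sub, reb = digest_archive(submitted), digest_archive(rebuilt)
    report = Report()
    for name in sorted(set(sub) | set(reb)):
        if exempt_suffixes and name.endswith(tuple(exempt_suffixes)):
            report.skipped.append(name)
        elif name not in reb:
            report.only_submitted.append(name)
        elif name not in sub:
            report.only_rebuilt.append(name)
        elif sub[name] == reb[name]:
            report.matched.append(name)
        else:
            report.mismatched.append(name)
    return report


def make_archive(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: identical JS and manifest, different wasm payload.
_COMMON = {
    "manifest.json": b'{"manifest_version": 2, "name": "sample"}',
    "background.js": b"WebAssembly.instantiateStreaming(fetch('core.wasm'));",
}
SUBMITTED = make_archive({**_COMMON, "core.wasm": b"\0asm\x01\0\0\0build-A"})
REBUILT = make_archive({**_COMMON, "core.wasm": b"\0asm\x01\0\0\0build-B"})

if __name__ == "__main__":
    strict = compare(SUBMITTED, REBUILT)
    js_only = compare(SUBMITTED, REBUILT, exempt_suffixes=(".wasm",))
    print("strict  mismatched:", strict.mismatched)
    print("js-only mismatched:", js_only.mismatched,
          "| never compared:", js_only.skipped,
          "| reproducible:", js_only.reproducible)
```

With the wasm exempted the mismatch list is empty, which is the result a JS-only check would report; the `skipped` list is what shows that the file carrying most of the logic was never compared.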
| Etherlord87 wrote:
| What kind of harmful code could you put in WASM? You could
| return a string that you eval on the javascript side, so the
| reviewers could possibly ask for the WASM source if they saw
| the eval, but other than that the purpose of WASM is to be a
| safe sandbox after all, right?
| xelamonster wrote:
| I'm not familiar with the security guarantees of WASM in
| the browser but I imagine they're more along the lines of
| preventing data exfiltration from the browser/OS, it would
| be difficult to prevent something like abusing your CPU
| resources to mine Bitcoin in the background for example.
| jeffchien wrote:
| The reproducible build requirement seems to be a major blocker
| for many addons, including one I use for Twitch:
| https://github.com/FrankerFaceZ/FrankerFaceZ/issues/1495#iss...
| stainablesteel wrote:
| this seems like the kind of place where user-based reviews
| would be more efficient, better, and more open
|
| having the makers of a browser do this is bound to create both
| efficiency and political problems for extensions. I'm
| remembering dissenter now
| saulrh wrote:
| Every time I hear about the review processes for browser
| extensions I'm shocked that it involves humans having to
| read your README and manually plumb together the build process.
| Sometimes I hear that reviewers are even reusing VMs when doing
| reviews, or even not using VMs at all. I'd have expected the
| review form to have a textbox where you paste your git link and
| a well-documented automated pipeline that stands up a specified
| VM with a specified amount of RAM and disk, clones the git,
| descends into it, and executes `docker build -f
| ./docker/review/Dockerfile .`. I'm surprised that the reviewers
| themselves haven't outright demanded such tooling from their
| larger organization, just as a matter of job satisfaction - I
| can't imagine all the abuse they get from angry app owners.
| 01HNNWZ0MV43FF wrote:
| Browser extensions really seem like they're slowly failing
| and just not supported. Kinda like PWAs.
|
| I want to write a chat program, but it has to work on phones,
| and the DevEx for native phone frameworks compared to desktop
| apps looks like hell, and PWAs seem to be barely supported.
|
| It's easier than ever to make a CLI or desktop app, but
| phones seem like the worst of all Microsoft dev history -
| Learn these arcane lifecycle vocab words that make no sense,
| like using Win32 directly, but also it changes every year or
| two like when MS invents a new GUI framework, but also if you
| can't get into The Store, nobody but your power user friends
| will be able to run your app anyway. What is this shit?
| heraldgeezer wrote:
| >Browser extensions really seem like they're slowly failing
| and just not supported. Kinda like PWAs.
|
| Ya, totally!
|
| lmao
|
| ublock origin has 8mil users on Firefox alone.
| manquer wrote:
| I don't think OP means for the lack of need or
| popularity, more so because vendors and platforms do not
| want them to be.
| wkat4242 wrote:
| Yeah especially with Mozilla's new focus on promoting
| less-tracked advertising with their Anonym acquisition.
| Ublock origin of course hampers those efforts. I wouldn't
| be surprised if they want it gone just like Google does.
| bornfreddy wrote:
| The problem is - I can switch the browser and not even
| notice. But give me one without uBO and I will switch
| immediately.
| raxxorraxor wrote:
| Someone will come up with a solution that is utterly
| ingenious. Like the ability to install a plugin without
| third party intervention with a single click.
| joshdavham wrote:
| That's interesting to hear. Do you also offer your extension on
| the chrome store? How did the review process differ? I ask
| because I've only published on the chrome store in the past.
| arp242 wrote:
| The problem with these types of things is that the people who
| are qualified to do good reviews are also the sort of people
| who can typically get a far more interesting job building
| stuff, rather than just reviewing code. It's work that does
| require a certain level of skill, but at the same time is also
| quite boring.
|
| And that more interesting job will probably pay better as well.
| ozim wrote:
| I think that is one way that "tragedy of commons".
| boopdewoop wrote:
| I'd rather hire a senior dev as a reviewer and a mid dev as
| the coder at a company. pay the reviewer more since they will
| be dealing with shit practices and having to train the dev.
| I_AM_A_SMURF wrote:
| Not only that, but properly reviewing code would take
| forever. Heck I don't know how many senior engineers at my
| fancy tech company could do it and reliably spot problems.
| horsawlarway wrote:
| Similar boat. I release an extension with about 1 million
| installs across Chrome/Firefox/Edge for work.
|
| Firefox (despite being the smallest usage) is utterly insane
| with regards to process. They demand a reproducible build, but
| then can't do things like install the right version of yarn (no
| - npm install -g yarn is not correct, our readme says it in
| bold like 5 times and provides the exact correct command to
| install the right version), or follow basic setup steps like
| "Use this version of node (complete with exact steps to install
| it and a script to automate that for them)".
|
| God fucking help you if you try to do something _completely_
| crazy as a private company like - checks notes - use a private
| NPM module. Despite providing them with access on a pre-
| configured account, or offering to give a review account access
| according to Mozilla "It's too hard to use external accounts
| during review".
|
| Honestly - having to interact with the browser review team is a
| _BIG_ reason I no longer recommend Firefox. They're
| incompetent at best, and I'm fairly convinced they're just
| milking the google search deal income for as much as it's
| worth - I don't think they really want to provide an
| alternative and secure browser anymore.
| ranger_danger wrote:
| This is exactly what the review process for the Play Store is
| like, even worse for Google TV apps. Often times just re-
| submitting multiple times without changing anything at all
| will get it pushed through.
| Yeul wrote:
| Yeah but despite how much HN hates Google everyone here
| will do whatever it takes to get on their app store. Google
| has the power to make the entire industry their bitch.
|
| Mozilla not so much.
| horsawlarway wrote:
| So much this. Mozilla barely breaks 10k installs out of
| our total 1million installed base.
|
| We had a really frank internal discussion about just
| dropping support for Mozilla because their review process
| is also the most expensive out of every client we
| currently ship (And not "reasonable expensive"... Useless
| time sink expensive, back and forths with folks who I
| would frankly not hire as a junior because they can't
| read a readme file and follow basic and clear
| instructions.)
|
| They are acting like they have the position to demand
| these reviews... and they just don't.
|
| Good devs just leave because they're a waste of time and
| money, and they're _STILL_ rampant with malware on their
| store (Mozilla is literally the only one of the major
| vendors that will make a listing live with no vetting,
| and then 4 months later yank it because of
| "problems"...).
|
| It doesn't make me feel secure, it makes me feel like
| they're trying to market security. It makes me really
| dislike mozilla, and firefox was a formative part of
| my tech career early.
| Yeul wrote:
| I totally understand if it isn't your hobby supporting
| Firefox doesn't make sense.
| creatonez wrote:
| On the flip side, having to interact with addon review has
| raised my confidence in the browser. The steps they take to
| review, while not perfect, seem like they could weed out a
| lot of potential garbage and malware. I was expecting a much
| more minimal review process, which would have raised my fear
| about the extensions I use and set to auto-update.
| Too wrote:
| Reproducible builds and open source sounds like a good thing.
|
| I wouldn't expect the reviewers to deal with every add-on's
| bespoke snowflake build. Even less so if it requires access
| to a private module. Mozilla should provide a baseline of how
| a build is intended to be done, then extensions just have to
| follow this template. Though yes, you would expect them to
| have some familiarity with basic stuff like yarn and that the
| baseline supports a few of the most popular builders.
| horsawlarway wrote:
| We use a relatively simple build. at the base of it, if you
| have node and npm, a complete build is as easy as
|
| yarn npm login
|
| yarn --immutable
|
| yarn build
|
| Personally - I don't really find it reasonable to place
| demands on build tooling for an external company.
|
| I'm assuming you would also find it reasonable for Google
| to suddenly ship chromium with a requirement that you use
| "google-pack" for all js builds or they don't run it?
|
| To be entirely blunt, what exactly do you think is going to
| change when we're already giving them bare JS? It's not
| like we're shipping a binary blob here, we're literally
| handing them a zip file with perfectly fine & inspectable
| javascript inside it.
|
| Further, do you realistically believe that a single low
| grade QA/Support engineer who can't even install the
| correct tooling is going to catch malware?
|
| Because I read their matrix chats and I can fucking promise
| they aren't catching the malware all that fast....
| xelamonster wrote:
| > I don't really find it reasonable to place demands on
| build tooling for an external company.
|
| I'm not sure I agree, plenty of OS distributions do this.
| If you want to distribute on Arch in the official AUR
| you're going to need a PKGBUILD file. The difference
| though is they make it very easy to integrate custom
| distribution channels where you can build the package
| however you want, and I would really love to see browsers
| move more in that direction. Requiring centrally managed
| signatures from a corporation to install extensions in a
| purportedly open and community-driven product is just
| absurd to me.
| oxym0ron wrote:
| Honestly I have to side with Mozilla team here. Kudos to them
| for trying to actually care about security and privacy. I can
| imagine the nightmare that people are submitting and trying
| to recheck everything and build those random extensions with
| private npm repos and whatnot.
| throwaway48476 wrote:
| They should switch to an fdroid like model that does public
| builds on cloud infra.
| suprjami wrote:
| > I'm fairly convinced they're just milking the google search
| deal income for as much as it's worth
|
| That's exactly what the ex-McKinsey C-suite are doing.
| Regular employee talent suffers because of it, as you've
| found.
| phatfish wrote:
| It sounds like they are doing their job attempting to review
| random code from strangers to be honest.
| xelamonster wrote:
| This sounds super frustrating, as someone who has an idea or
| two for browser extensions I'm not looking forward to all the
| bureaucracy. I actually love the idea of requiring and
| validating reproducible builds but they really should invest
| in reviewers competent enough to manage that.
|
| I do have half an idea to deal with it that I plan to try,
| thought it might be helpful to suggest: implement a Fisher-
| Price build system that checks and automates every single
| step and cannot go wrong. Ideally if the reviewers can run
| Docker, do it all in a container. Wrap package.json scripts
| with functions to validate the build environment before
| proceeding and either fix it automatically or fail and print
| clear instructions to the console. A preinstall hook could
| verify they have proper NPM auth and prompt for it if needed.
|
| Annoying to have to do that at all though. I'm starting to
| come to similar conclusions on Firefox, using it currently
| but I've been thinking about jumping ship for a while. What
| browser would you recommend now? I wanted to get away from
| Google but I'm considering just Chromium since any remotely
| comparable options I've found are poorly thought out wrappers
| of it.
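A sketch of the preflight check xelamonster describes above, as an added example that is not part of the original comment or of any extension's real build. It is meant to be called from a package.json `preinstall` or `prebuild` script and to fail with instructions a reviewer can act on; the registry allow-list covers the "private npm repos" concern raised earlier in the thread. `checkBuildEnv`, `ALLOWED_REGISTRY` and the sample data are hypothetical.

```javascript
// Added example (not from the thread). Names such as checkBuildEnv and
// ALLOWED_REGISTRY are hypothetical; sample data below is constructed.
const ALLOWED_REGISTRY = "https://registry.npmjs.org/";

// Compare "major.minor.patch" strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns human-readable problems; an empty list means the build may proceed.
function checkBuildEnv(pkg, lock, nodeVersion) {
  const problems = [];
  // 1. Toolchain: only the simple ">=X.Y.Z" form of engines.node is handled.
  const wanted = pkg.engines && pkg.engines.node;
  const m = wanted && /^>=\s*(\d+(?:\.\d+){0,2})$/.exec(wanted);
  if (!wanted) {
    problems.push("package.json: engines.node is not set, Node version unpinned");
  } else if (!m) {
    problems.push(`package.json: engines.node "${wanted}" is not in >=X.Y.Z form`);
  } else if (compareVersions(nodeVersion, m[1]) < 0) {
    problems.push(`Node ${nodeVersion} is too old; install ${m[1]} or newer`);
  }

  // 2. Lockfile (v2/v3 "packages" map): every dependency must be public and hash-pinned.
  if (!lock || !lock.packages) {
    problems.push("no usable package-lock.json; run `npm install --package-lock-only`");
    return problems;
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link || entry.inBundle) continue; // root, links, bundled
    if (!entry.resolved || !entry.resolved.startsWith(ALLOWED_REGISTRY)) {
      problems.push(`${path}: resolved from ${entry.resolved}, not the public registry`);
    }
    if (!entry.integrity) {
      problems.push(`${path}: no integrity hash, tarball cannot be verified`);
    }
  }
  return problems;
}

// Constructed sample: one public dependency, one from a private registry.
const samplePkg = { name: "demo-extension", engines: { node: ">=20.0.0" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-extension" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/@corp/internal-lib": {
      version: "2.0.0",
      resolved: "https://npm.corp.example/internal-lib-2.0.0.tgz",
    },
  },
};

function demo() {
  return checkBuildEnv(samplePkg, sampleLock, "18.19.0");
}
for (const p of demo()) console.log("FAIL:", p);
```

In a real hook the script would read both JSON files from disk, pass `process.versions.node`, and exit non-zero when the list is not empty.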
| bornfreddy wrote:
| > ... it might be helpful to suggest: implement a Fisher-
| Price build system that checks and automates every single
| step and cannot go wrong...
|
| Programming is a race between the programmers, trying to
| build better, idiot-proof software, and the Universe,
| trying to build better idiots. Do not underestimate the
| Universe.
| fcking_n1gg3rs wrote:
| I'm very sorry to hear that. I work at Mozilla, and I would be
| delighted to hear your story so we can make things right.
| amiga386 wrote:
| There's nothing more frustrating than being gatekept by
| incompetent, lying idiots. Sad day for users but the right choice
| by Hill.
|
| Mozilla wanted in on the $CURRENT_THING of being a "platform"
| where devs bow and scrape and they claim to be the great
| custodian of stuff, protector of users. Don't do this if you
| can't be competent at it. Devs _can_ leave, and they will if you
| fuck up often enough.
| internet2000 wrote:
| The sooner people realize Mozilla is not your friend, the better.
| They've been compromised by the Google money. Want an alternative
| to Chromium? Go support Servo or Ladybird, Firefox can't be
| saved.
| TZubiri wrote:
| Seems a bit extremist. I get being mad at Microsoft for trying
| to charge for their software (gasp). I also get being mad at
| Chrome for trying to monetize their software (gasp) with ads.
| But now if you somehow get upset at Mozilla, it's more likely
| that you are the problem.
| lez wrote:
| According to your argument, if Gorhill gets upset at Mozilla,
| then Gorhill is the problem? Who is the extremist here?
| TZubiri wrote:
| That's obtuse, I'm talking about users.
| nosioptar wrote:
| Neither of those work with ublock. I'd sooner disconnect from
| the net than not use ublock. (Same reason I don't use
| qutebrowser.)
|
| I like SeaMonkey, it works with a legacy version of ublock.
| It's like using Firefox back when it didn't suck.
| conor- wrote:
| Blink is to Servo what Chromium is to Firefox.
|
| Supporting Servo on its own doesn't really move the needle a
| whole lot if it's missing all of the rest of the bits that make
| a comprehensive browser.
|
| Firefox is already using Servo (at least in the form of
| Quantum) under the hood and is still the best option available
| to prevent more of a complete Blink monoculture than already
| exists with every other major browser being Blink-based or some
| reskin/fork of Chromium
| thoroughburro wrote:
| This _used_ to be true. The Servo project is actually
| building a full browser, now.
|
| https://servo.org/blog/2024/09/11/building-browser/
| nix0n wrote:
| If Raymond Hill endorsed a Firefox fork, I would switch to it
| immediately.
| pessimizer wrote:
| Yes, uBlock should incorporate Firefox, rather than Firefox
| incorporating adblocking.
| g-b-r wrote:
| A first effect of Mozilla's new "focus on AI"...
| TZubiri wrote:
| First came Netscape and all was good. Then came Internet
| Explorer, but apparently bundling a web browser with an operating
| system was bad, ok. Then came Google's Chrome trying to profit
| from a web browser with ads, and that was deemed 'bad' again.
| Then it was not sufficient for the browser manufacturers to push
| no ads, but the consumer demands that the browser block ads from
| websites. Now the browser developer and the third party ad
| blocker have some fight over who gets to serve clients that not
| only don't pay, but don't want advertisers to foot the bill
| either.
|
| I have no sympathy for users that don't want to pay for software,
| or for developers that cater to that demographic. Enjoy fighting
| for crumbs.
|
| Sent from Microsoft Edge.
| pessimizer wrote:
| Nobody is forcing you to put your website on the open internet,
| you're doing it because you're making a value judgement about
| how much money you can make by not closing or paywalling your
| system. Nobody cares what your business model is (that's your
| business and your decision barring illegality), and if it's not
| working for you, you should change it or shut down. Why should
| anyone have any sympathy for you?
| totetsu wrote:
| Tangentially, has anyone else noticed Chrome's extensions management
| page now saying uBlock Origin will soon be disabled and to please
| find a replacement?
| grahamj wrote:
| Yep. Fuck Google, I won't use a desktop browser without it.
| silverliver wrote:
| I wouldn't use a mobile browser without it either.
| grahamj wrote:
| Wish I could say the same but that would require using an
| OS by Google... we can't win :P
|
| Luckily there are other good options on the iOS front but I
| wish uBO was one of them.
| eYrKEC2 wrote:
| The replacement is Brave browser https://brave.com/. Skip the
| crypto. Enjoy the integrated ad blocking.
| yapyap wrote:
| honestly we aren't missing much by a manifest v3 ublock origin
| lite extension going away on firefox because firefox is still
| compatible with v2 so realistically we wouldn't have any use for
| it.
|
| nevertheless it still is a sucky situation
| Havoc wrote:
| Those don't seem like unreasonable asks on Moz side
| Sephr wrote:
| Doesn't this behavior from Mozilla staff indicate that using
| Firefox extensions at all is a security issue?
|
| This shows that the reviewers may not be competent enough to
| catch actual malware uploaded to their add-ons site.
| Aachen wrote:
| Yes. I never took the review process seriously, I assumed
| people could publish pretty much whatever. Today I learned it's
| meant to be tight as well as that you can't run your own code
| anymore; that it needs to go through review or you get to
| reinstall every time you start your browser.
|
| I've held out for a long time with Mozilla, trusting they
| thought it's a useful thing to do when they partner with
| Facebook to make privacy preserving adtech. This is a big ask
| of me though. I don't use it myself but I'm constantly running
| into limitations on Android and, at work, iOS because you can't
| simply do what you want on the devices without all sorts of
| hoops and fearmongering surrounding having actual access to
| your own device--the stuff I use my phone for simply doesn't
| run without root and one can't even make a full system backup
| without. It's not your device. Learning this about Firefox
| makes me feel it's not my browser...
| vednig wrote:
| Automated processes have so far managed to destroy the experience
| of the world wide web as a whole for developers and users both.
| And AI based tools seem like gas to this fire. Seems very soon
| web will die out of its quality and only bots will remain.
| NelsonMinar wrote:
| I'd hoped Google sabotaging uBlock Origin would be an opportunity
| for Mozilla to pick up some new users for Firefox. Lol.
| neilv wrote:
| Gorhill's full uBlock Origin might be the only remaining selling
| point for Firefox.
|
| With the outrageous sum of money that the Mozilla top executive
| was recently taking for themself, they could've instead staffed
| an entire team of first-rate people, with the sole mission of
| doing whatever Mr. Gorhill needed.
| move-on-by wrote:
| They are too busy working for the advertising companies Mr.
| Gorhill is blocking. Most recently adding 'privacy preserving
| attribution' - a feature that no user has asked for.
| paulryanrogers wrote:
| People don't want 3P cookies tracking them around the web.
| They also don't want to pay to visit sites. Mozilla is trying
| to provide a middle path, I salute the effort.
| ectospheno wrote:
| I pay to visit many sites on the internet. Netflix, Hulu,
| Disney, Max, Twitch, etc. They provide value for my money.
|
| I don't pay for news. Intelligent employees of news
| organizations would learn from that but no...
|
| Instead we get advertising apologists trying to gaslight me
| into thinking tracking is ok.
| tremon wrote:
| > Intelligent employees of news organizations would learn
| from that but no
|
| They did learn from it, that's why many "news" sites are
| now content-free entertainment, and why intelligent non-
| employees of news organizations complain that they're not
| providing news.
| thoroughburro wrote:
| Is everyone who claims the Internet cannot work without
| advertising only 20 years old? Why try to gaslight so many
| people who remember the Internet without advertising just
| fine. It was just a few decades ago!
| paulryanrogers wrote:
| I remember the BBS's, Compuserve, AOL, and the Internet
| before (ubiquitous) advertising. It was fun yet spartan.
|
| In light of the alternatives (like paying for everything
| with discrete purchase or subscriptions), I'd prefer that
| advertising survive. Ideally with less invasive ways of
| detecting my interests.
|
| My intention is certainly not to gaslight anyone. Not
| sure how you came to that conclusion.
|
| Full disclosure, I work for a paywall SAAS.
| qwertox wrote:
| I wish we could add PPAs to browsers just like we can in
| Debian/Ubuntu.
|
| Maybe the EU should look into this, and also allow the users to
| "weaken" their security in order to continue using Manifest
| Version 2.
| Log_out_ wrote:
| If you would group those woes by type of addon, I guess there is
| "irrelevant" and "a world of pain for those threatening Google
| ad revenues"... the hand that feeds.
| Lerc wrote:
| It seems to me that any platform with a review gateway should
| treat failing a review erroneously as a critical failure.
|
| In fact it does literally constitute denial-of-service.
|
| When a failure like this occurs, it needs more than an apology,
| it should have an incident report to show that the failure was
| understood and steps were taken to prevent future failures.
| tatersolid wrote:
| From a security standpoint the opposite is true: false
| negatives are to be avoided at all costs, even when that
| posture increases false positives. There's always a trade-off.
| eviks wrote:
| Or there isn't and such level of competence just increases
| the chances of both types of negatives: there is no good
| reason to think that people who can't see the obvious in
| cases like this one will catch hidden vulnerabilities
| andrewmcwatters wrote:
| We need an industry movement of just saying no to app stores.
| throwaway984393 wrote:
| This is why app stores / extension stores are simply an
| antipattern. The intent is to make usability easier, but it's
| actually useful functionality.
|
| Get rid of the app and extension stores and let users just
| install software they find on the internet. Safe and secure
| software is found on websites dedicated to reviewing them, like
| the Freshmeat of old, Tucows, etc.
| AndrewKemendo wrote:
| Is it even possible to connect to the public Internet in a way
| that isn't completely compromised by a corporation or state?
|
| TOR is busted at this point
|
| DNS have been MITMed
|
| Almost all hosts are under the control of a few players who are
| compelled by their respective states for ubiquitous and server
| monitoring
|
| Any advertised IP has to have tons of routing info and local
| pointers so local hosting is just as risky if not more
|
| What are the remaining options for a free (as in speech)
| internet?
| lez wrote:
| Nostr.
| AndrewKemendo wrote:
| Thanks I've heard of this but hadn't looked too hard
| squarefoot wrote:
| Technically intriguing, but the people involved don't inspire
| the slightest trust.
|
| https://archive.ph/TLwch
|
| ( https://www.businessinsider.com/jack-dorsey-fiatjaf-nostr-do... )
| ab_testing wrote:
| I think this is bad for the general population. Chrome is already
| planning to disable uBlock origin and many folks I know were
| ready to move browsers to Firefox to keep uBlock functionality.
| Now if uBlock is removed from Firefox extension store as well,
| there is no clear path to execute it from Github on managed
| machines. Sure if you are a developer and have admin rights, you
| can get it to work on Firefox, but a lot of people don't.
| btown wrote:
| Per the article, uBlock Origin is still in the Firefox store at
| https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...
| ; it's the lighter MV3-based uBlock Origin Lite that was
| removed. So the general population can continue to use the full
| Origin.
|
| And because the original non-lite uBlock Origin supports much
| more complicated rulesets, it should be effective even without
| code updates... but it still is concerning that the same
| Mozilla errors that caused Origin Lite to be flagged might
| extend to time-sensitive updates to the original Origin as
| well.
| dowakin wrote:
| Without Gorhill's uBlock Origin, the internet would be a really
| awful place. Thank you, Raymond!
| paul7986 wrote:
| One of Firefox's values is uBlock origin for its users yet not
| for Mozilla's money train Google and others.
|
| With uBlock, pop up blocker extensions and Mac Minis connected to
| my TVs (wireless mouse as remote) I have a totally ad-free Internet
| experience; every site there is & from my couch or in my rooms.
| sfink wrote:
| That sucks. I work for Mozilla, but nowhere near Addons so I
| don't know what pressures they're under or whatever.
|
| But if _I_ ran the zoo... this is gorhill we're talking about.
| We ought to just make him an add-on reviewer with full rights,
| and tell him it's ok if the only add-ons he reviews are his own.
| We do not need to vet either his competence or trustworthiness;
| we have vastly more historical data backing him up than on any
| contractor or employee.
|
| He's not a one-off either. We aren't nearly as volunteer-oriented
| as we used to be, sadly. But we still get many and major
| contributions from volunteers, and at least in my team
| (SpiderMonkey) there's no wall between external and paid
| contributors. (Except for the company-wide offsites, grr...) I
| don't see any reason why gorhill couldn't be made a full member
| of the review team, not that I'd expect him to be up for it right
| now given what's happened.
|
| That makes more sense to me than giving him a special pass that
| we could potentially give out to other people or organizations.
| He _is_ a major contributor to Firefox's capability and success
| already, let him contribute reviews that are already a thing and
| provide value. (Again, only self-reviews would be just fine with
| me.)
|
| Now I need to figure out who to pester on Slack.
| EasyMark wrote:
| I suspect he will simmer down a bit (I do not at all blame him
| for what he did, it has to be frustrating to dedicate thousands
| of hours into something just to have some clueless person pull
| it). I think it will be back inside of a week, it's important
| and can save battery over regular ublock origin on Firefox.
| thoroughburro wrote:
| > it's important and can save battery over regular ublock
| origin on Firefox
|
| That sounds like a reason for Mozilla to simmer down and
| compromise, not gorhill.
| omoikane wrote:
| This sounds like a proposal to make the review process give
| more weight to reputation, unlike the current process which is
| supposed to be entirely technical[1]. This might be a good
| idea, but I can see how Mozilla would get a different set of
| complaints about reputation not being consistently evaluated.
|
| [1] https://wiki.mozilla.org/Add-ons/Reviewers/Guide/Reviewing
| sfink wrote:
| That's a fair complaint, and I definitely agree that using
| reputation as a factor in the decision for an individual
| addon is a very bad idea. But why is that? (1) Because
| reputation does not imply trustworthiness. Someone could
| build up a reputation with a set of very proper addons, and
| then use that reputation to sneak in problematic ones. (2)
| Because it's unfair special treatment. The chosen person's
| addons would be subject to different standards than others'.
|
| Again, this is gorhill. People are offering authors of
| popular addons some mind-bendingly large sums of money to
| sell out. (1) does not apply: gorhill is the author of the
| most popular addon, which implies that he has been offered if
| not the most money, at least a lot more than most. And the
| well-known history is that someone did make money off of his
| original version, that someone isn't him, and in response he
| rebirthed the addon that he didn't particularly want to
| maintain. Try to find someone with a more convincing
| backstory.
|
| (2) is trickier, and it's why the distinction between uBlock
| Origin getting a free pass and gorhill being a reviewer makes
| sense to me, even if it seems like I'm just obscuring
| influence. As a reviewer, gorhill would be expected to not
| just automatically approve his own addons, but to apply the
| agreed upon evaluation criteria. This would be a farce if his
| integrity were in question, but see (1). It's pretty clear to
| see that he is the person most qualified to make that
| evaluation (heck, he's already doing it before releasing;
| he's not new to the game), so it comes down to trust.
|
| Sure, I am not the best person to review my own code, no
| matter how honest I might be. But read the Technical Code
| Review portion of the link above[1], since it's the only part
| that matters here. There are some addons where those criteria
| might be difficult to evaluate, but we're not talking about
| those. If significant code changes cause those to be less
| clear cut, gorhill can always pass it by another reviewer.
| (Yes, this again requires trust. See (1).)
|
| Plus, you don't even have to depend on (1). People can be
| skeptical and double-check, and news would get out very very
| quickly. (Even shortcomings in areas like a reproducible
| build would get called out.)
|
| I don't see this being a wide open backdoor into the process.
| Not many people are going to come by with the #1 installed
| addon, together with the history of uBlock and uBlock Origin.
| Sure, factoring reputation into the process is fraught with
| problems, but I'm not suggesting that everyone above 1M
| installs gets grandfathered in. This slippery slope is bone
| dry and covered with cobblestones.
|
| [1] https://wiki.mozilla.org/Add-ons/Reviewers/Guide/Reviewing
| AndrewKemendo wrote:
| People should read this when they think about AI
| "Alignment"
|
| Can't even have a singular aligned person with full
| confidence
| fph wrote:
| I disagree here. You don't want to allow people to review their
| own code. That defeats the purpose of a review. No matter if
| he's a superstar, have someone else look at his code so that he
| doesn't get sloppy with security practices.
|
| And if you allowed this, then more borderline superstars would
| want the same privilege.
|
| In scientific publishing, even if you're the editor in chief,
| your paper gets reviewed by someone else and the whole decision
| process happens away from your eyes; this is good for science.
| thatguy288 wrote:
| Probably a big ask, but could you find out why one is not
| allowed to add your own root cert to FF and sign an addon
| yourself, instead of being forced to use an ESR/develop/nightly
| version and setting xpinstall.signatures.required to false,
| significantly reducing your security?
| Timber-6539 wrote:
| I fully agree with Gorhill's decision to pull the addon. Any
| downgrade of user experience on Firefox is solely due to their
| addons review team.
|
| Maybe if more developers refuse to put up with such bullshit in
| the name of gatekeeping the extensions store, browser vendors
| will start acting properly.
| superkuh wrote:
| uBlock Origin 1.60 for desktop (not lite) has also been stuck in
| Mozilla review for a week now. On the firefox add-on site it is
| still 1.59 which doesn't really work for common things like
| youtube.
| EasyMark wrote:
| I'm glad he put it back up, I for one use it knowing that it's
| saving me battery on my phone and it works quite well.
| adam-p wrote:
| If you want another example of difficulty with the AMO review
| process: https://github.com/adam-p/markdown-here/issues/21
|
| And that's just one of the examples; another resulted in me
| having to add a preprocessor that removes code at build-time,
| which was annoying. I like Firefox, but it wasn't always easy to
| justify the effort.
___________________________________________________________________
(page generated 2024-10-02 23:02 UTC)