Hi,
read the thread now. I ignored it based on the subject, btw, didn't seem
to affect anything in real life from just glancing at that.
I'd like to get langpacks excluded. Maybe we need to make their
abilities to do stuff more robustly checked, but for a localizer wanting
to test their work, this is really cumbersome. Note, the default config
of those might even fail the malware checks, as the default identifies
the author as "mozilla.org".
For non-l10n questions:
We'd need developers to grant us a license to their code, right? Do we
know for how many add-ons we'd actually need a license agreement that's
not covered by the EULA of the add-on?
I think that the current proposals for developers and internal org
add-ons are too course. The proposal seems to expose them to malware
just for the sake of their own development or deployment.
I think that blocking the install is too hard for non-registered
add-ons. A consistent UI that encourages users to uninstall
non-registered add-ons might be all we need to get developers to
register voluntarily.
Also, the "just break the network" path seems to be easy to get to for
malware installed by .exe installers on windows, at least. Or at least
be open to social engineering as much as dismissing a non-registered
add-on UI.
Axel
On 10/30/13 10:55 PM, Jorge Villalobos wrote:
Cross posting to dev.planning, where I originally intended this to be.
Please follow up to dev.planning.
Jorge
On 10/30/13 3:42 PM, Jorge Villalobos wrote:
Hello!
As many of you know, the Add-ons Team, User Advocacy Team, Firefox Team
and others have been collaborating for over a year in a project called
Squeaky [1]. Our aim is to improve user experience for add-ons,
particularly add-ons that we consider bad for various levels of "bad".
Part of our work consists on pushing forward improvements in Firefox
that we think will significantly achieve our goals, which is why I'm
submitting this spec for discussion:
https://docs.google.com/document/d/1SZx7NlaMeFxA55-u8blvgCsPIl041xaJO5YLdu6HyOk/edit?usp=sharing
The Add-on File Registration System is intended to create an add-on file
repository that all add-on developers need to submit their files to.
This repository won't publish any of the files, and inclusion won't
require more than passing a series of automatic malware checks. We will
store the files and generated hashes for them.
On the client side, Firefox will compute the hashes of add-on files
being installed and query the API for it. If the file is registered, it
can be installed, otherwise it can't (there is planned transition period
to ease adoption). There will also be periodic checks of installed
add-ons to make sure they are registered. All AMO files would be
registered automatically.
This system will allow us to better keep track of add-on IDs, be able to
easily find the files they correspond to, and have effective
communication channels to their developers. It's not a silver bullet to
solve add-on malware problems, but it raises the bar for malware developers.
We believe this strikes the right balance between a completely closed
system (where only AMO add-ons are allowed) and the completely open but
risky system we currently have in place. Developers are still free to
distribute add-ons as they please, while we get a much-needed set of
tools to fight malware and keep it at bay.
There are more details in the doc, so please give it a read and post
your comments and questions on this thread.
Jorge Villalobos
Add-ons Developer Relations Lead
[1] https://wiki.mozilla.org/AMO/Squeaky
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
