On 12/02/15 13:29, Brian May wrote:
> See
> https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/
> 
> The following threads on the mailing list appear to be relevant (I haven't
> read them yet):
> 
> https://groups.google.com/forum/#!topic/mozilla.addons.user-experience/qIgLq28aTdI
> https://groups.google.com/forum/#!topic/mozilla.addons.user-experience/slaKs943n4c

Thanks. So Mozilla is to become a central signing authority for add-ons,
and all add-ons must be signed before they will be installable on
upcoming Firefox releases. Colour me impressed.

I'm all for having add-ons signed. I take that pretty seriously
actually, and I didn't try Arch for years because they didn't support
package signing (which they have apparently since sorted). But there are
some big differences between what Mozilla is doing, and what other free
software projects do that distribute packages (such as Debian and
F-Droid, for example).

The main problem is that Firefox is mandating all packages be signed by
Mozilla regardless of where and how the packages are distributed. I can
set up my own F-Droid or Apt repository just fine (and I have actually
done the latter for apps installed and developed internally to my
workplace) - but *I* get to sign them. I don't need to submit them to
Debian first.

As it stands, Mozilla is going to hurt add-on developers - making it
more difficult to test releases, much harder to find beta-testers,
introducing more manual steps, and an unnecessary delay in being able to
release. They are going to hurt end users - they will no longer have
access to old unmaintained add-ons unless they wish to learn how to fork
and submit them (which it is unlikely many will do). Lastly, it's going to
hurt Mozilla, as IMO it further tarnishes their reputation (although
they already lost most of it when they chose to support EME extensions IMO).

There are other questions that have arisen, such as what will happen to
add-ons that basically enable side-loading scripts such as GreaseMonkey and
dotjs, or add-ons that do things illegal in the US (eg. due to DMCA
restrictions) but are legal outside? What about environments that do not
allow private add-ons to be hosted on remote servers for fear of court
orders, the NSA, or a server compromise? The responses to such questions
have so far not been encouraging.

I expect most GNU/Linux distributions which package rebadged versions of
Firefox and popular add-ons will be disabling this functionality out of
necessity anyway, but I still can't help but feel disappointed.



_______________________________________________
Free-software-melb mailing list
[email protected]
http://lists.softwarefreedom.com.au/cgi-bin/mailman/listinfo/free-software-melb


Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
