by DannyBee 3530 days ago
So, there are so many problems with this that I don't know where to begin. Since folks have already noted the "not notifying Google" issue, let me point out another:

Prior to the ban, I can find literally no discussion or details about this being about to happen (i.e. no notice), pretty much ever.

You can see it was initially noted here: https://github.com/mozilla/addons-linter/commit/86f4dfb44355...

I can find no discussion around it (maybe it's there but I'm missing it? I looked in a lot of places).

You can see it fixed an issue to "warn third party developers of things we banned/don't advise", but there's nothing about initially banning anything there, and it was added with an initial ban list containing Angular. I would have expected a page added, then a ban discussed, then a ban added. Or something.

In fact, the details of the ban changed (https://github.com/mozilla/addons-linter/commit/2dcc2226e2ec...) repeatedly without notice either.

This seems really bad. I would have expected, at the very least, a heads-up to extension developers or something, or even a more public notice when it happened, so that some discussion could be had about it.

Instead, it looks like the only way you would have found out about it is by trying to lint an extension and seeing it banned (i.e. after you developed it), or by somehow randomly browsing the doc pages Mozilla has.


> Instead, it looks like the only way you would have found out about it is by trying to lint an extension and seeing it banned (i.e. after you developed it)

It's one of the big dangers of a "walled garden": you are subject to the whims of the arbiter.

I wonder if any business-critical apps stopped working because of this?
Google has repeatedly been equally abrupt in making breaking changes to other people's apps/products/pages/sites to resolve security problems. I'm glad they do, and I'm glad Mozilla isn't fucking around with stuff like this either.
I'll assume this is true (not my area!):

1. Just because one guy is an idiot does not mean the other should be.

2. You know, you may want to tell people, and establish a process for telling people, that this is happening (i.e. it should not take until a person files a GitHub issue asking what's up when they validate their app to know what's going to be okay and not).

(And if the answer is "Google doesn't do that", see #1 :P)

The people you just called idiots are demonstrably not idiots. Your company is extraordinarily lucky to employ them.
Sorry, yes, that was crass, and I apologize. I can't edit it anymore, sadly.

I meant it really in the sense that: You have given no reason this couldn't have been done in a fashion that provided the barest minimum of notice or information. Doing so when you can do so is the right thing, and if someone else is not doing that, that does not mean you should duplicate that process.

As far as I know, nobody has claimed otherwise, here or there.

In fact, there are a number of factual inaccuracies that seem to have been driving parts of this decision (i.e. "Google has stopped supporting Angular 1") that a trivial notice and discussion process probably would have corrected.

Past that, nothing in this discussion has pointed to anything so urgent (especially given the 6+ month period between the original presentation and any notice at all that it was banned, and then another 6 months until now) that it required immediate action at the point they did it. If there was something, again, someone could have, at the very least, said so ("Hey, we discovered a problem, we're going to take immediate action, this may hurt. Sorry").

TL;DR: I'm a fan of "ready, aim, fire", not "fire, ready, aim". If it can't be done that way, fine, but no data says that was the case here.

Sorry, I thought I had written a longer comment but got distracted, so that came out sharper than I meant.

I agree. Notice is good. But all sorts of pressures interfere with notice, like embargoes, multiple stakeholders, threat intelligence, IR and active exploitation, and so on.

The important thing is to close the vulnerability. Everything else is distantly secondary.

Also, and respectfully: it is not so much Mozilla's job to know the maintenance status of Google JavaScript libraries as it is Google's responsibility not to ship JavaScript code (or extensions) that make Mozilla insecure.