by aepiepaey
2542 days ago
> This tool binary-patches your local system rather than shipping via AMO. That’s not healthy.
Modifying/creating/updating a few text files in your profile directory is not "binary-patching". And it's done this way because it's impossible to do it with only a WebExtension published on AMO.
Correction #1: "This binary tool patches"
Predicted reply: "It's a shell script, not a binary"
Correction #2: "This executable tool patches"
Predicted reply: "It doesn't patch Firefox, it just alters your Firefox profile"
Correction #3: "This executable tool alters your profile"
Predicted reply: "Shell scripts aren't executables"
Correction #4: "This arbitrary code alters your profile"
Predicted reply: "It just adds a theme that AMO won't allow!"
And so, having nitpicked that to death to save us death by nested replies, I'm going to focus on your second sentence:
> it's done this way because it's impossible to do it with only a WebExtension published on AMO.
Correct. My point is that you can get lots of HN readers to do completely unsafe things — like allow a shell script to make modifications to their Firefox profile — by phrasing it as something appealing, like 'dark mode'. This modification is, by nature of being a command-line profile modification, horrendously unsafe.
It makes a case for why Apple is now implementing kernel-level restrictions for read/write access to ~/Library/Mail, ~/Photos, and so forth — because sooner or later someone will run something that unexpectedly demands access to something it shouldn't have, and the user will be given a chance to deny it. After I upgraded to Catalina beta, Dropbox tried to access my ~/Desktop folder. Why? I only use ~/Dropbox. I denied it access.
I wish I could have the same "permission dialog required" approach applied to ~/Library/Application Support/Firefox, so that nothing but Firefox and tools I explicitly authorize can edit my profile.
Until that day, people will continue running things like this, thinking that they're somehow safe, without any warning from the Firefox team that "Granting this access could allow malicious software to intercept your communications and steal your credentials", which this dark mode thing very much could if someday the author of this "shell script" decides to make it do so.