I'm reminded of the ArchLinux AUR, which deals with a problem kind of like this. AUR managers show a diff of what changed in a package on each update.
Perhaps one could make extension auditing easier by scripting together a Git repository from extracted xpis, and presenting updates as patches to that repository. This is probably only viable for high-security environments - it's not with it in the common case.
Of course, the real fix would come from Firefox itself: it should provide signed extensions and a way to tie them back to Git repositories with source code, which would eliminate the need for the above automation, and allow people to crowdsource extension auditing.
I'm reminded of the ArchLinux AUR, which deals with a problem kind of like this. AUR managers show a diff of what changed in a package on each update.
Perhaps one could make extension auditing easier by scripting together a Git repository from extracted xpis, and presenting updates as patches to that repository. This is probably only viable for high-security environments - it's not with it in the common case.
Of course, the real fix would come from Firefox itself: it should provide signed extensions and a way to tie them back to Git repositories with source code, which would eliminate the need for the above automation, and allow people to crowdsource extension auditing.