[Jach]

Making it so extensions don't auto-update themselves would be a helpful step in the right direction, it would cut down on the impact of when these things happen. Unfortunately I think we'll sooner see Firefox aping Chrome on this than the other way around.

[paulryanrogers]

But this goes against other security advice: stay up to date.

[Jach]

The real security advice is: keep up to date with security patches. Staying up to date just because is not good advice.

Gentoo has a nice system, "Gentoo Linux Security Advisories", where you can periodically run a program called glsa-check which lets you know if you have packages installed that have security problems, what the problems are, and points to more info (like CVEs). You can even have it upgrade stuff on its own if you don't want to think about it. Something like this would be a nice feature for browser extensions.