[jsploit]

> After waiting for a long while, I gave up and switched to the Developer Edition so I can use my own add-on.

I find it very frustrating that they now force users into Nightly / Developer Edition if they want to permanently install unsigned add-ons. What's the harm in simply locking that functionality with a config option?

[dessant]

> What's the harm in simply locking that functionality with a config option?

Nothing, there is nothing wrong with educating and informing users, then letting them use an extension privately. Users should not be forced to use unstable versions of Firefox to install an extension locally, nor should it be Mozilla's business to inspect the source code of that extension.

What's funny is that even in browsers such as Safari and Chrome you can permanently install a local extension after toggling an option, without being forced to disclose the source code to Apple or Google.

Firefox is the only desktop browser that prevents users from installing local extensions, and because Mozilla does not control the platform, malware can trivially bypass their restrictions.

[the8472]

Mozilla is like apple in that regard, users can't be trusted with their own machines and the well-intentioned mothership must at all times be in control since at any moment they could fall to social engineering and then they (apple/mozilla) would get blamed for whatever the malware did.

Installing developer edition is the blessed way to opt out of that.

[dessant]

You can install a locally built and signed extension in the release version of Safari, without disclosing the source code to Apple.

[the8472]

I was referring to apple's general behavior (how they lock down their phones) not their specific browser extension policy.

[hda2]

If apple, one of the most controlling companies on the planet, thinks it's okay for their users to install any extension they want, why does Mozilla feel justified to do the opposite?

What risk are they trying to mitigate, and was it worth pushing addon developers away from their browser too?

Their reasoning? https://blog.mozilla.org/addons/2019/10/31/firefox-to-discon...

No wonder people abandoned them. Mozilla is the digg of browsers.

[SimeVidas]

At least Nightly is the superior version of Firefox, so it’s an upgrade.

[noisem4ker]

Firefox Developer Edition is now based on the Beta release channel, since Aurora is no more. It's supposed to be more stable than Nightly.

[SimeVidas]

That’s technically true, but in practice, Nightly is very stable. I’ve been using it for probably five years, and issues are seldom.

[mastax]

Malware can set that config option without consent.

[jsploit]

If malware has that level of access on your machine, chances are your browser is already fully compromised.

[noisem4ker]

Configuration and add-ons reside in %AppData%, or an orherwise user-writable profile directory. Compromising the executable, which lives under %ProgramFiles%, or an otherwise protected directory, takes administrator rights.

Beyond this plausible inconvenience, however, Mozilla simply doesn't want regular users messing with unapproved add-ons. Just switch Firefox to Developer Edition for that. It's been very stable, in my experience.

[jsploit]

The Firefox profile directory also contains sensitive things like its file cache and trusted CA database, so you don't need to plant a malicious extension to achieve significant impact when you only have write access.

[hda2]

Then why wont they allow users to install their unsigned addons in %ProgramFiles%? I don't think protecting against a compromised %AppData% was their only goal.

[throwaway2048]

Malware can also install firefox developer's edition, or a modified firefox without consent.