Hacker News new | ask | show | jobs
by arp242 747 days ago
> browser extensions never should have required Mozilla's "approval" in the first place;

You don't need Mozilla's approval; anyone can publish an add-on anywhere and anyone can install it in Firefox. I've distributed some bespoke non-public addons like this.

It's just the Mozilla add-on website/listing that's curated, which seems reasonable; it's their website and they can have their rules.[1] You can make your own "clipsy add-on listing" website if you want.

[1]: in this case, it's not even "banned", just not displayed in Russia. It was probably a "ban these extensions or we'll ban all of Firefox" type scenario. Saying "njet" to Putin is tempting, but how does all of Firefox being banned in Russia help Russian people? It doesn't. You may not like the situation, but simplistic takes which simply ignore the reality of the situation are not serious.
3 comments
jwitthuhn 747 days ago
The extension needs to be signed by mozilla for the normal production builds of firefox to let you load it on startup. If it isn't signed, you need to manually load it in using about:debugging each time you restart firefox.
link
arp242 747 days ago
Mozilla is not preventing from signing anything here (and the "security checks" on who can sign are so weak it might as well not exist in the first place).
link
dartharva 747 days ago
Same applies to Chrome as well by that logic; it allows you to sideload unverified extensions too at the cost of annoyingly making you set it up at every startup.

I guess we're all better off using Chrome then?

link
yjftsjthsd-h 747 days ago
Okay, but you've moved the goalposts from

> You don't need Mozilla's approval

to pointing out that Mozilla has approved (signed) this extension.

link
arp242 747 days ago
That's you're pedantically language-lawyering my post while not engaging with the far greater falsehood that the previous poster was perpetuating is not a good look.

And the reality is Mozilla can always block any extension they want. They can just change the Firefox source code. It doesn't matter what functionality does or doesn't exist now or what the policy they do or don't have – everything can always be changed. That's true for almost anything.

So what they "could do" is a complete distraction in the first place because the "could do" anything. What they ARE doing matters.

link
yjftsjthsd-h 747 days ago
No, pointing out that your claims are conceptually false is a fine look.

It's not about things Mozilla could theoretically do to block you, it's that they require you to proactively get their permission to run an extension (in a prod version of the browser on an ongoing basis, which I think is reasonable table stakes). Here's their official docs for self-distribution, i.e. not using the AMO at all: https://extensionworkshop.com/documentation/publish/submitti... Notice that step 1 starts with giving Mozilla your extension to approve of, step 4 goes so far as to say that if your extension doesn't pass their checks then

> The message informs you of what failed. You cannot continue. Address these issues and return to step 1.

then step 7 is make sure Mozilla reviewers can read your source code, step 9 is wait for them to get back to you, and step 13 is download the XPI that Mozilla has approved to be allowed to run in their browser.

So yes, you absolutely need Mozilla's approval to publish an extension, even if you self-publish the XPI after they've blessed it. If they do not perform the action of signing it, they don't need to change any source code, it won't install. It may be true that in this case they have given that approval, but that doesn't invalidate the general point, and this is a fundamental restriction, not "language-lawyering".

link
jwitthuhn 747 days ago
I have to disagree that I'm perpetuating any falsehood here. Mozilla literally needs to approve an addon for it to behave normally. That you are satisfied with the process they have for approving doesn't change that.

To me it seems absurd for a company that claims to be so pro-privacy to not allow any genuinely private extensions to exist. Anyone who wants to make a 'real' addon has to share their code with mozilla.

link
arp242 747 days ago
I actually mostly had the top poster in mind, not you, sorry for the confusion.

What you're saying is technically true, but also not relevant, as explained. They can have the best system in place today, and just change Firefox tomorrow. So it doesn't really matter how the system works now. This is true for anything from Mozilla to XFree86 to Redis to left-pad.

De-facto reality is that right now anyone can create an account and just create a signing key and distribute their extensions $anywhere. Approval is little more than rubber stamp. Mozilla not going around granting "approval" or anything like that.

And they certainly didn't revoke the very weak "approval" here; people can distribute and install it. It's just not listed on the Russian add-on store. So that makes it doubly irrelevant.

link
38 747 days ago
> You don't need Mozilla's approval; anyone can publish an add-on anywhere and anyone can install it in Firefox.

Nope. Not on Android.

link
rjh29 747 days ago
Yep, but you can use Fennec from FDroid.
link
anon66669938144 747 days ago
how do i install xpi on fennec? i'm getting file not found when trying to open xpi with fennec app
link
deadlydose 747 days ago
Settings > About Fennec. Tap the logo five times to unlock the debug menu, then there will be an option to install addons from a file.
link
38 746 days ago
This addon cannot be installed because it has not been verified
link
anon66669938144 747 days ago
thanks, didn't know about that. with all that censorship i been backing up a lot of programs and source tarballs locally. perhaps one day i'll go completely offline and off the grid and move to the mountains or some shit like Tuva where i will have goats and cows livestock. it's all getting so tiresome, i want out of this technological hell.
link
szundi 747 days ago
Yes, seems to be exact way out
link