[megous]

I can not run my own extension in Firefox by modifying a config file. It's not possible. Not even if I don't let dishonest actors anywhere near my Firefox install.

I can murder some trees and poison the environment for all of us, to do pointless mutli-hour re-builds of Firefox for each release and point release to have it accept my add-ons, though.

I've also never seen a reason, why I can't at least place my CA into Firefox /usr/lib/firefox folder or /etc/firefox and have it be respected. Or just place local extensions there and have firefox not require signatures for them, because there's no way these can be installed accidentally from web by clicking some link.

And if someone can trick me into modifying /usr/lib, they can just trick me into replacing Firefox completly with their malwared build, so signing will not save me anyway.

[pabs3]

The Debian build of Firefox does load extensions from /usr/share/mozilla/extensions, so that it will load the extensions in the Debian webext-* packages. You can even add a symlink there pointing at a dir in your /home so you can load extensions you are developing.

[megous]

That's because it's an ESR build. Normal build does that, too. The extensions still have to be signed. It's not a Debian thing.

One ESR build, you can disable signature checks though in about:config. Not sure how this fits into the standard Mozilla orthodoxy. Remember that core tenet of the orthodoxy is that users can't be trusted to protect themselves...

So maybe Mozilla cares less about safety of users that want to use their ESR (extended support) build. There are way fewer of these users than that of main Firefox build, so their safety is maybe not that important on the grand scale of 2.5% marketshare that Firefox still holds.

[pabs3]

The extensions in /usr definitely do not need to be signed, I've loaded unsigned ones before and the webext-* packages do not contain signatures.

[megous]

Looks like the cause that this does not work for me is extensions.autoDisableScopes defaulting to 11

Well, great. This is at least something :)

[pabs3]

What I said applies to both of Debian's firefox and firefox-esr packages, so it definitely isn't just an ESR thing.

[reubenmorais]

> And if someone can trick me into modifying /usr/lib, they can just trick me into replacing Firefox completly with their malwared build, so signing will not save me anyway.

As you said yourself, that's a much bigger hassle and cost. In other words, it's an effective deterrent. Writing to a user owned file is a very low bar for allowing privileged code execution in the browser.

A long time ago browsers used to be infested with all kinds of toolbars and extensions automatically installed by third party software, I for one am glad to not have to worry about that in my computer and on networks I manage or frequent.

[SunlitCat]

It's an effective deterrent to keep power user away from your software as well! So if that's what Mozilla wants, they have their mission accomplished!

[reubenmorais]

A power user only needs to RTFD: https://wiki.mozilla.org/Add-ons/Extension_Signing#FAQ

[SunlitCat]

Yeah...no.

Only preview versions and developer versions can run unsigned addons. Both coming with their own set of reasons why you shouldn't use them as your daily browser.

[megous]

And ESR, but that may not be normally distributed in Linux distros. It's not in Arch Linux.

There's no hassle free solution. Only way to run your own code on normal branded Firefox release is to rely on third party signed extensions (eg. Violentmonkey), but that's not really hassle free either if you have 10s of userscripts and multiple browser profiles, and you have to trust some third-party to not go rogue. I got pretty terrible malware from mozilla add-on store in the past.

[megous]

/usr/lib are not user owned files