[reubenmorais]

> And if someone can trick me into modifying /usr/lib, they can just trick me into replacing Firefox completly with their malwared build, so signing will not save me anyway.

As you said yourself, that's a much bigger hassle and cost. In other words, it's an effective deterrent. Writing to a user owned file is a very low bar for allowing privileged code execution in the browser.

A long time ago browsers used to be infested with all kinds of toolbars and extensions automatically installed by third party software, I for one am glad to not have to worry about that in my computer and on networks I manage or frequent.

[SunlitCat]

It's an effective deterrent to keep power user away from your software as well! So if that's what Mozilla wants, they have their mission accomplished!

[reubenmorais]

A power user only needs to RTFD: https://wiki.mozilla.org/Add-ons/Extension_Signing#FAQ

[SunlitCat]

Yeah...no.

Only preview versions and developer versions can run unsigned addons. Both coming with their own set of reasons why you shouldn't use them as your daily browser.

[megous]

And ESR, but that may not be normally distributed in Linux distros. It's not in Arch Linux.

There's no hassle free solution. Only way to run your own code on normal branded Firefox release is to rely on third party signed extensions (eg. Violentmonkey), but that's not really hassle free either if you have 10s of userscripts and multiple browser profiles, and you have to trust some third-party to not go rogue. I got pretty terrible malware from mozilla add-on store in the past.

[megous]

/usr/lib are not user owned files