by jimrandomh 62 days ago
I think the main problem here is the ideology of software updating. Updates represent a tradeoff: on one hand there might be security vulnerabilities that need an update to fix, and developers don't want to receive bug reports or maintain server infrastructure for obsolete versions. On the other hand, the developer might make decisions users don't want, or turn malicious, even temporarily (as in a supply chain attack) or permanently (as in selling off control of a browser extension).

In the case of small browser extensions from individual developers, I think the tradeoff is such that you should basically never allow auto-updating. Unfortunately Google runs a Chrome extension marketplace that doesn't work that way, and worse, Google's other business gives them an ideology that doesn't let them recognize that turning into adware is a transgression that should lead to being kicked out of their store. I think that other than a small number of high-visibility long-established extensions, you should basically never install anything from there, and if you want a browser extension you should download its source code and install it locally as an unpacked extension.

(Firefox's extension marketplace is less bad, but tragically, Firefox doesn't allow you to bypass its marketplace and load extensions that you build from source yourself.)
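The post above recommends downloading an extension's source and loading it unpacked rather than trusting a store to update it. A practical companion to that is reviewing the extension's manifest.json before loading it, and diffing the manifest against the previously reviewed version whenever you do pull an update, since permission growth is the usual tell that an extension has changed hands or purpose. The Python below is an added example, not code from the thread; the manifest keys it reads (permissions, host_permissions, content_scripts, update_url, content_security_policy) are standard WebExtension fields, while the two sample manifests and the list of permissions treated as sensitive are constructed for illustration.

```python
"""Review a WebExtension manifest.json before sideloading it, and compare two
versions to spot permission growth between updates.

Added example; not code from the thread. The two manifests at the bottom are
constructed samples and do not describe any real extension.
"""
import json

# Permissions that grant broad read/modify access and deserve a second look.
# This list is an assumption for the example, not an official classification.
SENSITIVE_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "tabs", "cookies", "history",
    "nativeMessaging", "proxy", "debugger", "management", "scripting",
}


def _all_permissions(manifest):
    """Collect every declared permission from MV2 and MV3 manifest fields,
    including the match patterns of content scripts (which also grant access)."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms


def review_manifest(manifest):
    """Return a list of human-readable findings for a parsed manifest dict.
    An empty list means nothing in the checked fields stood out."""
    findings = []
    risky = sorted(_all_permissions(manifest) & SENSITIVE_PERMISSIONS)
    if risky:
        findings.append("sensitive permissions: " + ", ".join(risky))
    # update_url lets a self-hosted extension fetch its own updates, which is
    # exactly the behaviour the post argues against for sideloaded code.
    if "update_url" in manifest:
        findings.append("update_url present: extension can fetch its own updates")
    # MV2 stores the CSP as a string, MV3 as a dict keyed by context.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp:
        findings.append("CSP allows unsafe-eval")
    return findings


def permission_delta(old_manifest, new_manifest):
    """Permissions present in the new version but absent from the old one."""
    return sorted(_all_permissions(new_manifest) - _all_permissions(old_manifest))


# Constructed sample: a small formatter extension as first reviewed ...
V1 = json.loads("""{
  "manifest_version": 3,
  "name": "JSON Pretty (constructed sample)",
  "version": "1.0",
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["https://example.test/*"], "js": ["fmt.js"]}]
}""")

# ... and a constructed follow-up version whose permissions have grown.
V2 = json.loads("""{
  "manifest_version": 3,
  "name": "JSON Pretty (constructed sample)",
  "version": "1.1",
  "permissions": ["storage", "tabs", "cookies"],
  "host_permissions": ["<all_urls>"],
  "update_url": "https://updates.example.test/manifest.xml",
  "content_security_policy": {"extension_pages": "script-src 'self' 'unsafe-eval'"}
}""")

if __name__ == "__main__":
    for label, manifest in (("v1", V1), ("v2", V2)):
        print(label, review_manifest(manifest) or ["no findings"])
    print("added since v1:", permission_delta(V1, V2))
```

Run it against a real manifest by replacing the constructed samples with `json.load(open("manifest.json"))` for the unpacked directory you are about to load, and keep the previously reviewed manifest around so `permission_delta` can tell you what an update added before you accept it.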


>Firefox doesn't allow you to bypass its marketplace and load extensions that you build from source yourself

It's less than ideal but you can 1) load extensions temporarily in about:debugging, 2) turn off xpinstall.signatures.required in nightly or dev edition to install them for good or 3) sign on addons.mozilla.org without publishing to the marketplace.

Or 4) patch the checks out yourself. As they say, "Firefox is open-source for a reason."
It might actually be something I would do, especially as I could probably vibe code and vibe build it.

Will see if I get time to do so.

For me, the solution is simple: anything you download and run locally should not auto-update ever, period. Installing an update (or refusing one) should always be a conscious user action. Otherwise it's just a socially-accepted RCE backdoor.

I used to use Duplicacy for my backups. The author was hell bent on not allowing disabling auto updates.

The Go binary would be downloaded automatically and silently, periodically. I tried to fight it for a while but at some point he added checks (!) to ensure that nobody was blocking his RCE model. Meaning it would no longer run on one of my partially air-gapped systems.

I moved on, but a lot of other software behaves that way.

Most Chromium-based browsers will show a big scary and permanent button if they can't update, for example.

> Most Chromium-based browsers will show a big scary and permanent button if they can't update, for example.

Vivaldi which I use thankfully doesn't do that. At least on macOS it uses the common Sparkle updater, which would pop up a window in your face when you least expect it telling you that an update is available, showing a changelog and letting you decide when and whether to install it.

Even though it is an interruption, it's still much more respectful than what Chrome does. It insists on running a background service at all times and the only way I was able to neutralize it was to delete its .plist file and create a directory with the same name.

Even without that, I can't afford to deal with the constant churn of UI changes and feature deprecation.

Yep, just like antivirus back in the day. Sure, it might protect you from a virus now and then, but AVs actually caused more broken computers and false-positive triage work than they protected. In the long run it was never worth running an antivirus on your computer.

This is how updates are now. Sure, there are sometimes some security updates that you should have installed. But more often than not it's just some bullshit I don't want.

If the extension does something that isn't changing, like JSON formatting, I guess it's best to disable updates right after you install it.

I just did this for all extensions I have in Firefox. Not sure about extensions like uBlock though? Doesn't it fetch new lists of sites to block or something like that? Or is that done separately from updates?

> Doesn't it fetch new lists of sites to block or something like that? Or is that done separately from updates?

It's done separately from updates.

I also disable auto updates for extensions and I keep extensions that I don't need daily installed but disabled.

It's annoying that Firefox doesn't have an "Update all" button, but clicking manually on a handful of extensions once a month isn't that much of a chore :shrugs:.