[conspire] even though I install an add-on to create a tiny url in Firefox, the add-on is not available

Rick Moen rick at linuxmafia.com
Wed Dec 23 14:44:59 PST 2009


Quoting Darlene Wallach (freepalestin at dslextreme.com):

> I installed add-ons to create a tiny url, TinyUrl Creator 1.0.5 and
> TinyUrl Generator 1.0.12 to Firefox

Near as I can tell, both of these are proprietary extensions.  Why go to
the trouble of running an open-source browser on an open-source
operating system, and then install unaudited extensions into it written
(I assume) by someone you don't know and have no reason to trust with
the security of your system?

Pardon me if I seem to be picking on you, Darlene, which is not my
intention, but I notice that people seem to be picking up the habit of
installing software without bothering to attend to the basics of
security.  

One of the worst offenders in this area is the Mozilla Organization,
which encourages such behaviour through sites like
https://addons.mozilla.org/ .  Notice that each extension entry has a
big "Download Now" button, and absolutely no information about source
code or licensing -- let alone any information about why that software
foundry can be trusted with your user-level or system security.

I'm about to publish an article in (probably) the January issue of
_Linux Gazette_ about Firefox extensions, Firefox privacy, and security.
It includes a brief reminder that you should _always_ try to get all
software from maintained distro packages where humanly possible.  Maybe
I should go back and revise the article, while I still can, to stress 
how dangerous going outside that regime is, and how poorly regulated the 
"add on" world is generally.


The bad habit of installing any-old-damned-thing outside one's distro
package regime is not only courting disaster, but that disaster is
already starting to occur:  Note the distributions of Trojan Horse
software in .deb "screensaver" packages in third-party downloads hosted
by gnome-look.org .  

Looking at that situation, my immediate reaction is:

1.  Why the fsck does gnome-look.org encourage distribution of
screensaver artwork inside .deb packages, which get installed with
root authority and can include preinst and postinst scripts?

2.  Why the fsck do users browsing gnome-look.org trust software
listed there by unknown third parties?
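One practical check before installing any third-party .deb, such as the screensaver packages mentioned above, is to look at which maintainer scripts it carries, because dpkg runs preinst/postinst/prerm/postrm as root. The Python below is an added example, not code from this thread or from gnome-look.org: it parses the outer ar container and the control tarball directly (no dpkg needed), and builds a constructed sample package, with a made-up package name and script, so the check can be demonstrated offline; it assumes a gzip- or xz-compressed control archive, since the standard library does not read zstd.

```python
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

def _ar_members(data):
    """Yield (name, body) for each member of an ar archive, the outer .deb container."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive, so not a .deb")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                        # fixed 60-byte member header
        name = hdr[0:16].decode().strip().rstrip("/")  # GNU ar may append '/' to names
        size = int(hdr[48:58])                          # decimal size field
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                   # members are padded to even offsets

def maintainer_scripts(deb):
    """Return {name: text} for maintainer scripts in control.tar*; dpkg runs these as root."""
    for name, body in _ar_members(deb):
        if name.startswith("control.tar"):             # .gz/.xz handled; .zst is not (assumption)
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
                return {m.name.split("/")[-1]: tf.extractfile(m).read().decode()
                        for m in tf.getmembers()
                        if m.isfile() and m.name.split("/")[-1] in MAINTAINER_SCRIPTS}
    raise ValueError("no control.tar member found")

def _tar_gz(files):
    """Build a gzipped tar in memory from {path: bytes} (helper for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            ti = tarfile.TarInfo(path)
            ti.size, ti.mode = len(content), 0o755
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()

def build_sample_deb(scripts):
    """Construct a minimal .deb (constructed sample, not a real package) with the given scripts."""
    control = {"./control": b"Package: sample-screensaver\nVersion: 1.0\nArchitecture: all\n"}
    control.update({"./" + n: t.encode() for n, t in scripts.items()})
    out = b"!<arch>\n"
    for name, body in (("debian-binary", b"2.0\n"), ("control.tar.gz", _tar_gz(control)),
                       ("data.tar.gz", _tar_gz({}))):
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
        out += body + (b"\n" if len(body) % 2 else b"")
    return out
```

To vet a downloaded file, read it into bytes and print maintainer_scripts() on it; a package that only ships artwork has no reason to carry any of these scripts, so any hit deserves reading before the package goes anywhere near dpkg.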
