[conspire] (forw) [DNG] Life After Firefox 56

Rick Moen rick at linuxmafia.com
Thu Feb 23 20:29:53 PST 2017


Important correction, prompted by Akkana's sharp-eyed query:
The Firefox-ESR (Extended Support Release) edition will preserve the
ability to switch off mandatory enforcement of extension signing, via an
about:config toggle (that will be switched on by default).

As Akkana notes, the current Debian package of Firefox is based on
Firefox-ESR (currently, version 45.7.0esr-1~deb8u1 in Debian-stable).
Debian package info:  https://packages.debian.org/jessie/firefox-esr
https://packages.qa.debian.org/f/firefox-esr.html

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Thu, 23 Feb 2017 18:24:56 -0800
From: Rick Moen <rick at linuxmafia.com>
To: svlug at lists.svlug.org
Subject: Re: [svlug] (forw) [DNG] Life After Firefox 56

Quoting Akkana Peck (akkana at shallowsky.com):

> Rick Moen writes:
> [about Firefox's upcoming lockdown of extensions]
> 
> Yikes! Thanks for the alert, Rick.
> 
> I have to wonder: in a world where extensions can't run unless
> they're signed by Mozilla.org, how can anyone develop extensions?
> How do you test your changes on your own browser so you know it
> works before you publish it on Mozilla.org?

On Nightly and Developer Edition builds, as well as unbranded builds.
_And_, turns out, ESR releases (see below, and thank you for raising
that).

In fairness, there may be substantial changes as this gets rolled out.


> Running firefox by itself with no extensions sounds like a disaster.
> No control over scripts, cookies, flash or other security risks?
> It sounds like a red carpet for malware, not protection against it.

What I hear is that there will be WebExtensions reimplementations of the
most key XUL extensions by the time this becomes an issue.  This is so
new to me (though it's been in the offing for a long time without my
being aware) that I cannot be more specific than that.

In particular, on https://wiki.mozilla.org/Addons/Extension_Signing, it
says:  'All Firefox extensions - for Desktop and Android - on AMO
[addons.mozilla.org] that have passed review are now signed.
For unlisted (non-AMO) add-ons, submission and signing is active through
AMO, and there is a Signing API available [link] for automated submission and
retrieval of unlisted addons.'


> I wish there were more open-source browser engines. Webkit used to
> be great, but it seems to be bitrotting lately. Konqueror on a non-KDE
> system wants to pull in 66 other packages including a lot of desktop
> cruft. I'm not convinced any of the other mozilla-based browsers is
> all that well supported (galeon was pretty good for a while, but
> it's orphaned now), but Pale Moon looks pretty interesting: anybody
> here use it? Do you trust them to keep up with security updates?
> Chromium might be the best bet, but how is it on privacy and control
> over scripts and cookies and such?

FWIW, I maintain a list of all Linux-supporting graphical Web browsers
I'm aware of at
http://linuxmafia.com/~rick/faq/kicking.html#linuxbrowser .  It in no
way evaluates any of the browsers mentioned, but could serve as a
starting point for anyone wishing to do a survey.

Steve Litt (/me waves) has been doing browser testing for quite a long
while, now.  Hey, Steve!  Feel like dredging up some links for us?

> There's also firefox-esr, the Extended Support Release (which is the
> firefox that Debian packages): with any luck, Mozilla may not lock
> it down for quite a while, giving users more time before they have
> to switch.

Good point!  I completely failed to check that.  I've just found the FAQ
entry:

Q:  What about private add-ons used in enterprise environments?
A:  The ESR release will support signing starting with version 45-based
    releases. Signing enforcement will be enabled by default in these
    releases, and enforcement can be disabled using the
    xpinstall.signatures.required preference.

https://wiki.mozilla.org/Addons/Extension_Signing

The 'Timeline' section of that page includes:

  The first ESR version to include signing support will be the Firefox
  ESR 52 release.

So, Firefox-ESR releases get added to Nightly and Developer Edition as 
releases that do not absolutely, uncorrectably require corporate
signing.

Further details can be found in this page by Martin Brinkmann:
http://www.ghacks.net/2015/06/19/how-to-disable-the-firefox-40-add-on-signing-requirement/



----- End forwarded message -----
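
Added example, not part of the original message or of Mozilla's documentation: an audit for the xpinstall.signatures.required preference quoted in the FAQ entry above, for admins who want to know which profiles have signing enforcement switched off. It assumes the standard user_pref("name", value); line format of prefs.js and user.js, and that user.js overrides prefs.js; the function names and sample data are constructed for illustration.

```python
import re
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Matches lines such as: user_pref("name", value);
# Commented-out lines (// user_pref(...)) do not match.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(text, name=PREF):
    """Return the last raw value set for `name` in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)
    return value

def enforcement_state(prefs_js, user_js=""):
    """Classify one profile. user.js is applied after prefs.js, so it wins."""
    raw, source = read_pref(user_js), "user.js"
    if raw is None:
        raw, source = read_pref(prefs_js), "prefs.js"
    if raw is None:
        # Pref not set anywhere: the build default applies (on, per the FAQ).
        return ("enforced", "default")
    if raw == "false":
        return ("disabled", source)
    if raw == "true":
        return ("enforced", source)
    return ("unknown", source)  # malformed value, worth a manual look

def audit_profiles(root):
    """Map each profile directory under `root` to its enforcement state."""
    results = {}
    for prefs in Path(root).glob("*/prefs.js"):
        user = prefs.with_name("user.js")
        user_text = user.read_text(errors="replace") if user.exists() else ""
        results[prefs.parent.name] = enforcement_state(
            prefs.read_text(errors="replace"), user_text)
    return results

# Constructed sample profile contents (not taken from a real system).
SAMPLE_PREFS = ('// Mozilla User Preferences\n'
                'user_pref("browser.startup.page", 3);\n'
                'user_pref("xpinstall.signatures.required", false);\n')
SAMPLE_USER = 'user_pref("xpinstall.signatures.required", true);\n'

if __name__ == "__main__":
    print(enforcement_state(SAMPLE_PREFS))               # prefs.js only
    print(enforcement_state(SAMPLE_PREFS, SAMPLE_USER))  # user.js overrides
```

Point audit_profiles() at the directory that holds the profile folders (for example a user's ~/.mozilla/firefox); a "disabled" result only matters on builds that honour the preference, which per the message above are ESR, Nightly, Developer Edition and unbranded builds.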



