[conspire] People failing to learn about package gatekeeping, part 1

Deirdre Saoirse Moen deirdre at deirdre.net
Mon Apr 18 14:55:46 PDT 2022


On Sun, Apr 17, 2022, at 12:21 PM, Rick Moen wrote:
> I haven't followed closely what a.m.o (addons.mozilla.org) has been
> doing since the company's shocking decision that Firefox would no longer
> run non-Mozilla-signed extensions.  That certainly fixed one problem for
> the corporation, but in my view was open-source-hostile and, along with
> other things, has largely impelled me to look elsewhere.  

Maybe it's because I've been on a browser team, but I don't consider that decision either surprising or shocking.

There's no other way to manage cert revocation effectively (i.e., if you're permitting unsigned things, there's no way to axe something malicious because they could just use the unsigned variation), and you've got to have *something* in place that prevents extensions that were made by legit people that have, over time, gotten into the hands of shady people and therefore need to be mass disabled. Or things that were intended to be turned into malware, but weren't yet when the extension was initially signed/reviewed.

Deirdre
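The revocation argument above can be made concrete with a small policy model. This is an added illustration, not code from the post or from Mozilla; the store's signing key is a constructed HMAC secret standing in for a real asymmetric signing key, and the extension ID, serial number and code bytes are constructed samples. It walks through sign, revoke, and re-ship-unsigned under both a signed-only policy and an "unsigned allowed" policy, showing that the revocation list only has teeth in the first case.

```python
"""Toy model of why mandatory extension signing is what makes revocation work.

Added illustration, not code from the conspire post or from Mozilla. The store's
signing key is a constructed HMAC secret standing in for a real asymmetric
signing key; the extension ID, serial and code bytes are constructed samples.
"""
import hashlib
import hmac

# Constructed stand-in for the store's private signing key.
STORE_SIGNING_KEY = b"constructed-store-signing-key"


def code_digest(ext_id: str, code: bytes) -> bytes:
    """Bind the extension ID to its exact code bytes."""
    return hashlib.sha256(ext_id.encode() + b"\x00" + code).digest()


def store_sign(ext_id: str, code: bytes, serial: int) -> dict:
    """Store-side signing. The serial names this signing event so it can be revoked later."""
    msg = serial.to_bytes(8, "big") + code_digest(ext_id, code)
    mac = hmac.new(STORE_SIGNING_KEY, msg, "sha256").hexdigest()
    return {"serial": serial, "mac": mac}


def signature_valid(ext: dict) -> bool:
    """Browser-side check that the signature covers this ID and these exact bytes."""
    sig = ext.get("signature")
    if sig is None:
        return False
    expected = store_sign(ext["id"], ext["code"], sig["serial"])["mac"]
    return hmac.compare_digest(expected, sig["mac"])


def load_decision(ext: dict, revoked_serials: set, allow_unsigned: bool) -> str:
    """Browser-side policy: decide whether an extension may load."""
    sig = ext.get("signature")
    if sig is None:
        # With no signature there is nothing for a revocation list to match on.
        return "load" if allow_unsigned else "reject: unsigned"
    if not signature_valid(ext):
        return "reject: bad signature"
    if sig["serial"] in revoked_serials:
        return "reject: revoked"
    return "load"


# Constructed sample: a legitimately reviewed extension, signed by the store.
EXT_ID = "link-highlighter@example.invalid"
GOOD_CODE = b"browser.tabs.onUpdated.addListener(highlightLinks);"
SIGNED_EXT = {
    "id": EXT_ID,
    "code": GOOD_CODE,
    "signature": store_sign(EXT_ID, GOOD_CODE, serial=1001),
}

# Constructed sample: the same extension re-shipped with the signature stripped
# and the code altered after the store revoked serial 1001.
UNSIGNED_COPY = {"id": EXT_ID, "code": GOOD_CODE + b"\n// changed after revocation"}

# Constructed sample: the signed package with its code tampered in transit.
TAMPERED_EXT = {"id": EXT_ID, "code": GOOD_CODE + b"\n// tampered",
                "signature": SIGNED_EXT["signature"]}


def revocation_scenario(allow_unsigned: bool) -> list:
    """Walk through sign -> revoke -> re-ship unsigned and return each decision."""
    revoked: set = set()
    out = [load_decision(SIGNED_EXT, revoked, allow_unsigned)]      # initially trusted
    revoked.add(1001)                                                 # store pulls the cert
    out.append(load_decision(SIGNED_EXT, revoked, allow_unsigned))    # signed copy now blocked
    out.append(load_decision(UNSIGNED_COPY, revoked, allow_unsigned)) # unsigned re-ship
    return out


if __name__ == "__main__":
    print("signed-only policy:", revocation_scenario(allow_unsigned=False))
    print("unsigned allowed:  ", revocation_scenario(allow_unsigned=True))
```

Under the signed-only policy the third step is rejected as unsigned, so pulling the certificate actually removes the extension from users' browsers; under the permissive policy the same revocation is a no-op, because the redistributed copy simply never presents the revoked serial.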


