On 6/24/2014 12:08 AM, Philipp Kewisch wrote:
> When I first read your email it sounded like all that would be
> required is any SSL certificate to be able to install addons.
You cannot today sign add-ons with SSL certificates, they must be
"object signing" certificates. I'm not proposing to change that. The
proposal is that signing will now be required, and that the cert must be
issued by Mozilla rather than a random CA.
> it rather sounds like a Mozilla-issued certificate is REQUIRED for
> installing non-AMO addons. Two questions on that:
A Mozilla-issued certificate is required for installing ALL addons, but
if you go through AMO review Mozilla will take care of the signing for
you for free.
> * Can I instead get an AMO certificate by uploading an extension
> with preliminary review, then use that certificate for all future
> versions that I do NOT upload to AMO?
Signing through the review process will yield a signed add-on, but not a
certificate that will let you sign additional things AMO hasn't seen.
> * How often do these certificates expire?
TBD, but a year or two is typical for certs. Signed code doesn't expire,
only the ability to sign new code. Once a developer is signed up, cert
renewals will be free.
> I am also concerned that charging for these certificates will require
> a strong public statement as to why Mozilla is doing this,
We're doing this because every time any of us visits our family their
Firefox is a toolbar-laden crapfest that we have to clean up, and
because the resulting bad performance is causing us to lose users. To
get a cert you will have to agree to our Terms of Service for a
well-behaved add-on. Not proposing any change to those, just adding an
enforcement mechanism for add-ons not distributed through AMO:
https://addons.mozilla.org/en-US/developers/docs/policies/reviews#section-policies
> Especially since Marketplace addons can be distributed from any app
> store, centralizing on AMO like this might cause a certain uproar,
Argh. This is the problem. Marketplace APPS are NOTHING LIKE add-ons,
but people think of them the same. The Firefox OS apps you can get
"anywhere" are glorified bookmarks and cannot do anything that a web
page cannot do. "Privileged" apps must be signed by the One True Mozilla
Marketplace, and even if one of those apps had every possible privilege
it still wouldn't be as powerful as an add-on. [off topic: I think it is
a terrible, no-good, horrible thing that we don't show the privileges an
app is being granted, making this distinction completely mysterious to
people.]
> especially from companies that use internal addons for their
> customers and do like the idea of paying extra to continue to be able
> to push their addons to their customers.
If it's internal as in Enterprise stuff, and they don't want to get a
certificate then they can always build and distribute their own internal
Firefox with the signature checking disabled. If they're distributing
the add-on to public customers then they have to get a cert. I'm not
worried about companies, the cost of a cert (whatever model) is less
than the cost of a "business lunch".
> (Note for press: I believe none of this is final yet, please don't
> draw any wrong conclusions from my post)
This is no more final than Jorge's previous proposals to which I offer
mine as an alternative. I ran this by a couple of colleagues as a sanity
check before posting but no one with decision-making authority over
Firefox has commented or agreed to do this.
-Dan Veditz