No more unsigned add-ons? Has Mozilla lost their mind?

[trainman261]

While browsing the Gizmo's Freeware forum this morning, I read about Firefox 48... and that you can't install unsigned add-ons anymore, WITH NO WAY TO BYPASS IT. What? Has Mozilla gone completely bonkers? Mozilla, that keeps on talking about open systems, the open web, has now closed their web browser. This is insanely stupid at best. This is one of the main reasons I was using firefox. It's my system, I should have control over what can be on it, not some organization. There's a reason I don't use Apple devices, and there's a reason I stopped using Chrome when it stopped accepting extensions not in the Chrome Web Store. I can understand why unsigned extensions could be disabled by default, I can understand that. But the fact that there is no way to enable unsigned extensions is simply ludicrous. I use several of them and have no reason to stop using them, but at this point, I may well just stop using Firefox.
Mozilla, I am extremely disappointed.

[rajpau...@gmail.com]

I hope someone from Mozilla is reading because I need to be able to use unsigned addons but I don't want to deal with the instability of using nightly or developer builds. I'm not an addon developer, but I have a few addons that I crack open and tweak to customize a bit. Now they can't load in 48!!

There's no good reason for not having a way to bypass this requirement.

[WaltS48]

On 08/03/2016 01:24 PM, rajpau...@gmail.com wrote:
> I hope someone from Mozilla is reading because I need to be able to use unsigned addons but I don't want to deal with the instability of using nightly or developer builds. I'm not an addon developer, but I have a few addons that I crack open and tweak to customize a bit. Now they can't load in 48!!
>
> There's no good reason for not having a way to bypass this requirement.

If you crack them open and tweak them, submit them to Mozilla for signing.

I believe that was documented back when this was first proposed.

<https://wiki.mozilla.org/Addons/Extension_Signing#FAQ>

You also have the option of using an unbranded build or the current ESR.


--
Visit Pittsburgh <http://www.visitpittsburgh.com/>
Three Rivers Regatta <http://yougottaregatta.com/>
Little Italy Days <http://littleitalydays.com/>
Pittsburgh Renaissance Festival <http://pittsburghrenfest.com/>
Britsburgh <http://bacpgh.com/our-programs/events/britsburgh/>
Ubuntu 16.04LTS

[hendrik....@gmail.com]

Sooo... Firefox 48 is released, our internal extension (never meant to be published or leaving our network in any way) stopped working... what is the proposed fix? The blog announcement mentioned a third option:

> For extensions that will never be publicly distributed and will never leave an internal network, there will be a third option. We’ll have more details available on this in the near future.

What is this option? We really would like to run our extension again. Or do we have to stay on outdated browser versions until "near future"?

[Jorge Villalobos]

Your options:

1) Sign it as an unlisted add-on:
https://developer.mozilla.org/en-US/Add-ons/Distribution

2) Use Developer Edition, Nightly, or ESR.

3) Use the unbranded builds for beta or release.

4) If it's restartless, load as a temporary add-on in about:debugging
(this is meant for testing and development, not permanent installation).

Jorge

[The Wanderer]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-08-04 at 10:12, Jorge Villalobos wrote:

> On 8/4/16 12:54 AM, hendrik....@gmail.com wrote:
>
>> Sooo... Firefox 48 is released, our internal extension (never
>> meant to be published or leaving our network in any way) stopped
>> working... what is the proposed fix? The blog announcement
>> mentioned a third option:
>>
>>> For extensions that will never be publicly distributed and
>>> will never leave an internal network, there will be a third
>>> option. We’ll have more details available on this in the near
>>> future.
>>
>> What is this option? We really would like to run our extension
>> again. Or do we have to stay on outdated browser versions until
>> "near future"?
>
> Your options:
>
> 1) Sign it as an unlisted add-on:
> https://developer.mozilla.org/en-US/Add-ons/Distribution

I presume you're listing that one only for the sake of completeness,
because that does not fit the criterion "will never leave an internal
network"; submitting an add-on for signing, even as unlisted, involves
sending it outside of the internal network.

> 2) Use Developer Edition, Nightly, or ESR.

While I do recommend using the ESR exclusively for everyone, others may
consider doing so to constitute "staying on outdated browser versions".
And of course the other two are not exactly suited for broad
ordinary-users deployment.

> 3) Use the unbranded builds for beta or release.

For people who can't use or aren't comfortable with the ESR, this is
really the only option, though for environments which do want
auto-updating the solution which was chosen for bug 1290548 leaves this
non-viable at the moment.

- --
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXo1O3AAoJEASpNY00KDJrhtMP/iDixWp3N3L0+zY9bV6RDiLt
2gPIlM3/8gfeJY1TP81zxCg/C190e6Tn8hWYZji2EQPFEhyzWN6qD+7hjMJ/GBLd
wqGpWf9uhp/QbSLpLKO+GaICNohaV2CYI4ydKOTsUDos5++a67YZCbbkBc4VY71I
hiQGb92ZAXw8DMwC+IZMic0r0wRX8ed44EmEwNW2VIXxu7FfSnjqyrpCEpqx8X9U
6MT/9fFfMdBAEcP+j7pC3QKQN2whgEZ5J1c4GqoQR19i3HZxev2jRyFkFiiWNI+r
trSHVfAZZXsikPIAjx5BS0DvcEGstzJs8R8rm/gEYLefd+IyCPIUtNYjsLXFSWqs
qVH+Z9+ri/gnApAnwEE1O5zSCqQWDBQ57SjNwsK12jVkvUCLblK3AQQFYi1uYNOD
NJrYyQgsjzT47iJxqGdBvARy2M7juPanCQ5jVK7ifD6wR1VFd+XkX2mJjbsVB+Qm
Gqi5ktggRaIPvcaXjQwX6AE5wWT0OBQfmdrphdWpsEMaNkxB+H8Au7AMgPwW1sYA
+Tm2Q9T5cgRaVgaplXtxHUWg7TUcSENYE3J4QOF6yafM+qmFOpsoss13DH9kXv9z
Gu9hVJd7KoiVogmrfH9s+Ih6SGe3otrmI1dR+wZVAWDmObKUb0FyhIgifn3jC2YG
C112ajk3+h2ULkhaYDZY
=g03n
-----END PGP SIGNATURE-----

[neo...@gmail.com]

On Thursday, August 4, 2016 at 7:40:40 AM UTC-7, The Wanderer wrote:
> >> Sooo... Firefox 48 is released, our internal extension (never
> >> meant to be published or leaving our network in any way) stopped
> >> working... what is the proposed fix? The blog announcement
> >> mentioned a third option:
> >>
> >>> For extensions that will never be publicly distributed and
> >>> will never leave an internal network, there will be a third
> >>> option. We’ll have more details available on this in the near
> >>> future.
> >>
> >> What is this option? We really would like to run our extension
> >> again. Or do we have to stay on outdated browser versions until
> >> "near future"?
> >

I'm in the same boat as The Wanderer. We have an internal add-on with confidential information that I am legally not allowed to send outside of our network. Internal users are not going to be happy with running dev or nightly, and I shutter to think how out of date they'll get if we use unbranded if it's not going to auto update.

[Emiliano Heyns]

Unbranded is also only available in English, I think, so that's something to take into account. The best temporary option would be ESR I guess, but even that is going to run out when the new ESR drops.

[Dan Stillman]

On 8/4/16 8:10 PM, Emiliano Heyns wrote:
> Unbranded is also only available in English, I think, so that's something to take into account.

You can install other language packs into the unbranded build,
supposedly. But still pretty useless if it doesn't auto-update.

[WaltS48]

Can't download the next unbranded version and install it in place of the
current if it doesn't? Then again in six weeks it might auto-update.

I have to do that with the SeaMonkey Nightly everyday because it doesn't
auto update for me on Linux.

[Dan Stillman]

On 8/4/16 9:19 PM, WaltS48 wrote:
> On 08/04/2016 08:54 PM, Dan Stillman wrote:

>> You can install other language packs into the unbranded build,
>> supposedly. But still pretty useless if it doesn't auto-update.
>

> Can't download the next unbranded version and install it in place of
> the current if it doesn't?

You can, of course, but that's an absurd requirement, particularly for
something that exists in large part to allow developers to develop their
add-ons against the current version of Firefox. It's a huge waste of
people's time, and people are also going to forget and end up releasing
broken software when new versions of Firefox come out. (This isn't
hypothetical — I've done this in the past when I had auto-updates off
and thought I had been testing against the latest beta.)

But as I say in the other thread [1], I'm hoping this is just a
misunderstanding and the Add-ons team will communicate to Release
Engineering that these builds need to auto-update.


[1]
https://groups.google.com/d/topic/mozilla.addons.user-experience/FlYaMEpxBAY/discussion

[shado...@gmail.com]

Please re-add the value, this is terrible. I get promoting security for casual users, but people have to accept a disclaimer to access these features, you could have implemented a tool tip of some kind so that the user could make an informed decision on the value.

Instead, all of my tinkering and beta versions by authors or fixes from others I cannot use, it's bananas that I would even need to install another version of the browser.

[Emiliano Heyns]

On Friday, August 12, 2016 at 8:19:41 PM UTC+2, shado...@gmail.com wrote:
> Please re-add the value, this is terrible. I get promoting security for casual users, but people have to accept a disclaimer to access these features, you could have implemented a tool tip of some kind so that the user could make an informed decision on the value.
>
> Instead, all of my tinkering and beta versions by authors or fixes from others I cannot use, it's bananas that I would even need to install another version of the browser.

Not that I like how it's been done, but in their defense: most people blindly click "accept" on such disclaimers, so having a disclaimer+go situation is functionally equivalent to a just-go scenario. If people made informed decisions routinely, malware wouldn't be half as successful as it is.

I now just always sign tinkering/beta versions using the API. That results in a growing number of "versions" on AMO that will never see any use, but that's not my problem (and I'll be happy to delete throwaway versions should the API be extended to allow me to list older versions and delete them -- if it's more than a day old, I don't need it on AMO)

[henrique...@gmail.com]

Only posting to agree with trainman261. I would have expected other browsers to try to force things like that down my throat, but not Firefox. I would completely understand to disallow unsigned addons by default, while providing one "not suggested and hidden from common user" way to override it. Now we can't have "possibly dangerous" configuration even on about:config, that was the sanctuary to "people that know what they are doing" to mess with this kind of thing.

I use an addon that I inspected the code to check if it wasn't malicious. I know it isn't. I'm not the addon author. Now I will have to learn how to sign, and sign an addon isn't even mine and I don't know if I have permission sign? What a waste of time.

Can't Mozilla reconsider its decision? I will not say that I will stop using Firefox because of this, because it will remain being the best option for me, but the gap between other options will begin to shrink if this kind of thing keep happening. This also weakens my motivation to contribute; what is a big downer as there isn't other open source browsers on firefox level around.

[Emiliano Heyns]

On Monday, August 15, 2016 at 11:01:01 AM UTC+2, henrique...@gmail.com wrote:
> Only posting to agree with trainman261. I would have expected other browsers to try to force things like that down my throat, but not Firefox. I would completely understand to disallow unsigned addons by default, while providing one "not suggested and hidden from common user" way to override it. Now we can't have "possibly dangerous" configuration even on about:config, that was the sanctuary to "people that know what they are doing" to mess with this kind of thing.

The problem with this though is that extensions can easily manipulate such settings.

Another option however would just be for Mozilla to create an option during install to enable xpinstall. A re-install over an existing installation could be used to flip it on after installation. That seems to me a significant enough hurdle to overcome so the default is enforcing, a rogue extension can't flip the switch, but a user has a documented path to do so if desired.
If we can't trust the Firefox installer to put in place trusted files, the entire effort is doomed anyway.

[»Q«]

In
<news:mailman.1857.1471252803.18...@lists.mozilla.org>,

Emiliano Heyns <emilian...@iris-advies.com> wrote:

> Another option however would just be for Mozilla to create an option
> during install to enable xpinstall. A re-install over an existing
> installation could be used to flip it on after installation. That
> seems to me a significant enough hurdle to overcome so the default is
> enforcing, a rogue extension can't flip the switch, but a user has a
> documented path to do so if desired. If we can't trust the Firefox
> installer to put in place trusted files, the entire effort is doomed
> anyway.

There's no UI for it, but Brinkman at Ghacks has already documented a
way for a privileged user to disable enforcement,
<http://www.ghacks.net/2016/08/14/override-firefox-add-on-signing-requirement/>.

[Emiliano Heyns]

On Monday, August 15, 2016 at 5:04:03 PM UTC+2, »Q« wrote:

> There's no UI for it, but Brinkman at Ghacks has already documented a
> way for a privileged user to disable enforcement,
> <http://www.ghacks.net/2016/08/14/override-firefox-add-on-signing-requirement/>.

That's awesome. Someone should package that as an unlisted extension. Extensions can find the installation dir, and the elevate-and-copy-a-file cannot be hard to do for the three major platforms.

[»Q«]

In
<news:mailman.1858.1471294622.18...@lists.mozilla.org>,

If such an extension is written, it should be careful not to clobber
those files if they pre-exist.

[filimo...@gmail.com]

Mozilla, it is not up to you to decide which already installed unsigned add-ons you can disable in FF 48: The user alredy trusts the developer. It is the user's matter only. There are add-ons used in everyday job. You broke my tools, my job processes. Why (and how) to use FF now to complete my job?!

[rob...@gmail.com]

[rob...@gmail.com]

Arrogant and stupid. - Can't see Epson and Logitech (to mention just two affected) agreeing to jump through Mozilla's hoops. - They find it hard enough to keep up with Microsoft even if they can be bothered.

Another nail in the coffin.

[Brian Nakamoto]

On Monday, August 22, 2016 at 3:34:56 AM UTC-7, filimo...@gmail.com wrote:
> Why (and how) to use FF now to complete my job?!

A solution is to use the unbranded build of Firefox – https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded_Builds

-Brian

[Brian Nakamoto]

On Tuesday, August 23, 2016 at 7:57:29 AM UTC-7, rob...@gmail.com wrote:
> Arrogant and stupid. - Can't see Epson and Logitech (to mention just two affected) agreeing to jump through Mozilla's hoops. - They find it hard enough to keep up with Microsoft even if they can be bothered.

Have you tried contacting Epson and Logitech to ask them when or if they'll support Firefox 48 and newer? (It's relatively easy to get an extension signed by AMO.) IMHO, it's the responsibility of developers to maintain compatibility with their customers' platforms if they desire to keep their customers happy.

-Brian

[kgar...@gmail.com]

I have an addon that I really like that is not being supported anymore. I have tried contacting them about this, but have gotten zero response. So, to keep using my beloved addon I am now stuck never upgrading from Firefox 47 (my current choice) or switching to Safari which still supports it, but for which versions of other addons I like are not available.

I understand the rationale for this, but the failure to allow for the situation I describe above is just plain annoying beyond belief. It has generated several hours of frustrated searching, writing for help, attempting to get the addon signed by myself, and other stress inducing behaviors. Firefox is supposed to be making my browsing experience less stressful. They are roundly failing at that now.

Kurt

[Brian Nakamoto]

On Wednesday, August 24, 2016 at 12:35:08 PM UTC-7, kgar...@gmail.com wrote:
> I have an addon that I really like that is not being supported anymore. I have tried contacting them about this, but have gotten zero response. So, to keep using my beloved addon I am now stuck never upgrading from Firefox 47 (my current choice) or switching to Safari which still supports it, but for which versions of other addons I like are not available.

If you want to stick with "Firefox" you can switch to the unbranded version that should still support the abandoned, unsigned extension.

https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded_Builds

-Brian

[Jorge Villalobos]

If you think it's abandoned, you can submit it as unlisted (ideally with
a different ID) so at least the file is signed and you can continue
using it.

Jorge

[chsn...@gmail.com]

On Wednesday, 3 August 2016 15:52:07 UTC+1, trainman261 wrote:
> While browsing the Gizmo's Freeware forum this morning, I read about Firefox 48... and that you can't install unsigned add-ons anymore, WITH NO WAY TO BYPASS IT. What? Has Mozilla gone completely bonkers? Mozilla, that keeps on talking about open systems, the open web, has now closed their web browser. This is insanely stupid at best. This is one of the main reasons I was using firefox. It's my system, I should have control over what can be on it, not some organization. There's a reason I don't use Apple devices, and there's a reason I stopped using Chrome when it stopped accepting extensions not in the Chrome Web Store. I can understand why unsigned extensions could be disabled by default, I can understand that. But the fact that there is no way to enable unsigned extensions is simply ludicrous. I use several of them and have no reason to stop using them, but at this point, I may well just stop using Firefox.
> Mozilla, I am extremely disappointed.

I have a few addons that are distributed internally and for internal use within my company. My addons contain information I do not want to be shared externally which happens when signing. These addons are now useless.

[chsn...@gmail.com]

I have internal addons that must not leave the network as well. Please let me know if you find a fix for this.

[tsukin...@gmail.com]

Well, it looks like I'm downgrading to 47 and holding there until a better solution presents itself.

This is completely ridiculous. I understand protecting the casual user, but let's be realistic: most of them have already installed ten different toolbars and a couponing app that eats their RAM like candy. There's only so much you can protect a machine before you may as well put it back in its box. The about:config work around was a nice compromise. Let's go back to that.

[The Wanderer]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-08-25 at 21:36, tsukin...@gmail.com wrote:

> Well, it looks like I'm downgrading to 47 and holding there until
> a better solution presents itself.

(Are you the same tsukinofaerii who writes under that name on AO3? If
so, I love some of your fic.)

May I suggest downgrading to ESR45 and holding there, instead? That will
continue to receive security updates until ESR52 is released, whereas 47
will not be so updated; you'll be safer and better supported that way
for at least a year.

> This is completely ridiculous. I understand protecting the casual
> user, but let's be realistic: most of them have already installed
> ten different toolbars and a couponing app that eats their RAM
> like candy. There's only so much you can protect a machine before
> you may as well put it back in its box. The about:config work
> around was a nice compromise. Let's go back to that.

It is my understanding that the ESR still has the about:config option,
and is expected to continue to have that option indefinitely.

I've recommended for years that everyone use the ESR, and this provides
just one more reason for that recommendation.

- --
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXwDJ6AAoJEASpNY00KDJrttEP/RXMKzPOXYP3UC5yfw1hJF3k
tZVFlW3idcwGX4srb6zZgzzsxMKVLNDpRVxsqqdApbXHbtGW0QzOB1nPiAfRvGyd
MJwgiZdb3YAxBBIuWpj7fJknl85BOm0M9Mvs1soy+x0u6lu9lxZaLiuW2UB/7qtM
zC+t/kpOvJs3o0QUBjR9gdRK6vx2VWp2i2Mk7R82Qz5Kl960+0E6uOIrKkkFb7U8
0JX1AQqiDtEJNoSAOy6yzEw+ezyjMgUMO87PNfWKuC2EcSPcy5Zbr95HalMYC6ix
u9fur/oUkQVeC7+yp8G6J9vbyMVKkunoiNAfdesxp7QZjN0mtr20nMUwJmG5OXQX
O65IwGcjqaoFP3HzMdIB1kMWf2gN9IdqtQ3cJNvPBgVzUWEAM7sBmSCgpe7hQV4A
8t1JKh6tipdV7R7bFHZkCf0JM7gRSm3BMkNWESfHYtzSJV9Nbqv3nxs4e8mdm3Ah
ZyAcpggx8E5907WWDAvEsz3Q+vlspRw29XyweOc+HeR8JUjvB8HeklmZHnniFsms
dvENACGmmmk+LFJBlr9jRcIBVlsfqHSC9iaaarUUX23jDZAgSMv7b7lzC08QVytN
03IM1/xbqHCaBDSLRGMPk5S98Yh1UXrphwLS2On6PUz0lom6TfeMWvvoZC0OxYcp
cCI/EITEecLM8IdvJk8G
=Pc4a
-----END PGP SIGNATURE-----

[mike5...@gmail.com]

On Thursday, August 4, 2016 at 12:52:07 AM UTC+10, trainman261 wrote:
> While browsing the Gizmo's Freeware forum this morning, I read about Firefox 48... and that you can't install unsigned add-ons anymore, WITH NO WAY TO BYPASS IT. What? Has Mozilla gone completely bonkers? Mozilla, that keeps on talking about open systems, the open web, has now closed their web browser. This is insanely stupid at best. This is one of the main reasons I was using firefox. It's my system, I should have control over what can be on it, not some organization. There's a reason I don't use Apple devices, and there's a reason I stopped using Chrome when it stopped accepting extensions not in the Chrome Web Store. I can understand why unsigned extensions could be disabled by default, I can understand that. But the fact that there is no way to enable unsigned extensions is simply ludicrous. I use several of them and have no reason to stop using them, but at this point, I may well just stop using Firefox.
> Mozilla, I am extremely disappointed.

There really needs to be a way to whitelist one or more specific extensions as it is not always going to be possible to get an oldish extension signed. Cards is the one I have been using up until now. NOT HAPPY!

[WaltS48]

On 08/27/2016 11:52 AM, mike5...@gmail.com wrote:
> There really needs to be a way to whitelist one or more specific extensions as it is not always going to be possible to get an oldish extension signed. Cards is the one I have been using up until now. NOT HAPPY!

There is a way.

Users can use the Developer Edition, Nightly, unbranded and/or ESR versions.

Download and install a version of your choice. You can find links in the
reference.

Then follow these instructions, also in the reference;

Type about:config into the URL bar.
In the Search box type xpinstall.signatures.required
double-click the preference, or right-click and select "Toggle", to set
it to false.

REF: <https://wiki.mozilla.org/Addons/Extension_Signing#FAQ>

--
Visit Pittsburgh <http://www.visitpittsburgh.com/>

Extreme vetting - What Native Americans should have started using in 1492
Ubuntu 16.04LTS

[wsha...@gmail.com]

There appears to be one alternative way to run unsigned addons in Firefox 48 that I haven't seen mentioned so far. That is to use Ubuntu and set xpinstall.signatures.required to false in about:config. For reasons I don't understand (I don't see anything in the packaging log about Ubuntu disabling signature checking intentionally), the signing requirement does not seem to be enforced on the version of Firefox distributed by Ubuntu.

[kazi bappy]

[»Q«]

In
<news:mailman.2559.1472645577.18...@lists.mozilla.org>,

If that's the case, shouldn't they be shipping their Firefox without
the branding?

[WaltS48]

They probably built it from 48.0b11, which is the unbranded version and
added the branding back in. Sneaky.

[The Wanderer]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Do Mozilla actually distribute separate source packages for the
unbranded version?

I was under the impression that the difference between branded and
unbranded is purely a matter of build-time configuration, based on
identical source trees.

As Ubuntu is a Debian-based distribution, the Ubuntu packages for
anything which has source available are almost certainly based on
compiling the source themselves, with whatever configuration they deem
most appropriate to distribute to their users. They may well have
decided to build with the "support the signatures-required preference"
flag, on the principle that supporting unsigned addons - and the freedom
for users to run their own code, without needing to ask permission,
which results - is the better option for that purpose.

It's possible that Mozilla may object to having the Firefox name (etc.)
applied to a version distributed in this way, in which case we may see
Iceweasel return (a matter of mere months after the name was retired on
the Debian side of the fence), but if so that will have to be hashed out
between the Mozilla folks and the maintainers of the Ubuntu package -
most likely on a bug report on the Ubuntu bug tracker.

(That said, I haven't been able to find any discussion of this, or any
sign that such a decision may have been made on the Ubuntu side, other
than this very thread. This may, in fact, turn out to somehow be an
oversight.)

- --
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXyBWXAAoJEASpNY00KDJrxEwP/RAUjD9a2DDvR4UaiKtuqa6O
z8S5AhNmX/pbvkd7cpPsyTNI4h5OI0/D9x4FD7kGGSPW846FHKQl6FUdVhOmElkF
SgAY7r6agRyWpDjM43iq739jezyOjBlgjct7QGDBVbsogHItIJW+WXqfwPcht9eX
/w8uVdH+M6W9Av7w/6nwNhqENnW+yogjD5gRXx+eBGq4RPCI9PF6fgumxxwkBMAp
/yZkWd5jPPPDeAzMVA1YPec4elhBU8ix8A4x1Xkd6w71upDm2KIWlaljoIJelmAZ
8g/LgN/Ej9uKZme0/Pd/gPIL5M4GAMWjf44CBgiP2sH7bX56a1bhZEbM+/9sLOOO
96H9ax0FkGdsqOb772BV7ArxBGwqRboLjz2cB3E1eBKu+KA4/7uOZ6K9NYcB0d0v
oT0J7tWrCxmgyKiM74tg6qPr6Ee+DpxCdV59SsGJFnnECiij+94FbhvhkNqY8coU
yZ8yEjMyi428/rQz1RIA8iLyC0+TLQzRe24qR2MDcdkvGIPcQEcss9YU2aO1QYaV
kYC1/qJrIBE78cpaQhh2rDnyZ9+ouQnbfxe7CN9Mr9G84M32ZRaIkMmky94dFqIi
91yzvbKcOAjkalREma0lhOxjQtx/W+8HQckHUwxQuo/Ii5gv3jGoB5/5ZpEzQSfK
pQgVq6Rqh6QKdadaPVLd
=e5hd
-----END PGP SIGNATURE-----

[»Q«]

In
<news:mailman.2643.1472730548.18...@lists.mozilla.org>,

The branding is indeed a compile-time option,
--enable-official-branding.

AUIU, Mozilla's basic position on branding is to allow distribution of
branded builds unless they include things which negatively impact users
WRT security or stability, though I'm sure I'm oversimplifying. I
don't know whether Mozilla would consider allowing unsigned extensions
to be a negative impact, but maybe so, since disallowing them was
presented as having a positive impact on users.

I couldn't find any discussion of this anywhere either, and I don't
care enough about it to try to prompt any. If anyone does want to make
sure Mozilla have thought or will think this through, I think
contacting Mike Connor and/or Gerv Markham would be a good way to
start; both of them have dealt with branding and trademark issues for
quite a while at Mozilla. (Well, a better way to start might be to
verify for oneself that Ubuntu's branded version 48 really does allow
unsigned extensions to run, heh. I haven't checked.)

[wsha...@gmail.com]

I noticed this because one of my users complained that the unsigned xpi wouldn't install on some system. I responded that that was normal for Firefox 48 and he responded that it worked on Ubuntu. I then tried it myself on a 16.04 system and was also able to install unsigned add-ons there. I posted here because I was curious if anyone else had noticed this or knew what was going on. Looking at the unbranded build, it looks like there is a "signing_required" entry in a json file and a MOZ_SIGNING_REQUIRED environment variable, but I don't see either used in the deb source for Ubuntu. Maybe it has something to do with Ubuntu being based on Debian which used Iceweasel in the past. Debian is switching back to Firefox though and doesn't build the non-ESR releases any way, so I'm not sure how it impacts Ubuntu.

[The Wanderer]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Yes, that much I believe I knew.

The question is whether the "require signing" feature is also a
compile-time option, or whether it requires a different source tree. My
understanding is that it's the former.

> I couldn't find any discussion of this anywhere either, and I
> don't care enough about it to try to prompt any. If anyone does
> want to make sure Mozilla have thought or will think this through,
> I think contacting Mike Connor and/or Gerv Markham would be a good
> way to start; both of them have dealt with branding and trademark
> issues for quite a while at Mozilla. (Well, a better way to start
> might be to verify for oneself that Ubuntu's branded version 48
> really does allow unsigned extensions to run, heh. I haven't
> checked.)

Some Mozillians do monitor this forum - Jorge Villalobos most prominent
among them - so if such people do need to be notified, I imagine they
either will be, or may in fact already have been. My previous post was
written under the assumption that this is the case.

- --
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXyFVFAAoJEASpNY00KDJrexIP/A/VMSs6SuKuRJn7dnLbhrI/
vHOA2DqscMVClBjjo6wkBn9PKy9LyAMK8i8+XqqY04uFL+EnXJiYGQK+PPWbii6J
UOno2Fx34T3VxWhlopx5KP9of3JeTH3ce1IxVWOFCL0I0wM+kd30qNWgVvh/kjrg
2x93mrCVbaijexoI+WvmCg9pOmgSNA85YJ5dFuDPQuLgalZk9oeMoa1wGmB7c/C8
giakOEdWxQTsmUO3Pagxml5zoeC1K5K3+lcAYx5RGa9wTXafQOqtZ68dO5g3DknQ
q1tkiCFaNoQJ4prZ//q+v8jH7oxu1PW2Q04ZZy3K5TJshjrdCN1OSNBSkp5FnrPQ
aL7rw2Z+9DN4iG43Q6tlUEJ+xrJ4VoTUNsPbISDhyVCIJBxtufPJI/YZL7behYdT
AYUNPHmWoUgx51APlIQs7hoUaNzz0DYHkwnIPA55y1thOpF1px03fypRYUPLHDSF
gYmv1xBWG9gPbEnhnllgPbJqRl2hp9lfHYkZgW3PsZyJuppbs6XYHTlAptx4JHCA
rWm3GFeaVFoDicENOwhVMgvCEG4kXUcj6Pj4SnOf4YzRScGYSiRK7GfN4LLx0abU
A0zIqg/IqRzjAHa3DL6xdtP8o38XSoNs1AQMFeD6UDf7NWuU148i9VScgw4A5bNz
MaZGQmTLmC0VrO7091kU
=Ga3w
-----END PGP SIGNATURE-----

[»Q«]

In
<news:mailman.2653.1472746862.18...@lists.mozilla.org>,

The Wanderer <wand...@fastmail.fm> wrote:

> The question is whether the "require signing" feature is also a
> compile-time option, or whether it requires a different source tree.
> My understanding is that it's the former.

Your understanding is correct.

[Jorge Villalobos]

Yes, we do read these conversations :). I don't have a good answer about
the Ubuntu case (or other distros), but we'll look into it.

Jorge

[gne...@googlemail.com]

On Thursday, September 1, 2016 at 3:43:26 PM UTC+2, »Q« wrote:
> (Well, a better way to start might be to
> verify for oneself that Ubuntu's branded version 48 really does allow
> unsigned extensions to run, heh. I haven't checked.)

For some reason my post as of yesterday was lost/deleted, part of it was:
> Running Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 (en-US) out-of-the-box blocks unsigned add-ons!

[Axel Grude]

> *Subject:*Re: No more unsigned add-ons? Has Mozilla lost their mind?
> *From:*»q« <box...@gmx.net>
> *To:*Mozilla-addons-user-experience
> *Sent: *Thursday, 01/09/2016 14:42:39 14:42 GMT ST +0100 [Week 35]

> In
> <news:mailman.2643.1472730548.18...@lists.mozilla.org>,
> The Wanderer <wand...@fastmail.fm> wrote:
>

> The branding is indeed a compile-time option,
> --enable-official-branding.
>

> AUIU, Mozilla's basic position on branding is to allow distribution of
> branded builds unless they include things which negatively impact users
> WRT security or stability, though I'm sure I'm oversimplifying. I
> don't know whether Mozilla would consider allowing unsigned extensions
> to be a negative impact, but maybe so, since disallowing them was
> presented as having a positive impact on users.
>

> I couldn't find any discussion of this anywhere either, and I don't
> care enough about it to try to prompt any. If anyone does want to make
> sure Mozilla have thought or will think this through, I think
> contacting Mike Connor and/or Gerv Markham would be a good way to
> start; both of them have dealt with branding and trademark issues for

> quite a while at Mozilla. (Well, a better way to start might be to

> verify for oneself that Ubuntu's branded version 48 really does allow
> unsigned extensions to run, heh. I haven't checked.)

Just checked it on Ubuntu 16.04 with Mozilla 48.0 canonical: out of the box, it denies
installing unsigned addons.

hth,
Axel

[wsha...@gmail.com]

What do you guys mean by "out of the box"? When I tested, Firefox blocked unsigned addons "out of the box", but setting xpinstall.signatures.required to false allowed them to be installed. Also, I was testing on Ubuntu Mate 16.04 on a Raspberry Pi (only Ubuntu system I had access to). I don't know if that matters.

[gene...@gmail.com]

On Wednesday, August 3, 2016 at 9:52:07 AM UTC-5, trainman261 wrote:
> While browsing the Gizmo's Freeware forum this morning, I read about Firefox 48... and that you can't install unsigned add-ons anymore, WITH NO WAY TO BYPASS IT. What? Has Mozilla gone completely bonkers? Mozilla, that keeps on talking about open systems, the open web, has now closed their web browser. This is insanely stupid at best. This is one of the main reasons I was using firefox. It's my system, I should have control over what can be on it, not some organization. There's a reason I don't use Apple devices, and there's a reason I stopped using Chrome when it stopped accepting extensions not in the Chrome Web Store. I can understand why unsigned extensions could be disabled by default, I can understand that. But the fact that there is no way to enable unsigned extensions is simply ludicrous. I use several of them and have no reason to stop using them, but at this point, I may well just stop using Firefox.
> Mozilla, I am extremely disappointed.

Couldn't agree more. I detest Big Brother behavior in all its forms and do not need a Nanny, nor Mozilla acting as one, which is not unusual behavior for this "open source" closed minded operation at all. Which is why I primarily use other browsers at this point. This used to be a free world. I wish it still were.

[zara...@gmail.com]

But will I have to reinstall the addons again if I install a new version of Firefox? I won't even be able to find it now that it's outdated!

[lorrainem...@gmail.com]

I am in the exact same situation, and may just switch to Safari because of it. We should not be forced to use "unbranded" versions of FF in order to use legacy add-ons that were once approved and found to be safe, but are no longer supported, so cannot be signed. Why can't Mozilla "back-sign" these legacy add-ons (on request from users), instead of disabling them completely?
I am concerned that using an unbranded version of FF will cause instability; in fact, I did try using one of the Nightly builds, but the add-on in question (Cool Previews), did not function properly, so I had to go back to FF 47, and that's where I will stay, until this add-on is once again usable. If it remains unavailable, I might as well switch to Safari, since this add-on is one of the major reasons I use FF exclusively.

[denni...@gmail.com]

On Wednesday, August 3, 2016 at 10:52:07 AM UTC-4, trainman261 wrote:
> While browsing the Gizmo's Freeware forum this morning, I read about Firefox 48... and that you can't install unsigned add-ons anymore, WITH NO WAY TO BYPASS IT. What? Has Mozilla gone completely bonkers? Mozilla, that keeps on talking about open systems, the open web, has now closed their web browser. This is insanely stupid at best. This is one of the main reasons I was using firefox. It's my system, I should have control over what can be on it, not some organization. There's a reason I don't use Apple devices, and there's a reason I stopped using Chrome when it stopped accepting extensions not in the Chrome Web Store. I can understand why unsigned extensions could be disabled by default, I can understand that. But the fact that there is no way to enable unsigned extensions is simply ludicrous. I use several of them and have no reason to stop using them, but at this point, I may well just stop using Firefox.
> Mozilla, I am extremely disappointed.

Me too. It seems it is time to let Firefox go. Sad.

[Axel Grude]

You are right, after setting the

xpinstall.signatures.required=false

I can still run unsigned addons. I thought Mozilla had removed or at least disabled
the switch.

good news,
Axel

*Axel Grude <mailto:axel....@gmail.com>*
Software Developer
Thunderbird Add-ons Developer (QuickFolders
<https://addons.mozilla.org/thunderbird/addon/quickfolders-tabbed-folders/>,
quickFilters <https://addons.mozilla.org/thunderbird/addon/quickfilters/>,
QuickPasswords <https://addons.mozilla.org/firefox/addon/quickpasswords/>, Zombie Keys
<https://addons.mozilla.org/thunderbird/addon/zombie-keys/>, SmartTemplate4
<https://addons.mozilla.org/thunderbird/addon/smarttemplate4/>)
AMO Editor
Visit my YouTube Channel <https://www.youtube.com/c/thunderbirddaily> for productivity
tips Get Thunderbird!

> *Subject:*Re: No more unsigned add-ons? Has Mozilla lost their mind?

> *From:*Wsha Code <wsha...@gmail.com>
> *To:*Mozilla-addons-user-experience
> *Sent: *Friday, 02/09/2016 16:03:10 16:03 GMT ST +0100 [Week 35]

> What do you guys mean by "out of the box"? When I tested, Firefox blocked unsigned addons "out of the box", but setting xpinstall.signatures.required to false allowed them to be installed. Also, I was testing on Ubuntu Mate 16.04 on a Raspberry Pi (only Ubuntu system I had access to). I don't know if that matters.

> _______________________________________________
> addons-user-experience mailing list
> addons-user...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/addons-user-experience
>

[Jorge Villalobos]

If the add-on is listed on addons.mozilla.org, then it was signed. If
you're referring to a legacy add-on that you got from somewhere else,
you have a workaround. You can upload it yourself for signing (as
unlisted), ideally with a different ID.

Jorge

[Brian Nakamoto]

On Friday, September 2, 2016 at 3:25:14 PM UTC-7, gene...@gmail.com wrote:
I detest Big Brother behavior in all its forms and do not need a Nanny, nor Mozilla acting as one, which is not unusual behavior for this "open source" closed minded operation at all. Which is why I primarily use other browsers at this point.

Which other browsers do you use?

-Brian

[Emiliano Heyns]

I know this question was directed at gene...@gmail.com, but for me, Chrome has become my day-to-day browser, and Vivaldi my tinkering browser. I use Firefox only for two things: a company website that for some reason only works in Firefox and IE9, and Zotero. And I wouldn't personally put any money on Zotero surviving the move to e10s.

[WaltS48]

So everybody has switched to browsers that were just as restrictive
before Firefox?

How many of the unsigned Firefox extensions are you using in them?

[Emiliano Heyns]

Even if the answer to that were "yes", which it isn't if you were paying
attention, the takeaway from that would still be "apparently this is what
differentiated Firefox, and without this differentiation, it's not
competitive".

If you look at the people who say they have extensions that cannot leave
their network, these people can use any browser except Firefox. Sure, it's
a pain in the ass to run unpacked extension in Chrome or opera, but at
least it's a possibility. And if the answer to that is "use ESR", which is
what I've switched to, you're acknowledging that there's a legitimate
use-case that is apparently safe enough to use. It's also the only way to
run selenium, which is a crucial tool in my dev work flow,and the selenium
team is hosed since signing got enforced.

Personally, I have no beef with extension signing since the api
materialized, but my work is public anyway. AMO is dead to me and has been
for a long time because of the unpredictable lead times. And later when xul
and xpcom go, there will no longer be any reason to work on Firefox
extensions afaic.

So are people switching to what you call more restrictive browsers? If the
answer to that is "no" because these browsers are in significant ways less
restrictive, that should give you pause. But if the answer is "yes", that
should also give you pause. Because it would mean that switchers see a
value in these browsers you are not seeing.

[v.nar...@gmail.com]

On Wednesday, 3 August 2016 15:52:07 UTC+1, trainman261 wrote:
>
> While browsing the Gizmo's Freeware forum this morning, I read about Firefox
>48... and that you can't install unsigned add-ons anymore, WITH NO WAY TO
>BYPASS IT. What? Has Mozilla gone completely bonkers? Mozilla, that keeps on
>talking about open systems, the open web, has now closed their web browser.

Agreed. I use Mozilla to access a legacy VPN. It uses an addon
that will never get signed, so Mozilla is making it impossible for me to
upgrade beyond FF47.

--
V.

[WaltS48]

Really? You can't use the unbranded, developer edition or nightly and
set xpinstall.signature.required to false? I believe the ESR version is
also usable.

REF: <https://wiki.mozilla.org/Addons/Extension_Signing#FAQ>

There are solutions. Use one.

--
Visit Pittsburgh <http://www.visitpittsburgh.com/>

Ubuntu 16.04.1 LTS