On 10/20/15 8:26 PM, Mike Connor wrote:
> On 20 October 2015 at 16:33, Dan Stillman <dsti...@zotero.org> wrote:
> > You never had unlisted add-ons before, so this doesn't make any
> > sense. You haven't been reviewing Zotero for years, so Zotero has
> > in effect been whitelisted. Are you suggesting that, in this time,
> > Zotero has been a failure? Has it become a threat to Firefox
> > users? (Apparently not, since you accepted an essentially
> > unchanged version a month ago.) If it hasn't, then that undermines
> > your whole argument. The notion that code that's not reviewed by
> > AMO editors somehow inherently gets worse over time is laughably
> > absurd, not to mention offensive to responsible developers of
> > unlisted add-ons.
> AMO had a set of add-ons that were whitelisted, which meant those
> add-ons were auto-approved and hosted on AMO. Not unlisted, but
> unreviewed by AMO. The program was ended because the majority of
> developers failed to maintain appropriately high standards, and users
> quite often blamed Mozilla for problems they couldn't isolate to a bad
I understand that, but I still don't see how it's relevant. We're not
talking about extensions on AMO. We're talking about Zotero and other
extensions that have been unhosted for years without problems. People
have downloaded them directly from websites, they've trusted the
developers, and the developers have honored their trust. Nothing has
changed to affect the quality or security of those add-ons. So why is
Mozilla insisting on punishing Zotero out of existence for the past
behavior of a few hosted add-ons when none of the factors that have
guided Zotero's development up until now have changed?
> Introducing product quality issues for developer convenience is a
> pretty poor tradeoff, overall.
This isn't an issue of developer convenience — this is an issue of
Zotero no longer existing as a Firefox extension, because, as I
explained in the original whitelisting thread, we can't be in a
situation where we can't release a critical update to our users
immediately. For most extensions it might not be a big deal if there's a
major bug for a few days. For Zotero it's a huge deal.
> For every developer who's building good add-ons, there's probably 2-3
> who don't have the knowledge or desire to maintain code to our standards.
So don't whitelist those. Save whitelisting for developers who have
demonstrated that they're knowledgeable and responsible and for whom the
normal review process clearly does more harm than good.
> That's a ballpark estimate, but ultimately we've spent a ton of time
> helping people get up to speed in the last six months. With
> professionally written add-ons, that ratio was even worse. At least
> 2-3 major add-ons by install base required months of rewrites.
> So... no, I don't think it's laughably absurd, or offensive. It's the
> facts. Zotero being an exemplary citizen doesn't change the reality of
> our ecosystem. And hard cases make bad law.
Again, I'm talking about Zotero and other unhosted add-ons, which
despite not having the magical guiding powers of AMO haven't become
"significantly worse over time", as Jorge claimed invariably happens —
that's what I'm saying is absurd and offensive, because it's
demonstrably untrue. Mozilla distributing extensions from AMO that turn
rogue is Mozilla's problem. It shouldn't be ours.
> > In any case, if you sign extensions — which most of us aren't
> > objecting to — there's nothing preventing you from reviewing
> > extensions after the fact while still allowing legitimate
> > developers to release timely updates to their users. If you find
> > genuine exploitable holes, any responsible developer will fix them
> > and be grateful for the extra eyes — and if they don't then they
> > can lose whitelist privileges. How is that possibly not sufficient?
> Closing the barn door after the horse has bolted is a pretty poor
> horse retention strategy. Opening the door only when the horse isn't
> going to bolt is a lot better.
Can we not just agree that Zotero is a horse that probably isn't going
to bolt? Certainly an extension being reviewed is no guarantee that it
won't, since it's easy to bypass the automatic validator, and we could
trivially insert malicious code in Zotero that made it past a review if
we wanted. Whether you like it or not, you still have a system built
largely on trust.
> Less convenient for sure, but it's a tradeoff. (I'll note that you
> made no mention of the potential impact on users.)
Well, I'm most concerned about Zotero's users, who will no longer be
able to use Zotero in Firefox. That seems like a pretty big impact to me.
But yes, I value the continued existence of high-quality extensions for
Firefox over futilely trying to prevent every manner of theoretical harm
that might befall a Firefox user, instead of accepting the reasonable
compromise of going after the side-loaded malware that was the target of
this scheme to begin with.
> I missed the origin of this thread, but overall it's pretty much
> summed up as "this is stupid, and your reasons are obviously wrong"
> vs. "what we've seen in practice makes us unwilling to repeat past
> issues with whitelisting." I can't imagine a positive resolution
> coming out of this thread, so I'd encourage everyone to take a deep
> breath and take a step back.
The origin of this thread was my whitelisting thread, where I said that
we'll have to discontinue Zotero (or somehow convince all our users to
install the unbranded build) come Firefox 43 if we can no longer release
immediate updates to our users. So I'm afraid we don't have the luxury
of taking a step back.
> I'll also add that accusing people of lying or otherwise acting in bad
> faith is a surefire way to block forward progress, so I'd encourage
> people to try to assume good faith. I don't think anyone here is
> trying for anything other than what they think is best for their users.
I believe that Mozilla folks are trying to do what they think is best
for their users. It's the complete disregard for our users that I have a
problem with. Beyond that, I don't appreciate the repeated, baseless
accusations today that Zotero has security issues or "insecure
practices" in an attempt to defend this broken system.
Finally, it's frustrating that no one from Mozilla will even acknowledge
that the entire premise of this scheme has changed drastically from what
was sold to the community. Just suddenly claiming that there are a range
of other concerns besides malware doesn't change the record we have of
the last 1.5 years. It's hard to make forward progress when we can't
even acknowledge the documented past.