On 8/24/15 10:45 AM, Rory wrote:
> Hi,
>
> With the mandatory addon signing from FF 41/42, what is the situation for private add-ons that are used in enterprise environments? Many enterprises don't use ESR so will be affected from Sept 22, or Nov 3 if disabling the signing requirement via preference.
>
> I work with addons for corporate environments that are installed via the registry (https://developer.mozilla.org/en-US/docs/Adding_Extensions_using_the_Windows_Registry). The FAQ (https://wiki.mozilla.org/Addons/Extension_Signing) says "We haven't announced our plan for this case yet. Stay tuned." so I'm keen to find out things like:
>
> 1. Is there a way for enterprise addons to not need to be signed or not need to go through the review process? e.g. Chrome extensions get around the Store submission requirements by allowing GPO installation from non-Store URLs, but only on workstations joined to a Windows domain.
Like it's mentioned in the wiki page, ESR will probably continue to
support the preference to disable signature enforcement. Enterprises
that use the regular release version of Firefox will have to have their
extensions reviewed and signed or use one of the alternatives (Dev Edition,
Nightly, or unbranded builds).
I'm not familiar with the GPO solution, but if it were implemented it
would probably be exclusive to ESR.
> 2. If enterprise addons need to be submitted for review, what controls are in place around non-disclosure of source code? e.g. Who will have access to it and what agreements are in place to ensure this isn't made available to anybody else?
Assuming the add-on is submitted with obfuscated or compiled code (very
likely if you want to protect your code), this policy applies:
https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#Binary_Components_Obfuscated_Code.
Essentially, only a small group within Mozilla will have access to the
sources (which we will request) and it will not be shared outside of
that group. For unlisted submissions, there are some exceptional cases
where we can allow add-ons to be reviewed without sources.
> 3. If enterprise addons need to be submitted for review, what review requirements does a registry-installed addon need to comply with? The AMO Policy agreement (https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Agreement) section (c)(i) says that Unlisted addons need only comply with the Security criteria, is that correct?
When you submit an unlisted add-on (that is, an add-on that won't be
listed on addons.mozilla.org), you should see an option to request
side-loading. This is necessary for the add-on to be allowed to install
via the registry. Selecting this option means the review is not
automatic (it takes a couple of days), but it's still aimed at verifying
that the add-on meets our security standards.
>
> many thanks!
>
> Rory
>