:: Re: [DNG] Life After Firefox 56
Author: Rick Moen
Date:  
To: dng
Subject: Re: [DNG] Life After Firefox 56
As it turns out, Firefox-ESR is, per Mozilla documentation, _also_ not
going to absolutely enforce Mozilla, Inc. signing of extensions.
This matter was raised by the estimable Akkana Peck, who was a frequent
speaker at our local Silicon Valley Linux User Group meetings before
moving to New Mexico. Her site: http://www.shallowsky.com/


----- Forwarded message from Rick Moen <rick@???> -----

Date: Thu, 23 Feb 2017 18:24:56 -0800
From: Rick Moen <rick@???>
To: svlug@???
Subject: Re: [svlug] (forw) [DNG] Life After Firefox 56

Quoting Akkana Peck (akkana@???):

> Rick Moen writes:
> [about Firefox's upcoming lockdown of extensions]
>
> Yikes! Thanks for the alert, Rick.
>
> I have to wonder: in a world where extensions can't run unless
> they're signed by Mozilla.org, how can anyone develop extensions?
> How do you test your changes on your own browser so you know it
> works before you publish it on Mozilla.org?


On Nightly and Developer Edition builds, as well as unbranded builds.
_And_, turns out, ESR releases (see below, and thank you for raising
that).

In fairness, there may be substantial changes as this gets rolled out.


> Running firefox by itself with no extensions sounds like a disaster.
> No control over scripts, cookies, flash or other security risks?
> It sounds like a red carpet for malware, not protection against it.


What I hear is that there will be WebExtensions reimplementations of the
most key XUL extensions by the time this becomes an issue. This is so
new to me (though it's been in the offing for a long time without my
being aware) that I cannot be more specific than that.

In particular, on https://wiki.mozilla.org/Addons/Extension_Signing, it
says: 'All Firefox extensions - for Desktop and Android - on AMO
[addons.mozilla.org] that have passed review are now signed.
For unlisted (non-AMO) add-ons, submission and signing is active through
AMO, and there is a Signing API available [link] for automated
submission and retrieval of unlisted addons.'


> I wish there were more open-source browser engines. Webkit used to
> be great, but it seems to be bitrotting lately. Konqueror on a non-KDE
> system wants to pull in 66 other packages including a lot of desktop
> cruft. I'm not convinced any of the other mozilla-based browsers is
> all that well supported (galeon was pretty good for a while, but
> it's orphaned now), but Pale Moon looks pretty interesting: anybody
> here use it? Do you trust them to keep up with security updates?
> Chromium might be the best bet, but how is it on privacy and control
> over scripts and cookies and such?


FWIW, I maintain a list of all Linux-supporting graphical Web browsers
I'm aware of at
http://linuxmafia.com/~rick/faq/kicking.html#linuxbrowser . It in no
way evaluates any of the browsers mentioned, but could serve as a
starting point for anyone wishing to do a survey.

Steve Litt (/me waves) has been doing browser testing for quite a long
while, now. Hey, Steve! Feel like dredging up some links for us?

> There's also firefox-esr, the Extended Support Release (which is the
> firefox that Debian packages): with any luck, Mozilla may not lock
> it down for quite a while, giving users more time before they have
> to switch.


Good point! I completely failed to check that. I've just found the FAQ
entry:

Q:  What about private add-ons used in enterprise environments?
A:  The ESR release will support signing starting with version 45-based
    releases. Signing enforcement will be enabled by default in these
    releases, and enforcement can be disabled using the
    xpinstall.signatures.required preference.


https://wiki.mozilla.org/Addons/Extension_Signing

The 'Timeline' section of that page includes:

The first ESR version to include signing support will be the Firefox
ESR 52 release.

So, Firefox-ESR releases get added to Nightly and Developer Edition as
releases that do not absolutely, uncorrectably require corporate
signing.

Further details can be found in this page by Martin Brinkmann:
http://www.ghacks.net/2015/06/19/how-to-disable-the-firefox-40-add-on-signing-requirement/

----- End forwarded message -----
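
The FAQ entry quoted above names `xpinstall.signatures.required` as the switch that turns signing enforcement off on builds that honour it; the following is an added example, not part of the original message or of Mozilla's tooling, that audits Firefox profiles for that setting. Assumptions: the function names are illustrative, profiles live under `~/.mozilla/firefox` (the usual Linux location), the preference is stored as a `user_pref(...)` line in `prefs.js` or `user.js`, and enterprise autoconfig files and `/* */` comments are not examined.

```python
import re
import sys
from pathlib import Path

PREF = "xpinstall.signatures.required"
# One preference per line: user_pref("name", value);  (commented-out lines do not match)
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

# Constructed sample of prefs.js content, used only to illustrate the line format.
SAMPLE = ('user_pref("browser.startup.page", 3);\n'
          'user_pref("xpinstall.signatures.required", false);\n')

def read_pref(text, name=PREF):
    """Return the last raw value assigned to `name` in a prefs file, or None."""
    value = None
    for key, raw in PREF_RE.findall(text):
        if key == name:
            value = raw
    return value

def audit_profile(profile_dir):
    """Report whether one profile leaves add-on signing enforcement switched on.

    user.js is applied on top of prefs.js at startup, so it wins when both set the pref.
    """
    profile = Path(profile_dir)
    raw, source = None, "default"
    for fname in ("prefs.js", "user.js"):
        path = profile / fname
        if path.is_file():
            found = read_pref(path.read_text(encoding="utf-8", errors="replace"))
            if found is not None:
                raw, source = found, fname
    # An absent pref means the default, which the FAQ states is enforcement enabled.
    return {"profile": str(profile), "enforced": raw != "false", "source": source}

def audit_all(root):
    """Audit every directory directly under `root` that contains a prefs.js."""
    return [audit_profile(p.parent) for p in sorted(Path(root).glob("*/prefs.js"))]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".mozilla" / "firefox"
    for r in audit_all(root):
        state = "enforced" if r["enforced"] else "SIGNING ENFORCEMENT DISABLED"
        print(f'{r["profile"]}: {state} (from {r["source"]})')
```

A profile reported as disabled only matters on builds that honour the preference, which per this thread are ESR, Nightly, Developer Edition and unbranded builds.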