Firefox
The latest news and developments on Firefox and Mozilla, a global non-profit that strives to promote openness, innovation and opportunity on the web.
You can subscribe to this community from any Kbin or Lemmy instance:
Related
- Firefox Customs: [email protected]
- Thunderbird: [email protected]
Rules
While we are not an official Mozilla community, we have adopted the Mozilla Community Participation Guidelines as far as it can be applied to a bin.
Rules
-
Always be civil and respectful
Don't be toxic, hostile, or a troll, especially towards Mozilla employees. This includes gratuitous use of profanity. -
Don't be a bigot
No form of bigotry will be tolerated. -
Don't post security compromising suggestions
If you do, include an obvious and clear warning. -
Don't post conspiracy theories
Especially ones about nefarious intentions or funding. If you're concerned: Ask. Please don’t fuel conspiracy thinking here. Don’t try to spread FUD, especially against reliable privacy-enhancing software. Extraordinary claims require extraordinary evidence. Show credible sources. -
Don't accuse others of shilling
Send honest concerns to the moderators and/or admins, and we will investigate. -
Do not remove your help posts after they receive replies
Half the point of asking questions in a public sub is so that everyone can benefit from the answers—which is impossible if you go deleting everything behind yourself once you've gotten yours.
view the rest of the comments
Ah yeah, true, getting just the signed XPI should work as well.
And well, it is tricky. The signing requirement allows them to block malicious add-ons, which could also be used for state censorship.
I think, offering a separate path for people to install unsigned extensions, if they need it, while blocking them for the majority and therefore making them inviable for malware to target, that's in principle a smart compromise.
Also, side-note: Folks who are on Linux likely don't need to install a separate version of Firefox. Linux distros tend to compile with the unsigned extension support enabled (just need to toggle the flag in about:config).
I guess in this case the malware angle means it's probably better to require signing, since maybe Russia could successfully distribute malicious fake versions of these extensions otherwise. Still, the centralization here is worrying.