<Glazblog/>

Grrrr

Step 1:

Dear add-on author,

You're receiving this message because one or more of your add-ons has been
removed from the trusted add-on list. This is part of an ongoing effort to
tighten security on AMO and improve add-on quality. Close to 100 add-ons
have been removed from the list, and obtaining trusted status will be much
harder in the future.
...
Jorge Villalobos
Add-ons Developer Relations Lead, Mozilla

Step 2:

Hello,

There's a question I've been asked so much, that I think it deserves some
clarification for everyone: "Why was my add-on removed from trusted status?".
I realize now that I was to vague in my initial message. I apologize for that.

The answer is pretty much the same for everyone.

Trusted status was previously handed out on a basis of merit. If you deserved
trusted status (for being an outstanding member of the community, for having
a good relationship with Mozilla, for creating a really good add-on, etc),
you got it. This lead to the trusted list to become very large and hard to
manage.

Now the trusted status will only be given on a basis of need. None of the
reasons mentioned above are sufficient to get trusted status. You will only
be considered if you can prove a *need* for instant updates. I removed all
add-ons that didn't appear to have that need.
...
Jorge Villalobos
Add-ons Developer Relations Lead, Mozilla

Ah. My reaction stands in one word only : Grrrrrrrr... I don't mind having my new extensions not trusted since they are new, but un-trusting an already existing and trusted extension is just a pain - for authors and also users even if not millions of users - and, to tell the truth, quite unfair.

Comments

1. On Thursday 26 November 2009, 19:40 by Brian King

Actually I think it is fairer to users because it keeps them safer.

2. On Thursday 26 November 2009, 21:47 by Pavel Cvrček (JasnaPaka)

I disagree with you Daniel. My extension was removed too but I understand the reasons. Just remember NoScript which was discussed few months before. "Trusted" extension and what author did? Have a look at it in view of AMO.

3. On Friday 27 November 2009, 00:02 by Sylvain D

Hum, Am I the only one to find links with Apple's app store's approval process?

Where is hackability gone?

4. On Friday 27 November 2009, 01:16 by paercebal

I found this site, perhaps explaining the change of "trusted" policy on Firefox:

http://jake.kasprzak.ca/2009/05/11/...

At first, I was outraged by Firefox' move, but now, I wonder:

My browser should not be the warzone of rival extentions hackers.

5. On Friday 27 November 2009, 05:55 by Fritz

Sylvain, there is not really much of a comparison with Apple. Apple is a monopoly. AMO is only the main site. You can put your extensions anywhere and have users get them without AMO approval. The problem with AMO's success is that people expect some sort of vetting and assume most add-ons from AMO will be safe. Mozilla is trying to do this. I'm not sure this was necessary, but I don't think a comparison to the Apple Appstore is fair.

6. On Friday 27 November 2009, 09:28 by Pete

@Fritz: The problem ist that currently "untrusted" extensions on AMO are treated the same way as on any other website. This leads to the point that AMO won't be THE source for extensions anymore. And this leads to the point that users simply download extensions from all over the world. And combined with the fact that an extension has full access to almost everything, this finally leads to a huge security problem and a threat to Firefox's reputation.

7. On Saturday 28 November 2009, 08:48 by Colby Russell

Pete: fantastic, but it doesn't make the comparison to Apple's app store any more à propos.

8. On Saturday 28 November 2009, 09:00 by Daniel Glazman

@BrianKing: you'll have to explain me how self-hosted add-ons are safer too...

Comparison with App Store is exagerated. But removal of trusted status is unfair because it is retroactive. That status was given to my extensions because I uploaded several versions w/o any review issue, because they were popular, because I am myself trusted, because I am very unlikely to introduce a security hole in my new versions or even something that breaks other extensions. That status gave me an advantage : no review delay. So now, to be trusted, you need millions of users. Aaaaah, so basically, it's better to allow an author to distribute unreviewed code to millions of users than to hundreds of thousands. Let me laugh, code mistakes will just spread more widely, that's all.
And if an add-on with only 1000 users but is totally critical to those 1000 users, I don't see why it's less important to update fast than for a 1M+ users' add-on.

Trusted status should be removed for everyone, or for noone. An in-between decision makes no sense.

9. On Saturday 28 November 2009, 09:30 by Sylvain D

ok, my bad.
But I thought that auto-updates where allowed only by this status, maybe I need to check again if it's the case.