Hacker News

VoxPelli 10/01/2024 (6 replies)

Because no one has ever taken over and compromised high-profile extensions?

Chrome battles with it a lot, see e.g. https://news.ycombinator.com/item?id=36146278

I find Mozilla's process to be quite reassuring, but it would be good to have alternative "addon stores" that also have a review process.


Replies

sdflhasjd 10/01/2024

Mozilla is definitely doing the right thing by reviewing the extensions, but the issue here is that they were wrong: they found issues that didn't exist (such as claiming it contained obfuscated code and collected private data).

It appears the issues were found using simple heuristics (e.g. they detected the string pagead2.googlesyndication.com in a comment), and these detections weren't then manually reviewed as claimed, which is wasting everybody's time.

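To illustrate the false-positive mode described in the comment above (a domain string matched inside a comment rather than in executable code), here is an added example, not code from the thread or from Mozilla's review tooling. It contrasts a grep-style substring check with a check that first strips `//` and `/* */` comments while leaving string literals intact. The two extension snippets and the indicator string are constructed for the illustration; regex literals are not handled, which is a known limitation of this small stripper.

```javascript
// Added example: grep-style indicator matching versus comment-aware matching.
// The indicator and both "extension sources" below are constructed for illustration.
const INDICATOR = "pagead2.googlesyndication.com";

// Constructed snippet: the hostname appears only in a comment (a blocker's own notes).
const SAMPLE_COMMENT_ONLY = `
// Block requests to pagead2.googlesyndication.com (see filter list)
function shouldBlock(url) {
  return filters.some((f) => f.test(url));
}
`;

// Constructed snippet: the hostname appears in executable code.
const SAMPLE_IN_CODE = `
const beacon = "https://pagead2.googlesyndication.com/pagead/id";
fetch(beacon);
`;

// Grep-style heuristic: any occurrence anywhere in the file counts.
function naiveScan(source, indicator) {
  return source.includes(indicator);
}

// Remove // and /* */ comments, copying string and template literals verbatim
// so that a "//" inside a string is not mistaken for a comment start.
function stripComments(source) {
  let out = "";
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    const next = source[i + 1];
    if (ch === "/" && next === "/") {
      // Line comment: skip to the end of the line (newline itself is kept).
      while (i < source.length && source[i] !== "\n") i++;
    } else if (ch === "/" && next === "*") {
      // Block comment: skip to the closing */ (or to EOF if unterminated).
      const end = source.indexOf("*/", i + 2);
      i = end === -1 ? source.length : end + 2;
    } else if (ch === '"' || ch === "'" || ch === "`") {
      // String or template literal: copy verbatim, honouring backslash escapes.
      const quote = ch;
      out += ch;
      i++;
      while (i < source.length && source[i] !== quote) {
        if (source[i] === "\\" && i + 1 < source.length) {
          out += source[i] + source[i + 1];
          i += 2;
        } else {
          out += source[i];
          i++;
        }
      }
      if (i < source.length) {
        out += source[i]; // closing quote
        i++;
      }
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

// Comment-aware heuristic: only occurrences outside comments count.
function commentAwareScan(source, indicator) {
  return stripComments(source).includes(indicator);
}

// Runs both heuristics over both constructed snippets and returns the verdicts.
function demo() {
  return {
    commentOnlyNaive: naiveScan(SAMPLE_COMMENT_ONLY, INDICATOR),   // true  (false positive)
    commentOnlyAware: commentAwareScan(SAMPLE_COMMENT_ONLY, INDICATOR), // false
    inCodeNaive: naiveScan(SAMPLE_IN_CODE, INDICATOR),             // true
    inCodeAware: commentAwareScan(SAMPLE_IN_CODE, INDICATOR),      // true
  };
}

console.log(demo());
```

The comment-aware check still only narrows the candidate set; a hit in code (as in the second snippet) says nothing about whether the request is being blocked or made, which is the part that needs a human reviewer.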
JohnBooty 10/01/2024

Absolutely. But: I don't think anybody is saying that high profile extensions should receive less scrutiny?

For high-profile extensions, the impact is higher for both false negatives and false positives. So they should receive more attention.

I do not know anything about Mozilla's internal procedures regarding add-on approvals. However, for a high profile extension like uBO/uBO Lite... it should either require multiple reviewers, or maybe just an escalation to a senior reviewer or something. You should never be a single human error away from a high impact mistake.

Maybe they do that already, I dunno. But it seems hard for me to believe that multiple people approved uBO Lite's yoinking.

Extensions are SUCH a crucial part of FF's appeal. And uBO/uBO is arguably the most important of them all.

latexr 10/01/2024

> I find Mozilla's process to be quite reassuring

The fact that a review process exists might be reassuring, but the way they went about it surely isn’t.

https://github.com/uBlockOrigin/uBOL-home/issues/197#issueco...

mossTechnician 10/01/2024

Mozilla has the capability to handle compromised addons; this whole mess happened because they wiped out every version of uBOL except for the earliest one.

They just haven't used that capability responsibly... Yet.

finnthehuman 10/01/2024

There is a difference between questioning if a review process should exist for the official addon index and questioning if the implementation is any good.

You address the former when it seems like the issue is the latter.

eviks 10/02/2024

What's reassuring about the lack of basic competence? Why would you think such people/processes will help catch the types of issues mentioned in the Chrome link?