If I understand the timeline correctly here, it seems that gorhill overreacted, and I say that as someone who is usually harshly critical of everything Mozilla has done in the past 5+ years. It's hardly practical for Mozilla to manually review every add-on revision for safety in a timely manner, so they had the choice between automation and delays that would make add-on development a slog; automation though inevitably will cause false positives.
What's the alternative? No pre-release review at all? As a user I would hope that this will not be the case, especially now that we have confirmation that flashy supply chain attacks are being executed in the wild. In fact the review policy protects gorhill himself too, since it makes him a bit less attractive as a target for a rubber-hose attack (no point in blackmailing him to put in spyware if the spyware would be caught before release).
I'm not even surprised the add-on got flagged. The linked files in the GitHub issue all had file names insinuating a direct connection to known trackers (which, of course, uBOL is blocking). Whatever automated scanning tool Mozilla uses probably latched on to "oh this is Google Tag Manager" and issued the warning that is normally handed out to add-ons that do include sketchy scripts like these.
HOWEVER: the email clearly states:
> Your Extension uBlock Origin Lite was manually reviewed by the Mozilla Add-ons team in an assessment performed on our own initiative of content that was submitted to Mozilla Add-ons
Either that is a lie, or the manual reviewer that did the "review" doesn't understand that the automated tool they ran is capable of false positives.
Nothing wrong with automated abuse assessments on a platform like Mozilla's, but don't lie in your communications about it (or hire people who know what they're doing when it comes to blocking addons).
Maybe a less crappy review system at least?
"The burden is that even as a self-hosted extension, it fails to pass review at submission time, which leads to having to wait an arbitrary amount of time (time is an important factor when all the filtering rules are packaged into the extension), and once I finally receive a notification that the review cleared, I have to manually download the extension's file, rename it, then upload it to GitHub, then manually patch the update_url to point to the new version. It took 5 days after I submitted version 2024.9.12.1004 to finally be notified that the version was approved for self-hosting. As of writing, version 2024.9.22.986 has still not been approved."
Doesn't sound like something I'd enjoy as a hobby.
I agree with what you say about the tradeoffs of a review process, but strongly disagree that Raymond Hill overreacted. He's a solo dev working on uBlock as a hobby who doesn't even take donations; he doesn't owe us anything. He gets to decide if the review process is frictionless enough for him to contribute his time and energy, and even though he decided it's not in this case, he made his extension open source, so anyone else is free to publish uBlock Origin Lite in his stead.
I don't think the author has overreacted, but your first paragraph doesn't seem to match the timeline, so maybe the article didn't portray it correctly. For a better understanding have a look at the GitHub issue: https://github.com/uBlockOrigin/uBOL-home/issues/197
It was not an automated review, it was a manual review, poorly done. The author then explains that they don't want to deal with the stress (there are also some extra explanations of what's involved in the AMO review process), and also that they left a somewhat harmful version of the plugin up. Not wanting to deal with stress is a perfectly understandable reaction.
> manually review every add-on revision for safety in a timely manner
Sure, but uBlock Origin, lite or not, is one of the most important browser add-ons, if not the single most important one. This may not justify giving it a pass without looking, but it should certainly be reason enough to jump it to the front of the queue and review it manually every time.
No, he did not. Mozilla is in a situation where they should bend over backwards for very popular extensions, which I believe both uBlock Origin versions must be. Ensure anything you do with them is absolutely correct.
In general quite a lot of extensions are done out of passion. And any chance of destroying that passion will make your product less desirable to work with and thus, in the long run, less popular.
Mozilla is not a single person in a basement with a 20-year-old second-hand computer. They spend hundreds of millions of dollars per year. uBlock Origin has 8+ million installs. The second extension by install count has 4 (four) times fewer. If anything to do with gorhill and their extensions is not priority one in their review system, then something is really wrong at Mozilla.
Don't remove stuff that has been in use for some time based only on automated tooling ...
And from the start the review was supposedly: "Your Extension uBlock Origin Lite was manually reviewed by the Mozilla Add-ons team".
> No pre-release review at all?
certainly not leaving only the oldest version of the extension up.
Can we build a better sandbox? Exfiltrating data is the issue, but if extensions just weren't able to reach out arbitrarily and could only download from a specified URL, then that would eliminate the problem for plugins that could adapt to using only that specific permission, and they would then not need manual review.
Meh, it's perfectly reasonable to decide that you don't want to deal with this kind of bullshit and pull the extension from problematic stores. There's probably a minuscule number of people using uBO Lite on Firefox anyway.
I think that the alternative is some form of "peer review", where the effort of performing reviews is spread out among a volunteer f with reasonable "reputation" management and in which a party can accelerate their own review by contributing to the reviews for others.
Exactly. And this is why we need paid browsers. If the ad-supported/donation-supported browsers like Firefox need to apply low-quality automated solutions to approving/rejecting even their most popular addons, then clearly the business model isn't working.
So? Mozilla inserted themselves as middlemen into add-on delivery. Even for the so-called self-hosted add-ons. They can just not do that if doing it properly and without undue delays means more work than they can handle.
I'd pay for speedy reviews. I don't think it would resolve to paywall, but the reviewers are not free.
I think it’s reasonable to expect that one of Firefox’s most popular extension publishers gets a higher tier of review service. Gorhill (and other top extension devs) are providing real value to Firefox, and have demonstrated good behavior for years.
This doesn’t mean they should get to publish whatever they want, but if a reviewer is about to reject a high profile plugin, they should get a second set of eyes on it. Which would have obviously caught the mistake here.
Feels like another “Firefox is underinvested in developer relations” story, which is surprising given how much they rely on them.
Edit: honestly the idea that gorhill doesn’t have a dedicated rep at Mozilla is baffling to me. According to their stats the extension has 8.4 million users. They should call him on the phone to let him know there’s a problem with his extension.