Similar boat. I release an extension with about 1 million installs across Chrome/Firefox/Edge for work.
Firefox (despite being the smallest usage) is utterly insane with regards to process. They demand a reproducible build, but then can't do things like install the right version of yarn (no - npm install -g yarn is not correct, our readme says it in bold like 5 times and provides the exact correct command to install the right version), or follow basic setup steps like "Use this version of node (complete with exact steps to install it and a script to automate that for them)".
God fucking help you if you try to do something completely crazy as a private company like - checks notes - use a private NPM module. Despite providing them with access on a pre-configured account, or offering to give a review account access according to Mozilla "It's too hard to use external accounts during review".
Honestly - having to interact with the browser review team is a BIG reason I no longer recommend Firefox. They're incompetent at best, and I'm fairly convinced they're just milking the google search deal income for as much as it's worth - I don't think they really want to provide an alternative and secure browser anymore.
Reproducible builds and open source sounds like a good thing.
I wouldn’t expect the reviewers to deal with every add-on's bespoke snowflake build. Even less so if it requires access to a private module. Mozilla should provide a baseline of how a build is intended to be done, then extensions just have to follow this template. Though yes, you would expect them to have some familiarity with basic stuff like yarn and that the baseline supports a few of the most popular builders.
> I'm fairly convinced they're just milking the google search deal income for as much as it's worth
That's exactly what the ex-McKinsey C-suite are doing. Regular employee talent suffers because of it, as you've found.
This is exactly what the review process for the Play Store is like, even worse for Google TV apps. Oftentimes just re-submitting multiple times without changing anything at all will get it pushed through.
This sounds super frustrating, as someone who has an idea or two for browser extensions I'm not looking forward to all the bureaucracy. I actually love the idea of requiring and validating reproducible builds but they really should invest in reviewers competent enough to manage that.
I do have half an idea to deal with it that I plan to try, thought it might be helpful to suggest: implement a Fisher-Price build system that checks and automates every single step and cannot go wrong. Ideally if the reviewers can run Docker, do it all in a container. Wrap package.json scripts with functions to validate the build environment before proceeding and either fix it automatically or fail and print clear instructions to the console. A preinstall hook could verify they have proper NPM auth and prompt for it if needed.
Annoying to have to do that at all though. I'm starting to come to similar conclusions on Firefox, using it currently but I've been thinking about jumping ship for a while. What browser would you recommend now? I wanted to get away from Google but I'm considering just Chromium since any remotely comparable options I've found are poorly thought out wrappers of it.
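A sketch of the guard described in the comment above, as an added example (not the commenter's, the extension's or Mozilla's code): a POSIX sh preinstall hook that refuses to build unless node and yarn match the pinned versions and the reviewer's .npmrc holds credentials for the private scope. The version pins, the @example scope and the install-node.sh / install-yarn.sh helper names are constructed placeholders.

```shell
#!/bin/sh
# Added example: a preinstall guard that refuses to build unless the toolchain
# matches the pinned versions. Pins, scope and helper script names are constructed.
set -eu

EXPECTED_NODE="20.11.1"   # constructed pin; a real project would read this from .nvmrc
EXPECTED_YARN="1.22.22"   # constructed pin
PRIVATE_SCOPE="@example"  # constructed scope of the private package

# Exact-match comparison; tolerates the leading "v" that `node --version` prints.
version_matches() {
    expected="$1"; actual="${2#v}"
    [ "$expected" = "$actual" ]
}

# Check one tool. $1 name, $2 pinned version, $3 detected version ("" = absent),
# $4 remediation to print. Returns 1 on any mismatch so the build stops early.
check_tool() {
    name="$1"; expected="$2"; actual="$3"; fix="$4"
    if [ -z "$actual" ]; then
        echo "ERROR: $name not found; need $name $expected. Fix: $fix" >&2; return 1
    fi
    if ! version_matches "$expected" "$actual"; then
        echo "ERROR: $name ${actual#v} found, build pinned to $expected. Fix: $fix" >&2; return 1
    fi
    echo "ok: $name $expected"
}

# Does $1 (an .npmrc) map scope $2 to a registry and hold an _authToken for that
# registry host? Only presence is tested; the token value is never printed.
has_npm_auth() {
    npmrc="$1"; scope="$2"
    host="$(sed -n "s|^${scope}:registry=https\{0,1\}:||p" "$npmrc" 2>/dev/null | head -n 1)"
    [ -n "$host" ] && grep -q "^${host}:_authToken=" "$npmrc"
}

main() {
    node_v="$(command -v node >/dev/null 2>&1 && node --version || true)"
    yarn_v="$(command -v yarn >/dev/null 2>&1 && yarn --version || true)"
    status=0
    check_tool node "$EXPECTED_NODE" "$node_v" "run ./scripts/install-node.sh" || status=1
    check_tool yarn "$EXPECTED_YARN" "$yarn_v" "run ./scripts/install-yarn.sh" || status=1
    has_npm_auth "${HOME:-.}/.npmrc" "$PRIVATE_SCOPE" \
        || { echo "ERROR: no credentials for $PRIVATE_SCOPE; run: npm login --scope=$PRIVATE_SCOPE" >&2; status=1; }
    return $status
}

# Run the checks only when invoked as the hook itself ("preinstall": "sh scripts/check-env.sh").
if [ "${0##*/}" = "check-env.sh" ]; then main; fi
```

Wiring the script into `"preinstall"` in package.json makes every `npm install` or `yarn install` stop with the exact remediation instead of producing a build that differs from the submitted one.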
They should switch to an fdroid like model that does public builds on cloud infra.
It sounds like they are doing their job attempting to review random code from strangers to be honest.
Honestly I have to side with Mozilla team here. Kudos to them for trying to actually care about security and privacy. I can imagine the nightmare that people are submitting and trying to recheck everything and build those random extensions with private npm repos and whatnot.
It’s funny to think of Mozilla like landed gentry where they have captured serfs (their users) and get a payout from the king (Google) for their loyalty and support.
On the flip side, having to interact with addon review has raised my confidence in the browser. The steps they take to review, while not perfect, seem like they could weed out a lot of potential garbage and malware. I was expecting a much more minimal review process, which would have raised my fear about the extensions I use and set to auto-update.