Firefox Add-on Certificate Expiration
The recent Mozilla hiccup with an expired add-on signing certificate was revealing. In one respect this episode was little more than simple human fallibility. Conversely, the event exposed some glaring problems with Firefox development and attitude.
- A bunch of developers and engineers had not implemented any kind of auto-renewal or reminder.
- Apparently all Mozilla-sanctioned add-ons are packaged with the certificate.
- A certificate expiration disables all add-ons without user consent or knowledge.
- Users were not warned or given any options after the certificate expired.
- The certificate means all add-ons have an expiration date.
- Disabling add-ons affected containers.
- The shield study program can be used to push anything to all users with that option enabled, without those users necessarily being fully informed.
- Many users who depend solely on add-ons to block ads saw web sites infested with energy-sucking idiotic ads.
- The unannounced loss of privacy-protecting add-ons might have exposed some users in a detrimental way.
- A temporary hotfix opened a huge can of privacy-related worms.
- Users on an ESR version who had add-on signing disabled through xpinstall.signatures.required did not have any add-ons disabled.
Signed add-ons are a sane idea. Not letting users disable signing is a bad idea. The spirit of free/libre software implies users have the final say. Most if not all users who install add-ons are not clueless lowest-common-denominator type users. A GUI control is not required — just allow users to decide through