• chicken@lemmy.dbzer0.com
      6 months ago

      I know it says the extension is not available from the Firefox addon site if using Russian IPs, but I wonder if they have also gone so far as to make the browser itself not be able to install them in other ways. I would guess they have not, since that would mean a complicated setup in terms of the signatures, like they would have to have a separate FF version and set of signatures per country, or use a central server to authenticate things rather than client validation of signatures. In that case it would be easier to find the addon file somewhere other than the store and install it, since using unsigned addons requires installing a whole separate version of Firefox.

      Even if that’s how it is, this whole thing still illustrates that prohibiting unsigned addons from being installed is user-hostile, because on an ideological level Mozilla probably would use that power to advance state censorship if it came down to it.

      • Ephera
        6 months ago

        Ah yeah, true, getting just the signed XPI should work as well.

        And well, it is tricky. The signing requirement allows them to block malicious add-ons, which could also be used for state censorship.
        I think offering a separate path for people to install unsigned extensions if they need it, while blocking them for the majority and therefore making them inviable for malware to target, is in principle a smart compromise.

        Also, side-note: Folks who are on Linux likely don’t need to install a separate version of Firefox. Linux distros tend to compile with the unsigned extension support enabled (just need to toggle the flag in about:config).

        • chicken@lemmy.dbzer0.com
          6 months ago

          I guess in this case the malware angle means it’s probably better to require signing, since maybe Russia could successfully distribute malicious fake versions of these extensions otherwise. Still, the centralization here is worrying.