← Back to context

Comment by Yaina

20 days ago

Hm, not sure about that. I know from browser add-ons that markets like Brazil do suffer from increased scams, especially banking scams. I could see that this is also an issue for scam apps.

Firefox for instance does not allow you to install unsigned extensions. You don't need to list them on their storefront, but they want to perform automated tests and have the ability to block extensions through this signing requirement.

So in principle I can see them wanting to address a legitimate issue, but the way they are going about this is way to centralized. IMO they should do something like we have for web certificates, where vendors can add more root authorities than just the one from Google, and users should be able to add their own root certificates if they want to side load apps.

3 comments

Yaina

Reply
godelski  19 days ago 

  > I could see that this is also an issue for scam apps.

I don't deny that it can be used to reduce scams, but I think there are far better ways to solve this that don't give authoritarian countries extra powers. Thing is, signing doesn't actually address the problem. It is a way to track the problem, not prevent the problem. Don't confuse the two.

  > Firefox for instance does not allow you to install unsigned extensions.

That's absolutely not true[0]. You need to sign the extension to publish it to their app store but you don't need it to install. Btw, the Playstore already does this too. Which I'm totally okay with!

[0] https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

  For other people to use your extension, you need ***to package it and submit it to Mozilla*** for signing.

  • Yaina  19 days ago

    It is true, and what you quoted does not contradict this.

    https://extensionworkshop.com/documentation/publish/signing-...

    You can temporarily install extensions in about:debugging, but everything permanent needs to be signed.

    > Add-ons need to be signed before they can be installed into release and beta versions of Firefox. This signing process takes place through addons.mozilla.org (AMO), whether you choose to distribute your add-on through AMO or to do it yourself.

    • godelski  19 days ago

      What you are saying now is different than what you said before. This exact distinction is identical to the conversation of Google too.

      I mean test it out. Write that short example extension in Firefox. Doesn't matter if you need to open up about:debugging (just as you need to do extra things on your android). It'll stay.

      The signing is for distribution.