Tridactyl has been delisted from addons.mozilla.org #1800
Comments
As a user who prefers to do "weird" stuff with my machine with full knowledge that it means any issues I run into are my own to deal with, how can I (and others who feel the same) reach out and let whoever is behind this know that I support your position in not messing with my configurations without my explicit consent?
There aren't any official channels. I'd rather not get into the business of directing an angry mob anywhere; on the contrary, I think the less time Mozilla has to spend supporting our weird use-cases, the more likely they'll be to continue to support them. Perhaps giving this issue a thumbs up might help? I guess that could be misconstrued... The policy on blocking is here - https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Blocking_Process - and makes it clear that it's totally at Mozilla's discretion. I posted this issue mostly as a courtesy to our users as it didn't seem right to keep this deadline a secret. I also wanted some feedback on whether people found the idea of changing files without consent as icky as I did.
I agree changing As an anecdote, before v1.0.0, qutebrowser used to have a A
I think icky is better than blocked :D
I'm also of the opinion that icky is better than blocked. The suggested prominent note on the new-tab page could help people get the behavior they used to have back, while appeasing the Mozilla security team and keeping tridactyl around. There doesn't seem to be a solution which keeps the
I do appreciate that sentiment - one of the core developers is also of that opinion. However, there is another snag: it quite clearly falls foul of the Computer Misuse Act in the UK. Perhaps if I mention that to the reviewers they will be more willing to find another solution.
I don't like that they are (ab-)using their monopoly position on plugin distribution to try to strongarm you here. That's exactly why a lot of the community disliked the lockdown of the plugin ecosystem. Everything you did was in good faith, and you immediately reacted to their complaint. No reason to start threatening you, especially with such a short deadline. Regarding a solution: Maybe an active prompt ("Mozilla asked us to remove the
Although this is a shitty situation with no perfect solution, I agree on the sentiment that an icky Tridactyl is better than a blocked one. Good luck on your thesis and thanks for doing this outstanding work!
I would say silently changing user.js is very bad. But in the end the users will notice and activate again. A better alternative would be a big visible red box/banner, on new tab, after the next update, with a shortcut to unfixamo.
Is it possible to back up user.js before resetting it? If so, then it's possible to notify the user where his backup file is and what the recommended change to it is. At least this way users won't lose their files. As far as I can see, it also complies with Mozilla's demands. Yes, users will be a little annoyed by that, but it's a lot better than having tridactyl blocked completely.
It's a good idea, but I'd be worried about how long it would take to implement that. Using Keeping a backup would be easy but wouldn't make it any less illegal.
You might want to take the angle with the AMO reviewer that the security impacts of Because I don't think the reviewer quite gets this. Anyway, if they do remove it, seems like someone could just "fork" (wink wink) Tridactyl (is "Petradactyl" taken yet?) with an explicit stated goal and description of being like Tridactyl, but with all features that Mozilla considers security-weakening either removed or behind clear warnings.
What about: Opening a new tab (like many extensions do on upgrades to show changelogs/project news) and:
or
Both ways would need explicit action from the user, so it would not be illegal anymore.
I replied to the reviewer just now:
We also hit the front page of hacker news, which is unfortunate. https://news.ycombinator.com/item?id=20716963 I made the following summarising comment there:
Somebody linked this bugzilla bug in the HN thread too, which is the most complete description of the potential issues arising from disabling restrictedDomains that I know of. https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
We've just had a reply from the reviewer to cmcaine's "forced choice" suggestion mentioned above. I'll quote the reply in full:
What if someone did not use Anyway – for another solution, convoluted, I know. But maybe Tridactyl could check if the offending settings are present (and there's no Tridactyl OK setting set too – see below), and refuse to work unless:
That puts a lot of work in users' hands, but we are power-users and I think we can manage doing it, for the sake of having Tridactyl still running on our browsers. I believe that the userbase having the settings present is not 100% and doing nothing will punish the whole userbase, not only those who have this offensive stuff set on.
Based on their latest response, it seems that the only real option that keeps tridactyl in the AMO is to automatically remove the lines from the As a user of tridactyl, I'd much rather keep tridactyl in the AMO and hand-roll my user.js file over having it taken out of the AMO and then doing...who knows what. I am really happy that tridactyl exists and that I get to use firefox with it, so doing a little manual editing of a file to get advanced functionality is far preferable to not having tridactyl at all. I defer to the devs, though, for what they are comfortable doing, and have time for.
What does "blocking affected versions of your add-on" mean? The current version does not add anything to
What about removing/resetting the setting from the file unless there is a comment in the file matching a specific magic string, like
If they disable Tridactyl, there's a good possibility I'll be reverting to pre-Quantum and using Vimperator. I feel like Mozilla forcing me to do that is causing a much bigger security vulnerability than fixamo ever could have.
Unsigned extensions can be installed in a variety of ways which we'll be sure to enumerate if it comes to it.
I'm sorry that you are having so much trouble with the Mozilla guys. Tridactyl is honestly the best part about Firefox and I wouldn't be using Firefox without it. If there is anything we can do to help, please let us know.
I found this issue because Firefox wanted to update and my first reaction was, "I wonder how they're breaking Tridactyl this time." Edit: ...was Tridactyl disabled or broken? So far I'm putting off updating.
Tridactyl may be delisted at the end of Friday this week, probably Central European Time. If Tridactyl is delisted you will notice because it will be disabled (but not uninstalled) in about:addons. As an existing user you will probably just need to re-enable it. They might completely blacklist my AMO key from Firefox, in which case you will need to tell Firefox to accept unsigned addons to keep using Tridactyl (there's a shell script that does this by extracting omni.ja and modifying a line, or you can use dev or nightly) or wait for a Mozilla-acceptable fork or revision to emerge on AMO. Updating Tridactyl should be safe whenever. Mozilla will block it by pushing a new blocklist to your browser, which is a different thing to addon updates.
Ah, thanks. (It was Firefox that I was afraid of updating, not Tridactyl.)
Accepting unsigned addons through use of somebody's sketchy shell script -- what a wonderful security practice Mozilla is driving me towards! (◔_◔) Thanks again for the update, as well as for the addon, even if it is so very dangerous for all the tech-illiterate elderly folk who habitually install vim emulators for their browsers.
I'm new to Tridactyl, so forgive my ignorance. I don't really get the rc file part. Is/was that file automatically executed? Did it automatically call fixamo? What was fixamo even used for? To enable hjkl keys and the rest of the extension on addons.mozilla.org? And in the meantime it enabled any extension to do what it wants. The severity of the security implication is debatable, but I guess it is >0 (i.e. it does introduce some insecurity), and if that is the case, I really don't see why you have/had the fixamo function - or am I the only person who uses addons.mozilla.org once every 100 years? As I said, forgive my ignorance, but as a new user I don't feel I understand the situation 100%.
Also, isn't accepting the address bar popup of installing an addon beyond the control of any addon?
Only if you installed Tridactyl's native messenger (an external executable you can install with
No, you had to manually add a call to the
To enable running Tridactyl and any other extension you might have installed on Mozilla's websites. Some of these websites are listed here: https://bugzilla.mozilla.org/show_bug.cgi?id=1445663
Different people, different needs, different security requirements.
I think so yeah.
1.17.0 containing code to fiddle with user.js without user interaction as Mozillians wished has been submitted to AMO for review. Thanks to glacambre and cmcaine for arranging it - it couldn't have happened without them. 1.17.0 also removes
Thank you for moving forward.
How long do you expect it to take for the extension to return to AMO? It still doesn't show up in the search...
We didn't pass the first review. I'm waiting for a reply to a query - it appears they want us to remove the resistFingerprinting setting too and I wanted to make sure they were aware of any security implications of that. From past experience that will take a couple of days. Then it'll be another few working days before we are reviewed again. In total, probably a week or two from now if all goes well. You are able to install the AMO version of Tridactyl outside of the AMO if you so desire in the meantime - just look back up in this thread.
I think you meant
@depressed-pho what makes you say that? Line 778 in 9cf7d9c
@bovine3dom Oh... I think I saw an old diff. Sorry for the confusion.
Hmm, still not on AMO yet sadly.
Welp... guess I'm going back to Chrome (ick!) which at least has half-baked add-ons that can do some of Vimperator's functionality. Mozilla forced me to leave Firefox when they broke Vimperator and now Tridactyl is gone... so thanks for stepping on users and developers, Mozilla.
Took me a bit but I figured out how to install the tridactyl beta. Firefox and Mozilla drive me insane.
Unfixamo2 blew away some manual changes I'd made to users.js. It's pretty clear your hands are tied on this one, but it would be nice to offer a backup option. Edit: I'm on the beta, which is why this ran a second time for me; ironic, in that I was running the beta to avoid this issue.
I am really sorry about that. Mozilla repeatedly said that we weren't allowed to provide any options that left the settings intact. I'm not sure commenting them out would have satisfied them. Could you confirm that it was just block_mozAddonManager and restrictedDomains? Anything else is a serious bug. Beta was always going to have to have had Unfixamo running: Mozilla would block it from Firefox if we didn't. We could have ignored their demands for the Arch unsigned build but I didn't want yet another permutation of Tridactyl to maintain. I suppose in future we could use AMO signing as a switch to provide Mozilla-compliant code.
@bovine3dom I'm reasonably sure it was just those settings, and if it wasn't, they weren't memorable enough that I'm super concerned. Just wanted to give you a heads-up that the previously-set "I've Already Run Unfixamo" setting was getting overridden, which I presume is already known.
It's finally been added back 🎉
Yep! I submitted a new version late last week. It was accepted this afternoon. Most of the delay was our fault. The manual reviews from the AMO reviewers only take 2-3 working days.
The update blew away some manually edited things for me too. Mozilla seems to have forgotten what motivated me to use Firefox in the first place: being in control of my own browser.
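The backup-before-reset idea raised earlier in the thread, the magic-string opt-out comment someone proposed, and the "manual edits got blown away" reports just above all describe the same small tool. Below is an added example of that tool; it is not Tridactyl's own unfixamo code. It assumes the two prefs the thread names by their short forms are the Firefox prefs `privacy.resistFingerprinting.block_mozAddonManager` and `extensions.webextensions.restrictedDomains`, and the `tridactyl-keep-prefs` marker string is a hypothetical name chosen for this example. The sample user.js is constructed inline.

```python
"""Added example (not Tridactyl's code): remove the two prefs an AMO reviewer
objected to from a Firefox user.js, keeping a backup and leaving every other
line untouched, with a magic-comment opt-out so hand-edited files are not
silently rewritten."""
import re
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# The prefs the thread refers to as block_mozAddonManager and restrictedDomains
# (assumed full pref names; they are the real Firefox prefs of those names).
REMOVED_PREFS = {
    "privacy.resistFingerprinting.block_mozAddonManager",
    "extensions.webextensions.restrictedDomains",
}
# Hypothetical opt-out marker: if it appears anywhere in user.js, the file is left alone.
OPT_OUT_MARKER = "tridactyl-keep-prefs"

# Matches user_pref("name", ...) or pref("name", ...) lines and captures the pref name.
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,')

# Constructed sample input: two target prefs plus two unrelated prefs that must survive.
SAMPLE_USER_JS = (
    '// constructed sample user.js\n'
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);\n'
    'user_pref("extensions.webextensions.restrictedDomains", "");\n'
    'user_pref("privacy.resistFingerprinting", true);  // similar name, not a target\n'
)


def scrub_user_js(text: str) -> Tuple[str, List[str]]:
    """Return (new_text, removed_lines).

    Only lines whose pref name is exactly in REMOVED_PREFS are dropped; comments,
    blank lines and every other pref are copied through byte-for-byte.  A file
    carrying OPT_OUT_MARKER is returned unchanged."""
    if OPT_OUT_MARKER in text:
        return text, []
    kept: List[str] = []
    removed: List[str] = []
    for line in text.splitlines(keepends=True):
        match = PREF_RE.match(line)
        if match and match.group(1) in REMOVED_PREFS:
            removed.append(line)
        else:
            kept.append(line)
    return "".join(kept), removed


def scrub_file(path: Path) -> Optional[Path]:
    """Copy user.js to a timestamped backup beside it, then rewrite it.

    Returns the backup path, or None when nothing needed removing (so a second
    run, e.g. on a beta channel, does not create backups or touch the file)."""
    original = path.read_text(encoding="utf-8")
    new_text, removed = scrub_user_js(original)
    if not removed:
        return None
    backup = path.with_name(f"{path.name}.bak-{time.strftime('%Y%m%d-%H%M%S')}")
    shutil.copy2(path, backup)  # backup is taken before the file is modified
    path.write_text(new_text, encoding="utf-8")
    return backup


def demo() -> Dict[str, object]:
    """Run the tool on the constructed sample in a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "user.js"
        path.write_text(SAMPLE_USER_JS, encoding="utf-8")
        backup = scrub_file(path)
        remaining = path.read_text(encoding="utf-8")
        return {
            "backup_created": backup is not None and backup.exists(),
            "backup_intact": backup is not None
            and backup.read_text(encoding="utf-8") == SAMPLE_USER_JS,
            "removed": SAMPLE_USER_JS.count("user_pref(") - remaining.count("user_pref("),
            "remaining_prefs": remaining.count("user_pref("),
            "second_run_backup": scrub_file(path),  # None: already clean
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exact-name check is deliberate: `privacy.resistFingerprinting` shares a prefix with one of the target prefs but is a different setting, so a substring match would remove more than the reviewer asked for. The backup is written before the rewrite, and a clean file yields no backup, so repeated runs (the beta case above) do not pile up copies.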
This information in the README is outdated: Line 23 in 30fb7cb
I'm reading this years after the fact after coming up on it in the documentation, and I already like Tridactyl even more for having read this. Have used Qutebrowser on and off as a secondary browser for a few years now and can't believe I just discovered Tridactyl. Your accountability is very, very refreshing... Firefox, not so much. Still never sure how to feel about Mozilla... but it's the lesser of two evils currently...
@hrfried Well put, extremely well put. Firefox is the lesser of two evils. Tridactyl is the only way to experience the web. Been using it for years, and it continually gets better. I cannot imagine life without it. Well... intelligent life anyway.
Edit by glacambre on October 22 2019: Steps have been taken to reinstate Tridactyl on Mozilla's addon store. In the meantime, you can still install Tridactyl by following these instructions.
--
An addons.mozilla.org (AMO) reviewer has demanded that we edit every user's user.js to revert any changes they might have possibly made via `fixamo`. The reviewer has also ordered me to remove `fixamo` from my RC file.

My position is this:

- `user.js` without the user's consent is a large breach of trust. The filename alone strongly hints who owns it.
- `user.js` is a good way of keeping your Firefox settings stored under version control and keeping them synchronised between machines).
- `fixamo` are so minor (in my understanding, it could potentially allow extensions to install other extensions and make changes to a user's Firefox profile; i.e. nothing that any old-style extension couldn't do) that it does not warrant this breach of trust.
- `fixamo` would have to be really huge before it was worth the browser being very hard to use on addons.mozilla.org.
- `fixamo` settings still running myself!).

Mozilla's position appears to be:

- `fixamo` introduced a severe security issue.

If I can find the time, I'll push an update that mentions this issue on the new tab page so at least some users get some prior warning.
I'll include the full transcript of the discussion with the reviewer below:
Related: #1773.