• Ephera
    218 days ago

    Ah yeah, true, getting just the signed XPI should work as well.

    And well, it is tricky. The signing requirement allows them to block malicious add-ons, which could also be used for state censorship.
    I think, offering a separate path for people to install unsigned extensions, if they need it, while blocking them for the majority and therefore making them inviable for malware to target, that’s in principle a smart compromise.

    Also, side-note: Folks who are on Linux likely don’t need to install a separate version of Firefox. Linux distros tend to compile with the unsigned extension support enabled (just need to toggle the flag in about:config).

    • @chicken@lemmy.dbzer0.com
      318 days ago

      I guess in this case the malware angle means it’s probably better to require signing, since maybe Russia could successfully distribute malicious fake versions of these extensions otherwise. Still, the centralization here is worrying.