User talk:Mconnor/Past/PluginBlocklisting

I know that dveditz was talking about ways to enable certain items that had been blocklisted when they weren't that severe; presumably that option fits in ok with this scheme.

For the blocklist severity I am concerned that we are mixing two different reasons for blocklisting, stability and security. I'm not sure that combining the two is ideal, though it is easier, and if so then I'm not sure if the values you have listed are necessarily the right balance.

I disagree that we should just set existing blocks to 3, instead I believe we should choose appropriate severities for all of them (they should likely apply to multiple Firefox versions after all), and then use 1 as the default value in Firefox 3.0.x if we really do want to block them all there (assuming the lowest value in the current items we have is 1, but I suspect it is). Either that or we stop blocking a couple of things that weren't that critical anyway and go straight to the default of 2.

Mossop 15:53, 29 August 2008 (UTC)

Ok so 3 as a default for the pref in Firefox 3.0 seems right after all, but I still think setting reasonable values for severity for the existing items is sensible.

Do we have privacy and security issues with using a webpage to notify about warnings? We will after all have to transmit to the site exactly what known bad plugins the user has installed but are still enabled. Presumably SSL wins us but still worth thinking about.

Does all this apply to extensions as well? I would like to avoid fragmenting the notification and behaviour for plugins and extensions.

Mossop 09:39, 2 September 2008 (UTC)

Regarding "Need a way of forcing a plugin refresh that external installers can trigger".

We can launch the installer on a new thread and use its exit value to determine whether plugins should be refreshed.

--Robert Strong 19:17, 8 September 2008 (UTC)

We must consider where to set the severity of the block. Using extensions as the easiest example we could (from least flexible to most):

1. Block a given extension ID always at the same severity (regardless of version and application)
2. Block a version of an extension at the same severity (regardless of application)
3. Block a version of an extension for a given version range in an application for a set severity.

The same set roughly maps for plugins. I suspect 2 is the right choice, though we may find 3 useful.

Mossop 21:21, 10 September 2008 (UTC)