User:Jorge.villalobos/WorkWeek2012Q2/ReviewSignatures


Add-on Review Signatures

Summary

All add-on files that pass review by our Review Team would be digitally signed by Mozilla. Non-AMO developers would be able to submit their files for review so that they are signed as well.

Whether a Mozilla signature would be required for an add-on to install in Firefox without warnings is undecided; see Mandatory signatures below.

Details

Submission

  • AMO will have a page where non-AMO add-on developers upload their add-on files in order to get them reviewed and signed.
  • Just like with the File Registration System, we can keep track of add-on metadata, files, and offer perks like usage stats.
  • Add-ons submitted for review would be queued in a similar fashion as AMO add-ons. Review times would vary from a few days to a few weeks.
  • Once the add-on is reviewed and approved, the signed file would be sent back to the developer, along with any review notes that the Review Team has.
  • The add-on ID will be linked to the account that uploaded the file, and no other accounts will be able to upload a file with the same ID (although we might want to allow multiple account ownership like with AMO add-ons).
  • When installing a signed add-on, the UI would indicate it has been reviewed by Mozilla.
  • It should be possible for a file to carry two independent signatures, each computed over the file contents so that either can be verified on its own, so that large vendors can have a Mozilla signature alongside their own.

Mandatory signatures

If this were implemented, it would go like this:

  • Add-ons that haven't been signed by Mozilla will show a strong warning when installed.
  • If the add-on carries a review signature from a different entity (McAfee, a competing marketplace), the user should have the option to whitelist that entity for future installs. The whitelist entry must be tied to that entity's signing key, not merely its name, or anyone could claim the name.

Open questions

  • AMO has Full Review and Preliminary Review, which mean different things in terms of quality and trust. Should we have different signatures for those two types of review? Should there be a separate signature for non-AMO add-ons that pass review but don't match those two levels? Note that there are some restrictions that only apply to AMO and might not apply to non-AMO add-ons.
  • Should we drop the signature-as-ownership system that we currently have? This has been a hurdle on AMO when talking about repackaging and dynamically altering add-ons, so it's likely to be a problem if we implement this other signature system.
  • Signing old add-ons would be a major challenge. Automatic repackaging on AMO is challenging, and the Review Team would not have the manpower to deal with old non-AMO add-ons.

Overrides

  • Firefox should include a preference that allows unsigned files to be installed, backed by a whitelist of add-on IDs. When the preference is enabled, the warning page shows a checkbox that suppresses the warning for all future files installed under that add-on ID. This is necessary for developers, testers, etc. Note that in an unsigned file the ID is whatever the file claims, so the whitelist only records the user's choice; it does not authenticate the file.
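The install-time check described under Mandatory signatures and Overrides, as an added example (not code from this page or from Firefox/AMO). It assumes a signature format the page does not specify: a detached Ed25519 signature per reviewer, keyed by reviewer name, over the add-on ID plus the file bytes. The reviewer "ExampleVendor", the ID "demo@example.com" and the XPI bytes are constructed stand-ins. It shows two independent signatures on one file, a forged name failing against the real key, the entity whitelist, the unsigned add-on-ID override, and that none of it needs a network connection.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is a review entity (Mozilla, a vendor, a competing marketplace) and its public key.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// Package is what the installer sees. Signatures are keyed by signer name and each is
// computed independently over the same message, so Mozilla and a vendor can both sign.
type Package struct {
	AddonID string
	Data    []byte
	Sigs    map[string][]byte
}

// Policy is the trust state a profile carries; evaluating it needs no network.
type Policy struct {
	Mozilla          Signer
	TrustedEntities  []Signer        // reviewers the user chose to whitelist
	AllowUnsigned    bool            // the developer/tester preference
	AddonIDWhitelist map[string]bool // IDs exempted from the unsigned warning
}

// message binds the add-on ID to the file bytes so a signed file cannot be relabelled.
func message(p Package) []byte {
	h := sha256.Sum256(append(append([]byte(p.AddonID), 0), p.Data...))
	return h[:]
}

// NewSigner creates a review entity with a fresh key pair (test keys only).
func NewSigner(name string) (Signer, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub}, priv
}

// Sign returns a copy of p carrying one more signature; existing ones are kept.
func Sign(p Package, s Signer, priv ed25519.PrivateKey) Package {
	sigs := map[string][]byte{}
	for name, sig := range p.Sigs {
		sigs[name] = sig
	}
	sigs[s.Name] = ed25519.Sign(priv, message(p))
	p.Sigs = sigs
	return p
}

// signedBy accepts only a signature that verifies under s's own key; claiming a name is not enough.
func signedBy(s Signer, p Package) bool {
	sig, ok := p.Sigs[s.Name]
	return ok && ed25519.Verify(s.Pub, message(p), sig)
}

// Decide: Mozilla signature, then any whitelisted reviewer, then the override, else warn.
func (pol Policy) Decide(p Package) string {
	if signedBy(pol.Mozilla, p) {
		return "install: reviewed by Mozilla"
	}
	for _, s := range pol.TrustedEntities {
		if signedBy(s, p) {
			return "install: signed by whitelisted reviewer " + s.Name
		}
	}
	// Caveat: an unsigned file's ID is whatever the file claims, so this rests on the user's judgement.
	if pol.AllowUnsigned && pol.AddonIDWhitelist[p.AddonID] {
		return "install: unsigned, add-on ID whitelisted by user"
	}
	return "warn: no acceptable signature"
}

// Demo returns verdicts for: Mozilla+vendor signed; vendor-only with the vendor
// whitelisted; vendor-only without; modified after signing; unsigned with override.
func Demo() []string {
	mozilla, mozKey := NewSigner("Mozilla")
	vendor, vendorKey := NewSigner("ExampleVendor") // hypothetical second reviewer
	base := Package{AddonID: "demo@example.com", Data: []byte("constructed stand-in for XPI bytes")}
	both := Sign(Sign(base, mozilla, mozKey), vendor, vendorKey)
	vendorOnly := Sign(base, vendor, vendorKey)
	tampered := Package{AddonID: both.AddonID, Data: []byte("modified after signing"), Sigs: both.Sigs}
	strict, trusting := Policy{Mozilla: mozilla}, Policy{Mozilla: mozilla, TrustedEntities: []Signer{vendor}}
	dev := Policy{Mozilla: mozilla, AllowUnsigned: true, AddonIDWhitelist: map[string]bool{base.AddonID: true}}
	return []string{strict.Decide(both), trusting.Decide(vendorOnly), strict.Decide(vendorOnly),
		trusting.Decide(tampered), dev.Decide(base)}
}

func main() {
	for _, d := range Demo() {
		fmt.Println(d)
	}
}
```

The ordering in Decide matters: the add-on-ID override is consulted only after every signature check has failed, so a whitelisted ID can never silence a file whose signature is present but invalid, and the override never upgrades an unsigned file to "reviewed".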

Pros

  • Malicious add-ons can't be installed without a strong warning.
  • Malicious add-on developers face additional hurdles before their add-ons reach users' profiles; a malicious add-on that goes through review is very unlikely to be signed.
  • We will have much better information about existing add-ons, especially contact information for their maintainers.
  • Verifying a signature doesn't require an Internet connection, since the verifying keys are held locally. Revoking a signature after the fact would still need some network-delivered update, which this proposal does not yet cover.

If mandatory

  • Non-AMO add-ons will be better aligned with our policies.

Cons

  • Automatic XPI repackaging has been a long-standing challenge on AMO.
  • There are very conflicting views within Mozilla of what an appropriate policy is for non-AMO (and even AMO) add-ons. Deciding what is appropriate for everyone and being consistent about it is a very hard problem. A more general policy is being worked on.
  • AMO generally rejects for-profit add-ons. Applying this policy externally would eliminate a whole class of add-on development. This is somewhat mitigated by the Marketplace, but it will take a long time before add-ons can be sold in it.

If mandatory

  • Non-AMO add-ons would need to go through the slow review process, which is one of the main reasons add-ons aren't listed on AMO.
  • This centralizes control and distribution in Mozilla, which would hurt the developer community and our image as an open organization.