Mozilla signing vetted add-ons as thoughts turn to security
Fox ready to bite bad developers
Mozilla developer Jorge Villalobos claims the web king has begun signing vetted add-ons in a bid to improve security.
The move means Mozilla-signed add-ons hosted on its servers will be maintained through automatic updates, while those lacking the signature of approval will be jettisoned into the internet ether.
Villalobos says add-ons do not need to be hosted on Mozilla's AMO service where users shop for the tools.
"The automatic signing process will run this week, in batches, and we will notify you when your add-on is signed," Villalobos said.
"When this is done, all extension developers will be able to have their extensions signed, with enough time to update their users before signing becomes a requirement in release versions of Firefox."
Villalobos said the Mozilla Add-on Distribution Developer Agreement has been gutted and upgraded to cover those add-ons not hosted on Mozilla's web property.
The plugin pundit announced the extension clobbering in February, noting that Mozilla wants to avoid the walled-garden Chrome and Safari models to allow users to install add-ons from unknown sources.
"We’re responsible for our add-ons ecosystem and we can't sit idle as our users suffer due to bad add-ons," Villalobos said at the time. "An easy solution would be to [do what] Google does for Chrome extensions; however, we believe that forcing all installs through our distribution channel is an unnecessary constraint."
Tracking down lazy and unscrupulous developers who reside "almost exclusively" outside of the official store became impractical for the Fox, he said. ®