Cannot download/save .xpi (Topic is solved)

About this bulletin board and the Pale Moon website


ron_1
Moon Magic practitioner
Posts: 2356
Joined: 2012-06-28, 01:20

Re: Cannot download/save .xpi

Post by ron_1 » 2020-09-05, 16:22

Since the temperature of this thread seems to be rising, I just want to state that for me, the reason for downloading and saving the .xpi file was simply for backing it up in case one day it disappears forever from the internet.

athenian200
Contributing developer
Posts: 381
Joined: 2018-10-28, 19:56
Location: Texas

Re: Cannot download/save .xpi

Post by athenian200 » 2020-09-05, 16:25

RealityRipple wrote:
2020-09-05, 15:58
By "know", I meant "read the source code and make sure there aren't any packaged EXEs or random JS that bundles up all your passwords and sends them to a third-party website".
Well, the code is audited for stuff like that before it's placed on the site in the first place; an extension like that wouldn't be allowed.

At best, I would say you've made a case for adding a code viewer so you can review the contents of the XPI in the browser. Maybe something that pulls up a text panel/window that's updated via JS every time you click on a different file within the viewer, sort of like a GitHub experience. This would allow code review without making it easy to grab the raw XPI file or even download the individual files contained within it. I don't think there are a lot of people seriously interested in that feature, and it's probably too much work to implement, but if you're serious about that then that's the avenue I'd pursue.

Personally, I think it would just be easier to reassure people by listing out all the checks that specific add-on has passed and a certificate of them. Like if it's been run through an anti-virus program, we could note that on the page, etc.
"The rising sun will eventually set / A newborn's life will fade. / From sun to moon, moon to sun... / Give peaceful rest to the living dead." — The Legend of Zelda: Ocarina of Time

Moonchild
Pale Moon guru
Posts: 28806
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Cannot download/save .xpi

Post by Moonchild » 2020-09-05, 16:28

athenian200 wrote:
2020-09-05, 16:25
I think it would just be easier to reassure people by listing out all the checks that specific add-on has passed
Automatic checks are no guarantee of anything.
Every extension on the site has been inspected by a human being. Is that certification enough?
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

athenian200
Contributing developer
Posts: 381
Joined: 2018-10-28, 19:56
Location: Texas

Re: Cannot download/save .xpi

Post by athenian200 » 2020-09-05, 16:52

Moonchild wrote:
2020-09-05, 16:28
Automatic checks are no guarantee of anything.
Every extension on the site has been inspected by a human being. Is that certification enough?
Ah, that's actually pretty cool; not many sites do manual inspection of that sort anymore.

Maybe we could emphasize that by having a green checkmark somewhere on the page with a note like "[extension] has been reviewed and approved as safe by [reviewer(s)]," to create a clear sense of people being held accountable for quality control. It's a minor touch, but little things like that can go a surprisingly long way in establishing trust. As for me, I personally already trust the extensions and the add-ons team, but if you look at the extension download page, there's nothing on the page to give someone unfamiliar with the community that sense of reassurance that it was duly reviewed and has gone through an inspection process.

Andrew Herbert
Fanatic
Posts: 165
Joined: 2019-11-25, 21:46

Re: Cannot download/save .xpi

Post by Andrew Herbert » 2020-09-05, 16:59

Well, at least the repository of the software used by the Add-ons Site shouldn't be private, since some people may want to host another site. :|

GStathops
Hobby Astronomer
Posts: 28
Joined: 2015-06-14, 08:08
Location: Greece

Re: Cannot download/save .xpi

Post by GStathops » 2020-09-05, 17:04

ron_1 wrote:
2020-09-05, 16:22
I just want to state that for me, the reason for downloading and saving the .xpi file was simply for backing it up in case one day it disappears forever from the internet.
My thoughts exactly.
moonbat wrote:
2020-09-05, 13:11
Why would you not save the extension from your profile folder for backing up .....
Thank you for that info .. found them in the profile's extensions folder ...
New Tobin Paradigm wrote:
2020-09-05, 14:50
... There simply is no reason not to do this for new installation of add-ons as well. Simply linking to xpi files was a bad call and InstallTrigger is the correct method and had been since add-ons were a thing even way back in the XPInstall days.
Well, I guess better late than never ...
So, any other questions or attempts to justify the reasoning for downloading that you want to make?
As far as it concerns me, this is not some kind of rant post, just pointing out a function that ceased to exist ... and I had to ask.
Nothing more or less.

At the end of the day I'm fine with the team's decision for the underlying technical/security issues ....

Cheers

RealityRipple
Lunatic
Posts: 253
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: Cannot download/save .xpi

Post by RealityRipple » 2020-09-05, 17:38

I'm not so worried about the submission process as I am about the overall security of any given webserver. Your archives got a few files replaced before, after all. I'm not blaming you. Every website is reliant on the security of every program running on every server involved in the hosting of every file on that site. One means a single point of failure. Many means a huge surface to attack. There is no total solution, there's only the constant struggle to improve, same as with anything. Reading the source for every extension is just my solution for covering that one possible attack vector. Always has been. Always will be. Same as I keep a task manager and a drive access list open pretty regularly. And yeah, most of the software I use on a regular basis is software I wrote myself.

New Tobin Paradigm
Knows the dark side
Posts: 8545
Joined: 2012-10-09, 19:37
Location: Skaro

Re: Cannot download/save .xpi

Post by New Tobin Paradigm » 2020-09-05, 18:35

I see where this is all going and it stops here, now.
return NS_OK;

athenian200
Contributing developer
Posts: 381
Joined: 2018-10-28, 19:56
Location: Texas

Re: Cannot download/save .xpi

Post by athenian200 » 2020-09-05, 18:43

RealityRipple wrote:
2020-09-05, 17:38
I'm not so worried about the submission process as I am about the overall security of any given webserver. Your archives got a few files replaced before, after all. I'm not blaming you. Every website is reliant on the security of every program running on every server involved in the hosting of every file on that site. One means a single point of failure. Many means a huge surface to attack. There is no total solution, there's only the constant struggle to improve, same as with anything. Reading the source for every extension is just my solution for covering that one possible attack vector. Always has been. Always will be. Same as I keep a task manager and a drive access list open pretty regularly. And yeah, most of the software I use on a regular basis is software I wrote myself.
Well, that's the purpose of the checksums that are already being worked on: to make sure the files downloaded are the files they're supposed to be.

Honestly, it seems like the point you're missing is that we're taking a lot of these measures in large part to make extension delivery more secure. Something like that would be detected and dealt with immediately. So that doesn't really seem like a valid concern.

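The thread ends on two ideas: published checksums so a downloaded file can be shown to be the file it is supposed to be, and (earlier, from athenian200) a viewer that lets someone read an XPI's contents without executing it. The Python below is an added example written for this page, not code from the Pale Moon add-ons site or from anyone in the thread. It does both on the user's side, offline: it verifies an archive against a SHA-256 value and lists the entries of the archive (an XPI is a plain zip file), flagging native binaries and paths that would escape the extension directory on extraction. The sample archive, its file names and contents, and the "published" checksum are all constructed here; the site's real checksum format and any real add-on's layout are assumptions.

```python
import hashlib
import hmac
import io
import posixpath
import zipfile

# Constructed sample: an XPI is a plain zip archive, so a tiny one is built in
# memory. The names and contents are hypothetical, not taken from a real add-on.
SAMPLE_FILES = {
    "install.rdf": "<RDF><Description em:id=\"sample@example.invalid\"/></RDF>\n",
    "chrome.manifest": "content sample chrome/content/\n",
    "chrome/content/main.js": "// hypothetical extension script\n",
}

# Fixed timestamp so the archive bytes, and therefore the checksum, are reproducible.
FIXED_DATE = (2020, 9, 5, 16, 22, 0)

# Entry suffixes a reviewer would want to see called out before installing.
NATIVE_SUFFIXES = (".exe", ".dll", ".so", ".dylib", ".bat", ".cmd", ".scr", ".com")


def build_xpi(files):
    """Build an XPI (zip) from a {name: text} mapping; returns the archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, text)
    return buf.getvalue()


def sha256_hex(data):
    """Hex SHA-256 of the whole archive, the value a site would publish."""
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data, expected_hex):
    """True if the archive's SHA-256 equals the published one (case-insensitive)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def is_unsafe_path(name):
    """Flags entries that would land outside the extension directory if extracted."""
    norm = posixpath.normpath(name)
    return name.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../")


def inspect_xpi(data, expected_hex):
    """Offline review of a downloaded .xpi: integrity check plus a content listing."""
    report = {"checksum_ok": checksum_matches(data, expected_hex), "entries": [], "flagged": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            if info.filename.lower().endswith(NATIVE_SUFFIXES):
                report["flagged"].append((info.filename, "native binary or script"))
            if is_unsafe_path(info.filename):
                report["flagged"].append((info.filename, "unsafe path"))
    return report


def read_entry(data, name):
    """Return one entry's text for review, the way a code viewer would display it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name).decode("utf-8", errors="replace")


if __name__ == "__main__":
    xpi = build_xpi(SAMPLE_FILES)
    published = sha256_hex(xpi)  # stands in for the checksum a site would publish
    print(inspect_xpi(xpi, published))
    print(read_entry(xpi, "chrome/content/main.js"))
```

The checksum only proves the bytes match what the publisher hashed; it says nothing about whether the contents are benign, which is why the listing and the viewer step sit beside it rather than replacing the human review discussed above. Nothing in the archive is extracted to disk or executed, so the same routine can be run on a file whose checksum has already failed.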