Cannot download/save .xpi Topic is solved
Moderators: FranklinDM, Lootyhoof
-
- Moon Magic practitioner
- Posts: 2861
- Joined: 2012-06-28, 01:20
Re: Cannot download/save .xpi
Since the temperature of this thread seems to be rising, I just want to state that for me, the reason for downloading and saving the .xpi file was simply for backing it up in case one day it disappears forever from the internet.
-
- Contributing developer
- Posts: 1537
- Joined: 2018-10-28, 19:56
- Location: Georgia
Re: Cannot download/save .xpi
> RealityRipple wrote: ↑2020-09-05, 15:58
> By "know", I meant "read the source code and make sure there aren't any packaged EXEs or random JS that bundles up all your passwords and sends them to a third-party website".
Well, the code is audited for stuff like that before it's placed on the site in the first place, an extension like that wouldn't be allowed.
At best, I would say you've made a case for adding a code viewer so you can review the contents of the XPI in the browser. Maybe something that pulls up a text panel/window that's updated via JS every time you click on a different file within the viewer, sort of like a GitHub experience. This would allow code review without making it easy to grab the raw XPI file or even download the individual files contained within it. I don't think there's a lot of people seriously interested in that feature, and it's probably too much work to implement, but if you're serious about that then that's the avenue I'd pursue.
Personally, I think it would just be easier to reassure people by listing out all the checks that specific add-on has passed and a certificate of them. Like if it's been run through an anti-virus program, we could note that on the page, etc.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind
-
- Pale Moon guru
- Posts: 35652
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Cannot download/save .xpi
> athenian200 wrote: ↑2020-09-05, 16:25
> I think it would just be easier to reassure people by listing out all the checks that specific add-on has passed
Automatic checks are no guarantee of anything.
Every extension on the site has been inspected by a human being. Is that certification enough?
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Contributing developer
- Posts: 1537
- Joined: 2018-10-28, 19:56
- Location: Georgia
Re: Cannot download/save .xpi
Ah, that's actually pretty cool, not many sites do manual inspection of that sort anymore.
Maybe we could emphasize that by having a green checkmark somewhere on the page with a note like "[extension] has been reviewed and approved as safe by [reviewer(s)]," to create a clear sense of people being held accountable for quality control. It's a minor touch, but little things like that can go a surprisingly long way in establishing trust. As for me, I personally already trust the extensions and the add-ons team, but if you look at the extension download page, there's nothing on the page to give someone unfamiliar with the community that sense of reassurance that it was duly reviewed and has gone through an inspection process.
Re: Cannot download/save .xpi
Well, at least the repository of the software used by the Add-ons Site shouldn't be private, since some people may want to host another site.
-
- Apollo supporter
- Posts: 34
- Joined: 2015-06-14, 08:08
- Location: Greece
Re: Cannot download/save .xpi
My thoughts exactly
Thank you for that info .. found them in profile's extensions folder ...
> New Tobin Paradigm wrote: ↑2020-09-05, 14:50
> ... There simply is no reason not to do this for new installation of add-ons as well. Simply linking to xpi files was a bad call and InstallTrigger is the correct method and had been since add-ons were a thing even way back in the XPInstall days.
Well I guess, better late than never ...
> So, any other questions or attempts to justify the reasoning of downloading you want to make?
As far as it concerns me, this is not some kind of rant post, just pointing out a function that ceased to exist ... and I have to ask
Nothing more or less.
At the end of the day I'm fine with the team's decision for the underlying technical/security issues ....
Cheers
-
- Astronaut
- Posts: 666
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
Re: Cannot download/save .xpi
I'm not so worried about the submission process as I am about the overall security of any given webserver. Your archives got a few files replaced before, after all. I'm not blaming you. Every website is reliant on the security of every program running on every server involved in the hosting of every file on that site. One means a single point of failure. Many means a huge surface to attack. There is no total solution, there's only the constant struggle to improve, same as with anything. Reading the source for every extension is just my solution for covering that one possible attack vector. Always has been. Always will be. Same as I keep a task manager and a drive access list open pretty regularly. And yeah, most of the software I use on a regular basis is software I wrote myself.
Re: Cannot download/save .xpi
I see where this is all going and it stops here, now.
-
- Contributing developer
- Posts: 1537
- Joined: 2018-10-28, 19:56
- Location: Georgia
Re: Cannot download/save .xpi
> RealityRipple wrote: ↑2020-09-05, 17:38
> I'm not so worried about the submission process as I am about the overall security of any given webserver. Your archives got a few files replaced before, after all. I'm not blaming you. Every website is reliant on the security of every program running on every server involved in the hosting of every file on that site. One means a single point of failure. Many means a huge surface to attack. There is no total solution, there's only the constant struggle to improve, same as with anything. Reading the source for every extension is just my solution for covering that one possible attack vector. Always has been. Always will be. Same as I keep a task manager and a drive access list open pretty regularly. And yeah, most of the software I use on a regular basis is software I wrote myself.
Well, that's the purpose of the checksums that are already being worked on. To make sure the files downloaded are the files they're supposed to be.
Honestly, it seems like the point you're missing is that we're taking a lot of these measures in large part to make extension delivery more secure. Something like that would be detected and dealt with immediately. So that doesn't really seem like a valid concern.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind
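The two checks discussed in this thread (comparing a downloaded XPI against a published checksum, and looking inside it for packaged executables) can be sketched as follows. This is an added example, not code from any poster or from the Pale Moon project; it relies on an XPI being a ZIP archive, and the published digest, file names and sample archive are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Magic bytes of native executable formats; a heuristic, not a full malware scan.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows EXE/DLL)",
    b"\x7fELF": "ELF (Linux binary)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (macOS binary)",
}
NESTED_ARCHIVE_MAGIC = b"PK\x03\x04"  # a .jar or .zip packed inside the XPI


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_xpi(xpi_bytes: bytes, published_sha256=None) -> dict:
    """Compare an XPI to a published digest and flag bundled binaries."""
    report = {"sha256": sha256_hex(xpi_bytes), "checksum_ok": None,
              "files": [], "flagged": []}
    if published_sha256 is not None:
        report["checksum_ok"] = report["sha256"] == published_sha256.strip().lower()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            report["files"].append(info.filename)
            with archive.open(info) as member:
                head = member.read(4)  # header only; nothing is extracted or run
            for magic, kind in EXECUTABLE_MAGIC.items():
                if head.startswith(magic):
                    report["flagged"].append((info.filename, kind))
            if head == NESTED_ARCHIVE_MAGIC:
                report["flagged"].append((info.filename, "nested archive, review separately"))
    return report


def build_sample_xpi(extra=None) -> bytes:
    """Constructed sample: a minimal add-on layout, optionally with extra members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", "<RDF><!-- constructed manifest --></RDF>")
        z.writestr("chrome/content/overlay.js", "// constructed script\n")
        for name, data in (extra or {}).items():
            z.writestr(name, data)
    return buf.getvalue()
```

A digest match only shows the file is the one the publisher hashed, so the digest has to come from a channel the file host cannot alter; the content scan is what covers a file that was already bad when it was hashed.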