Cannot download/save .xpi Topic is solved

ron_1
Moon Magic practitioner
Posts: 2861
Joined: 2012-06-28, 01:20

Re: Cannot download/save .xpi

Unread post by ron_1 » 2020-09-05, 16:22

Since the temperature of this thread seems to be rising, I just want to state that for me, the reason for downloading and saving the .xpi file was simply for backing it up in case one day it disappears forever from the internet.

athenian200
Contributing developer
Posts: 1537
Joined: 2018-10-28, 19:56
Location: Georgia

Re: Cannot download/save .xpi

Unread post by athenian200 » 2020-09-05, 16:25

RealityRipple wrote:
2020-09-05, 15:58
By "know", I meant "read the source code and make sure there aren't any packaged EXEs or random JS that bundles up all your passwords and sends them to a third-party website".
Well, the code is audited for stuff like that before it's placed on the site in the first place; an extension like that wouldn't be allowed.

At best, I would say you've made a case for adding a code viewer so you can review the contents of the XPI in the browser. Maybe something that pulls up a text panel/window that's updated via JS every time you click on a different file within the viewer, sort of like a GitHub experience. This would allow code review without making it easy to grab the raw XPI file or even download the individual files contained within it. I don't think there's a lot of people seriously interested in that feature, and it's probably too much work to implement, but if you're serious about that then that's the avenue I'd pursue.

Personally, I think it would just be easier to reassure people by listing out all the checks that specific add-on has passed and a certificate of them. Like if it's been run through an anti-virus program, we could note that on the page, etc.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

Moonchild
Pale Moon guru
Posts: 35652
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Cannot download/save .xpi

Unread post by Moonchild » 2020-09-05, 16:28

athenian200 wrote:
2020-09-05, 16:25
I think it would just be easier to reassure people by listing out all the checks that specific add-on has passed
Automatic checks are no guarantee of anything.
Every extension on the site has been inspected by a human being. Is that certification enough?
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

athenian200
Contributing developer
Posts: 1537
Joined: 2018-10-28, 19:56
Location: Georgia

Re: Cannot download/save .xpi

Unread post by athenian200 » 2020-09-05, 16:52

Moonchild wrote:
2020-09-05, 16:28
Automatic checks are no guarantee of anything.
Every extension on the site has been inspected by a human being. Is that certification enough?
Ah, that's actually pretty cool, not many sites do manual inspection of that sort anymore.

Maybe we could emphasize that by having a green checkmark somewhere on the page with a note like "[extension] has been reviewed and approved as safe by [reviewer(s)]," to create a clear sense of people being held accountable for quality control. It's a minor touch, but little things like that can go a surprisingly long way in establishing trust. As for me, I personally already trust the extensions and the add-ons team, but if you look at the extension download page, there's nothing on the page to give someone unfamiliar with the community that sense of reassurance that it was duly reviewed and has gone through an inspection process.

Andrew Herbert

Re: Cannot download/save .xpi

Unread post by Andrew Herbert » 2020-09-05, 16:59

Well, at least the repository of the software used by the Add-ons Site shouldn't be private, since some people may want to host another site. :|

GStathops
Apollo supporter
Posts: 34
Joined: 2015-06-14, 08:08
Location: Greece

Re: Cannot download/save .xpi

Unread post by GStathops » 2020-09-05, 17:04

ron_1 wrote:
2020-09-05, 16:22
I just want to state that for me, the reason for downloading and saving the .xpi file was simply for backing it up in case one day it disappears forever from the internet.
My thoughts exactly
moonbat wrote:
2020-09-05, 13:11
Why would you not save the extension from your profile folder for backing up .....
Thank you for that info .. found them in profile's extensions folder ...
New Tobin Paradigm wrote:
2020-09-05, 14:50
... There simply is no reason not to do this for new installation of add-ons as well. Simply linking to xpi files was a bad call and InstallTrigger is the correct method and had been since add-ons were a thing even way back in the XPInstall days.
Well, I guess, better late than never ...
So, any other questions or attempts to justify the reasoning of downloading you want to make?
As far as it concerns me, this is not some kind of rant post, just pointing out a function that ceased to exist ... and I have to ask
Nothing more or less.

At the end of the day I'm fine with the team's decision for the underlying technical/security issues ....


Cheers

RealityRipple
Astronaut
Posts: 666
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: Cannot download/save .xpi

Unread post by RealityRipple » 2020-09-05, 17:38

I'm not so worried about the submission process as I am about the overall security of any given webserver. Your archives got a few files replaced before, after all. I'm not blaming you. Every website is reliant on the security of every program running on every server involved in the hosting of every file on that site. One means a single point of failure. Many means a huge surface to attack. There is no total solution, there's only the constant struggle to improve, same as with anything. Reading the source for every extension is just my solution for covering that one possible attack vector. Always has been. Always will be. Same as I keep a task manager and a drive access list open pretty regularly. And yeah, most of the software I use on a regular basis is software I wrote myself.

New Tobin Paradigm

Re: Cannot download/save .xpi

Unread post by New Tobin Paradigm » 2020-09-05, 18:35

I see where this is all going and it stops here, now.

athenian200
Contributing developer
Posts: 1537
Joined: 2018-10-28, 19:56
Location: Georgia

Re: Cannot download/save .xpi

Unread post by athenian200 » 2020-09-05, 18:43

RealityRipple wrote:
2020-09-05, 17:38
I'm not so worried about the submission process as I am about the overall security of any given webserver. Your archives got a few files replaced before, after all. I'm not blaming you. Every website is reliant on the security of every program running on every server involved in the hosting of every file on that site. One means a single point of failure. Many means a huge surface to attack. There is no total solution, there's only the constant struggle to improve, same as with anything. Reading the source for every extension is just my solution for covering that one possible attack vector. Always has been. Always will be. Same as I keep a task manager and a drive access list open pretty regularly. And yeah, most of the software I use on a regular basis is software I wrote myself.
Well, that's the purpose of the checksums that are already being worked on. To make sure the files downloaded are the files they're supposed to be.

Honestly, it seems like the point you're missing is that we're taking a lot of these measures in large part to make extension delivery more secure. Something like that would be detected and dealt with immediately. So that doesn't really seem like a valid concern.
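The two checks discussed in this thread (comparing a saved .xpi against a checksum, and looking inside it for packaged native binaries) can be done locally on a copy taken from the profile's extensions folder. The following is an added example, not code from any poster or from the Add-ons Site; it assumes the checksum is a hex SHA-256 (the thread does not name the algorithm), and `audit_xpi` and `build_sample_xpi` are hypothetical names.

```python
import hashlib
import io
import zipfile

# Leading bytes of common native executable formats.
NATIVE_MAGIC = {
    b"MZ": "PE (Windows EXE/DLL)",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal or Java class",
}

def audit_xpi(data: bytes, expected_sha256: str) -> dict:
    """Compare an XPI (a ZIP archive) with a checksum and list what it carries."""
    digest = hashlib.sha256(data).hexdigest()
    report = {"sha256": digest,
              "checksum_ok": digest == expected_sha256.strip().lower(),
              "native": [], "scripts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            with xpi.open(info) as member:
                head = member.read(4)
            # Classify by content, not by extension, so a renamed binary is still caught.
            kind = next((label for magic, label in NATIVE_MAGIC.items()
                         if head.startswith(magic)), None)
            if kind:
                report["native"].append((info.filename, kind))
            elif info.filename.lower().endswith((".js", ".jsm")):
                report["scripts"].append(info.filename)
    return report

def build_sample_xpi(script: str = "// add-on script\n") -> bytes:
    """Constructed sample: an in-memory archive standing in for a backed-up XPI."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/content/overlay.js", script)
        z.writestr("components/helper.bin", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_xpi()
    published = hashlib.sha256(sample).hexdigest()  # stands in for a published checksum
    print(audit_xpi(sample, published))
```

The `scripts` list is the set of files left to read by hand; archives nested inside the XPI are not opened by this sketch.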