Regarding the future of my (JustOff) extensions for Pale Moon Topic is solved

[New Tobin Paradigm]

From a certain point on, I stopped paying any attention to the comments of one person who constantly and with impunity insults people on the forum, and also spreads lies about me here and there. So I only learned about the proposed compromise from other comments today. Well, some might be happy, the trap worked great and now my previous comment looks pretty ridiculous.

........ riiiight. Moving on.

Anyway, the only thing that really matters is to provide users with continuous updates and if the compromise is still on the table, then I'm ready to accept it. I hope that by the end of the week I will find the time to prepare a revised migration procedure so that it includes an explicit confirmation step by the user. Let me know if this is accepted or if we need to agree on something further.

Sounds good to me. When you do get that time please give us a heads up on your revised solution.

Thank you for being reasonable and respecting AUS integrity and informed user consent in the end.

[WiseWolf]

Anyway, the only thing that really matters is to provide users with continuous updates

Cool man, I appreciate this, thank you!

[jobbautista9]

Anyway, the only thing that really matters is to provide users with continuous updates and if the compromise is still on the table, then I'm ready to accept it. I hope that by the end of the week I will find the time to prepare a revised migration procedure so that it includes an explicit confirmation step by the user. Let me know if this is accepted or if we need to agree on something further.

Thanks JustOff. I hope both you and Tobin are able to reach to a solution to this long-standing matter, for the sake of UXP.

[New Tobin Paradigm]

I mean if he is going to do exactly what he says he is gonna do to resolve this it should go smoothly. I am hopeful.

[Kris_88]

Several people at once wrote that they feel significant not only what the extensions do, but also the distribution channel through which these extensions are distributed and updated. This still seems a bit strange to me, since from my point of view, you either trust the author of the extension (given the reputation, availability of sources, etc.) or not.

JustOff, you are oversimplifying the situation.
When a person downloads an extension from the official Pale Moon site, he assumes that this extension has been reviewed and approved by the browser development team. And, as I understand, it really is. There is a group here that checks extensions for malicious code. That is, not only the author is responsible for the extension, but also the browser developers. This lends particular credibility to such extensions. And taking the extension out of the control of the browser developers changes this status, but does not relieve them of responsibility. Precisely because users are not notified. Of course, the Pale Moon team doesn't like this.

Personally, I can install an extension without looking at its code if this extension is downloaded from the official website of the browser, but I will carefully review the extension downloaded from the author's personal page. Simply because 1) a browser is a more serious product than an extension, 2) who knows what one person can do without any control.

On the other hand, you complicate the situation where it is simple. You just need not to leave the official website of the browser. It will be beneficial to you and the Pale Moon team and users. What prevents you from doing so?
If you want to do well, just do it...

[Nightbird]

This still seems a bit strange to me, since from my point of view, you either trust the author of the extension (given the reputation, availability of sources, etc.) or not.

Completely agree with you. You have no need to apologize for anything.

Also, pondering what was happening, I received further confirmation that the migration from the Pale Moon add-on site was the right decision.

Again I agree with you. If nothing else, this has certainly proved to be a cautionary tale for future extension developers on this platform. Very sad.

Never forget that any admin has a power of "life and death" on you : you can be banned, you account removed...without any notification, explanation. His/her power can be fully discretionary.

[Moonchild]

Never forget that any admin has a power of "life and death" on you

This isn't some hobby project run by a moody teenager who will format the drive when he feels butthurt.

[JustOff]

When you do get that time please give us a heads up on your revised solution.

I came up with a solution that uses a web page to notify changes in extension distribution and an optional helper extension to automate the migration. The idea behind this is that the user will receive only one notification, regardless of the number of extensions requiring an intermediate update, and then can choose how to proceed.

I've put all the components online and have released interim and final releases on GitHub for the first five extensions that were affected by a previous failed migration attempt so you can check everything out.

If there is no objection, I will prepare updates for all other extensions so that they can be pushed to the Pale Moon Add-on Site all at once. The latter is preferred because of the single notification and how the automatic migration agent works.

[New Tobin Paradigm]

Yeah except that will create a massive headache for users.

Dude, come on.. Don't punish end users because of your decisions. Just use your timer with nsIPromptService to say what it is gonna do THEN issue a command to amIInstallTrigger supplying it the URL and hash if it is cancelled then set an migration optout pref that WOULD be cleared if they later grabbed github version manually.

That way the user is notified, given a choice, and it is nice and secure.
https://udn.realityripple.com/docs/Mozilla/Tech/XPCOM/Reference/Interface/amIInstallTrigger

[JustOff]

Yeah except no one will know anything about it unless they come here?

Sorry, but you don't seem to fully understand how my solution works. As soon as the interim version is received from the AUS, the user will receive a notification with instructions in a new tab.

Why don't you JUST something similar to what you did before with a conformation box and supply a hash for the XPI to check. Why are you trying to over-complicate things?

As I said, I want to avoid multiple notifications if the user has more than one extension that needs migration.

PS: I see you have edited your comment, but the gist of my answer remains the same. And I use InstallTrigger, but from the instruction page, to get an update of all extensions at once in just a couple of clicks.

[New Tobin Paradigm]

No. No way in hell. You're not going to be allowed to compound your bullshit with a NEW extension that intercepts AUS requests and rewrites them. Please consider what I said as it is almost identical to what you did originally except secure.

[JustOff]

Sigh ... What's wrong again if the user installs this extension of their choice? And by the way, in the helper extension I use a method that until recently did not raise any objections when it was applied in uBlock Origin Updater, distributed through the Pale Moon Add-ons Site.

[New Tobin Paradigm]

You know for a FACT that extension was HIGHLY objected to by my self. The Gorhill toadies overruled that objection with their bitching and I let it slide. I am not going to argue with you. Modifying requests to AUS on the fly is not acceptable.

What is wrong with a modification to the procedure you yourself decided to do in the first place? It would take all of 10 minutes.

[Moonchild]

JustOff, what you had in your initial 5 extensions ONLY had as a problem that the user was neither informed nor given a choice.
As stated both of those things can simply be solved by using the prompter service to present the user with a dialog box with an explanation and depending on the user's response either go ahead or set a flag to "do nothing and don't notify again".

This convoluted "solution" involving an external web page and an extra (also external) extension that intercepts and rewrites requests is neither needed nor clear to the user, and it also doesn't provide a clear and safe path to migrate. You want them to be confused?...

[New Tobin Paradigm]

Additionally, your migration extension still violates security because rewriting AUS requests to an update rdf file externally COULD be impersonated by MiTM. Using InstallTrigger IN the extension assures the hash is from a trusted resource and is used to verify the external XPI file from the external resource.

[JustOff]

Can you imagine what would happen if a user suddenly received multiple modal requests to update extensions at the same time? Personally, I would be very angry if this happened to me during my daily browsing session. This is why I used a solution with a single notification page opening in the background.

Well, I updated the migration page to avoid using a helper extension (although this was the most user-friendly way). Currently, this page contains installation links for the first five extensions only, please check.

[New Tobin Paradigm]

Your solution is race-y though and I think contains an error in the preference code and you risk having multiple tabs open up in the background for a userbase who likes to keep hundreds of tabs open. How is this superior?

Don't like the model dialog on a timer? Overlay the Add-ons Manager with a message (something like "This Extension will no longer receive updates from &brandShortName;'s Add-ons Site") with a More info link and have THAT popup your prompt and they say ok then do the InstallTrigger.

How does that sound?

[JustOff]

Your solution is race-y though and I think contains an error in the preference code and you risk having multiple tabs open up in the background for userbase who likes to keep hundreds of tabs open. How is this superior?

I have done extensive testing of various scenarios, in none of which I have been able to get multiple openings of the notification page.

Don't like the model dialog on a timer? Overlay the Add-ons Manager with a message (something like "This Extension is no longer being updated from &brandShortName;'s Add-ons Site) with a More info link and have THAT popup your prompt then do the InstallTrigger.

How does that sound?

I don't like the idea of flooding the Add-ons Manager from many extensions at the same time, this will inevitably affect at least the browser launch time.

[New Tobin Paradigm]

Non-sense.. MAYBE the time to open the Add-ons Manager by a few milliseconds.

[JustOff]

You forget that almost all of my extensions are restartless. Let's stick to the strategy of not overcomplicating things, as discussed above.