Regarding the future of my (JustOff) extensions for Pale Moon

[ron_1]

Off-topic:

EDIT: SHIT.. I went all year without saying the word moron on the forum. So much for my New Year's resolution.

Well 44 days ain't bad. That's probably a record for you.

[mr tribute]

Do you really believe that blocking an add-on using the block-list will coerce users into forking Fx add-ons ?

Kinda my attitude too.
Have I ever used Moon Tester Tool? No.
Would I use an (unmodified) Firefox extension in 2021? No, but I have one extension that has been modified.
Becoming an add-on maintainer is a different thing. License... Graphics... Maintenance... and should probably know what you are doing.
Do I think there is a lack of Pale Moon add-ons? No.

Do I think add-on maintainers have received sub-par treatment (one was called insect for example) on this forum? Yes, I can think of two.
In the case of JustOff and Moon Tester Tool it would have been easy to inform that this tool isn't wanted on the add-ons site and information regarding it isn't welcome on the forum. That would have been the end of MTT here. And as I suggested those seeking help could supply add-on info so then MTT would be banned from the help forum as well. But it could still be used by "outsiders" and that's kind of the beauty with the FLOSS concept.

Do even 1 % of PM users use MTT? I have been here quite a lot and I didn't know about its existence before it became "the root of all evil".

[Moonchild]

Let me make one thing clear: adding a warning level to MTT to require extra confirmation from the user because JustOff isn't doing so (and instead just throws a tantrum and leaves, and on top of that tells people who use MTT to disable all security measures in the browser just to avoid this extra confirmation of use for the extension!!) is not the same as blocking the extension. I have no sympathy for that kind of behaviour nor for the people who won't even (try to) understand what they are talking about and just assume that "adding to the blocklist" means "preventing use".
Just because it has "block" in the name does not mean everything on it is hard-blocked. That's the kind of reason I'd expect from a retard (an actual one, not name-calling here) who can't understand anything past single-term associations.

We have 3 levels of severity on the blocklist, and only #3 hard-blocks extensions for being unreasonably dangerous or malicious.

As for JustOff's conversationalism goes, I think Tobin is absolutely right: being polite in conversation about destroying something doesn't take away you are still destroying something. Actions are much more important than words here.

[Moonchild]

Do even 1 % of PM users use MTT? I have been here quite a lot and I didn't know about its existence before it became "the root of all evil".

I certainly think so. Probably more. But they are the quiet masses that just "want their extensions to work" and aren't active here.
Also, 1% in absolute numbers would be 10,000 people or so. You think that's negligible? I don't think so. If you do, please give me $1 for each of those people you discard.

[New Tobin Paradigm]

I can find out roughly how many if I really need to just put a temporary tap on AUS and count how many unique requests for for that specific Add-on ID.

But I would specifically have to add that code, test it, store it, let it go for a few days. Come back note the number, revert the changes, discard the data and then tell you only for a reasonable possibility of it being rejected as not significant, not accurate, or have the whole practice condemned under a handful of bullshit reasons.

This is btw, why I don't just keep this kind of data at all or just have a switch to flip handy.

As for JustOff, Moon Tester Tool is not being targeted in a vacuum nor is JustOff the root of all evil merely for it. It is a years long pattern of selfish and deceptive behavior that includes the extension and this carefully orcastrated seemingly over the top portrayal of a ragequit because enough is apparently too much. It is a dramatic performance to cast us collectively and Moonchild and myself specifically as the central villains. This is a tactic commonly seen from the likes of the Anti-Pale Moon Subreddit, MSFN Hackers, BSD Communists, and of course the Mozillazine Trolls. Not something I would expect from such a respected Pale Moon Add-on Developer and Contributor.

As for you, I was not speaking to you when another user was passive agressively taking a shot at us or me specifically. The applogy, however, was directed at you soley though I kind of regret making it now because you have shown you aren't really deserving of it. I know more about your intensions now so the probably of you being offered another one has dropped dramatically.

Good day, sir.

[Moonchild]

I honestly see no reason to keep this topic active at this point. It's already had everything said and already degraded to people just opinionatedly taking sides while not having the courtesy of making informed decisions.

[Moonchild]

Reopened by request of the OP

[WiseWolf]

Moderator note: please quote only relevant and use offtopic tags where applicable.

Off-topic:

This is a tactic commonly seen from the likes of the Anti-Pale Moon Subreddit, MSFN Hackers, BSD Communists, and of course the Mozillazine Trolls. Not something I would expect from such a respected Pale Moon Add-on Developer and Contributor.

BSD communists? Huh, I always thought people thought that about GNU more. Very odd...

That being said, can't we all just get along?

[WiseWolf]

Thank you for maintaining that ublock origin fork and for the other addons you maintain. That all being said, I wish for peace for you and Moonchild and Tobin. It would be nice if you guys weren't annoyed with each other and could make peace, but if not, oh well.

Just for the record, I appreciate your work and Moonchild's and Tobin's despite his crass behavior often. Though I am sure he is a good person and has his reasons.

Thanks to all three of you.

[JustOff]

Thank you for the opportunity to continue discussing this topic publicly.

Yesterday I started uploading transitional versions of my extensions to the Pale Moon add-ons site. As I originally stated, these transitional extensions have a single purpose: to allow existing users to receive new versions as they are released in a new location. The fact that this was exactly what was done can be easily verified by the commits in the corresponding repositories. By the end of the day, I had prepared and published transitional versions for the first five extensions and planned to complete everything today.

However, this morning I discovered that all my extensions on the Pale Moon add-ons site were deactivated (and yes, again without any notification). I'm completely at a loss as to how this fits with the earlier promise not to interfere with the transition to GitHub and would like to get some reasonable explanation for what happened. Have you decided to take your promise back?

[coffeebreak]

Indeed, all of JustOff's extemsions are returning 404s.

I hope this is reconsidered.
It would be best for everyone if this transition is allowed to go through without such interference.

[Moonchild]

First off, it wasn't a promise, it was a statement. But regardless of that, any transition, migration, or whatever you want to call it cannot bypass normal user preferences, choice or control of an update/installation process. These things are there for a reason and you can't just flaunt them!

Yes, I've personally investigated the "temporary migration" code after seeing the new versions published and have run it through a test setup with one of the submitted extensions to verify that it was indeed doing what I suspected (with disbelief at first, mind you, but verified). The way you did it completely ignores user preferences for extension updates, and does not provide the user with a notification or a choice, and happens at an arbitrary delay and completely stealthed in the background.
In fact, if a user would not think of checking the add-ons manager (for overlay extensions) to see that "an update is pending" they would just "suddenly" have a different version upon restart of the browser, even if they chose to not update extensions automatically. For restartless extensions it's even worse, as the only indication would be a brief flicker of UI elements (if any are present from the extension) after the arbitrary delay. What's more, after migration the new versions remove any indication of what happened or that a migration had occurred. It would go completely unnoticed by the end-user.

This kind of stealth behaviour hooking into the Add-on manager's internals and silently downloading and installing an extensions, completely bypassing normal update preferences, verification checks, update notifications and routines is unacceptable. That is black hat shit, JustOff. It's the kind of thing you'd expect from a trojan extension to install things without user consent. Of note, that kind of thing would not be tolerated from any submitted extension, and they would all be subject to the same response of immediate deactivation to protect our user base.
Since you were clearly intending to publish similar "updates" for your other extensions we decided to deactivate all of them to cut this short and stop publication of more extensions with the same method rather than doing it extension by extension. We didn't want to expose more users to this undesired behaviour than we have to.

I'm really disappointed that you attempted to do it this way without respect for user choice and the security measures in place for extension handling.

[Tohuwabohuix]

...It's the kind of thing you'd expect from a trojan extension to install things without user consent...
...we decided to deactivate all of them to cut this short and stop...
...We didn't want to expose more users to this undesired behaviour than we have to.
I'm really disappointed that you attempted to do it this way without respect for user choice...

Thank you Moonchild for protecting our add-on integrity!
I am also utterly disappointed with this behavior by a previously considered sincere add-on developer.
I can't believe it - the only thing he should have done would be to withdraw the "Moon Tester Tool" add-on that will no longer work for long anyway. Everything would have been fine and his, acknowledged, great skills in add-on development would have continued to benefit all Pale Moon users.
But now I've seen me forced to uninstall all of his add-ons - very, very unfortunate.

[Tohuwabohuix]

...But now I've seen me forced to uninstall all of his add-ons - very, very unfortunate.

I hope JustOff will reverse his dubious decision. He should remove the malware-like changes regarding updating in his add-ons. ... and come back without the counterproductive "Moon Tester Tool"!

[coffeebreak]

Personally, I still consider JustOff to be a "sincere add-on developer", with integrity as great as that of any developer in this project. I plan to defer forming an opinion until learning what HE has to say about Moonchild's post.

[Tohuwabohuix]

Personally, I still consider JustOff to be a "sincere add-on developer", with integrity ...

I do sure also assume that he is basically a serious developer with integrity.
But everyone can make a mistake and go wrong - and everyone can revise wrong decisions.

Therefore:

I hope JustOff will reverse his dubious decision. He should remove the malware-like changes regarding updating in his add-ons. ... and come back without the counterproductive "Moon Tester Tool"!

[JustOff]

I apologize for the long answer, but the accusations are too serious and I must state everything in detail.

Let's try to consider how the migration mechanism I have implemented works, leaving emotions aside.

- What does the user expect to receive when they install the extension for the first time?
- They expect to get a certain set of features, limited to those stated by the author.

- Does the temporary migration routine violate this rule?
- No, the user gets an extension with exactly the functionality as described.

- Did I announce, that temporary migration will occur and this will be part of the extension's functionality?
- Yes, I did it explicitly, openly and more than once, here in this thread and in the source code.

- How can the user control the update of the extension?
- They can either activate automatic updates or do it manually.

- Can a user get an update containing a temporary migration routine if they have disabled automatic updates?
- No, this is obviously not possible. Everything is under their control.

- What does it mean if the user has activated an automatic update or initiated a manual update?
- This means that they have expressed a clear will to get a new version of the extension, if one exists.

- Does the temporary migration routine change this logic?
- No, as a result, the user gets a new version of the extension, as they wanted.

- What then is the difference between extensions with a temporary migration routine and without it?
- The extension with a temporary migration routine will be installed and updated in two steps.

Thus, it is false to claim that the migration method I have used ignores user preferences and their choices to control the installation or upgrade process. Similarly, it is false to compare it to hacking techniques and other malicious activities. My actions are clean both in terms of intent and implementation, all steps have been taken publicly and are open to auditing for everyone.

[Kris_88]

Why did you even start this...?
Emotions must be kept in check, this applies to both sides ...

[EMH_Mark_I]

While fortunately this wasn't a malevolent act from the likes of handing over an extension to a bad actor (a common practice still observed in AMO and Chrome Web Store, despite their best efforts to clamp down on it), this is the sort of behaviour that has me paranoid of web browser extensions and why I keep auto updates disabled and manually apply and routinely monitor.

The update and distribution platform was moved away from Phoebus to a third party, which as stated in this thread would occur and did certainly occur as part of the migration effort, but there may be many people that will not be aware of this change.

There is only a minority of users that will ever bother to read the forum. If something were to occur in the future that resulted in your GitHub repository falling into the wrong hands and used for distributing malware, the install base of those extensions would pin the blame directly on Pale Moon for permitting such a scenario to unfold, unaware that the extensions may have been long since removed from the Pale Moon add-ons platform. They were not notified of the change.

When I leave auto-updates enabled for a particular extension, I expect those updates to be provided by the platform I installed it from (AMO, Chrome Web Store, Pale Moon add-ons, etc). If a major change such as this migration is to be orchestrated, then some prior notification would be expected. Is a nag notification not possible?

While you may accept the full responsibility of your extensions, the install base may not see it in this light and will expect Pale Moon to uphold some integrity for its own services. If something were to occur that seriously impacted the users of your extensions, their first response will likely be directed toward Pale Moon, harming its reputation.

As for the method in how this was deployed, I leave that for the operators of Pale Moon add-ons to judge. They may have some guidelines and expectations in how to carry out such a task, if it were possible.

The only live extensions I now keep are Alessio's “eMatrix” and Lootyhoof's “Stylem.” The small few rest I maintain for myself alone due to either potential licensing conflicts or my unfortunate lack in programming to properly maintain for an install base which could prohibit a clean fork.

[Lootyhoof]

JustOff,

Despite what you may think, your migration tactic IS a Trojan. You used your already installed (and privileged, trusted, ...) add-ons to download external code and run it. Without any consent from the user. To quote (emphasis mine),

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system.

...

A backdoor Trojan gives malicious users remote control over the infected computer. They enable the author to do anything they wish on the infected computer – including sending, receiving, launching and deleting files, displaying data and rebooting the computer. Backdoor Trojans are often used to unite a group of victim computers to form a botnet or zombie network that can be used for criminal purposes.

Yes, it does appear to actually update when you check for updates in the Add-ons Manager. However, it does NOT check if add-ons should install automatically or not. For example, look at the below:



With the option "Update Add-ons Automatically" disabled, you would expect available updates to show here. NOT for add-ons to update in any fashion.

Let's have a look at your responses too, shall we?

- No, the user gets an extension with exactly the functionality as described.

How do you check this? Do you perform any sort of error check? Your code would suggest otherwise, it just grabs an XPI from the Internet. The user is never aware of what is happening.

- Yes, I did it explicitly, openly and more than once, here in this thread and in the source code.

Do you expect all of your users to read this particular thread, or look at the source code? I need to repeat again: The user is never aware of what is happening. No notification from the extension to expect it, or anything.

- Can a user get an update containing a temporary migration routine if they have disabled automatic updates?
- No, this is obviously not possible. Everything is under their control.

See above. This is blatantly false.

- The extension with a temporary migration routine will be installed and updated in two steps.

But where is the consent for this? I need to repeat AGAIN: The user is never aware of what is happening. They may have opted to update their add-ons (with the caveat of the above) but they did not know it was coming from a source other than that which they originally installed it from.

it is false to compare it to hacking techniques and other malicious activities.

If you are installing and running privileged code from the Internet by abusing your add-on's status of already being present in the system, meddling with the Add-on Manager's internals in the process to do so, you most certainly ARE behaving exactly like a Trojan. Again, see above my definition of what a computer Trojan is.

A little user consent goes a long way. Even if you just opened the XPInstall dialog so people are aware of what is happening, as this does provide a URL people can visit and properly audit if they wish, given it is not from a trusted source (and especially since it is not from the same source they installed from originally).

Regardless, with actions like this I have lost trust for you. I am disappointed. While I wish you the best for your add-ons going forward, with such tactics being precedent I don't feel I would be able to recommend them going forward.