Open Bug 899173 Opened 11 years ago Updated 2 years ago

time for another round of disabling side-installed addons

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Type:
defect

Tracking

()

People

(Reporter: mmc, Unassigned)

References

Details

During the Firefox 8 update cycle addons that were side-installed (as detected by extensions.autodisablescopes) were disabled by default. It is time for another round of this.

One outcome of the addons workweek (https://wiki.mozilla.org/Add-ons/WorkWeek2013) is that there are millions of unique addon ids, but the vast majority of those are installed by only one user. It is likely that these are addons installed without user intent or desire. Dashboards are at http://panorama.khan.mozilla.org/fisheye/ecosystem (requires MPT VPN access).

Showing a prompt with all installed addons listed, and the side-installed addons disabled by default, will likely improve the user experience. Blocking bugs are likely to be bug 596343 and possibly bug 775253.
We were told this wasn't going to be done again...
Hi Mike,

I filed this bug based on several conversations with AMO folks and security folks. I wasn't at Mozilla when Firefox 8 rolled around, so I don't know how that process went down. If there were severe problems last time, then we should alleviate those. It is pretty clear from that all is not well with the addons ecosystem, though, so we should do something about that, too.

Thanks,
Monica
The problem at the time was that the UI was very poor, particular leaving off descriptions. 

The bugs we reported were closed saying "it won't happen again"

See all of the dependent bugs for 596343, particular the WONTFIX and the open ones.
OK, understood. In that case, if people who are responsible for this decision (Gavin? Johnath? AMO team?) think it's a good idea to pursue this bug, then we should triage open bugs blocking bug 596343 and see which ones must be fixed, and make sure that the UI works with Australis, etc.
+1 Monica.  Make it happen!  We need to end side-installs.
Mike, the bugs that were closed will be fixed before we do this again. The initial plan was to only do it once, but there have been so many cases of add-ons bypassing the opt-in screen that it's become clear that doing it once was not sufficient.
My primary concern is that last time, the dialog was very poorly worded and targeted all add-ons.

I hope that this time around, we will truly focus on the side-loaded add-ons.
It tried to target only side-loaded add-ons. I don't think we're going to be able to narrow down the opt-in list any more than we could before. There's not much metadata available to us to determine how an add-on was installed.
(In reply to Kris Maglione [:kmag] from comment #8)
> It tried to target only side-loaded add-ons. I don't think we're going to be
> able to narrow down the opt-in list any more than we could before. There's
> not much metadata available to us to determine how an add-on was installed.

When we did the last round of stuff I added an entry to the database to record whether add-ons had been side-loaded. I don't know whether any of the methods of circumventing the opt-in screen get around that but we might at least have a record of add-ons that were definitely side-loaded.
Component: Untriaged → General
OS: Mac OS X → All
Hardware: x86 → All
Which field is that? I don't see anything that looks applicable.
Ah, I was looking at the wrong database.

In any case, we're going to have to do some testing to see how common that flag is with the kind of side installs we're looking to prevent before we decide if it does what we need.
No longer blocks: 899659
Depends on: 899659
There is a related discussion going on here, which I missed until today:
https://groups.google.com/forum/#!topic/mozilla.addons.user-experience/HG44n4ZWzhA
It's sort of related, but it shouldn't block this effort.
I chatted with Asa about this, he said to check back in 3 weeks to see about getting this on the Firefox roadmap.
+6, do it. I'll take the registration thing.
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.