Closed Bug 1224520 Opened 9 years ago Closed 9 years ago

Upload "AMO Browsing for SeaMonkey" to AMO

Categories

(SeaMonkey :: General, defect)

Product:
SeaMonkey
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox45 affected)

Status:
RESOLVED FIXED
Milestone:
seamonkey2.40
Tracking Flags:
Tracking Status
firefox45 --- affected

People

(Reporter: RainerBielefeldNG, Assigned: RainerBielefeldNG)

References

(Blocks 2 open bugs,
URL
)

Details

I think a useful fix for "Bug 1151227 - Add-on Manager discovery pane: add Banner with link to Add-on-converter" will need "AMO Browsing for SeaMonkey" on AMO.
See Also: → 1145026
Blocks: 1151227
I'm in favour of this, but actually it is for lemon_juice to decide. In any case the "AMO Browsing for SeaMonkey" extension is not (yet) part of Mozilla code, using bugzilla.mozilla.org for it is abusing the system. By not resolving this bug INVALID ("not a Mozilla bug"), I'm making myself an accessory after the fact to the misdemeanor.
Also Chatzilla also is available on AMO, and currently I would like to find some more testers before we bundle the add-on to SeaMonkey. Chance that some stumbles upon the AMO browser is much bigger at AMO. We will see whether it will be useful to have the latest versions on AMO in parallel when we have it bundled.
But what does the "AMO Browsing for SeaMonkey" has to do with the Add-on Manager discovery pane? We might have the extension on AMO, it wouldn't hurt. However, I wouldn't count on an influx of testers and I don't think we should postpone the bundling due to that. This is a pretty simple extension and it doesn't need some huge amounts of testing. PS. I have also considered making some useful add-on discovery pane as a feature of this extension. This might be an easier route as we wouldn't need any python coders needing to access some Mozilla stuff. So this is possible but I'm not implementing the feature right now because in the first place we need to get the extension shipped with SM (I don't want to add features only to find out the bundling never happens...).
(In reply to lemon_juice from comment #3) > But what does the "AMO Browsing for SeaMonkey" has to do with the Add-on > Manager discovery pane? [...] The idea is to have it mentioned as recommended when someone clicks "Get Add-ons" in the SeaMonkey add-ons manager. Probably not as the only recommended add-on, but at the moment there are none.
(In reply to lemon_juice from comment #3) > We might have the extension on AMO, it wouldn't hurt. However, I wouldn't > count on an influx of testers and I don't think we should postpone the > bundling due to that. Yes, of course. unfortunately there is no activity for "Bug 1230722 - Include "AMO Browsing for SeaMonkey"-add-on into SeaMonkey release bundle"
(In reply to Rainer Bielefeld from comment #5) > (In reply to lemon_juice from comment #3) > > > We might have the extension on AMO, it wouldn't hurt. However, I wouldn't > > count on an influx of testers and I don't think we should postpone the > > bundling due to that. > > Yes, of course. unfortunately there is no activity for "Bug 1230722 - > Include "AMO Browsing for SeaMonkey"-add-on into SeaMonkey release bundle" I might be wrong, but I think the SeaMonkey Release-Engineering developers have more pressing matters to attend to, and also that they are waiting for the add-on to be uploaded at AMO by its developer before they do anything towards including it as an integral part of SeaMonkey. The extension's author is indeed the only person who may (a) decide whether he allows the extension to be available at AMO, and (b) if he does, perform the upload and request full review. For this reason, I am nominating Lemon Juice as assignee (i.e. because only he can do it) but I am not setting the bug as ASSIGNED. I'm leaving it to Lemon Juice himself to take the bug if he is willing to do it and has the time for it. It is perfectly all right for LJ to decide that he prefers _not_ to have his add-on at AMO; but such a decision might be counterproductive in convincing the RelEng team that it is a worthy part of the browser. (Rainer and I believe that is is, but neither of us is on the SeaMonkey Council.)
Assignee: nobody → michal-ok
OS: Unspecified → All
Hardware: Unspecified → All
I will proceed due to permission <https://bugzilla.mozilla.org/show_bug.cgi?id=1230722#c6>
Assignee: michal-ok → RainerBielefeldNG
Status: NEW → ASSIGNED
Target Milestone: --- → seamonkey2.40
done! Tests and suggestions how to improve AMO download page apreciated (please file separate Bugs)
URL: https://addons.mozilla.org/de/seamonk...
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Add-On has been rejected, copy of message I received: Your add-on, AMO Browsing for SeaMonkey 0.9.9.1, has been reviewed and did not meet the criteria for being hosted in our gallery. Reviewer: Leszek Życzkowski Comments: This version didn't pass review because of the following problems: 1. This add-on is creating DOM nodes from HTML strings containing potentially unsanitized data, by assigning to innerHTML, jQuery.html, or through similar means. Aside from being inefficient, this is a major security risk. For more information, see https://developer.mozilla.org/en/XUL_School/DOM_Building_and_HTML_Insertion . Here are some examples that were discovered: This version of your add-on has been disabled. You may re-request review by addressing the reviewer's comments and uploading a new version at https://addons.mozilla.org/en-US/developers/addon/amo-browsing-for-seamonkey/versions If you want to respond to this review, or have any questions about it, please reply to this email or join #amo-editors on irc.mozilla.org. To learn more about the review process, please visit https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews -- Mozilla Add-ons Team https://addons.mozilla.org
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Well, of course, this extension is using innerHTML to create content to inject into the web page - this is its main purpose. AMO reviewers don't have time nor willingness (or are simply instructed so) to check if the particular innerHTML usages are safe or not - they simply reject them by default. I suggest skipping AMO altogether because this might mean a series of additional attempts to get the extension reviewed plus having to alter the code to be accepted by their robots and humans and in effect make the code a bit more complicated and slightly less efficient (yes - contrary to what the AMO report says). IMO not worth the trouble. Just simply let a SM dev look through the code's innerHTML occurrences to verify if they inject anything malicious or not.
Because I think more users should have access to this tool even before we have a bundled solution I uploaded an installable Version of the add-on at sourceforge.net. Minimum manual, download link and warnings see here: <https://unofficialseamonkeynews.wordpress.com/2016/03/19/amo-browsing-add-on-eases-conversion-and-installation-of-ff-and-tb-add-ons/>
(In reply to Rainer Bielefeld from comment #11) > Because I think more users should have access to this tool even before we > have a bundled solution I uploaded an installable Version of the add-on at > sourceforge.net. I don't know why I didn't put up the installation file on github in the beginning, I think I must have been too ignorant if github features and didn't know if/how it can be done. Anyway, for completeness sake I have uploaded the release there: https://github.com/lemon-juice/AMO-Browsing-for-SeaMonkey/releases. Of course, it can remain at sourceforge, too.
If you're still interested in getting this on AMO, here's a pull request on GitHub I made that might help (removes all uses of innerHTML.) https://github.com/lemon-juice/AMO-Browsing-for-SeaMonkey/pull/6
Success: the extension is now fully reviewed after I applied a workaround that gets rid of innerHTML: https://addons.mozilla.org/addon/amo-browsing-for-seamonkey/
.
Status: REOPENED → RESOLVED
Closed: 9 years ago9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.