Closed Bug 1418779 Opened 6 years ago Closed 6 years ago

option to install/update only to latest human-reviewed version of addons

Categories: Firefox :: Untriaged, defect
Priority: Not set; Severity: major
Status: RESOLVED WONTFIX
People: Reporter: tozzedd; Assignee: Unassigned

The following blog post documents a change to Mozilla's addon review policy:
https://blog.mozilla.org/addons/2017/09/21/review-wait-times-get-shorter/

In short, addons are no longer reviewed by a human prior to being published, but only some time after.

This may be good for users who don't care about security (admittedly, most), but for those that do care about security, without an option as suggested in this report, it's a disaster which requires all addons be removed from their installation in order to maintain safety.

Problem statement: the user now has no basis of trust for most addons listed on AMO. With the exception of a few addons offered by e.g. the Electronic Frontier Foundation, most addons are maintained by individuals whom the user doesn't know of and has no reason to trust. Under the prior policies, this issue was mitigated by the assurance that a human who Mozilla has assigned trust to has reviewed the addons before allowing them to be published. Under the old policies, the user's trust in Mozilla could easily transfer to addons reviewed by humans trusted by Mozilla. That is no longer the case.

Suggested solution: a configuration option which allows the user to prevent Firefox from installing or updating to any version of an addon which has not yet been reviewed.

For updates, the implementation should be pretty simple; when Firefox checks for addon updates, it could simply include an extra parameter in the request URL which specifies the user's preference on this point -- the update list determined would reflect only the most recently reviewed version of addons. E.g., if the user is on Addon XYZ version 2.5, and the latest reviewed version of the addon is 2.6, the user will only be updated to version 2.6, even if version 3.0 has been released but hasn't yet been reviewed; once version 3.0 is reviewed, the user will be updated to that version at their next version check.

As for handling installs from AMO, the issue is slightly more complicated and is more likely to warrant discussion about different approaches. Generally speaking, the user's preference needs to be communicated to AMO as a first step. This could be done e.g. by adding a JavaScript property only visible to AMO, or an extra header, or some other method. Once AMO knows the user preference, the bigger question is how to handle it. Perhaps the simplest would be to simply output more information to users with this preference set ... i.e., on the main listing page, a notice would inform the user about whether the latest version of the addon has yet been reviewed; this notice would also appear for each version on the Version History page. This would allow the user to make their choice based upon the information that's relevant to them. More complicated options might include not even showing the not-yet-reviewed versions of addons, but this might cause issues with the addon description not matching the version the user is going to download, for example.
Blocks: 1418784
see also: bug 1418788
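The update-selection rule proposed in the report (pick the newest human-reviewed version above the installed one, falling back to the newest version of any kind when the preference is off), written out as an added illustration. This is not Firefox or AMO code; the version catalog and the `reviewed` flag are constructed here to mirror the 2.5 / 2.6 / 3.0 scenario in the description.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddonVersion:
    version: str
    reviewed: bool  # True once a human reviewer has signed off (constructed flag)


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, so "2.10" sorts above "2.9".
    Non-numeric components are treated as 0 (sufficient for this illustration)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def select_update(current: str, available: List[AddonVersion],
                  reviewed_only: bool) -> Optional[str]:
    """Return the version to update to, or None when nothing eligible is newer.

    reviewed_only mirrors the preference proposed in the bug: when set,
    versions that have not yet been human-reviewed are ignored entirely,
    so a user stays on the last reviewed release until the newer one is reviewed."""
    cur = parse_version(current)
    candidates = [
        av for av in available
        if parse_version(av.version) > cur and (av.reviewed or not reviewed_only)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda av: parse_version(av.version)).version


# Constructed catalog matching the report: user on 2.5, 2.6 reviewed,
# 3.0 already published but not yet reviewed.
CATALOG_BEFORE_REVIEW = [
    AddonVersion("2.5", True),
    AddonVersion("2.6", True),
    AddonVersion("3.0", False),
]
# The same catalog after a reviewer approves 3.0.
CATALOG_AFTER_REVIEW = [
    AddonVersion("3.0", True) if av.version == "3.0" else av
    for av in CATALOG_BEFORE_REVIEW
]

if __name__ == "__main__":
    print(select_update("2.5", CATALOG_BEFORE_REVIEW, reviewed_only=True))   # 2.6
    print(select_update("2.5", CATALOG_BEFORE_REVIEW, reviewed_only=False))  # 3.0
    print(select_update("2.5", CATALOG_AFTER_REVIEW, reviewed_only=True))    # 3.0
    print(select_update("2.6", CATALOG_BEFORE_REVIEW, reviewed_only=True))   # None
```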
We have no plans to expose whether an add-on has been manually reviewed or not. The review status of an add-on is a complex thing to expose, since there can be multiple steps involved. Also, revealing that information can make it easier for attackers to determine how post-reviewing works and which add-ons are better targets for attack.

AMO bugs should be filed here: https://github.com/mozilla/addons/issues/new
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX