Closed Bug 1451618 Opened 7 years ago Closed 7 years ago

TLS 1.3 roll-out SAO visible in addon manager with unclear description

Categories

(Core :: Security, defect)

RESOLVED DUPLICATE of bug 1367800

People

(Reporter: fb+mozdev, Unassigned)

For a brief time today after booting from hibernate, I was able to see the "TLS 1.3 roll-out" system add-on in the Addon Manager. I know what is supposed to be, but from the description it's not clear (1) where it comes from, (2) why it's there, and (3) what it gives me.

Even if the Add-On is not supposed to be visible, at least for long, I strongly suggest adding meaningful descriptions to System Add-Ons so laymen don't see it as a threat.

In this case, I propose something like the following:

"Firefox-internal System Addon for the initial rollout of the TLS 1.3 security feature."

(This template sentence can easily be adapted to any kind of SOA-driven feature roll-out.)

The Read More link shall then show a few more words:

- What the feature is/does (1-2 sentences).
- Method used to select installations and how to see whether you were elected (if possible/applicable).
- How to report problems and how to opt out of the feature (may include security warnings that the user should not, in fact, opt out unless they experience issues).
- How to opt out of all features studies (if possible/applicable).

It should also point to a help article with further information.

All of that information should be short and most can be re-used for other SOAs. The information should IMHO be part of the regular approval process for SOAs anyway, so no need to invent too much new stuff.

I'd actually prefer if SOAs would be listed in a different section apart from the "user" addons (e.g. a "Features" section) with users being able to see what SOAs are installed and see more information -- but that's a different issue ...

I believe this is a duplicate of bug 1367800. Here are a few thoughts I have on the other things you're proposing:

(In reply to Florian Bender from comment #0)
> For a brief time today after booting from hibernate, I was able to see the
> "TLS 1.3 roll-out" system add-on in the Addon Manager. I know what is
> supposed to be, but from the description it's not clear (1) where it comes
> from, (2) why it's there, and (3) what it gives me.
>
> Even if the Add-On is not supposed to be visible, at least for long, I
> strongly suggest adding meaningful descriptions to System Add-Ons so laymen
> don't see it as a threat.
>
> In this case, I propose something like the following:
>
> "Firefox-internal System Addon for the initial rollout of the TLS 1.3
> security feature."
>
> (This template sentence can easily be adapted to any kind of SOA-driven
> feature roll-out.)
>
> The Read More link shall then show a few more words:
>
> - What the feature is/does (1-2 sentences).
> - Method used to select installations and how to see whether you were
> elected (if possible/applicable).
> - How to report problems and how to opt out of the feature (may include
> security warnings that the user should not, in fact, opt out unless they
> experience issues).
> - How to opt out of all features studies (if possible/applicable).
>
> It should also point to a help article with further information.

These are all great ideas, thanks! Hopefully we won't need to use extensions for feature roll-outs in Firefox for more than a few more releases, in the meantime I will make sure we use clearer description. If you'd like, you can propose changes here for the TLS 1.3 roll-out extension specifically:

https://github.com/mozilla/one-off-system-add-ons/tree/master/addons/tls13-rollout-bug1442042

I do like the idea of letting users know what feature roll-outs are happening and more information about what each change means, how to opt out if applicable etc. Would you mind distilling this part into a new bug and file on the Normandy client, which is what we're planning to replace SAO updates with, and cc: me?

https://bugzilla.mozilla.org/enter_bug.cgi?product=Firefox&component=Normandy%20Client

> All of that information should be short and most can be re-used for other
> SOAs. The information should IMHO be part of the regular approval process
> for SOAs anyway, so no need to invent too much new stuff.
>
> I'd actually prefer if SOAs would be listed in a different section apart
> from the "user" addons (e.g. a "Features" section) with users being able to
> see what SOAs are installed and see more information -- but that's a
> different issue ...

I think we should consider having something similar to about:studies but for hotfixes/feature roll-outs via Normandy as mentioned above. I think a similar template to what you're proposing could be useful for shield studies as well.

We explored exposing system add-ons via about:addons in a new pane a while back, although that was more in the context of built-in features that happen to be developed as extensions, like Pocket and Screenshots that. I think for these as well as feature roll-outs and hotfixes, extensions happen to be the delivery mechanism but they don't really make sense in the context of that UI.

In any case, I think there's room to have more informed user choice here. Thanks for filing! Please re-open if I'm wrong about this being a dupe.

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE