Closed Bug 245198 Opened 16 years ago Closed 14 years ago

Add-ons policy needs to be defined and published

Categories

(addons.mozilla.org Graveyard :: Policy, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Bugzilla-alanjstrBugs, Assigned: shaver)

References

()

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040518 Firefox/0.8.0+ (Darkstar)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040518 Firefox/0.8.0+ (Darkstar)

u.m.o needs a policy document explaining what themes/extensions/plugins can be
listed, the licenses they can come with

Reproducible: Always
Steps to Reproduce:
The items listed on this site are NOT supported by mozilla.org unless
specifically listed as such.  All are free for use and should be considered
copywritten unless other license is provided.  

Website errors should be reported using <a
href="http://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&format=guided">bugzilla</a>.
 Extension and theme requests, as well as support requests can be made on <a
href="http://forums.mozillazine.org">MozillaZine</a>.  
Regarding the discussion on licensing, may be it is good 
to let the authors/submitters explicitely name the license(s) 
valid for the submitted material?
*** Bug 247321 has been marked as a duplicate of this bug. ***
Updating summary, since there was a dupe... Also, who at the Mozilla Foundation
handles stuff like this? we need to work with them on this one.
Summary: Terms of Usage Document → Terms of Usage and licensing policies Document
See Bug 252680 and Bug 252679, this'll likely become a dupe of one of those.
*** Bug 252680 has been marked as a duplicate of this bug. ***
Updating Summary to be clear what this bug is about.

From Bug 252680 Comment #0:

------- Comment #0 From Ben Goodger  2004-07-22 13:37 PDT -------

Independently of when we come up with a solution for extension signing, we need
some kind of disclaimer for umo that states effectively:

"Extensions, themes  are distributed by mozilla.org but the content is not
necessarily verified or waranteed by us etc" We are working on getting a set of
EULAs - I suspect this text can be attached when we get it. See bug 252679 for
details. 

If we get signing working this needs to be extended to say that "Signing means
that the extensions are provided by us, but not necessarily verified by us etc"
Assignee: nobody → psychoticwolf
Summary: Terms of Usage and licensing policies Document → Licensing policies and Disclaimer for Update.mozilla.org
Depends on: 252679
Rafael: I haven't heard anything on this particular document. Ben G. filed Bug
252680 (his comments are quoted in Comment #7 here.) This is supposed to be
related to the work on Bug 252679 for the Firefox EULA. I have a placeholder in
update-beta for this info when its finalized, but I can't personally act on this
bug, it needs the blessing of somebody from the Foundation. Can you or somebody
else official take over with this one?
Whiteboard: Need MF Help Here
Assignee: psychoticwolf → rebron
Whiteboard: Need MF Help Here
*** Bug 271380 has been marked as a duplicate of this bug. ***
Moving more bugs to new component.
Component: Update → Administration
Product: mozilla.org → Update
Version: other → unspecified
Target Milestone: --- → 1.0
Status on this? 1.0 is close and this is not likely to make it.
Changing target milestone to 1.1. Though as soon as we get this, I'll post it,
regardless. :-)
Target Milestone: 1.0 → 1.1
Blocks: 276467
Taking ownership and escalating to get legal engagement and review ASAP.
Assignee: rebron → cbeard
Summary: Licensing policies and Disclaimer for Update.mozilla.org → [Policy] Licensing policies and Disclaimer for Update.mozilla.org
Severity: normal → critical
Blocks: 281902
Blocks: 294292
Attached file policy 0.1
Assignee: cbeard → rebron
> All hosted software must function as described, without additional behaviour 
> and/or side effects, intentional or not.

I'm a little unclear on that one.  To me it is saying that the description
provided to us must enumerate all functionality.  



(In reply to comment #14)
> Created an attachment (id=193070)

Even if both a software and its description
are fine, reviewers might not be able to read it.

Then, ... 
 - The description should be written in English,
   or at least, include English translation part.
 - The title should be ascii.



> 8. We may refuse ... , poorly written, ...

By "poorly", it implys the software code sucks,
but reviewers should also reject apps such as...
 - its title/desc includes words which sound
   dirty, insulting, etc.

In short, improperly written softwares.
Blocks: 298444
Comment on attachment 193070 [details]
policy 0.1

> 1. [...] It does not have to be open source, but code must be licensed
> such that it can be viewed and read by [...] potential end-users.

This precludes hosting any with proprietary binary components? There are useful
tools out there that I would be willing to host in theory (assuming
non-evilness of installers, etc) like the Netcraft or Yahoo toolbars. Sure,
they advertise or tie to a service, but it's a useful service for some number
of users. Is there a line we could draw, like willingness to let umo-admins
review the code under NDA, or a signed contract of non-evilness in situations
like this.

>  6. All hosted software must not interfere with the normal operation of any
>  third-party services in such a way as to be considered malicious or damaging.

AdBlock/FlashBlock/Greasemonkey/etc ? Considered damaging by whom?
(In reply to comment #17)
> This precludes hosting any with proprietary binary components? There are useful
> tools out there that I would be willing to host

If we just link to their site (like Yahoo wants us to), where does that fall in
there?
*** Bug 310154 has been marked as a duplicate of this bug. ***
Hi,

I've just joined you from 310154 (sorry I didn't spot this one earlier - I did
search for duplicates but missed this), and my request is slightly different.
I'm more interested in a having a message on the extensions download page
clarifying whether the extensions are vetted in any way, and, if not, what duff
extensions can do to your computer. (Last bit may be obvious, but it will be
very important to prevent stupid people we're attempting to herd from Internet
Explorer blaming everything going wrong on Firefox. I'm not so keen on only
putting it in the EULA because I, like probably most people, usually accept it
without reading it.)

Now that there seems to be a policy for extension developers in the pipeline,
here's my suggestion for what to put on the front extensions page (just a
starter, tinker as you please):

"All extensions hosted by mozilla.org are expected to conform to a policy
setting standards of security, privacy and stability. [Link to policy.] However,
mozilla.org does not necessarily verify extensions, and all extensions are
installed at the user's own risk."

And I suggest with following it with one link to a user guide in layman's terms
explaining what can happen when you install extensions (in short, what's the
worst that could happen), plus another link to a page should anyone wish to
complain about an extension not conforming to the policy.

Finally, if you've got time, could mozilla.org create a "seal of approval" or
something for extensions they have vetted and found to conform to policy.
Obviously, you couldn't vet all of them, but, say, vetting the 50 most popular
extensions would increase my confidence a bit.
See also bug 275197
shaver is going to help combine feedback and solidify the draft (with everyone else helping of course) -- reassigning.
Assignee: rebron → shaver
Target Milestone: 1.1 → 2.0
*** Bug 317647 has been marked as a duplicate of this bug. ***
Summary: [Policy] Licensing policies and Disclaimer for Update.mozilla.org → Add-ons policy needs to be defined and published
*** Bug 291565 has been marked as a duplicate of this bug. ***
*** Bug 275197 has been marked as a duplicate of this bug. ***
*** Bug 271466 has been marked as a duplicate of this bug. ***
Component: Administration → Policy
AMO bugspam. Correcting QA contacts on OLD bugs (mozilla.update@update.bugs)

-> Correct QA contact (policy@add-ons.bugs)

Filtermeplzkthx
QA Contact: mozilla.update → policy
http://wiki.mozilla.org/User:Shaver/AMO_Extension_Policy is what I've been slowly concocting, I'm pretty happy with it now, though it needs some wordsmithing before it's published and linked from AMO proper.  Comments welcome here on on the talk page.
Status: NEW → ASSIGNED
Target Milestone: 2.0 → 2.1
Yes it clearly begins to take shape nicely. 2 thoughts:
1. "Creator responsiveness: We expect that add-ons on AMO will be maintained to ensure compatibility with new stable/security releases"
Not that I disagree but it seems inconsistent with the fact that maxVersion was capped with 2.0.0.a3 yesterday. If they maintain their addons then why not let them continue to declare 3.0?
2. Perhaps add something against bypassing restrictions set by AMO. I know 2 extensions that check for updates on custom servers although there's no updateURL in install.rdf as AMO demands.
(In reply to comment #30)
> Yes it clearly begins to take shape nicely. 2 thoughts:
> 1. "Creator responsiveness: We expect that add-ons on AMO will be maintained to
> ensure compatibility with new stable/security releases"
> Not that I disagree but it seems inconsistent with the fact that maxVersion was
> capped with 2.0.0.a3 yesterday. If they maintain their addons then why not let
> them continue to declare 3.0?
Maxversion stuff is being tossed around and worked on atm I believe.

> 2. Perhaps add something against bypassing restrictions set by AMO. I know 2
> extensions that check for updates on custom servers although there's no
> updateURL in install.rdf as AMO demands.
Report them. As Shaver said, it's about spirit, not letter.
Spirit's a fine thing but if I commented about on here it's because I did report one about 3 days ago on IRC and no action has been taken yet, possibly because it's not mentioned in the policy :)
Mmm, I didn't notice such a report; my bad.  Mail me the details?  Sorry!
(In reply to comment #30)
> Yes it clearly begins to take shape nicely. 2 thoughts:
> 1. "Creator responsiveness: We expect that add-ons on AMO will be maintained to
> ensure compatibility with new stable/security releases"
> Not that I disagree but it seems inconsistent with the fact that maxVersion was
> capped with 2.0.0.a3 yesterday. If they maintain their addons then why not let
> them continue to declare 3.0?

We'll be adding 2.0b1 and 3.0a1 as "hidden" values in a day or two, once we fix some issues on the server side (bug 342998).  They can't declare 3.0 meaningfully, because it's impossible for them to know that their extension will work with 3.0 when a Firefox with that version number ships.  We're going to have the released alphas/betas as public versions, and the next one as "hidden", but I don't want a bunch of old extensions in the field that claim 3.0 compatibility when that day comes.

And though we might well take abandoned extensions off the site, that doesn't help people who have them installed, and should get them disabled upon upgrade. Also, I'm more concerned about authors keeping their extensions working with updates to a stable release they were compatible against than keeping people to predictive promises that we shouldn't be letting them make in the first place. :)

> 2. Perhaps add something against bypassing restrictions set by AMO. I know 2
> extensions that check for updates on custom servers although there's no
> updateURL in install.rdf as AMO demands.

Please report these to umo-reviewer@, or via the IRC channel, or something.  I'll add something about that, though, in the overview section.  (I know of one extension that has a bogus updateURL because it's been in there for ages, and we didn't notice until just before I got sick, but I'm "on that", as I say.)
Priority: -- → P1
Blocks: 350857
(In reply to comment #29)
> http://wiki.mozilla.org/User:Shaver/AMO_Extension_Policy is what I've been
> slowly concocting, I'm pretty happy with it now, though it needs some
> wordsmithing before it's published and linked from AMO proper.  Comments
> welcome here on on the talk page.
> 

I like it. The things I would like to see different in the listed draft are:

"Categorization") Only allow listing in one category. Pick the most appropriate category to list your extension in.

"Categorization") Add a Multiple Function Category and/or Toolbar category.

"Categorization") Allow site admins to move an extension to a different category if they feel it is improperly listed.

"Rating systems") Allow uses to only rate an extension once. 

"Rating systems")Do not allow ratings/comments to be deleted. Allow the extension author (and only him) to have 1 reply to each rating if he chooses to debate any comment (such as Ebay's feedback system). Only allow a rating/comment to be deleted if "both" the author and the person making the comment agree to it. Ordinary users are smart enough to sift through comments and make an informed decision.
Just added some comments at the talk page. I'm amazed that this necessity was found more than two years ago and it's still not satisfied. When released it should be mailed to all existing extension/themes developers for acknowledge of the "new" rules.
(In reply to comment #35)
> "Categorization") Only allow listing in one category. Pick the most appropriate
> category to list your extension in.

I think many add-ons should have more than one tag. eg. del.icio.us clearly belongs in Website integration and Bookmarks.

> "Categorization") Add a Multiple Function Category and/or Toolbar category.

What would go in a "toolbar" category? Anything that ads a toolbar to the browser? How does this category help the user? It doesn't really as far as I can see, unless you combine it with only allowing things to be in one category.. but most conduit toolbars belong in "website integration" too...

> "Categorization") Allow site admins to move an extension to a different
> category if they feel it is improperly listed.

We already can.

> "Rating systems") Allow uses to only rate an extension once. 

Sounds practical.

> "Rating systems")Do not allow ratings/comments to be deleted. Allow the
> extension author (and only him) to have 1 reply to each rating if he chooses to
> debate any comment (such as Ebay's feedback system). Only allow a
> rating/comment to be deleted if "both" the author and the person making the
> comment agree to it. Ordinary users are smart enough to sift through comments
> and make an informed decision.
> 
In remora we expect comments to be separated from reviews, and probably have ratings separated again. We still want to be able to delete comments and reviews which contain foul language, are lies, etc.
This isn't really a great place to debate the policy proposals back and forth -- it'll just end up being way too noisy.  Can people use the talk page instead?  Thanks!
Flags: blocking-remora-alpha+
Target Milestone: 2.1 → ---
https://addons.mozilla.org/en-US/firefox/pages/policy ftw.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
I don't see a link on the main page to the policy, where is it?

Should be on there imho https://addons.mozilla.org/en-US/firefox/
I eventually found there's a drop-down menu, it's in there, however IMO it should also be mentioned at https://addons.mozilla.org/en-US/developers/docs/getting-started
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.