Closed Bug 375359 Opened 17 years ago Closed 17 years ago

Allow sandbox add-ons to get updates

Categories

(addons.mozilla.org Graveyard :: Administration, defect)

Product:
addons.mozilla.org Graveyard
Component:
Administration
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: clouserw, Unassigned)

References

Details

We discussed this in IRC a bit tonight, and decided to file a bug about it to at least get the discussion in one place.

Currently, when an add-on in the sandbox looks for an update, it's returned a blank rdf indicating no update is available.  

I think sandbox add-ons should be able to update themselves.  If an add-on is not public, it can still have a following, and those people should be able to get updates.

The worry here is, the sandbox is basically an unchecked arena, and a safe add-on one day could become a malicious one the next (through an automatic update).

Despite being a real concern, I don't think it warrants shutting off updates for these add-ons all together.  I'm, of course, open to hearing scenarios that I haven't thought of that makes this policy appropriate. :)
If we were to make an admin interface for the blocklist, I'd be more comfortable with this.
If I have a public add-on installed, and there's an update for it in the sandbox, should I get offered that update?

I think that this is a manifestation of the issue that the sandbox is two things:

- replacement for the review queue
- place for not-prime-time add-ons that would have survived the review process in v2 (not dangerous or malicious, just not polished or extremely niche)

The first set of add-ons I don't think should get updates.  The second set probably should.
Component: Add-ons → Administration
QA Contact: add-ons → administration
Right now, I think this is WONTFIX.  It basically amounts to unchecked installation of software on users' computers, since the sandbox is not screened at all.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Should be able to know that there is a new version at least even if it is the extension in the sandbox.
Mmm, so I don't want to reopen this bug, but there's an additional issue -- an addon that's in the sandbox also can't have its version compat numbers changed, even if no new code is actually submitted.  That should be a safe operation.
Vlad, I think version bumping in the sandbox should work, I've filed bug 435102 to help us track down and fix the issue.
I recognize that the adding on in the sand box is before a review basically.
 
If a user install the add-ons of the sand box, and a user uses it, I think that it is necessary for the new version of the add-ons to know what is released at least.
 
Because the user must know it quickly when some kind of bugs and a revision of the security matched.  

Otherwise the reason is because the user will continue using it with having had serious malfunction.

Even if the automatic update is unnecessary, however, I think that it is necessary that It is notified of whether a new version is released at least.
I fully support Alice's request to at least NOTIFY the user...
There is currently NO WAY for a user that has sandboxed extensions installed on his machine to perform a global check on updates, just to know which ones have evolved. It is a painful operation, extension after extension.
Or maybe, more than just notifying, add the sandboxed new version to the list of to-be-updated extensions in the extension manager, but by UNCHECKING this extension in the list by default. Then no automatic update would occur, but the user can choose to include a new sandbox version all the same.

Should a new bug be open for that simpler purpose? 
I agree with Alice's request, specifically there should be a marking on the Tools, add-ons listing perhaps "Experimental" in red italics in describption area of list, or perhaps a solid green circle with a white "E" in lower right corner of the icon in listing.   Would also like something that can be easily added to extensions such as InfoLister (https://addons.mozilla.org/firefox/447/)
I'm just going to quickly mention that the request to at least notify users of experimental addons of sandbox updates has been filed.

https://bugzilla.mozilla.org/show_bug.cgi?id=481893
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.