Mozilla ponders policy change after Firefox extension battle (ars technica)

Posted May 4, 2009 22:09 UTC (Mon) by joey (subscriber, #328)
In reply to: Mozilla ponders policy change after Firefox extension battle (ars technica) by socket
Parent article: Mozilla ponders policy change after Firefox extension battle (ars technica)

> I use lots of plug-ins, and this is the first time I've really felt that I
> should be auditing the code when it asks me to upgrade a plugin

This is a good reason to put plugins in distributions. Then the distro maintainers can do whatever code auditing is required, and in a case such as this fiasco, bugs can be filed on the distribution to get it fixed there.

I'm happy to be able to install packages from my distro (Debian) for adblock plus, firebug, and several other popular browser plugins. (There's also a package for noscript, though I don't use it.)



Mozilla ponders policy change after Firefox extension battle (ars technica)

Posted May 4, 2009 22:28 UTC (Mon) by joey (subscriber, #328)

After posting that, I took a look at the changelog for mozilla-noscript in Debian and found this amusing bit:

> * Does not redirect on upstream author page after upgrade. closes: #433032
>
> -- Arnaud Renevier <arenevier@fdn.fr> Sat, 14 Jul 2007 11:29:30 +0200

That sets noscript.firstRunRedirection to false, disabling noscript's behavior of opening the ad-laden noscript.net page after being upgraded, which AIUI was the main original behavior the adblock guys objected to.

Does not work.

Posted May 5, 2009 6:30 UTC (Tue) by khim (guest, #9252)

> This is a good reason to put plugins in distributions. Then the distro maintainers can do whatever code auditing is required, and in a case such as this fiasco, bugs can be filed on the distribution to get it fixed there.

Does not work. Remember mICQ fiasco?

Does not work.

Posted May 6, 2009 17:20 UTC (Wed) by branden (subscriber, #7029)

Upstream authors putting trojans in the software is not a problem unique
to packaged web plugins. It can (and has) happened to other software:

http://cm.bell-labs.com/who/ken/trust.html

The remedies in situations like the mICQ fiasco are social, not
technological. I submit that in that case, the author didn't really want
a free software license on his code, but wanted to take advantage of (some
of) the distribution channels a free software license would have opened to
him. Instead of being mature and thoughtful by deciding to take his code
proprietary, he lashed out with a Trojan Horse.
