Yes, @mozilla makes mistakes (same as the rest of us humans). And yes, their last one was ugly. But, still, they're the only ones in the browser business trying to do the right thing. So I'll keep using Firefox, Focus, Send, and the rest of cool software they produce.
@slp it gets the job done.
Mistakes are ok.
But then, the way they deploy the fix to that mistake shows that they're not making a web browser, they're making a botnet.
@Wolf480pl Hm... sorry, I'm a bit lost here, why do you think that?
As I've already said in another thread, I'm worried that Mozilla has more control of the browser than the user.
The fix was deployed through Shield Studies, and was automatically installed w/o the users' knowledge.
And if they can change intermediate certs through shields studies, who knows what else they can control remotely.
At the same time, there was no manual override the user could apply w/o Mozilla's fix.
@Wolf480pl I do see your point here. I guess they'll justify their actions as a way to get their non-power users to install the fix, but it's still a bit ugly.
@slp maybe there should just be a separate web browser for power users.
I can see how for some people, having someone else remotely manage the application they've installed would be not just acceptable, but also very convenient.
But not for everyone.
@Wolf480pl Well, there's IceCat fro GNU, and I personally use Fennec on Android and a flatpak build on GNU/Linux (with flatkvm), but of course none of them are officially supported by Mozilla.
Actually – if they had another way to push you code with studies disabled – *that* would be concerning…
So it's seriously the best they could do. They f*** up, but handled this very good afterwards…
see here for what this feature is intended to be used (except of hot fixes, where you could see in this example it was important): https://wiki.mozilla.org/Firefox/Shield/Shield_Studies
These studies also go through an approval process, are obviously FLOSS and users can view them via about:studies locally.
And again, this example demonstrated how useful it was…
I use a distro, and I want all installed software and all updates for it to come through distro repositories unless I say otherwise, and to come only when I explicitly tell my package manager to do an update.
The "no user action required" is precisely what I consider problematic.
@rugk On dev edition you can't disable shield studiers IIRC?
Also, if a piece of malware can change arbitrary about:config settings, can't the same piece of malware edit my .bashrc, i.e. I'm already pwned and there's no point trying to defend firefox extensions?
@Wolf480pl Yes, it's rather about adware that e.g. changes your home page. Think of the 80% (number guessed) of Windows Firefox users, for those this is a problem. Likely not for you.
And this was not about shield studies, you can always disable it. It was about requiring signatures for add-ons.
@rugk on windows that adware will just replace the Firefox shortcut on desktop and put an url as an argument.
I'm just asking for my software to obey me, is it that much?
@Wolf480pl yeah, no, adware has not yet gone soo far as far as I saw. That would be too malware-like. (also needs to install a whole clone/copy of Firefox then)
This would likely get it flagged by AVs or so…
No need for new copy of Firefox, just replace the .lnk file on the desktop.
I've seen that happen on my family's computer.
@Wolf480pl well but where should the link go to? It must open a browser or what?
Ah okay, just a website. Okay, that is easy and nefarious…
But could still be argued to be too much like malware if they try to spoof Firefox' identity. Could also get them into legal trouble (trademark law).
But well… we are talking about add-ons. Add-ons can do more than just changeing home pages. Search provider, toolbars/hijack [DNS] whatever…
Thing is... There's a point where enough is enough, and for me that was crossed for good. They can't keep messing up and then expect people to just go with it.