Ubuntu
firefox package

Don't warn about unsigned extension installed via Debian packages

Bug #1532484 reported by Benjamin Drung on 2016-01-09

This bug affects 5 people

Affects		Status	Importance	Assigned to	Milestone
	firefox (Debian)	Fix Released	Unknown	debbugs #800150
	firefox (Ubuntu)	Confirmed	High	Unassigned

Bug Description

"Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we
already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1]

Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification.

So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it.

This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44).

[1] https://bugs.debian.org/800150

Tags:

Benjamin Drung (bdrung) on 2016-01-09

Changed in firefox (Ubuntu):
importance:	Undecided → High

Revision history for this message

Chris Coulson (chrisccoulson) wrote on 2016-01-09:

This isn't something that we're going to be changing in Ubuntu

Changed in firefox (Ubuntu):
status:	New → Opinion

Revision history for this message

Benjamin Drung (bdrung) wrote on 2016-01-09:

Allow-unsigned-addons-in-usr-lib-share-mozilla-exten.patch Edit (918 bytes, text/plain)

Revision history for this message

Benjamin Drung (bdrung) wrote on 2016-01-09:

Why?

Firefox introduces Tivoization for all extensions (like ubufox) and does not provide more security. Everyone who can write to /usr/{lib,share}/mozilla/extensions can probably also modify the system files of Firefox to introduce malicious code there.

Bug Watch Updater (bug-watch-updater) on 2016-01-10

Changed in iceweasel (Debian):
status:	Unknown → Fix Released

Revision history for this message

Alkis Georgopoulos (alkisg) wrote on 2016-02-17:

This is fixed in Debian, why can't we apply the patch in Ubuntu?
@chrisccoulson, could you please provide some reasoning behind "This isn't something that we're going to be changing in Ubuntu"?

@bdrung, I have the following xul extensions installed:
xul-ext-adblock-plus 2.7.1+dfsg-1~ubuntu
xul-ext-ubufox 3.2-0ubuntu1
...why is xul-ext-ubufox trusted by firefox, while adblock isn't?
Does Canonical send <email address hidden> to be signed by Mozilla?

Thanks!

Revision history for this message

Mantas Kriaučiūnas (mantas) wrote on 2016-03-15:

Please accept patch from Debian - there are lots of cases, when system administrators must install firefox extension for all users, for example flashblock and adblock are widely used in schools and other educational institutions, also this is a regression, because all Ubuntu LTS versions allowed to use extensions from deb packages, see bug #1507494 (Extensions stopped working (Ubuntu 12.04 LTS)

Changed in firefox (Ubuntu):
status:	Opinion → Confirmed

Ubuntu Foundations Team Bug Bot (crichton) on 2016-03-15

tags:

added: patch

Revision history for this message

Olaf Meeuwissen (olaf.meeuwissen) wrote on 2016-05-10:

This bug potentially makes about a dozen extensions packaged for Xenial completely useless. Of the four I have installed, only the ubufox one is enabled. The other three are disabled without any means of enabling them (system-wide).

If this isn't going to be fixed in Ubuntu, I think at least the maintainers of these, now utterly useless, packages deserve an explanation.

For the record, I installed ublock-origin, y-u-no-validate and https-finder to make our browsing a more pleasant and safer activity. So far, no such luck. And without so much as a warning. :-(

Revision history for this message

Mantas Kriaučiūnas (mantas) wrote on 2016-08-30:

This bug was fixed in Debian 10 months ago, in Firefox 43, why Ubuntu developers doesn't accept 2 lines patch, which is accepted in Debian since December 2015?

iceweasel (43.0-1) experimental; urgency=medium
  * New upstream release.
[...]
  * toolkit/mozapps/extensions/internal/XPIProvider.jsm: Allow unsigned
     addons in /usr/{lib,share}/mozilla/extensions. Closes: #800150.

There are lots of cases, when system administrators must install firefox extension for all users, for example flashblock and adblock are widely used in schools and other educational institutions, also this is a regression, because Ubuntu 14.04 and 12.04 LTS versions allowed to use extensions from deb packages, see bug #1507494 - Extensions stopped working (Ubuntu 12.04 LTS)

affects:

iceweasel (Debian) → firefox (Debian)

Revision history for this message

Mantas Kriaučiūnas (mantas) wrote on 2016-10-20:

What could I do to help Ubuntu developers accept this 2 lines patch from Debian?
Now there are no way to install Firefox extensions for all users, but this is critical for schools, other educational institutions and enterprise use, please, accept 2 lines patch from Debian.