Don't warn about unsigned extension installed via Debian packages

Bug #1532484 reported by Benjamin Drung on 2016-01-09
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
firefox (Debian)
Fix Released
Unknown
firefox (Ubuntu)
High
Unassigned

Bug Description

"Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we
already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1]

Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification.

So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it.

This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44).

[1] https://bugs.debian.org/800150

Benjamin Drung (bdrung) on 2016-01-09
Changed in firefox (Ubuntu):
importance: Undecided → High
Chris Coulson (chrisccoulson) wrote :

This isn't something that we're going to be changing in Ubuntu

Changed in firefox (Ubuntu):
status: New → Opinion
Benjamin Drung (bdrung) wrote :

Why?

Firefox introduces Tivoization for all extensions (like ubufox) and does not provide more security. Everyone who can write to /usr/{lib,share}/mozilla/extensions can probably also modify the system files of Firefox to introduce malicious code there.

Changed in iceweasel (Debian):
status: Unknown → Fix Released
Alkis Georgopoulos (alkisg) wrote :

This is fixed in Debian, why can't we apply the patch in Ubuntu?
@chrisccoulson, could you please provide some reasoning behind "This isn't something that we're going to be changing in Ubuntu"?

@bdrung, I have the following xul extensions installed:
xul-ext-adblock-plus 2.7.1+dfsg-1~ubuntu
xul-ext-ubufox 3.2-0ubuntu1
...why is xul-ext-ubufox trusted by firefox, while adblock isn't?
Does Canonical send <email address hidden> to be signed by Mozilla?

Thanks!

Mantas Kriaučiūnas (mantas) wrote :

Please accept patch from Debian - there are lots of cases, when system administrators must install firefox extension for all users, for example flashblock and adblock are widely used in schools and other educational institutions, also this is a regression, because all Ubuntu LTS versions allowed to use extensions from deb packages, see bug #1507494 (Extensions stopped working (Ubuntu 12.04 LTS)

Changed in firefox (Ubuntu):
status: Opinion → Confirmed
tags: added: patch

This bug potentially makes about a dozen extensions packaged for Xenial completely useless. Of the four I have installed, only the ubufox one is enabled. The other three are disabled without any means of enabling them (system-wide).

If this isn't going to be fixed in Ubuntu, I think at least the maintainers of these, now utterly useless, packages deserve an explanation.

For the record, I installed ublock-origin, y-u-no-validate and https-finder to make our browsing a more pleasant and safer activity. So far, no such luck. And without so much as a warning. :-(

Mantas Kriaučiūnas (mantas) wrote :

This bug was fixed in Debian 10 months ago, in Firefox 43, why Ubuntu developers doesn't accept 2 lines patch, which is accepted in Debian since December 2015?

 iceweasel (43.0-1) experimental; urgency=medium
  * New upstream release.
[...]
  * toolkit/mozapps/extensions/internal/XPIProvider.jsm: Allow unsigned
     addons in /usr/{lib,share}/mozilla/extensions. Closes: #800150.

There are lots of cases, when system administrators must install firefox extension for all users, for example flashblock and adblock are widely used in schools and other educational institutions, also this is a regression, because Ubuntu 14.04 and 12.04 LTS versions allowed to use extensions from deb packages, see bug #1507494 - Extensions stopped working (Ubuntu 12.04 LTS)

affects: iceweasel (Debian) → firefox (Debian)
Mantas Kriaučiūnas (mantas) wrote :

What could I do to help Ubuntu developers accept this 2 lines patch from Debian?
Now there are no way to install Firefox extensions for all users, but this is critical for schools, other educational institutions and enterprise use, please, accept 2 lines patch from Debian.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.