Comment 7 for bug 1937343

Lorem Daijoh (lorem-daijoh) wrote :

It's not like setting MOZ_REQUIRE_SIGNING to false would allow running unsigned extensions outright. There is also the about:config setting xpinstall.signatures.required, which is true by default and needs to be set to false by the user before unsigned extensions can be installed.

The about:config setting is behind a grave warning about security ramifications if tampered with. Still, if a user attempts to install an unsigned extension, they are met with another warning dialog, and even after accepting that, the extension is marked with a big warning label about being unverified in the add-ons manager. There is no way a user could install an unsigned extension by mistake.

And indeed this "security hole" has been around for the last 5 years, yet there appear to be no related exploits. The bug certainly does not mention any.

As mentioned, the official way around this is to install one of the Firefox versions that has MOZ_REQUIRE_SIGNING set to false by default. On Windows that might be reasonable. However, none of these are available in Ubuntu's repositories. It is not a big hassle to install them from Mozilla's own sources, but those installations will be user specific, are not covered by the usual update system and are missing any distribution-specific patches. The options left for Ubuntu users (or Linux distro users in general) are not reasonable.

So that's my take on the reasonability of this. I was really hoping a more balanced approach could be taken.