
How is it possible for add-ons to be proprietary

Posted: Sat Feb 17, 2018 11:08 am
by rehash
As is explained here https://forums.informaction.com/viewtopic.php?p=9212 the XPI format for Firefox add-ons contains in a ZIP archive the source code of the add-on. One would therefore expect that all add-ons distributed with XPI files (as on https://addons.mozilla.org/en-US/firefox/ ) would be open source, since their source code is compelled to be released in this format. However that is not the case. A good example is the well-known Ghostery add-on https://addons.mozilla.org/en-US/firefo ... /ghostery/. This rant https://www.linux.com/news/annoyances-p ... extensions about proprietary add-ons makes it clear add-ons can be and some are proprietary. In fact under point 6 of the Firefox Add-on Distribution Agreement https://developer.mozilla.org/en-US/Add ... /Agreement Mozilla only encourages developers to make add-ons available under open source licenses.

So what's the deal here? If an add-on's source code is released with an XPI file, as it must be in order for any user to be able to install the add-on, how can some add-ons be proprietary?

Re: How is it possible for add-ons to be proprietary

Posted: Sat Feb 17, 2018 8:04 pm
by barbaz
We don't make proprietary addons. Why ask here?

Re: How is it possible for add-ons to be proprietary

Posted: Sun Feb 18, 2018 7:11 am
by GµårÐïåñ
Might be best for you to understand what you are talking about first. It is not the addon that is necessarily proprietary but rather parts of its code, or libraries it relies on, that might be, and that is perfectly valid. The open source of the addon is the part that does the job; if it calls a piece of code that belongs to a closed library, then it might be necessary enough for them to use it and that part is not open. Everything you see inside an XPI is the source of the addon. Now, just because an addon is open source doesn't mean you are free to take it and rip it off and do what you want with it, because the concept, architecture, design and so on are very much the property of the person who developed it and in that essence, yes, proprietary. Unless an open source is published under a license that allows you to "fork it", then just because you can see and contribute to the code doesn't mean you are welcome to use it, it is therefore proprietary.

Re: How is it possible for add-ons to be proprietary

Posted: Thu Feb 22, 2018 9:52 pm
by rehash
I know you don't make proprietary add-ons here and did not suggest otherwise. I asked, because from the first thread it was apparent that a number of people don't fully understand how the add-on system works. I also wasn't trying to make any statements and I'm not sure where you see them, everything has a reference. I was just hoping to find some answers, because I haven't found any resources that would explain this in a way that non-developers would understand. I asked here, because the first thread touched upon the subject already. My thread is in Web Tech, not associated with a specific add-on. I don't see any harm in a discussion and clarification of these matters, but if you feel that this brings the wrong kind of attention you're free to lock and delete this thread, I can cope with that and it's not my forum. The response to the first thread seems to me overly defensive and I'm sensing some of the same sentiment here. Not everyone understands this stuff, so why complain and tell them to go somewhere else, if you have a general-themed part of the forum for this type of question :| ? If anyone understands this better or knows of any resources that would shed some more light on it I'd be grateful to know. Thank you :D

Re: How is it possible for add-ons to be proprietary

Posted: Fri Feb 23, 2018 12:48 am
by barbaz
rehash wrote:I know you don't make proprietary add-ons here and did not suggest otherwise. I asked, because from the first thread it was apparent that a number of people don't fully understand how the add-on system works. I also wasn't trying to make any statements and I'm not sure where you see them, everything has a reference. I was just hoping to find some answers, because I haven't found any resources that would explain this in a way that non-developers would understand. I asked here, because the first thread touched upon the subject already. My thread is in Web Tech, not associated with a specific add-on. I don't see any harm in a discussion and clarification of these matters, but if you feel that this brings the wrong kind of attention you're free to lock and delete this thread, I can cope with that and it's not my forum. The response to the first thread seems to me overly defensive and I'm sensing some of the same sentiment here.
Seems the only overly defensive person here is you.
rehash wrote: If anyone understands this better or knows of any resources that would shed some more light on it I'd be grateful to know. Thank you :D
See https://forums.informaction.com/viewtop ... 942#p95942

Re: How is it possible for add-ons to be proprietary

Posted: Fri Feb 23, 2018 1:14 am
by GµårÐïåñ
rehash wrote:... I was just hoping to find some answers, because I haven't found any resources that would explain this in a way that non-developers would understand. ... If anyone understands this better or knows of any resources that would shed some more light on it I'd be grateful to know. Thank you :D
My entire response was to explain this to you.

Re: How is it possible for add-ons to be proprietary

Posted: Tue Mar 13, 2018 6:34 pm
by rehash
@GµårÐïåñ: Your post has been edited and in it there was talk of me making statements without due diligence. But thank you for answering me. EDIT: testing if edit notification is appended to post

You say an add-on may rely on proprietary code or libraries, but where could they be located in the Mozilla ecosystem? XPI files are open source, as is Firefox. Must any proprietary code then be openly released in an XPI file and only licensed under a proprietary license in order for it to be able to become a part of any add-on for Firefox? Or can add-ons just fetch proprietary code online somewhere?

Re: How is it possible for add-ons to be proprietary

Posted: Tue Mar 13, 2018 6:52 pm
by GµårÐïåñ
rehash wrote:You say an add-on may rely on proprietary code or libraries, but where could they be located in the Mozilla ecosystem? XPI files are open source, as is Firefox. Must any proprietary code then be openly released in an XPI file and only licensed under a proprietary license in order for it to be able to become a part of any add-on for Firefox? Or can add-ons just fetch proprietary code online somewhere?
The XPI and the delivery system on Mozilla is open sourced, as is usually the driver code for each add-on (what makes it do what it does, often contained in .js files). However, sometimes they rely on COMPILED embedded libraries or code that come from outside repositories that are NOT open source (although many are, and can be viewed on their own GIT) which are either open or specifically licensed to be included in another project. That is the proprietary portion of it. For example, when you find things like .com, .exe, .dll, etc. files within an XPI package, it means the source is either closed, external or proprietary. So yes, the compiled component is openly released as part of the package, but the source of it is not. That doesn't make the add-on itself not open source, just any external library that it might be using to deliver their functionality.

Re: How is it possible for add-ons to be proprietary

Posted: Sat Mar 24, 2018 9:01 am
by rehash
That makes it really tricky to know if by using an add-on you're running closed source code, doesn't it? You can't even tell by looking at the add-on's license! How can a layman tell if an add-on makes use of closed source code? Is it enough to just look at the file extensions inside the XPI? If that's the case you need a whitelist. Where could I find a list of common file extensions used in XPI add-ons that can be relied on to contain only open source code? Your example with exe or dll files inside XPI files doesn't actually happen, because Firefox can't run Windows executables and doesn't use OS-specific extensions, right?

Re: How is it possible for add-ons to be proprietary

Posted: Sat Mar 24, 2018 3:00 pm
by barbaz
rehash wrote: Your example with exe or dll files inside XPI files doesn't actually happen, because Firefox can't run Windows executables and doesn't use OS-specific extensions, right?
Legacy addons definitely can do that. Not sure about WebExtensions.

Re: How is it possible for add-ons to be proprietary

Posted: Sat Mar 24, 2018 8:55 pm
by GµårÐïåñ
rehash wrote:That makes it really tricky to know if by using an add-on you're running closed source code, doesn't it? You can't even tell by looking at the add-on's license! How can a layman tell if an add-on makes use of closed source code? Is it enough to just look at the file extensions inside the XPI? If that's the case you need a whitelist. Where could I find a list of common file extensions used in XPI add-ons that can be relied on to contain only open source code? Your example with exe or dll files inside XPI files doesn't actually happen, because Firefox can't run Windows executables and doesn't use OS-specific extensions, right?
Yes indeed. As @barbaz already stated, many of the old XUL/NPAPI/JetPack based addons did in fact do that and it was considered a user benefit in many cases, as they could accomplish things within the browser that were not within the capability of the browser itself. Of course, over time it became evident that such things could provide an attack vector that was decided ultimately to not be acceptable. The first attempt was to deprecate JP mostly, then to neuter XUL a bit, and ultimately to shut off access to NPAPI altogether. The new iteration in this is to make everything WebExt so they are basically glorified GM scripts running within a browser sandbox and act within a restricted environment with no more access to the broader environment, which has made things like DTA and potentially even FlashGot difficult to replicate in parity to their original iteration, effectively leading to them slowly all dying off, unless something can be achieved with newer API to replace that functionality. That all being said, there is really no way to be sure that an addon is 100% open source (as in it uses no other library whatsoever) short of checking each one yourself.

Re: How is it possible for add-ons to be proprietary

Posted: Wed Mar 28, 2018 11:43 am
by rehash
What about platforms other than Windows? Running exe files wouldn't work and I've never heard of add-ons limited to an operating system.

Is it enough to check the list of files contained in an XPI file to get an indication that proprietary code may be included? Or is the only sure way to read all the code in each file?
What I'd like to be sure of is what places proprietary code could be hidden at. As I understand all readable code in an XPI file is open. So in what forms can proprietary code (executables, libraries, etc.) be included? Can it only come in stand-alone files? Or can an add-on source file contain open source and proprietary code at the same time? Can proprietary code be fetched online somewhere, the command to do so being given transparently in the open source code of the add-on? In some other form?

Re: How is it possible for add-ons to be proprietary

Posted: Wed Mar 28, 2018 3:22 pm
by barbaz
rehash wrote: I've never heard of add-ons limited to an operating system.
They can be, for example https://addons.mozilla.org/addon/ie-tab/ and https://addons.mozilla.org/addon/minimizetotray/ are Windows-only.
rehash wrote:is the only sure way to read all the code in each file?
Even that wouldn't be enough. You'd also have to read the licenses. And for non-human-readable components where the source code isn't bundled with the XPI, you'd have to look for the source code.
rehash wrote:can an add-on source file contain open source and proprietary code at the same time? Can proprietary code be fetched online somewhere, the command to do so being given transparently in the open source code of the add-on? In some other form?
All of this is possible, yes.

Re: How is it possible for add-ons to be proprietary

Posted: Wed Mar 28, 2018 7:29 pm
by GµårÐïåñ
I refer you to what @barbaz so elegantly stated.

Re: How is it possible for add-ons to be proprietary

Posted: Sun Apr 01, 2018 6:43 pm
by rehash
So in conclusion the only way to be sure that by using an add-on you're running only free open software is to check:
  • its license
  • that all files in its XPI are source files and not binary files
  • every last line of its source code, because in one line it can fetch proprietary unknown code and execute it
This is a security and privacy nightmare. Is there any control over add-ons that are offered on addons.mozilla.org and over what they really do? Who checks this and how - for each new version? How can a user know which add-ons are trustworthy?
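
The file-level part of the checklist above, as an added Python example that is not part of the original thread: it walks an XPI (a ZIP archive), flags native binaries by magic bytes rather than by file extension, and searches script files for constructs that can execute code not shipped in the package. The sample archive, the pattern list and the function names are constructed for illustration; the patterns are a heuristic, and licenses and the code itself still have to be read.

```python
import io
import re
import zipfile

# Magic bytes of native or compiled formats: no readable source in the file.
NATIVE_MAGIC = {
    b"MZ": "PE (Windows exe/dll)",
    b"\x7fELF": "ELF (Linux/Unix)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (macOS)",
    b"\x00asm": "WebAssembly",
}
# Common image formats are binary but are data, not code; skipped here.
MEDIA_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8")
SCRIPT_EXT = (".js", ".jsm", ".html", ".htm", ".xul")
# Heuristic only: constructs that can run code not shipped in the XPI.
DYNAMIC_CODE = re.compile(
    rb"\beval\s*\(|\bnew\s+Function\s*\(|<script[^>]+src\s*=\s*[\"']https?://")


def audit_xpi(xpi):
    """Return (member, finding) pairs for an XPI path or file object."""
    findings = []
    with zipfile.ZipFile(xpi) as archive:
        for info in archive.infolist():
            data = archive.read(info)
            if info.is_dir() or data.startswith(MEDIA_MAGIC):
                continue
            native = [label for magic, label in NATIVE_MAGIC.items()
                      if data.startswith(magic)]
            if native:
                findings.append((info.filename, "native binary: " + native[0]))
            elif b"\x00" in data[:4096]:
                findings.append((info.filename, "opaque binary data"))
            elif (info.filename.lower().endswith(SCRIPT_EXT)
                  and DYNAMIC_CODE.search(data)):
                findings.append((info.filename, "dynamic code loading"))
    return findings


def build_sample_xpi():
    """Constructed sample: a tiny in-memory XPI, not a real add-on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        z.writestr("background.js", "console.log('hello');\n")
        z.writestr("loader.js", "fetch(u).then(r => r.text()).then(t => eval(t));\n")
        z.writestr("components/helper.dll", b"MZ\x90\x00" + b"\x00" * 60)
        z.writestr("icons/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf
```

`audit_xpi` also accepts a path to a downloaded `.xpi` file; an empty result means only that none of these particular signals were found.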