A Tale of Woe, Updating NoScript in Firefox

[RxDDude]

Here is an account, as full and clear as I could make it, of what went down when this latest NOScript patch arrived, yesterday. Please look through this, and see if you experts can either find a "health" issue that I have missed, or can recognize any infection of malware. I will be having a hot cup of cocoa after a while.

... ... Firefox Help|About = v37.0.2 > Firefox Add-ons Manager offered to install update titled "NoScript 2.6.9.22.1-signed" to replace v2.6.9.22 > clkd Install Updates softbutton > instead of installing, result was a red-colored line: "There was an error downloading NoScript." [ Try again ] > clkd the [Try again] softbutton > no go, same message > multiple repeated tries, same results, no go > .. > later, ~8:00 PM - opened Firefox again > opened Add-ons Manager > Plugins are perhaps OK, same as usual > Extensions have 2 items > updates are proposed for "NoScript 2.6.9.22.1-signed" was 2.6.9.22, and Ghostery v5.4.5 Update was 5.4.4 > Extensions list shows Ghostery v5.4.5 installed, but NoScript unchanged > consulted FAQs and Forum and found some suggestions > the first was, to clear the browser's cache and try again > cleared Cache and ALL other items in the Clear History dialog, Everything, not only Cache > tried the Update in Extensions again > it showed, No updates found > restarted Firefox > the Informaction and NoSript sites do not show me anything after v2.6.9.22, that I have already installed > 2nd advice was, if the first didn't work, to open the about:config and set the Preference named xpinstall.enabled to the Boolean value of true > did open about:config and there was no such Preference in about:config > entering xpinstall into the Search slot produced four (4) Preference Names> two (2) of those were services.sync.prefs.sync.xpinstall.whitelist.required both with Status = default > the other two (2) were xpinstall.whitelist.add and xpinstall.whitelist.add.180, both with Status = user set > (am wondering - are these both good items?)> I entered a new Preference named xpinstall.enabled, and set the Type to Boolean and set the Value to true > then, returned to the list of Extensions and tried Installing the update to NoScript > same old result > at that point, tried UNINSTALLING NoScript v2.6.9.22, i.e., clkd on the stylized X at right end of NoScript's line > it opened a popup d-box that allowed for a choice to "remove all protections" > restarted Firefox > line in Extensions labelled NoScript 2.6.9.22 showed it to have been disabled > looked around and found something that offered the option to Remove > clkd that, to remove the NoScript line, and the line vanished from the list of Extensions > maybe it didn't vanish immediately, maybe because it needed to be restarted > whatever, I did exit Ffx, and then started it again from the Desktop QL bar > it came up with all its tabs loaded as at time of closing, but without any line named NoScript in the Add-on Manager's list of Extensions > in the tab set to show the FAQs, found the direct download link for the latest stable version and L-clkd on that link > a d-box popped up that offered to Install (without option to Save) the update > L-clkd to Install > restarted > updated to "NoScript v2.6.9.22.1-signed" was 2.6.9.22 > what a razzoo to have to go through!! >

Please give me any helpful advice you can find.

R and D Dude

[therube]

Seems to be teething problems on the AMO end.
(Expect more .)

The ".180", I'm assuming, relates to a specific extension?
Which, I wouldn't know?

[barbaz]

AMO problem, they're gonna force addon signing in Firefox soon so they're trying to update you to signed versions of the addons now already but some addons can't download from the updater for whatever reason so you have to go to each of those addons' AMO pages to download them and you should be good

(Jeez, that is one hard-to-read huge wall of text you posted there! )

[Giorgio Maone]

It also seems Mozilla is (temporarily) reverting to unsigned because of compatibility problems with ESR
It's quite a mess...

[vasymedoisa]

hi, what means noscript signed?

[barbaz]

It means that stuff has been added to the NoScript xpi such that it's now possible to verify whether the contents of the NoScript xpi has been tampered

also see https://hackademix.net/2013/07/20/noscr ... -unsigned/ , where 2 years ago things were such that Giorgio had decided to remove the signing that was previously there

[vasymedoisa]

It seems good, also more trustworthy, deeply verified.

[barbaz]

It seems good, also more trustworthy, deeply verified.

Sure.. that's the good side... but this isn't all good... http://forums.mozillazine.org/viewtopic ... &t=2907359

[Latest Dev User]

Would Giorgio clarify:

Having been persuaded for many years that the latest is a better cover than the AMO release, we get our NS for all new and repaired installs here:

Code: Select all

https://secure.informaction.com/download/betas/noscript-x.x.x.x.xpi

How will the new signing regime affect this way of installing/updating?
We hope NS users won't have to jump through even more hoops to continue to support Firefox outside the grip of Moz Corp.
We also hope that Giorgio won't have to jump through similar hoops to continue to provide trusted beta access.

[Latest Dev User]

If we didn't make it clear in the above post:

We prefer to go to the site of NS's dev for the new install because past experience has AMO's dev channel link being more likely to be slow, not up to date, down.
Will we be forced to use only the AMO site for getting the signed extension now?

[barbaz]

(You can also use the unbranded Firefox builds where signing enforcement can be disabled)

[Latest Dev User]

(You can also use the unbranded Firefox builds where signing enforcement can be disabled)

We'll be pleased if that becomes a reliable Official Channel.
We could build our own from source. But I'm not that kind of user. I participate and learn because the Firefox system's made it easy to do so with enthusiasm and a little guidance. Until now.
We will most likely move to SM in the meanwhile... If AMO gets its signing act together - which seems a little unlikely so far.

Not wishing to be too cynical, but we understand that Moz Corp wants this move to control extensions in-house to be understood as being for primarily altruistic motives - Moz Corp protecting the little user, with its own User Agreement with extension devs, from rapacious and exploitative greyware toolbar and similar vendors who use their own User Agreement to claim that users have agreed to their extension installations; the Moz blog post from Veditz:
The Case for Extension Signing | Mozilla Add-ons Blog

Code: Select all

https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/

we have many documented cases of add-ons disabling the mechanisms through which we inform users and give them control over their add-ons. By baking the signing requirement into the executable these programs will either have to submit to our review process or take the blatant malware step of replacing or altering Firefox. We are sure some will take that step, but it won’t be an attractive option for a Fortune 500 plugin vendor

my emphasis (I think he includes extensions when he uses 'plugin')

makes it pretty clear that the push for signing is to make the Fortune 500 players, that is to say the ones who actually do have more than million users for their extensions - like AV companies, News sites, who mostly bundle their extensions with their own wares - shape up to the Moz user-inform ethos... so as to reduce drive-by installs and similar confusing runtime changes made possible in those adware vendors' sloppy monkey patching. In other words, Moz Corp is going the lawyers path. The adware can still get installed, Moz is simply covering its tiny bum. Has it been told by lawyers? Who knows.

So...Moz Corp couldn't really care less about the old phalanx of Fx users who're comfortable with Fx and know what flags and processes to watch out for in their enjoyment of the informal addons ecosystem that they have participated in and made their own secure kind of informal network for years .... those of us who kind of know that if it's got 'toolbar' in the name, it's not an extension for them. There's a reason that Fx addons have flourished and it's because testing is made so easy for users. Not even the introduction of the Addons Compatibility extension scared us off completely.
Nor could Moz Corp really care much about users who don't get addons either from AMO or through "respected" Fortune 500 vendors...Veditz says as much:

[...]the blatant malware step of replacing or altering Firefox. We are sure some will take that step,

(unspoken, but understood - "we have no intention of doing more than maybe blacklisting for those poor idiots")

Now, if an extension adopter wants to be an early adopter/tester for a dev, they have 2 choices - Buckley's and None; either they go round the houses to find the unbranded 'official' build - pssst, what are you going to call it chaps? will you need to get downloaders to sign waivers? - and go ahead with testing outside the recognised AMO channels, or they desert the devs for 'easier' install of Fx compatibility and signed extensions.

Not many devs will get enough testers after this to avoid release disaster we reckon. There already aren't that many AMO hosted extensions with enough users to test properly. The whole ecosystem may implode to the advantage of Corporate vendors. Hope it doesn't go that way, but there is a finite risk that it will. DRM figures in there too, and we don't doubt that Moz Corp lawyers have advised how to prepare AMO to manage that as well.
Or maybe Moz Corp knows that Firefox is really popular with the big Corporate extensions and is backing that horse now. Good luck to them if that's their bag. It might pay the wages for a few years.