Another fun thing to note is that because they have delisted the addon, users may also struggle to work out what is going on, which really goes against the whole "let's update this critical security preference" thing.
If they had left us listed but only with older versions we could have at least left a message in the addon description telling people about the issue and how to manually revert the preference for people who care. And obviously we would have done so if asked.
I'm just annoyed that my fears of losing the ability to implement and use powerful Firefox extensions, ever since Mozilla instituted the extension walled garden, are slowly but surely coming true.
Just to stave off any possible confusion: the title of this submission talks about the possibility of existing installations getting forcefully removed from users' browsers. This has so far not happened. What happened is that Tridactyl disappeared from https://addons.mozilla.org.
I think the three comments from this one[1] down summarise the overall issue well.
[1]: https://github.com/tridactyl/tridactyl/issues/1800#issuecomm...
After appealing the first reviewer's decision, we appealed to the amo-admins who basically said "we agree with reviewer 1 and will reject affected versions of the addon".
Apparently they have decided that all of our addon versions ever are affected (which is not really true) and have delisted the entire addon.
Further, they have asked us to also remove another opt-in feature that disables some CSP protections so that Tridactyl can insert its own UI into e.g. raw.githubusercontent.com. This is required because webextension content can still be blocked by a site's CSP setting; supposedly this is fixed in Firefox 69, but our testing is inconclusive and the new Firefox ESR is 68 anyway.
Our intention is to make Tridactyl compatible with the AMO reviewers' requests for the sake of our users, but we're all very busy and none of us really wants to make these (in our opinion) overly invasive and unnecessary changes.
Our understanding is that users who have already installed Tridactyl will continue to have it installed and that new users will not be able to install it or find it on the AMO (where it has been removed with no explanatory text), but they can follow instructions on our GitHub repo to install it fairly easily.
We believe that the AMO reviewers' choices do not serve the community and that a more suitable response would be to ask us to display prominent warnings over these features for our users and ask for their re-informed consent for their continued use.
We also note that loads of other extensions (including Mozilla-recommended addons) talk about the very same config settings that we have been delisted for on their AMO pages![2]
[2]: https://www.google.com/search?q=site:addons.mozilla.org+exte...
Just deleting the features and undoing the changes for all users (as Mozilla has asked us to do) means that Mozilla is forcing our users to adopt a risk model and level of risk aversion that I think is not actually appropriate for the majority of our users. If we want to trade a little security for functionality we should be able to do that.