If I understand the timeline correctly here, it seems that gorhill overreacted, and I say that as someone who is usually harshly critical of everything Mozilla has done in the past 5+ years. It's hardly practical for Mozilla to manually review every add-on revision for safety in a timely manner, so they had the choice between automation and delays that would make add-on development a slog; automation though inevitably will cause false positives.
What's the alternative? No pre-release review at all? As a user I would hope that this will not be the case, especially now that we have confirmation that flashy supply chain attacks are being executed in the wild. In fact the review policy protects gorhill himself too, since it makes him a bit less attractive as a target for a rubberhose attack (no point in blackmailing him to put in spyware if the spyware would be caught before release).
I think it’s reasonable to expect that one of Firefox’s most popular extension publishers gets a higher tier of review service. Gorhill (and other top extension devs) are providing real value to Firefox, and have demonstrated good behavior for years.
This doesn’t mean they should get to publish whatever they want, but if a reviewer is about to reject a high profile plugin, they should get a second set of eyes on it. Which would have obviously caught the mistake here.
Feels like another “Firefox is underinvested in developer relations” story, which is surprising given how much they rely on them.
Edit: honestly the idea that gorhill doesn’t have a dedicated rep at Mozilla is baffling to me. According to their stats the extension has 8.4 million users. They should call him on the phone to let him know there’s a problem with his extension.
I'd go as far as to say it's my lifeline for a smartphone. Outside of sleep-or-shitposting like this, I don't use the thing.
I live as if it were a couple decades ago, working on a desktop computer. I've bought several laptops and failed to modernize. My entire life depends on the Internet and all of that, I'd prefer more distance to be honest.
you mean, this isn't about uBlock Origin though. Just uBlock Origin Lite.
plain old uBlock is another add-on which may no longer exist. (uBlock was the original original, but the same developer, gorhill, mistakenly let it slip into the wrong hands and it became a pay-to-play leaky ad blocker)
But this is not about a high profile plugin. The high profile plugin is "uBlock Origin", and this is about "uBlock Origin Lite", which is a big thing for Chrome, but not for Firefox. Why would anyone want to use uBOL, when they have the option to use uBO?
Perhaps Mozilla does have a higher tier of review, but it's for specific plugins, not for specific authors.
Generally, anything published by the guy who maintains your most-installed plugin is by definition high profile. That’s why we’re talking about this case on HN.
If Mozilla is providing tiered support by plugin rather than publisher, this latest kerfuffle is evidence that they should reconsider the approach. But if I were betting, I’d guess there’s no one at Mozilla whose job responsibilities include keeping their marquee plugin authors happy.
And, in contrast, that job (or parallel jobs for different 'online stores') definitely exist at Google and Microsoft. At Google, there's a whole army of open-secret glad-handlers for liaising between high-profile or high-relevance Cloud customers and the development teams inside Google that work on Cloud (because sometimes a customer comes up with a novel way to use the tool that exposes the cracks in the abstraction and lets the underlying implementation leak out undesirably). Customers don't get to choose to be handled that way (though they can, of course, indirectly signal it by how much money they spend); it's Google's decision to maximize company value / security.
If it is, indeed, the case that they don't bump the entire account to a higher tier of service if one of their products justifies it, they've fundamentally conflated the technology with the humanity of the system and this is a predictable consequence.
They're the browser with 2% market share.
They're lucky he didn't also pull uBlock Origin because he felt insulted and let users figure it out. He doesn't owe Mozilla their tent-pole of "We make it harder for third-parties to track you", the tent-pole he set up for them for free.
We all agree that this case is a very bad outcome for Mozilla.
What I don't agree with, is that a system that is based on higher tiers for entire accounts, is necessarily better. If such a tier exists, then all the big players will apply pressure to be put in that tier. Suppose Amazon tries for that - surely they'll get it. And then they'll use it, not just for "the Amazon app", but for every crappy outsourced app they make for any purpose. Placing a huge burden on Mozilla, who now will have to spend extra resources to hand-check a lot of crap that could have been auto-rejected, just in case, because effectively the burden of proof has been shifted.
I'd like you all to try to abstract from this case for a second, and think about the strategic choice: Which is the better rule, evaluating apps, or evaluating accounts. Sure, now you're all thinking that you'll make a super-duper amalgam system that looks at both in some combination. That's the benefit of hindsight. But suppose you're making version 1, and you're keeping it simple. What would you start with?
> Which is the better rule, evaluating apps, or evaluating accounts
For now, evaluating apps.
... but only because gorhill decided not to go nuclear (and good on 'em for doing so). The unequal power dynamic you're painting of Amazon exists today, whether or not Amazon attempts to pressure Mozilla right now; they're at their discretion to decide that they'll only support a Firefox extension if Mozilla plays ball with a bunch of other crappy apps too (and then Mozilla can tell them to go pound sand, and then the users can't get to the Amazon app easily, and then someone writes a workaround... The human system is far, far squishier and more complicated than the technical system).
> But suppose you're making version 1, and you're keeping it simple.
Sadly, Mozilla does not have that luxury because they exist in an ecosystem of other corporations with web-store presences and it's incumbent upon them to be competitive if they want to survive in that configuration. If Google and Amazon can glad-hand high-value customers, Mozilla needs to learn how to do so also or risk those customers deciding the Mozilla ecosystem is more trouble than it's worth to participate in (because what do you get? 2% market share?).
But it's the same dev who's been active for over a decade and has a solid reputation. Users rely on these extensions. Removing a popular, well established extension without warning or apparently even making sure it was in violation of said policies to begin with is irresponsible.
And the specific extension in question being a popular ad/tracker blocker while Mozilla has been cozying up to the adtech industry lately and selling access to Firefox user data isn't a good look for Mozilla. Maybe Mozilla is just being grossly mismanaged but this is all getting noticeably suspicious.
> But this is not about a high profile plugin. The high profile plugin is "uBlock Origin", and this is about "uBlock Origin Lite", which is a big thing for Chrome, but not for Firefox. Why would anyone want to use uBOL, when they have the option to use uBO?
uBlock Origin requires giving the extension full read and write permissions on every site you visit, which is a huge liability, security-wise.
uBlock Origin Lite uses Manifest V3, which doesn't require providing those permissions to the extension.
Perhaps you trust gorhill with that power, but it's pretty understandable why others might not want to give that power to a third party.
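The permission gap this comment describes (MV2 blockers asking for read/write on every site, MV3 blockers running declaratively without host access) is something a store reviewer can check mechanically. The script below is an added example, not code from the thread, from Mozilla or from the uBlock projects; it audits a manifest object for broad host patterns, `webRequestBlocking`, and all-sites content scripts, and the two manifests it runs on are constructed samples, not the real uBO/uBOL manifests.

```javascript
// Added example: audit a WebExtension manifest for the powers discussed above.
// Run with: node audit.js

const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroadHostPattern(pattern) {
  return BROAD_HOST_PATTERNS.has(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  // MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
  const hostPerms = [
    ...(manifest.permissions || []).filter(p => p === "<all_urls>" || p.includes("://")),
    ...(manifest.host_permissions || []),
  ];
  const broad = hostPerms.filter(isBroadHostPattern);
  if (broad.length > 0) {
    findings.push({ severity: "high", reason: `read/write access on every site: ${broad.join(", ")}` });
  }

  const apiPerms = new Set(manifest.permissions || []);
  if (apiPerms.has("webRequestBlocking")) {
    // Extension code runs synchronously on every network request (MV2 only).
    findings.push({ severity: "high", reason: "webRequestBlocking: extension code sees and can alter every request" });
  }

  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroadHostPattern)) {
      findings.push({ severity: "medium", reason: `content script injected into all pages: ${(cs.js || []).join(", ")}` });
    }
  }

  if (apiPerms.has("declarativeNetRequest") && broad.length === 0) {
    // Declarative blocking: the browser applies the rules, the extension never sees page data.
    findings.push({ severity: "info", reason: "declarative blocking without host access" });
  }

  return {
    manifestVersion: manifest.manifest_version,
    broadHostAccess: broad.length > 0,
    findings,
  };
}

// Constructed sample manifests (assumptions for this example, not the real extensions).
const MV2_STYLE_SAMPLE = {
  manifest_version: 2,
  name: "blocker-mv2-sample",
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

const MV3_STYLE_SAMPLE = {
  manifest_version: 3,
  name: "blocker-mv3-sample",
  permissions: ["declarativeNetRequest", "storage"],
  host_permissions: [],
};

function report(manifest) {
  const result = auditManifest(manifest);
  console.log(`${manifest.name} (MV${result.manifestVersion})`);
  for (const f of result.findings) console.log(`  [${f.severity}] ${f.reason}`);
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  report(MV2_STYLE_SAMPLE);
  report(MV3_STYLE_SAMPLE);
}
```

The MV2-style sample trips three findings (broad host access, `webRequestBlocking`, an all-sites content script); the MV3-style sample trips none and gets only the informational note that it blocks declaratively. A reviewer would still read the code, but this sorts the queue by what the extension can do rather than by what file names look like.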
To have a reviewer under your employ that doesn’t know what UBO is or its dev, makes me feel pretty confident in siding with gorhill on this, but I hope that he does calm down a bit and put the extension back up.
> To have a reviewer under your employ that doesn’t know what UBO is or its dev, makes me feel pretty confident in siding with gorhill on this, but I hope that he does calm down a bit and put the extension back up.
FYI, it's UBlock Origin Lite that is affected here, not UBlock Origin. Same developer account, but a tiny fraction of the installation base. I think I still have an extension that has more users than UBlock Origin Lite did on Firefox (only 5000 installations at the time it was taken down).
To be honest, neither party looks good here. It reflects poorly on Mozilla that they don't have guardrails in place to prevent adverse action on the developer account that publishes their most popular extension. Gorhill's reaction (particularly his most recent comment from an hour ago) comes off as petty and vindictive. Yes, it's his prerogative to spend his unpaid time how he wants, but expressing that sort of aggression and directing it at your users doesn't win over many allies in the long run.
> Perhaps you trust gorhill with that power, but it's pretty understandable why others might not want to give that power to a third party.
I have been using the extension, now called ublock origin, for longer than I have been using the Firefox browser. Mozilla is the third party in this relationship.
In all those years, the extension project's principles were very strict, and the authors never disappointed. Mozilla, meanwhile, is just a constant stream of disappointments.
It's so many things, really. Magic opt-out tracking here and there, ads in new tab windows, nuking almost the entire extension ecosystem on Android for a couple of years just to grind down the user base, etc. It never ends.
You can also communicate with gorhill like a real person. Mozilla press communication is always a psychopathic mess of corporate speak. There is hardly anything in there.
I'm not even sure which project, ublock origin or Firefox, has more users by now.
My loyalties are pretty well sorted at this point.
> It's a lot easier to just accuse Google of acting in bad faith, and Mozilla of being their lapdogs, and ignore any possible evidence to the contrary.
There are two issues at play here.
Manifest V3 is, undeniably, a security improvement over Manifest V2. Providing full read/write access to all websites is a huge security risk, and the fact that we're willing to do it is really a testament to how bad the state of the web is without adblockers.
However, the final standardized version of Manifest V3 limited the size of content filters - essentially, limiting the number of ad sources that you could filter. This severely limits the utility of adblocking extensions.
Mozilla responded to this by promising not to implement the cap in their implementation of Manifest V3 - i.e., ignoring that part of the spec and allowing extensions to filter an unlimited number of sources in Firefox. Chrome and other browsers are sticking to the spec, though, including the cap on sources.
I believe UBlock Origin Lite is a downgrade feature-wise from UBlock Origin, but that's because it's targeting both Firefox and non-Firefox browsers. In theory, a Manifest V3 version of UBlock Origin Lite designed for Firefox could provide the same functionality as the Manifest V2 UBlock Origin.
Honestly, I hope someone (whether gorhill or someone else) takes up the mantle and does that, because there's no reason that Firefox users should have to use an adblocker with a less secure design, just because other browsers don't support it.
> Providing full read/write access to all websites is a huge security risk, and the fact that we're willing to do it is really a testament to how bad the state of the web is without adblockers.
That seems to be completely ignoring that extensions aren't just independent self-contained programs. They're intended to extend and modify the capabilities of your user agent to better suit the needs of the user. Trusting the user agent with full read/write access to the data it's fetching is fundamental to the purpose of a user agent. Sure, it's nice when you can sandbox a helper, but it's irresponsible to suggest there's anything wrong or unusual about having the kind of powerful extensions that Google doesn't want you to have.
> Sure, it's nice when you can sandbox a helper, but it's irresponsible to suggest there's anything wrong or unusual about having the kind of powerful extensions that Google doesn't want you to have.
What's inaccurate? Do you really want to claim that Google isn't actively reducing the scope of what browser extensions can do on behalf of end users? Having security as a justification does nothing to erase the fact that they are locking down the browser platform and making some useful categories of extensions impossible.
It's not just the size of content filters. V2 had the ability to run code to block a web request before it was downloaded. V3 only gives you a (size-limited) set of declarative filters. If you want to block anything else, you'll have to do it after it has been downloaded already.
Last I checked google didn't remove the read-only access to network requests in v3, so an extension that wants to track everything can still do that. It just can't block anything with custom code.
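Two points in this sub-thread are concrete enough to show in code: the MV3 rule cap mentioned a few comments up, and the fact that MV3 only accepts declarative filters, so anything a filter list expresses with custom logic cannot be carried over. The converter below is an added example, not code from the thread or from the uBlock projects; it turns a handful of constructed EasyList-style lines into `declarativeNetRequest` rule objects (whose `urlFilter` syntax shares `||` and `^` with the filter-list format), reports the lines that have no declarative equivalent, and checks the result against a rule budget. The budget is a parameter because the actual limits differ by browser and version, and the ABP-to-DNR option mapping covers only the common cases.

```javascript
// Added example: compile basic filter-list lines to declarativeNetRequest rules.
// Run with: node compile.js

// ABP-style resource options that map directly onto DNR resourceTypes
// (subdocument is the one name that differs).
const RESOURCE_TYPE_MAP = {
  script: "script", image: "image", stylesheet: "stylesheet", font: "font",
  object: "object", xmlhttprequest: "xmlhttprequest", subdocument: "sub_frame",
  ping: "ping", media: "media", websocket: "websocket", other: "other",
};

// Returns { rule } for a convertible line, { unsupported, source } for a line
// that needs procedural logic, or null for blank lines and comments.
function parseFilterLine(line) {
  const src = line.trim();
  if (!src || src.startsWith("!") || src.startsWith("[")) return null;
  // Cosmetic (element-hiding) filters act on the DOM, not on requests.
  if (src.includes("##")) return { unsupported: "cosmetic filter", source: src };

  let pattern = src;
  let actionType = "block";
  if (pattern.startsWith("@@")) { actionType = "allow"; pattern = pattern.slice(2); }

  let options = [];
  const dollar = pattern.indexOf("$");
  if (dollar !== -1) {
    options = pattern.slice(dollar + 1).split(",");
    pattern = pattern.slice(0, dollar);
  }

  const condition = { urlFilter: pattern };
  const resourceTypes = [];
  for (const opt of options) {
    if (opt === "third-party") condition.domainType = "thirdParty";
    else if (opt in RESOURCE_TYPE_MAP) resourceTypes.push(RESOURCE_TYPE_MAP[opt]);
    else return { unsupported: `option "${opt}" has no declarative equivalent`, source: src };
  }
  if (resourceTypes.length > 0) condition.resourceTypes = resourceTypes;

  // Allow rules get higher priority so they win over a matching block rule.
  return { rule: { priority: actionType === "allow" ? 2 : 1, action: { type: actionType }, condition } };
}

// Compiles a whole list; rules beyond `budget` are dropped and reported.
function compileRules(listText, budget) {
  const rules = [];
  const unsupported = [];
  for (const line of listText.split("\n")) {
    const parsed = parseFilterLine(line);
    if (!parsed) continue;
    if (parsed.unsupported) unsupported.push(parsed);
    else rules.push({ id: rules.length + 1, ...parsed.rule });
  }
  const overBudget = rules.length > budget;
  return {
    rules: overBudget ? rules.slice(0, budget) : rules,
    dropped: overBudget ? rules.length - budget : 0,
    overBudget,
    unsupported,
  };
}

// Constructed sample list (not a real filter list).
const SAMPLE_LIST = `
! constructed sample list
||tracker.example^
||ads.example^$script,third-party
||cdn.example/banner.png$image
@@||cdn.example/needed.js$script
example.com##.sidebar-ad
||weird.example^$redirect=noop
`;

if (typeof require !== "undefined" && require.main === module) {
  const result = compileRules(SAMPLE_LIST, 3);
  console.log(JSON.stringify(result, null, 2));
}
```

With a budget of 3 the sample compiles four rules, drops one, and reports two lines that cannot be expressed declaratively (a cosmetic filter and a `redirect=` option). Those two categories are where MV3 blockers either fall back to post-load DOM work or give up, which is the trade-off the comment above is pointing at.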
Good point, they should be on the phone: "Mr G, how can our developers help you get this extension approved?"
This developer is one of the main reasons for many people to use Firefox, especially in this current Chrome controversy, Manifest V2 vs V3.
And ironically this uBOL success should be of very interest to Mozilla because if it had gained more success than the main one uBO then it would be one less reason for the company to invest resources into maintaining manifestV2
Mozilla knows that. Which is why they exempted uBlock Origin from their user-hostile all-but-that-one-extension ban on mobile. (In practice it was a ban. I think they called it something else.)
I'm not even surprised the addon got flagged. The linked files in the Github issue all had file names insinuating a direct connection to known trackers (which, of course, uBOL is blocking). Whatever automated scanning tool Mozilla uses probably latched on to "oh this is Google Tag Manager" and issued the warning that is normally handed out to addons that do include sketchy scripts like these.
HOWEVER: the email clearly states:
> Your Extension uBlock Origin Lite was manually reviewed by the Mozilla Add-ons team in an assessment performed on our own initiative of content that was submitted to Mozilla Add-ons
Either that is a lie, or the manual reviewer that did the "review" doesn't understand that the automated tool they ran is capable of false positives.
Nothing wrong with automated abuse assessments on a platform like Mozilla's, but don't lie in your communications about it (or hire people who know what they're doing when it comes to blocking addons).
"The burden is that even as a self-hosted extension, it fails to pass review at submission time, which leads to having to wait an arbitrary amount of time (time is an important factor when all the filtering rules are packaged into the extension), and once I finally receive a notification that the review cleared, I have to manually download the extension's file, rename it, then upload it to GitHub, then manually patch the update_url to point to the new version. It took 5 days after I submitted version 2024.9.12.1004 to finally be notified that the version was approved for self-hosting. As of writing, version 2024.9.22.986 has still not been approved."
Doesn't sound like something I'd enjoy as a hobby.
I agree with what you say about the tradeoffs of a review process, but strongly disagree that Raymond Hill overreacted. He's a solo dev working on uBlock as a hobby who doesn't even take donations; he doesn't owe us anything. He gets to decide if the review process is frictionless enough for him to contribute his time and energy, and even though he decided it's not in this case, he made his extension open source, so anyone else is free to publish uBlock Origin Lite in his stead.
I don't think the author has overreacted, but your first paragraph doesn't seem to match the timeline, so maybe the article didn't portray it correctly. For a better understanding have a look at the GitHub issue: https://github.com/uBlockOrigin/uBOL-home/issues/197
It was not an automated review, it was a manual review, poorly done.
The author then explains that they don't want to deal with the stress (there are also some extra explanations of what's involved in the AMO review process), and also that they left a somewhat harmful version of the plugin up.
Not wanting to deal with stress is a perfectly understandable reaction.
> manually review every add-on revision for safety in a timely manner
Sure, but uBlock Origin, lite or not, is one of the most important browser add-ons, if not the single most important one. This may not justify giving it a pass without looking, but it should certainly be reason enough to jump it to the front of the queue and review it manually every time.
No he did not. Mozilla is in a situation where they should bend over backwards for very popular extensions, which I believe both uBlock Origin versions must be. Ensure anything you do with them is absolutely correct.
In general quite many extensions are done for passion. And any chance of destroying that passion will make your product less desirable to work with and thus in long run less popular.
Mozilla is not a single person in a basement with a 20 year old second hand computer. They spend hundreds of millions $ per year. uBlock Origin has 8+ million installs. The second extension by install count has 4 (four) times less. If anything to do with gorhill and their extensions is not priority one in their review system, then something is really wrong at Mozilla.
If they piss off a dev they risk losing all the plugins of that dev. So they must not look at uBOL, the subject of the review, but at uBO, the most popular plugin of that dev. And it turns out that it's Firefox's most popular plugin among all its plugins. They should immediately escalate the review even if gorhill submitted a plugin to log Hello World in the console.
> This was for uBlock lite, a much lesser used plugin
Sure, but it's published by the same developer and has existed for a while. It's not a brand new extension under his account, or published on a different developer account.
I've built review systems before, and you typically have safeguards in place to prevent mistakes that impact your biggest users. No matter how you cut it, this isn't a good look for Mozilla.
Most of which coming from Google, whose web enshittification created the need for Ublock Origin and later Ublock Origin Lite. If Mozilla, which takes boatloads of money from Google, does something absurd that would please nobody else but Google, how could one not assume something fishy is going on?
...and the extension this article is about had about 5000 (five thousand) installs before being taken down. That doesn't really scream "priority" to me.
It may be true, but your point of view isn't the only possible one. Many people have to use more than one browser and for them, the Google decision (effectively forcing the creation of uBOL) was really painful, so Hill's new product is of big value. Also, there are people who don't know anything about uBO since they never used Firefox, but they probably will start to use uBOL as other blockers for Chromium-based browsers are incomparable to it.
Thus 5k downloads of uBOL are no measure of its importance.
Can we build a better sandbox? Exfiltrating data is the issue, but if the extensions just weren't able to reach out arbitrarily but could only download a specified URL, then that would eliminate the problem for plugins that could adapt to only using a specific permission and then not need manual review.
Meh, it's perfectly reasonable to decide that you don't want to deal with this kind of bullshit and pull the extension from problematic stores. There's probably a minuscule amount of people using uBO Lite on Firefox anyway.
I think that the alternative is some form of "peer review", where the effort of performing reviews is spread out among a volunteer f with reasonable "reputation" management and in which a party can accelerate their own review by contributing to the reviews for others.
Exactly. And this is why we need paid browsers. If the ad-supported/donation-supported browsers like Firefox need to apply low-quality automated solutions to approving/rejecting even their most popular addons, then clearly the business model isn't working.
I think not everyone thinks that money solves all things. Look at the $8 blue check “verified” accounts on Twitter that are easily identified as CCP/Russian spam bots. We’ve had free browsers for nearly 30 years, so I’d say we don’t need paid browsers just yet. There are of course some out there for those who like the idea, but overall it’s not a solution. n=1 failure doesn’t mean flushing the whole enterprise down the toilet. There is an easy policy change for this. Fire one high level executive and get 10 more quality reviewers so that the more experienced reviewers can get high traffic items like those from gorhill
You jump immediately to money. But less crappy automation in this case is almost certainly a question of configuration and then thoughtfulness on the part of follow up reviewers, not just throwing money at the problem. It feels like you are shoehorning your own agenda in the conversation a bit.
Wow, stirred up a latent hornet's nest with this one. I should have known, people love "free" stuff (even if it's obvious to everyone, even themselves, that it is not at all "free"). Anyway, I think a paid browser would help solve this problem. If you don't agree, please, keep using Firefox or Chrome or whatever "free" browser you prefer.
However gorhill is quite a high tier extension dev which should get him more attention and at least a second set of eyes on any drastic action like cutting his extensions.
...except there is no evidence that paid, manual review works. Closest thing we have is Apple's App Store, which infamously has manual review cycles worse than an automated malware checker: https://www.pcmag.com/news/beware-theres-a-fake-lastpass-app...
This is why you should be happy that you don't pay for a browser.
When you blatantly violate the IP of a well-trusted dev, posing as a third party and successfully tricking Apple, yeah, you are a pretty big data point. You can't call CrowdStrike an anecdote.
My bigger intention is to fight the idea that automated solutions are necessarily better than inept human-reliant ones. Firefox doesn't even have remotely Apple's scale or revenue to work with - who seriously expects Mozilla to do better than them?
I'm not sure. If moz revenue is something like 600 m and the CEO makes 7 m, while Apple's revenue is something like 400 b and the CEO made 63 m, you get something like 7/600 vs 63/400000?
Then Mozilla should do at least 1000 times better even if it is just a forgotten side project like Firefox?
uhhh what were we talking about again... ah right extension reviews.
Well, just let the developer pay for 50 different tiers of review with prices scaling with the size of the code base or upgrade. Display the level of scrutiny on the extension page, have a donate to the cause button so that funds contribute only to reviews.
If you've installed any extensions you should regularly be made aware of the security risk and have a nice overview of the level of hazard and fund raising efforts.
If you've reached a high level of security further upgrades will either be expensive or install should be discouraged.
In the same place the developer can explain how urgent or useful the upgrade is and users can donate to bring the patch up to the desired level.
Code changes can be displayed with public discussion. This will be useful for doing the different reviews as cheaply as possible. Let there be bidding wars.
In addition there should be an extremely granular permission system that triggers dialogs in an amount sensible for the review level. Developers should be allowed to buy reviews for tiny functions that accurately define permission requests.
For example: Rather than full access to all pages I want access to all links pointing at example.com and I want to fetch the title of the pages on example.com Or say: I don't want access to the entire internet but only to things in valid RSS or Atom format.
Seems a sensible solution to me and I don't even know anything.
So? Mozilla inserted themselves as middlemen into addon delivery. Even for the so-called selfhosted addons. They can just not do that if doing it properly and without undue delays means more work than they can handle.