Web lists-archives.com

Re: ping Walt, bug about add-on verification override

My bloviated meandering follows what Disaster Master graced us with on 2/9/2017 4:54 AM:
On 2/8/2017, 6:29:20 PM, Sailfish
<NIXCAPSsailfish@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
My bloviated meandering follows what Disaster Master graced us with on 2/8/2017 10:56 AM:
On 2/8/2017, 1:19:08 PM, Sailfish
<NIXCAPSsailfish@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
My bloviated meandering follows what Caver1 graced us with on 2/7/2017 4:32 PM:
One, if known and Mozilla allowed it, they could be held culpable if a non-verified add-on compromised the browser and user's system.
That is the most ridiculous thing I ever heard.
Truly? You have been quite prolific on this newsgroup for a while now and yet you claim THIS to be the ridiculous thing you've ever heard?

I'm not participating in a newsgroup, I'm participating in an email list

It sounds like you are on a listserv? In either event, your responses are being posted to the mozilla.general newsgroup.


Yeah, I guess I could have clarified 'in the last 2.57 days' to be more
accurate. I do hear a lot of really ridiculous things on a regular basis
fro a small number of vocal people.


Anyway, the liability issue is real, even if somewhat remote. Mozilla.com is a corporation and, as such, has a fiduciary responsibility to protect investors interests. Knowingly allowing a mechanism that can cause harm to users such as what was mentioned in comment 13 leaves them exposed.

The user has to jump through considerable hoops to do this. There is no
way that Mozilla could be held accountable for what that user decided to
do on their own.

For most who have been involved with Mozilla, the instructions provide in the bug (and ghacks link) are fairly easy-peasy.

But they are very specific steps that the individual user must first
fine, then decide to take themselves.

No way Mozilla could even remotely be considered liable for said users
actions, and I think even the 9th curcus judges would laugh that out of
court and probably even sanction any lawyer stupid enough to file such a

IANAL but it seems to me that since Mozilla took the overt step to protect themselves by implementing the add-on verification system in the first place, leaving a back door there that would allow someone to subvert the process leaves them open. I'm not familiar with the code involved and how deeply it could compromise the system but there has been cases where malicious code has been able to infect other users. Since the bug is only labeled "sec-moderate" it may not present a serious problem as yet known; however, I can still understand why they wouldn't want to leave it easily exploitable by adware-type add-ons.

Also, comment 13 pretty much explains why there's a problem with having the hole open.

That is a totally separate question from whether Mozilla could be held

We disagree.

alt>Help>Restart With Add-ons Disabled...

Still doesn't explain what PD means.

Then you should have made it clear as to what was unclear to you to begin with. It seemed unlikely that you were mystified over PD since I had defined it in the previous sentence.

"Two, from a problem determination (PD) POV..."

Just to ensure there's not another point of confusion, POV = Point Of View.

Rare Mozilla Stuff: http://tinyurl.com/lcey2ex
general mailing list