But this is not about a high profile plugin. The high profile plugin is "uBlock Origin", and this is about "uBlock Origin Lite", which is a big thing for Chrome, but not for Firefox. Why would anyone want to use uBOL, when they have the option to use uBO?
Perhaps Mozilla does have a higher tier of review, but it's for specific plugins, not for specific authors.
Generally, anything published by the guy who maintains your most-installed plugin is by definition high profile. That’s why we’re talking about this case on HN.
If Mozilla is providing tiered support by plugin rather than publisher, this latest kerfuffle is evidence that they should reconsider the approach. But if I were betting, I’d guess there’s no one at Mozilla whose job responsibilities include keeping their marquee plugin authors happy.
And, in contrast, that job (or parallel jobs for different 'online stores') definitely exist at Google and Microsoft. At Google, there's a whole army of open-secret glad-handlers for liaising between high-profile or high-relevance Cloud customers and the development teams inside Google that work on Cloud (because sometimes a customer comes up with a novel way to use the tool that exposes the cracks in the abstraction and lets the underlying implementation leak out undesirably). Customers don't get to choose to be handled that way (though they can, of course, indirectly signal it by how much money they spend); it's Google's decision to maximize company value / security.
If it is, indeed, the case that they don't bump the entire account to a higher tier of service if one of their products justifies it, they've fundamentally conflated the technology with the humanity of the system and this is a predictable consequence.
They're the browser with 2% market share.
They're lucky he didn't also pull uBlock Origin because he felt insulted and let users figure it out. He doesn't owe Mozilla their tent-pole of "We make it harder for third-parties to track you", the tent-pole he set up for them for free.
We all agree that this case is a very bad outcome for Mozilla.
What I don't agree with, is that a system that is based on higher tiers for entire accounts, is necessarily better. If such a tier exists, then all the big players will apply pressure to be put in that tier. Suppose Amazon tries for that - surely they'll get it. And then they'll use it, not just for "the Amazon app", but for every crappy outsourced app they make for any purpose. Placing a huge burden on Mozilla, who now will have to spend extra resources to hand-check a lot of crap that could have been auto-rejected, just in case, because effectively the burden of proof has been shifted.
I'd like you all to try to abstract from this case for a second, and think about the strategic choice: Which is the better rule, evaluating apps, or evaluating accounts. Sure, now you're all thinking that you'll make a super-duper amalgam system that looks at both in some combination. That's the benefit of hindsight. But suppose you're making version 1, and you're keeping it simple. What would you start with?
> Which is the better rule, evaluating apps, or evaluating accounts
For now, evaluating apps.
... but only because gorhill decided not to go nuclear (and good on 'em for doing so). The unequal power dynamic you're painting of Amazon exists today, whether or not Amazon attempts to pressure Mozilla right now; they're at their discretion to decide that they'll only support a Firefox extension if Mozilla plays ball with a bunch of other crappy apps too (and then Mozilla can tell them to go pound sand, and then the users can't get to the Amazon app easily, and then someone writes a workaround... The human system is far, far squishier and more complicated than the technical system).
> But suppose you're making version 1, and you're keeping it simple.
Sadly, Mozilla does not have that luxury because they exist in an ecosystem of other corporations with web-store presences and it's incumbent upon them to be competitive if they want to survive in that configuration. If Google and Amazon can glad-hand high-value customers, Mozilla needs to learn how to do so also or risk those customers deciding the Mozilla ecosystem is more trouble than it's worth to participate in (because what do you get? 2% market share?).
But it's the same dev who's been active for over a decade and has a solid reputation. Users rely on these extensions. Removing a popular, well established extension without warning or apparently even making sure it was in violation of said policies to begin with is irresponsible.
And the specific extension in question being a popular ad/tracker blocker while Mozilla has been cozying up to the adtech industry lately and selling access to Firefox user data isn't a good look for Mozilla. Maybe Mozilla is just being grossly mismanaged but this is all getting noticeably suspicious.
> But this is not about a high profile plugin. The high profile plugin is "uBlock Origin", and this is about "uBlock Origin Lite", which is a big thing for Chrome, but not for Firefox. Why would anyone want to use uBOL, when they have the option to use uBO?
uBlock Origin requires giving the extension full read and write permissions on every site you visit, which is a huge liability, security-wise.
uBlock Origin Lite uses Manifest V3, which doesn't require providing those permissions to the extension.
Perhaps you trust gorhill with that power, but it's pretty understandable why others might not want to give that power to a third party.
To have a reviewer under your employ that doesn’t know what UBO is or it’s dev, makes me feel pretty confident in siding with gorilla on this, but I hope that he does calm down a bit and put the extension back up.
> To have a reviewer under your employ that doesn’t know what UBO is or it’s dev, makes me feel pretty confident in siding with gorilla on this, but I hope that he does calm down a bit and put the extension back up.
FYI, it's UBlock Origin Lite that is affected here, not UBlock Origin. Same developer account, but a tiny fraction of the installation base. I think I still have an extension that has more users than UBlock Origin Lite did on Firefox (only 5000 installations at the time it was taken down).
To be honest, neither party looks good here. It reflects poorly on Mozilla that they don't have guardrails in place to prevent adverse action on the developer account that publishes their most popular extension. Gorhill's reaction (particularly his most recent comment from an hour ago) comes off as petty and vindictive. Yes, it's his prerogative to spend his unpaid time how he wants, but expressing that sort of aggression and directing it at your users doesn't win over many allies in the long run.
> Perhaps you trust gorhill with that power, but it's pretty understandable why others might not want to give that power to a third party.
I have been using the extension, now called ublock origin, for longer than I have been using the Firefox browser. Mozilla is the third party in this relationship.
In all those years, the extension project's principles were very strict, and the authors never disappointed. Mozilla, meanwhile, is just a constant stream of disappointments.
It's so many things, really. Magic opt-out tracking here and there, ads in new tab windows, nuking almost the entire extension ecosystem on Android for a couple of years just to grind down the user base, etc. It never ends.
You can also communicate with gorhill like a real person. Mozilla press communication is always a psychopathic mess of corporate speak. There is hardly anything in there.
I'm not even sure which project, ublock origin or Firefox, has more users by now.
My loyalties are pretty well sorted at this point.
> It's a lot easier to just accuse Google of acting in bad faith, and Mozilla of being their lapdogs, and ignore any possible evidence to the contrary.
There are two issues at play here.
Manifest V3 is, undeniably, a security improvement over Manifest V2. Providing full read/write access to all websites is a huge security risk, and the fact that we're willing to do it is really a testament to how bad the state of the web is without adblockers.
However, the final standardized version of Manifest V3 limited the size of content filters - essentially, limiting the number of ad sources that you could filter. This severely limits the utility of adblocking extensions.
Mozilla responded to this by promising not to implement the cap in their implemention of Manifest V3 - ie, ignoring that part of the spec and allowing extensions to filter an unlimited number of sources in Firefox. Chrome and other browsers are sticking to the spec, though, including the cap on sources.
I believe UBlock Origin Lite is a downgrade feature-wise from UBlock Origin, but that's because it's targeting both Firefox and non-Firefox browsers. In theory, a Manifest V3 version of UBlock Origin Lite designed for Firefox could provide the same functionality as the Manifest V2 UBlock Origin.
Honestly, I hope someone (whether gorhill or someone else) takes up the mantle and does that, because there's no reason that Firefox users should have to use an adblocker with a less secure design, just because other browsers don't support it.
> Providing full read/write access to all websites is a huge security risk, and the fact that we're willing to do it is really a testament to how bad the state of the web is without adblockers.
That seems to be completely ignoring that extensions aren't just independent self-contained programs. They're intended to extend and modify the capabilities of your user agent to better suit the needs of the user. Trusting the user agent with full read/write access to the data it's fetching is fundamental to the purpose of a user agent. Sure, it's nice when you can sandbox a helper, but it's irresponsible to suggest there's anything wrong or unusual about having the kind of powerful extensions that Google doesn't want you to have.
> Sure, it's nice when you can sandbox a helper, but it's irresponsible to suggest there's anything wrong or unusual about having the kind of powerful extensions that Google doesn't want you to have.
What's inaccurate? Do you really want to claim that Google isn't actively reducing the scope of what browser extensions can do on behalf of end users? Having security as a justification does nothing to erase the fact that they are locking down the browser platform and making some useful categories of extensions impossible.
It's not just the size of content filters. V2 had the ability to run code to block a web request before it was downloaded. V3 only gives you a (size-limited) set of declarative filters. If you want to block anything else, you'll have to do it after it has been downloaded already.
Last I checked google didn't remove the read-only access to network requests in v3, so an extension that wants to track everything can still do that. It just can't block anything with custom code.
Perhaps Mozilla does have a higher tier of review, but it's for specific plugins, not for specific authors.