Mozilla Firefox Extension Update Screenshots
Sunday April 25th, 2004
Percy Cabello wrote in to tell us that Ben Goodger has posted some screenshots of Mozilla Firefox's forthcoming Extension update feature. While some of this UI is in the latest Firefox nightly builds, none of it really works yet, so don't get too excited.
Update: Another Extension update screenshot is now available.
Question: "When it searches for an update, is that always in a central repository or is the update path held by the extension?" - squadron76
If it is a central repository, is it mozdev.org or somewhere else?
I guess I'll answer my own question. From the 2004-04-05 mozilla.org staff meeting:
"- For the server side, Ben is writing a Java web service based on Tomcat, with MySQL back end"
"- DNS name will be update.mozilla.org"
As long as the end-user has the ability to add to or change the default update URL (from update.mozilla.org to e.g. mysite.com), then this makes sense. A system needs to be in place to allow companies to implement their own internal update servers, which could mirror existing updates and/or add company-specific updates if necessary.
The default server URL exists in region.properties as a localizable pref.
Individual extensions can provide their own update URLs (basically a link to an update.rdf file) if they are not hosted in UMO that they can use to specify updates.
Interesting. So is joe-spammer going to be allowed to upload his spyware XPI to the update server or is there going to be some kind of test or rating system to weed out malicious extensions?
No, and yes.
While the actual update spec pages are there yet, this example looks interesting: <http://www.mozilla.org/pr…/extensions/manifest.html>. See the <!-- Update Info --> bit: it's got an update URL of somewhere on banditsoft.com (not a real link). So joe-spammer wouldn't need to upload his spyware to the update server; he would maintain his own server.
(Ben: there actually seems to be a site at that URL - just that I can't seem to find RSS Bandit on there :p)
#7 What if a trojan changes to update url?
Sunday April 25th, 2004 9:17 PM
A program can write a custom config file to the FF user profile folder and subsequent attempts to update FF could result in destructive downloads? This may be easy to shut down but the damage would've been done.
#8 Re: What if a trojan changes to update url?
Sunday April 25th, 2004 9:18 PM
While this may not be exactly a Moz-only issue, it would prove bad publicity for the project.
#10 Re: What if a trojan changes to update url?
Sunday April 25th, 2004 11:38 PM
If this malicious software is running on your PC, you are f0cked anyway. And any rogue program today could go through the trouble of turning your Firefox into a man eating, spam sending, DDOS performing zombie, but would probably prefer to do this directly. I don't see the problem here. Unapproved software running on your box is bad.
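The question raised in #7 (a local program rewriting the update URL in the profile) can also be approached from the detection side. The following is an added example, not part of the original discussion and not Firefox code: it scans text in the `user_pref("name", "value");` format of a profile prefs file and flags update URLs that fall outside an allowlist. The pref names, the internal mirror host and the https requirement are assumptions of the example; only update.mozilla.org comes from the thread.

```python
import re
from urllib.parse import urlsplit

# Hosts an administrator accepts as update sources. update.mozilla.org is the
# name given in the thread; the second entry is a hypothetical internal mirror.
ALLOWED_HOSTS = {"update.mozilla.org", "updates.corp.example"}

# Matches one string-valued line of a profile prefs file:
#   user_pref("some.name", "value");
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;')


def audit_update_prefs(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (pref, url, reason) for every update-URL pref that looks wrong."""
    findings = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, boolean/integer prefs, unrelated lines
        name, value = m.group(1), m.group(2)
        lowered = name.lower()
        # Assumption: update-related URL prefs carry both words in their name.
        if "update" not in lowered or "url" not in lowered:
            continue
        parts = urlsplit(value)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":  # example policy, not stated in the thread
            findings.append((name, value, "not https"))
        elif host not in allowed_hosts:  # exact match, so lookalikes fail
            findings.append((name, value, "host not in allowlist"))
    return findings


# Constructed sample; the pref names are placeholders, not real Firefox prefs.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
user_pref("example.update.url", "https://update.mozilla.org/check");
user_pref("example.extensions.update.url", "https://updates.corp.example/update.rdf");
user_pref("example.app.update.url", "http://update.mozilla.org/check");
user_pref("example.other.update.url", "https://update.mozilla.org.lookalike.example/update.rdf");
user_pref("example.update.enabled", true);
"""

if __name__ == "__main__":
    for name, url, reason in audit_update_prefs(SAMPLE_PREFS):
        print(f"{name}: {url} ({reason})")
```

The host comparison is an exact match on the parsed hostname, so a URL that merely starts with an allowed name is still reported.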
#9 Where does this leave mozdev.org ?
Sunday April 25th, 2004 10:59 PM
Ben, I have some questions for you. First, where does this leave mozdev.org? Are you perhaps working towards a sort of official, approved extensions, list and are you guys going to block all other extensions that are not on your list? Will theme installations also be part of this update window?
Btw, nice work done so far Ben. Darn, I wish I had more time for MultiZilla 2.0 (Mozilla Firefox version). Also, please keep in mind that "The Best Has Yet To Come". The best of MultiZilla that is... Oh well, better late and feature complete without bugs ;)
P.S. Is David Hyatt still working on Mozilla Firefox? I don't see or hear a lot from him, but I can be totally wrong.
#11 Re: Where does this leave mozdev.org ?
Monday April 26th, 2004 12:29 AM
Dave Hyatt is no longer contributing regularly to Firefox.
#12 Re: Re: Where does this leave mozdev.org ?
Monday April 26th, 2004 8:33 AM
Thanks for the info Ben but I rather wished you answered all my questions. I'm sure there are a lot of questions asked about this on mozdev.org. So do you mind adding the answers soon?
Thanks for your time and energy. Keep up the good work ;)
#13 Re: Re: Re: Where does this leave mozdev.org ?
Monday April 26th, 2004 12:48 PM
I could imagine there being some quality control... If you want 'dummy users' to use this, to ensure that they don't install buggy extensions which mess up their Firefox installation. On the other hand, it would be much more difficult to maintain, takes much time to test all extensions, etc. In practice, I think there is a little control to avoid things like the earlier mentioned spy/adware extensions (btw, I encountered my first onLoad XPI yesterday!), but not much more than that. Also, I think if some kind of selection were to take place, it would not be on the updates server, but, for example, in a mozilla.org (or texturizer.net) extensions listing.
I just hope this will not become the 'active-x' of Mozilla... in the press I mean. That would really hurt the 'security status' of Mozilla.