MozillaZine

Mozilla Firefox Extension Update Screenshots

Sunday April 25th, 2004

Percy Cabello wrote in to tell us that Ben Goodger has posted some screenshots of Mozilla Firefox's forthcoming Extension update feature. While some of this UI is in the latest Firefox nightly builds, none of it really works yet, so don't get too excited.

Update: Another Extension update screenshot is now available.


#1 repository

by Racer

Sunday April 25th, 2004 1:24 PM

Reply to this message

Question: "When it searches for an update, is that always in a central repository or is the update path held by the extension?" - squadron76

If it is a central repository, is it mozdev.org or somewhere else?

#2 Re: repository

by Racer

Sunday April 25th, 2004 1:30 PM

Reply to this message

I guess I'll answer my own question. From the 2004-04-05 mozilla.org staff meeting:

"- For the server side, Ben is writing a Java web service based on Tomcat, with MySQL back end" "- DNS name will be update.mozilla.org"

As long as the end-user has the ability to add to or change the default update URL (from update.mozilla.org to e.g. mysite.com), then this makes sense. A system needs to be in place to allow companies to implement their own internal update servers, which could mirror existing updates and/or add company-specific updates if necessary.

#3 Re: Re: repository

by Ben_Goodger

Sunday April 25th, 2004 4:54 PM

Reply to this message

The default server URL exists in region.properties as a localizable pref.

Individual extensions can provide their own update URLs (basically a link to an update.rdf file) if they are not hosted in UMO that they can use to specify updates.

#4 Re: repository

by Racer

Sunday April 25th, 2004 5:45 PM

Reply to this message

Interesting. So is joe-spammer going to be allowed to upload his spyware XPI to the update server or is there going to be some kind of test or rating system to weed out malicious extensions?

#5 Re: Re: repository

by Ben_Goodger

Sunday April 25th, 2004 6:33 PM

Reply to this message

No, and yes.

#6 Re: Re: repository

by Mook

Sunday April 25th, 2004 8:47 PM

Reply to this message

While the actual update spec pages are there yet, this example looks interesting: <http://www.mozilla.org/pr…/extensions/manifest.html> See the <!-- Update Info --> bit - it's got an update URL of somewhere on banditsoft.com (not a real link) So joe-spammer wouldn't need to upload his spyware to the update server; he would maintain his own server.

(Ben: there actually seems to be a site at that URL - just that I can't seem to find RSS Bandit on there :p)

#7 What if a trojan changes to update url?

by tseelee

Sunday April 25th, 2004 9:17 PM

Reply to this message

A program can write a custom config file to the FF user profile folder and subsequent attempts to update FF could result in destructive downloads? THis may be easy to shut down but the damage would've been done.

#8 Re: What if a trojan changes to update url?

by tseelee

Sunday April 25th, 2004 9:18 PM

Reply to this message

While this may not be exactly a Moz-only issue, it would prove bad publicity for the project.

#10 Re: What if a trojan changes to update url?

by Zpottr

Sunday April 25th, 2004 11:38 PM

Reply to this message

If this malicious software is running on your PC, you are f0cked anyway. And any rogue program today could go through the trouble of turning your Firefox into a man eating, spam sending, DDOS performing zombie, but would probably prefer to do this directly. I don't see the problem here. Unapproved software running on your box is bad.

#15 Re: Re: What if a trojan changes to update url?

by tseelee

Saturday May 1st, 2004 1:44 PM

Reply to this message

I can imagine trojans piggy-backing on FF to get through security programs.

#9 Where does this leave mozdev.org ?

by bugs4hj <bugs4hj@netscape.net>

Sunday April 25th, 2004 10:59 PM

Reply to this message

Ben, I have some questions for you. First, where does this leave mozdev.org? Are you perhaps working towards a sort of official, approved extensions, list and are you guys going to block all other extensions that are not on your list? Will theme installations also be part of this update window?

Btw, nice work done so far Ben. Darn, I wish I had more time for MultiZilla 2.0 (Mozilla FireFox version). Also, please keep in mind that "The Best Has Yet To Come". The best of MultiZilla that is... Oh well, better late and feature complete without bugs ;)

P.s is David Hyatt still working on Mozilla FireFox? I don;t see or hear a lot from him, but I can be totally wrong.

/HJ

#11 Re: Where does this leave mozdev.org ?

by Ben_Goodger

Monday April 26th, 2004 12:29 AM

Reply to this message

Dave Hyatt is no longer contributing regularly to Firefox.

#12 Re: Re: Where does this leave mozdev.org ?

by bugs4hj <bugs4hj@netscape.net>

Monday April 26th, 2004 8:33 AM

Reply to this message

Thanks for the info Ben but I rather wished you answered all my questions. I'm sure there are a lots of questions asked about this on mozdev.org. So do you mind adding the answers soon.

Thanks for your time and energy. Keep up the good work ;)

#13 Re: Re: Re: Where does this leave mozdev.org ?

by Grauw

Monday April 26th, 2004 12:48 PM

Reply to this message

I could imagine there being some quality control... If you want 'dummy users' to use this, to ensure that they don't install buggy extensions which mess up their Firefox installation. On the other hand, it would be much more difficult to maintain, takes much time to test all extensions, etc. In practice, I think there is a little control to avoid things like the earlier mentioned spy/adware extensions (btw, I encountered my first onLoad XPI yesterday!), but not much more than that. Also, I think if some kind of selection were to take place, it would not be on the updates server, but on for example in a mozilla.org (or texturizer.net) extensions listing.

~Grauw

#14 XPI -> Active-X ????

by rtvkuijk

Friday April 30th, 2004 6:12 AM

Reply to this message

I just hope this will not become the 'active-x' of Mozilla...... in the press I mean. That would realy hurt the 'security status' of Mozilla