Hi, 
Guest
Pic
Sign In

maildev@lists.thunderbird.net

Thunderbird email developers

View all threads

Addons no longer maintained.

BB
Ben Bucksch
Fri, Feb 8, 2019 8:27 PM

Josiah Bruner wrote on 06.02.19 22:06:

*automatically* trust arbitrary Author B.

It's not automatic. There is an addon review.

Yes, hopefully, but it's hard to guarantee that. What if the "backdoor" is a minor crypto bug?

There is no guarantee, ever. Thunderbird itself had crypto bugs. Did you code review Thunderbird to ensure that it's all fine? If so, I'd be happy. But I don't think anybody does.

Users are not in a position to review addon source code for trustworthyness. That's what we have the review for.

I understand your theoretical case, but it's not the reality.

In the case we're talking about: You have 3 options: 1) a broken addon 2) a disabled addon 3) a fixed addon from somebody else.

Reality is that many users will hold off on a TB upgrade, if addon ABC doesn't work. And then they are exposed to known security bugs. And the addon authors we're talking about are benevolent and not malicious.

The cases you talk about were from addon stores that have no code review.

As an example, here's what I do not want to see happen:

Here's what I don't want to see happen:

  • Users with broken addons that they depend on
  • Users who don't install security updates - for years - because their addons are broken

That is unacceptable for most people. That affects 20 million people. The people who can manually trust a specific addon author are a few dozen.

Ben

BB
Ben Bucksch
Fri, Feb 8, 2019 8:27 PM

Jonathan Kamens wrote on 07.02.19 04:03:

The add-on review process, not "trust" in any particular author, is
what is supposed to keep users safe.

Exactly

Jonathan Kamens wrote on 07.02.19 04:03: > > The add-on review process, not "trust" in any particular author, is > what is supposed to keep users safe. Exactly
BB
Ben Bucksch
Fri, Feb 8, 2019 8:29 PM

Magnus Melin wrote on 07.02.19 08:52:

Agreed first option is always to first get involved with the original
author and work something out.

I think we all agree on that.

However, in reality, most addons have been unmaintained for years. And
they kept working. And they broke recently. And users depends on them.

So, we cannot just ignore that reality.

Magnus Melin wrote on 07.02.19 08:52: > Agreed first option is always to first get involved with the original > author and work something out. I think we all agree on that. However, in reality, most addons have been unmaintained for years. And they kept working. And they broke recently. And users depends on them. So, we cannot just ignore that reality.
Empathy v1.0   2025 ©Harmonylists.com