While I disagree with the 1-week review times that google imposes, doesn't the firefox approach defeat the purpose of the review in the first place?
While async review is better than no review, if someone pushed a malicious update and it got caught in the async review a few days later, the damage has already been done. Just a trade-off to think about.
its a tradeoff for sure; i tend to think the risk of unpatched software outweighs the risk of software hijacked from the author, so i prefer the moz model. iirc, there are automatic checks (ie permission changes, certain api calls, etc) which trigger a manual review before publishing. that said even the manual review is no guarantee malicious software doesnt get published (from my experience the reviewers are not always experts)
While async review is better than no review, if someone pushed a malicious update and it got caught in the async review a few days later, the damage has already been done. Just a trade-off to think about.