Seems like a culture problem created by improper management by Mozilla and Google.
After all, when I run apt-get update, any of the updates could install malware that could do anything at all.
Instead of programmatically limiting what extensions can do, which seems very difficult to do while preserving useful functionality, they should study what makes the Debian packaging system so trustworthy and implement that.
Debian package maintainers who allow malware to slip through are likely to be forced out of their post by the community backlash. Similar accountability for Mozilla/Google addon reviewers isn't there. The addon gets taken off but what is the accountability from the employee who allowed it to pass review? A company apology is fine from a PR point of view but it also means that employees will not take their job as seriously as a real demotion or consequence.
How much of a $10 wrench attack / rubber hose attack / bribery do you think it takes to target a Debian packager? This seems like a pretty weak defense.
Debian simply is less juicy to attack than consumer-focused stores. Debian has a much more technically aware and vigilant user base. It's also probably being used somewhere where there's constant monitoring for security and breaches etc. Not to mention that Debian can move really slowly. Default repos have nginx at 1.10 (when 1.16 is the latest), node is stuck at v4, postgres is at 9.6 (when v10, v11, v12 exist).
Why would you attack a store where you can be burned in less than a week when you can attack stores where there are millions of less technical users who are easier to fool and exploit?