You know this wouldn't be so much of an issue if Chrome didn't disable the ability to install extensions outside of the web store.
As an extension developer it's absolutely infuriating to realize that:
1. There is no way to install extensions outside the web store
2. Google won't approve anything to the web store.
3. The vast majority of people use Chrome vs other browsers.
------
I get it, Chrome is Google's browser and they can do what they please with it. However Chromium is open source and it's still impossible to do so.
Like thanks Google. I spent months developing an extension only to realize that as it stands today for the majority of developers, the chrome web store is closed for new submissions.
And Google didn't even have the courtesy of telling us it's essentially closed, they just string us along with "pending reviews" (for context I've been trying to get my extension approved since February).
It's worth noting that the Chrome Web Store is currently full of malware and most malware I see on PCs was installed via the Chrome Web Store. By design, HTTPS does not protect your privacy at all if you have extensions that violate it, since they see what you see after TLS termination.
So this is a huge deal, Google is already bad at it, but I can't fault them for heavily restricting extension install: Currently they are way too lax.
This is still something of a problem of Chrome's own creation though.
The reason Chrome can't be much, much more restrictive about what extensions get placed in the store is because there is no alternative. The less important your store is, the more exclusive (and safer) it can be.
Look at Linux with package managers like AUR. If a package isn't included in the official Arch repos, I generally don't mind. I can go install it if I've vetted it myself. What that means is that Arch can be a lot more restrictive about what they include. They don't really need to provide a bunch of justifications, they can just say they had a bad feeling or haven't gotten around to looking at it.
If the goal is to have safe spaces where users can be certain that they won't ever run into malware, the space maintainers need the freedom to be very restrictive. Google doesn't have that freedom with the Chrome Web Store specifically because getting banned from the Chrome Web Store is a massive deal -- they can't just decide to prioritize safety over everything else.
Small, optional safe spaces that people can opt into will always be better filtered, better moderated, and overall safer than a giant space that's forced to balance between freedom and safety for every single user at the same time. Moderation doesn't scale.
I don't think their priority is making a specific area where users are free from malware; they're trying to make it hard for malware overall to integrate with Chrome. Adding a supported path for software to integrate with Chrome (allowing extensions not through the store) where they can't block malware would be giving up on that goal.
> they're trying to make it hard for malware overall to integrate with Chrome
That's a reasonable argument, and you're probably right about their motivations. But I'm not convinced that's a realistic goal, because the definition of malware/spyware changes depending on the context/user.
The big reason moderation doesn't scale is because you're forced to balance everybody's needs at the same time -- you can't optimize for any particular user. If the end-consequence of an exclusive web store is that it's much harder for the Chrome team to ban shifty apps without everyone on Twitter asking for a bullet-pointed list explaining why, then the Chrome team isn't really making the world that much safer.
In general, I would advocate that it's better to try and build safe spaces rather than safe worlds. That's kind of a pragmatic philosophy: I'm having a hard time thinking of an existing safe world that I think runs well. All of the major app stores (including Apple's) have malware problems to at least a certain degree. Most giant social networks are not doing a good job of moderating content. Package managers for languages like Node and Ruby are running into the same issues.
Maybe the web itself? But the web doesn't get its safety from moderation, it gets its safety because of sandboxing.
If I'm thinking purely as a consumer, what I really want is an extension store where I know 100% that everything on it is fine. I don't want to have to think or read reviews or look up the author before I install an extension. I want it to be clear when I'm being safe and when I'm doing something dangerous. I suspect that's what a lot of consumers want, and I just don't see any realistic path for Chrome to provide that with their current strategy.
I get that "somebody might choose to leave the safe space and install malware anyway" feels bad, but if the consequence of avoiding that is, "everybody gets kind of substandard protection all the time", maybe it's worth questioning whether Chrome's malware goals are worth pursuing in the first place.
Google tries to do this with automated processes and minimum wage drones, which results in both million dollar extensions being bumped AND widespread malware being let through.
E.g. you could sell developer support at $10k/annum with a 3h SLA for escalation to a senior eng. Serious companies with businesses that rely on chrome plugins would purchase in a second.
Apple can do it for $99 a year (plus thirty percent of course). Their system is by no means perfect, but there absolutely is less bullshit malware on their market vs google chrome.
This is kind of a strange thought, isn't it? At that rate, even if people were inclined to pay, it's affordable to what, 10% of the US or a fraction of 1% of the world.
Why would it even cost that much? You could literally use the actual chrome store for curation and make a white list of the top 100 extensions that aren't skeevy or run by skeevy people and pull in updates periodically after checking that it hadn't become obvious malware or been sold.
If you imagine that such a list would consume meager resources per person using it a million people paying 1 dollar would probably pay more than it would cost to run it. It would be easier to convince a million people to pay a dollar than it would be to convince anyone to pay a thousand per year for chrome extensions while they are using computers and OS which cost them less combined.
So it's the usual: make it available unrestricted on launch so that idiots build on your platform, look how many apps/extension we have. Once the market is captured, sorry is closed now, for we must protect our users.
Even if that's how it ended up, I doubt that was the plan. I think a lot of Google products, especially those from 10+ years ago, start out built for people like themselves: highly tech literate software engineers. As long as that is true enough, extensions are great and useful, and the users are mostly skeptical/aware enough to avoid installing malware. Now the average chrome user is the same person that filled their IE browser window with Bonzi Buddy toolbars.
It never is the plan, I would say. Great products like chrome are made by people that are driven by the idea of making a great product, for the user. But after that is proven, given some time, the shareholders take over and priorities shift.
It also doesn't help that dodgy folks started buying trusted extensions. One update of a trusted extension and you're just as bad off as installing a dodgy one in the first place.
You do realize that the original Pushbullet issue arose from Google trying to be even more strict and reduce the amount of malware, right? And even with all that, as you mention, CWS is still full of malware.
What hope does any other store then have to create a malware free web store if even Google can't? And if they allow installation from anywhere, do you realize that whatever state we are in now, it would be orders of magnitude worse?
If there is some way to get malware into your computer, someone out there will make you do it. That's exactly why installing extensions is so locked down. I don't understand how people think that it will magically all be better if users were given full access to install whatever from wherever. Have you never in your life interacted with an average non-poweruser?
> What hope does any other store then have to create a malware free web store if even Google can't?
I think you're giving Google too much credit here. For years nearly every single extension, no matter how targeted the purpose, has told me "This extension will have access to all your data on all your web pages". It is such a no brainer to do a little better than that but they tolerated it for years.
In a few cases I looked into why developers requested that kind of permissions and the answer was that Chrome permissions weren't designed well enough to allow narrower permissions. So Google has no excuses here. They control the browser and the store.
Just because they had a more lax approach in the past doesn't mean they aren't working hard to regain control now. And either way, none of that addresses the issue where expanding control would only make the malware issue worse, not better.
I use Firefox as my primary browser, but I have recently run into issues with several sites that I need to use. Whenever I contact support, they tell me their site requires Chrome.
As it is, I have a Winblows box for gaming only that I put Chrome on, but one day, I am going to be remote and needing Chrome. I don't want google's tentacles on my work laptop, but am starting to worry that I have no choice...
If you absolutely must use Chromium you can use Brave instead. It doesn't solve the extensions issue discussed here but at least it cuts out most of the Google garbage.
Netflix limits video quality on Firefox although you can trick it with an extension. Then there is the fact that hardware accelerated decoding for Linux/X11 hasn't hit yet.
Anyway one valid solution is to add one or more app shortcuts that effectively run chrome/chromium --app=url and collectively treat these chrome specific apps as such. Instead of opening a new tab just click the icon on your bar.
Ironic. Back in the days when IE was king, we thought that all that's needed for a truly open web is open standards. Now Google has demonstrated how you can have open standards, but still create and maintain a monoculture around them, simply by evolving them so fast that any competition can't keep up.
The builds themselves may potentially be insecure, but they're rather popular among the security-conscious target audience, so I hope someone would notice if they go bad.
At least it’s possible to side load extensions in Chrome. I’ve been more disappointed in Firefox, which doesn’t allow this at all, even in the developer release. The only thing similar to side loading that is allowed is a temporary debug process, which loads an addon but only until the browser is restarted.
You can! It's far more annoying, but I've been running a few that I've made for myself
In `about:config`, set `xpinstall.signatures.required` to false, and then you can install an unsigned bundled extension locally and it'll persist like normal extensions.
If this is not in the MDN refs anywhere yet, it really should be. I’ve been battling with web-ext for a week now after something mysterious broke that I’ve not yet been able to fix. I’m so glad you posted!
It looks like that doesn’t work in the regular version of Firefox – only Nightly, Developer, or one of the unbranded versions. Is that true in your experience?
This was made particularly clear to me when I tried to install AdNauseam [1] on Chrome. Google removed the extension from their web store (imagine doing something the user wants, like messing with Google ads, terrible!) so you have to sideload it via the developer options. Now I get a popup every time I open Chrome telling me that there's a dangerous extension with a single click uninstall button.
Firefox has its issues (the signing requirements because of malware and invasive antivirus companies suck but I can understand why they exist) but their addons aren't discriminated against. There's addons listing porn sites on there, something for which Google would remove the extension on sight, there's addons that mess with Google and their ads, and the list goes on. The browser is no longer independent from Mozilla, but it still remains much more free than Chrome.
[1]: https://adnauseam.io/, it's an addon that clicks every ad while still hiding them to fight back against advertisements and break the profile ad companies construct around your interests.
On chrome you can actually create your own signing key, and then self sign the unpacked extension directory using your key. To remove the pop-up you then need to set up a group policy (on Windows) to trust your self signed extensions. End result is this popup doesn't come up at launch.
I think this is so hidden (and not really documented well) as a "fix" that must have been added for companies that use their own internal extensions that don't publish them on the web store.
If you can't figure it out from that description I can try to publish a step-by-step on how to accomplish this
Funnily enough, I was actually trying to figure this out today.
I created a very basic Extension, to modify the new tab page (as it's something you can't set in G Suite the way we'd like it).
I wanted to deploy it to our G Suite users, and saw there was an option to deploy via a URL. So I packaged it up in Chrome, put the .crx in a public S3 bucket and set it to force install.
Unfortunately it did nothing... is this not possible? Why is it even an option? Eventually ended up paying for a developer account and submitting it for approval (which was actually super fast).
Self-hosting is def an option. Check out "Managing Extensions in Your Enterprise" https://support.google.com/chrome/a/answer/9296680?hl=en. That's probably the single best resource for hosting your own extensions and installing them on managed devices.
Yeah, pointed it to the crx, set it to force install and nothing happens.
If I install the crx locally it works fine. No way of seeing any logs to troubleshoot, pinged a message to our reseller but that method is looking like a dead end.
At some point I want to put together a simple Node.js server and ExtensionSettings policy to demo a basic working setup, but unfortunately that's back-of-the-bus level backseat at the moment.
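The self-hosting setup discussed in the comments above, as an added example that is not from any commenter or from Google's documentation: it builds the update manifest XML that the policy's `update_url` is expected to serve (the manifest in turn names the `.crx`), builds a matching `ExtensionSettings` policy value, and lints a policy for a `update_url` that points straight at a package or is not HTTPS. The extension ID, host names, version and all function names are constructed for illustration.

```javascript
// Added example. IDs, hosts and versions below are constructed, not real.

const EXTENSION_ID_RE = /^[a-p]{32}$/;   // Chrome extension IDs: 32 chars in a-p
const VERSION_RE = /^\d+(\.\d+){0,3}$/;  // 1 to 4 dot-separated integers
const MODES_NEEDING_URL = new Set(['force_installed', 'normal_installed']);

function escapeXmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/'/g, '&apos;').replace(/"/g, '&quot;');
}

// Parse a URL and insist on https so packages are not fetched in cleartext.
function requireHttps(url, label) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    throw new Error(`${label} is not a valid URL`);
  }
  if (parsed.protocol !== 'https:') throw new Error(`${label} must use https`);
  return parsed;
}

// The XML document the browser polls; it names the package and its version.
function buildUpdateManifest({ extensionId, version, crxUrl }) {
  if (!EXTENSION_ID_RE.test(extensionId)) throw new Error('invalid extension ID');
  if (!VERSION_RE.test(version)) throw new Error('invalid version');
  const crx = requireHttps(crxUrl, 'crxUrl').toString();
  return [
    "<?xml version='1.0' encoding='UTF-8'?>",
    "<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>",
    `  <app appid='${extensionId}'>`,
    `    <updatecheck codebase='${escapeXmlAttr(crx)}' version='${version}' />`,
    '  </app>',
    '</gupdate>',
  ].join('\n');
}

// Value for the ExtensionSettings policy. blockEverythingElse adds a
// default-deny entry so only listed extensions can be installed.
function buildExtensionSettings({ extensionId, updateManifestUrl, blockEverythingElse = false }) {
  if (!EXTENSION_ID_RE.test(extensionId)) throw new Error('invalid extension ID');
  const settings = {};
  if (blockEverythingElse) settings['*'] = { installation_mode: 'blocked' };
  settings[extensionId] = {
    installation_mode: 'force_installed',
    update_url: requireHttps(updateManifestUrl, 'updateManifestUrl').toString(),
  };
  return settings;
}

// Review an existing policy value and return human-readable findings.
function lintExtensionSettings(settings) {
  const findings = [];
  for (const [id, entry] of Object.entries(settings)) {
    if (id === '*') continue;
    if (!EXTENSION_ID_RE.test(id)) {
      findings.push(`${id}: not a valid extension ID`);
      continue;
    }
    if (!MODES_NEEDING_URL.has(entry.installation_mode)) continue;
    if (!entry.update_url) {
      findings.push(`${id}: ${entry.installation_mode} without update_url`);
      continue;
    }
    let parsed;
    try {
      parsed = requireHttps(entry.update_url, 'update_url');
    } catch (e) {
      findings.push(`${id}: ${e.message}`);
      continue;
    }
    if (parsed.pathname.toLowerCase().endsWith('.crx')) {
      findings.push(`${id}: update_url points at a .crx package, expected an update manifest XML`);
    }
  }
  return findings;
}

// Constructed sample run.
const SAMPLE_ID = 'abcdefghijklmnopabcdefghijklmnop';
console.log(buildUpdateManifest({
  extensionId: SAMPLE_ID,
  version: '1.2.0',
  crxUrl: 'https://ext.example.internal/newtab.crx',
}));
console.log(JSON.stringify(buildExtensionSettings({
  extensionId: SAMPLE_ID,
  updateManifestUrl: 'https://ext.example.internal/updates.xml',
  blockEverythingElse: true,
}), null, 2));
```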
> However Chromium is open source and it's still impossible to do so.
I don't know if it's true that the official Chromium or Chrome don't allow sideloading at all—but the rather popular ‘Ungoogled Chromium’ build certainly does (in fact, it probably still doesn't work with the web store directly): https://ungoogled-software.github.io/ungoogled-chromium-bina...
However, the security of these builds may be questionable.
You can still install them on Chrome by downloading a directory and loading it via the extensions page (you have to keep the directory around though).
Firefox allows you to install .xpi packages directly, just by opening the xpi and clicking "install", after enabling the option to do so in about:debugging (unless you use a development version of Firefox then it's automatically supported). No directory/zips extraction required.
So, judging from the discussion on Twitter, there is basically a single guy at Google handling issues like that.
> FWIW Tweeting at other Googlers will probably just get them to me – not that I have a problem with that. At the moment there isn't really a better way, and as a single human I don't scale well. TBH we have systemic issues to work through to improve the comms process here
I had an epiphany 5-10 years ago about technological advancement. An article on here was posted that bart workers would be obsoleted. That it would save so much money. That bart could be more efficient.
The solution was for users of bart to self service.
Which got me thinking: so much of technological advancement isn't about reducing inefficiency, it's about making other people bear the cost of that inefficiency. Someone that is proficient in navigating a subway map - someone that is doing it daily - can do so much quicker than people that are unfamiliar. Despite it potentially being more efficient to keep the person used to doing these things day in and day out employed, (some) technologists still insist on eliminating them because that's more efficient when looking at the smaller picture.
This is basically what Google is doing here. They are making other people and organizations bear the burden of their inefficiencies.
Say what you want about Amazon, but they've encultured the best approach I've seen so far.
They constantly try to automate and make things more efficient, but they also assume they will constantly screw up for someone, somewhere, at scale.
So they back it with an empowered human CSR team, who do their best to make customers happy. They then (apparently) measure the rate of screw ups continuously, and iterate on their processes until they can drive that rate close to zero.
So essentially, Bezos realized that the way to excel was to (a) move fast, (b) break things, (c) apologize (and pay painfully!) when you break things, (d) do your best not to break things in the same way again.
I feel like Google (as a whole, some teams / products aside!) doesn't really grok (c).
Which may work for customer acquisition, but not so well for retention.
Amazon actually takes your money and also has competitors (high street etc). I think that partly explains some of the differences in their approach to your point (c). I think that Amazon also delegates a lot of the pain you're talking about onto their employees rather than their bottom line. BTW I speak as a complete hypocrite who is a happy Amazon customer.
That's very true. I have an example to do with government. Previously client organisations would have submitted paper forms containing hundreds of fields and then at the government end these had to be manually read and entered into their software in a time consuming data entry process. At the client end, the tediousness of data entry had generally long been eliminated by their own software overprinting the forms, although periodically the government would issue new batches of forms which for no good reason altered the margins/fonts or whatever, necessitating software upgrades. Then government had the bright idea of moving the process online. The new "improved" setup involved the clients having to fill in an online web form rather than a paper one. This obviously solved the data entry problem at the government end by transferring it to the clients. No allowance was made for client software with any kind of api or anything like that, it all had to be done manually with usernames and passwords and confirmation of T&As boxes and screen after screen of boxes to fill in, manually. The automated logout ensured that login had to happen every single time a form was entered and for good measure a captcha was added to "add assurance that the forms were submitted by humans".
Doubtless this was all viewed as a great success at the government in terms of increasing efficiency and offering an enhanced service to their clients
It's troubling, I agree. I think more systems thinking helps to address this kind of mindset. Take into account not only the direct costs but the indirect costs, and much of the economic activity we take for granted evaporates. Just as an immediately obvious example, I think most of the direct profit from the petroleum industry is going to end up allocated towards climate change remediation, at least within an order of magnitude.
> Yeah, that's where I'm still catching up. The changes you've made look good at first blush, so I'm a little lost on the follow-up rejection. I'm going to open an appeal to get a second opinion. https://twitter.com/DotProto/status/1260623259315265538
If it's one person why would they be confused why the follow up submission was also rejected? And why would they be "appealing it" to themselves?
There's clearly more than one person involved here. I think they mean they are the only one dealing with customers.
I have a feeling the main review team is disconnected from customers, outside of an appeals system managed by a single person at their discretion. Which still leaves the situation with no clear transparency to developers, as again it's still not clear how their process works or whether any of this is being addressed.
Jack: This exchange was nice to read. But why couldn't it have been initiated and had via the official channels? After a couple back and forwards with the automated responses the system should hook in a developer advocate like yourself instead of the dev having to go beg on twitter...
Simeon: I'm literally the only one for extensions. Generally speaking [Developer Advocates] aren't a super populated role
Google has one person handling extensions for the chrome store.
One person.
Just needed to say this to myself and let it soak in. This very much relates to my growing thinking that I need to port stuff away from Google for good.
Wow, they used the "complaining online and getting enough upvotes" support channel. It should not reflect well on companies when they fix things that come to their attention this way.
I almost want to start a customer service pledge that says "We won't do anything special based on social media unless it retroactively takes into account other customers, and involves process changes that would resolve the problem in the future."
Then at least they would be internally consistent about things like this. Too many Google products have "support by public outrage".
They could also tell what was wrong to the customers.
Also, I laugh about the Google promise of being more open. Every single time they screw it and it goes viral, they promise the same until 6 months later when another business is screwed again.
Call it having your mail shut down, your cloud, app deleted on the play store, the extension on chrome, etc etc.
I abhor such... dehumanising (for lack of better term) "features" whose advertised benefit is saving time, but has a subtle effect of gradually delegating decisionmaking to someone or something else --- whose goals may not be in your best interests.
Every time you "didn't have to think" is a time when someone else did the thinking for you. Take that too far and there is no you left in your life.
Until Google gives us a roadmap with what they're going to change about the review process and when, I'm not hopeful right now. I don't understand why they need to be this opaque about it if they want a healthy developer ecosystem.
It's currently expected behaviour that extension updates from developers can take up to 3 weeks to be reviewed and go live (same as before the pandemic):
> "If your item's status says "pending review" for more than three weeks, you should contact support."
Is it going to change? When? See here for all the developers waiting over 3 weeks for their updates to go live (that's not including what happens when they don't pass review):
All we seem to get back from the few people on the Chrome extension team that communicate with extension developers is along the lines of "I understand your concerns, I want it to change as well, and I'll talk to the team".
It's like the person from Google is talking about getting in touch with a team that works for an entirely different company, as if the team can't be influenced.
Who's the one making the actual decisions and why don't they talk to us directly?
The current internet giants got huge monopolistic like power that many dictators of many countries would envy. They set their rules, execute them, and judge them.
I believe once you become a platform there should be an independent nano-courthouse where you can appeal. Today being rejected by Apple, Amazon, or Google platform is equivalent to the economical death penalty for many individuals.
It should be possible to pay $100 by individuals and appeal to an independent nano-courthouse if the original platform rejects or blocks you. If you win, the appeal fee is refunded and the platform has to cover the cost. If you lose, your $100 is gone.
Imagine being banned by ALL of them. You are cut out from a large chunk of the Internet. The only thing saving you from being unable to access common internet services are those that dared to defy that monopoly (DDG, Mozilla and all those nameless folks working nights and weekends on projects you don't even know exist until you become an internet pariah)
Oh, my company has been there. Our DNS was blacklisted because someone spoofed our emails via GoDaddy. Well, Google blocked the DNS IP, and any emails we sent or tried to receive went into the ether. We also had #1 search results go missing because of it, a nightmare it was.
I've since resolved the issue, lord did that take a chunk of our traffic away. Government bodies also could not access us, which hurt a lot!
As a Firefox fan, I really hope it happens again and again. It's good for the web as a whole when Chrome fails and Firefox doesn't.
As a technical person, you should be advocating the use of (real, community owned) open source browsers not just whatever the majority uses.
I feel that Google's monopoly on the browser market for desktops will be more and more endangered as they (for legitimate business reasons) refuse to provide the services and processes that a modern browser user/developer deserves.
2) Like 90% of Mozilla revenue comes from contract with Google.
3) Not sure what community-owned means here, but one could submit useful patch to both Chromium and Mozilla teams and have it accepted into main codebase.
4) Decisions for both products are not made by a community, but by internal full-time employees who are subordinates of CEO. Mozilla CEO knows the company absolutely can’t lose that contract with Google.
1. No, it is not. Chromium relies on binaries as well as calling Google's web services whose code you cannot read. That is why ungoogled-chromium is a thing
2. Not sure what your point is here. Mozilla needs to make money to maintain and improve its advocacy work
3. See point 1. You don't own or control Google's web services nor its domains therefore you have no full control of the build process if Google decides to shut down its services. If you want to see what community owned means, I suggest you look at the Python community. No hidden binaries or mysterious calls to corporate web services
4. Google's goal is to make money, Mozilla is to keep an open web. Obviously, Google has potential business conflicts while Mozilla doesn't, Mozilla wins even if it dies as long as the web is kept open, Google wins if it makes money full stop
You simply cannot compare them. Just look at Chrome in a fully Google-owned environment (Android), it does not even have extensions.
> Not sure what your point is here. Mozilla needs to make money to maintain and improve its advocacy work
I think the point is that Google could one day just say "hmm, we don't care about being the default search engine on Firefox anymore", decide to not renew the contract, and there goes Mozilla's biggest source of revenue. With Firefox's market share as low as it is, I wouldn't be surprised to see it happen.
It's a bit risky when a large chunk of your revenue comes from a single company, and it's incredibly risky when that company is essentially a competitor.
if mozilla dies, the open web is over. mozilla has been the champion of the open web through two browser monopolies and the five minutes in between. without them, all that is left is the internet archive and wikipedia, neither of which can hold the web open.
Firefox has gotten plenty of flak from extension authors. So have Apple and Microsoft.
The widespread failure of every major app store makes me skeptical that Google is going to improve. It's a good sign that it isn't possible, but even if it is, it's not going to happen unless a competitor forces it.
The problems with the Chrome store are likely not over. What good is it if you have to stir up half the internet to get through their process?
It's not as if developers can go to other platforms since Chrome has 70% of the market. Most of us in tech are in it to innovate and disrupt but hard to do that if everything is a Google or Amazon monopoly.
If Chrome is broken then the browser market is broken. Devs should organize to solve this since Google doesn't seem to be paying attention.
We need to collect and organize feedback from those experiencing problems which is everyone. Get it to antitrust folks in the EU and DOJ to start an investigation (to add to their other investigations). If Google knows the EU and Feds are watching, they might start behaving.
in the olden days we used linux and mozilla when if it wasn't windows or i.e. it was nothing. i filed taxes on paper. as the web goes closed and unfree, innovators have to open up new greenfields
As a user I want my browser's extension support to be more like Visual Studio Code's than like Atom's. Visual Studio Code has fine grained permissions, and prevents extensions from going through and changing everything. Still, it's nice that Atom exists so if I want more powerful extensions, I can use Atom.
There's two ways to go that I see. One is for someone to release an alternative browser that let you install pretty much any extension, sort of like Atom. The other is for the company that wants to provide the user with an innovative browsing experience to develop their own browser, which is what Brave has done.
My reaction to Pushbullet is, as the author of the top comment on a recent post put it, "Yikes" [0]. They have funding from reputable VCs but they require way too much permission and store way too much user data for what seems to be occasionally useful utilities, and this places them alongside the Ask Toolbar in my mental model of the space.
As a Pushbullet user, I think the two cases are nothing alike. Pushbullet is doing things for me. The toolbar plague was about getting access to do things to you. Should Pushbullet be using the minimum set of permissions for that? Sure. Could there be better permission models, ones that make sure Pushbullet doesn't do anything naughty? Possibly! But neither of those justifies a blanket ban.
I'd like to know what the number of users that directly used Pushbullet in the last day (or week, or month) over the number of users that have the Android app installed is. If they have it installed, everything they copy to the clipboard on Android is being sent to their servers, is it not? That puts them in the same category as Yahoo! Toolbar for me.
At one time Yahoo! Toolbar was useful for a significant percentage of its users, because it would let them know how many email messages they have, as well as give them convenient access to the news and weather - so I disagree that it did nothing for its users.
Edit: I took a look at https://blog.pushbullet.com/2014/08/20/introducing-universal... - it appears it was doing that at one time, but currently it may only be doing that for premium users, who would conceivably be likely enough to get good use of the feature that it would justify the potential security risk.
I am a premium pushbullet user and have it on my android phone. It is the only reliable solution to handle texting and notification from the Windows or Chromebook desktop I have come across.
I've never thought about the information they capture or keep, but I do know photos sent through text are kept on https://dl3.pushbulletusercontent.com for a certain period of time. I don't know how long.
> They have funding from reputable VCs but they require way too much permission and store way too much user data for what seems to be occasionally useful utilities...
Having funding from VCs does not have much connection with security posture in products. If anything the correlation might be negative. Large funds seek market domination, not implementation of specific features.
I maintain an extension which provides a language server. I don't have to register intentions. I get the whole api and I even run a bundled executable which has full read/write/execute access to all your files...
I think I must have imagined it while making a basic extension and seeing the contribution API. I thought it would be sandboxed. Maybe with Deno floating the idea of code not having access to the network by default...
Who's keeping a list of all of the times that Google has shut down someone's Adwords/YouTube/Gmail/Play Store account / rejected their app / something else without any communication (this doesn't count as communication, as communication has to convey information) or apparent cause? Bonus points for finding the correlation between an article being linked to on Hacker News and the problem being resolved.
This is exactly what PushBullet was hoping would happen, so I don't know why they're surprised. Everyone loves a good "Google's algorithms are destroying my livelihood and I have no recourse" story... Why? Because it's fucking compelling and, to people outside of Google, it provokes a strong emotional reaction.
Nobody wants their life and livelihood to be fucked over by an algorithm, especially when there is no recourse. These stories almost always end with some random person at Google "fixing something, really sorry" with no explanation. This is how Google operates, and I think they actually try to cultivate this image of themselves. It adds to their mystique and helps them hire bright engineers.
What can I do? Same as last time this came up, the best thing you can do is just to not use Google properties or software, and turn on your adblocker.
> All of that attention resulted in our issue being resolved. This is good for us. It is not yet clear if the attention will help other developers that are struggling with similar vague rejections.
I think it's been made abundantly clear that Google will not, in fact, improve anything from experiences like this. They happen over and over and every single time it's the same; if it gets publicity, someone helps resolve it; but nothing ever improves in the way of communication.
If it works the same way as the play store does, the DA has little to do with that.
A play store advocate can not look up why your app got rejected, they can at most ask their play store colleagues to look it up and to contact the app owner.
It is this way to avoid getting in a situation where being friends with a DA is a huge advantage.
Their job is to collect dev feedback, as well as evangelizing good practices.
And granted, both teams could do a better job at pinpointing the issues (and devs might also try harder to follow the rules .. fwiw play store bans threads have just been banned from r/androiddev because devs had a tendency to forget to talk about the legitimate reason why they got kicked out)
As the lead of that Devrel team, this is pretty much spot on. The process for these things is out of our hands (prevents abuse etc). There are a lot of things we can improve about the Chrome Web Store processes, not to mention a lot of other areas across Chrome.
And he says with current events, meaning a massive number of recently-laid-off-developers Google could have cheap, things will continue to move slowly.
It seems like there are two ways to handle an exceptional condition. One is to say, "Gosh, this is bad! We'll fix it and move on!" And the other is to say, "This is bad, and it's telling us something about the system we've built. So let's fix it for this person, then find the systemic flaw and fix it so we stop doing this in the future."
Sadly, a lot of companies will look at a PR problem and do just enough to make their pain go away, without ever saying, "Wait, are there people we should care about besides ourselves?" It's disappointing.
The end result being a far less permissive extension. The permissions they required were insane but our entire focus is on Google's customer service.
Now that we all agree that Google's process sucks, can we talk about how insane it is to even have this level of permissions available for request in the first place?
permission, since things like generic content blockers have to be able to modify any page (you definitely need to take great care when installing these extensions, which unfortunately most users aren’t equipped to assess, which is why extension security is such a headache and stringent review is welcome).
On the other hand, this particular extension requesting this access just because they weren’t told not to is more of a wtf.
It might be difficult to impossible to currently implement, but perhaps if you have access to `*://*/*` you should lose access to pretty much every other permission.
That’s not how permissions work in Chrome extensions. You pretty much can’t do anything with the URL matching permission alone, however broad your pattern (including <all_urls>).
That wouldn't help much. For example, with read/write access to your banking website a malicious extension could inject a script tag that exfiltrated data to their server.
I think it's better to implement content blocking outside of the browser (especially considering it's not in the interest of the most popular browser's backing company) and eliminate these types of permissions completely! I.e. Wireguard + DNS adblocker (or w/e you want to block). Not only does it perform better but you aren't leaking data to third-parties, who even if they are noble could be acquired by a less noble entity down the road.
DNS filtering is a very crude form of content blocking. It’s a supplement, not a replacement. Have a look at uMatrix for an example of heavy machinery. See also CSS-based blockers like Shut Up (or mixed blockers like ABP that include CSS-based rules), which are completely impossible on the network layer.
Also, content blocking is just one example. There are other legit use cases of the all sites permission: Tampermonkey, Stylus, password managers, any kind of web clipper, trivial things like Don’t Fuck with Paste, auto refresh, user agent switcher, etc. The list is endless.
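Added example, not part of the original thread and not code from Chrome or Pushbullet: a small audit of a `manifest.json` that separates host match patterns from API permissions and flags all-sites access for manual review, the property this sub-thread is debating. The function names, breadth labels and both sample manifests are assumptions constructed for illustration.

```javascript
// Match patterns that grant access to every site.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Chrome match-pattern shape: <scheme>://<host>/<path>
const MATCH_PATTERN = /^(\*|https?|wss?|ftp):\/\/(\*|\*\.[^\/*]+|[^\/*]+)(\/.*)$/;

// Returns "all-sites", "wildcard-subdomains", "single-host" or "other".
// "other" covers API permissions such as "tabs" and any pattern this
// sketch does not model (for example file:// URLs).
function classifyPattern(pattern) {
  if (ALL_SITES.has(pattern)) return "all-sites";
  const m = MATCH_PATTERN.exec(pattern);
  if (!m) return "other";
  const host = m[2];
  if (host === "*") return "all-sites";
  if (host.startsWith("*.")) return "wildcard-subdomains";
  return "single-host";
}

function auditManifest(manifest) {
  const sources = [
    ["permissions", manifest.permissions],                 // MV2 mixes hosts and APIs here
    ["host_permissions", manifest.host_permissions],       // MV3 host patterns
    ["optional_permissions", manifest.optional_permissions],
    ["optional_host_permissions", manifest.optional_host_permissions],
  ];
  for (const [i, cs] of (manifest.content_scripts || []).entries()) {
    sources.push([`content_scripts[${i}].matches`, cs.matches]);
  }
  const hosts = [];
  const apis = [];
  for (const [field, values] of sources) {
    for (const value of values || []) {
      const breadth = classifyPattern(value);
      if (breadth !== "other") {
        hosts.push({ field, pattern: value, breadth });
      } else if (!field.startsWith("content_scripts") && !apis.includes(value)) {
        apis.push(value);
      }
    }
  }
  const broad = hosts.filter((h) => h.breadth === "all-sites");
  // API permissions are reported alongside because host access is what
  // they operate on; a reviewer reads the two lists together.
  return { hosts, apis, broad, needsReview: broad.length > 0 };
}

// Constructed sample: broad access requested in two places.
const broadManifest = {
  manifest_version: 2,
  name: "constructed-example",
  permissions: ["tabs", "notifications", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

// Constructed sample: the same extension narrowed to the hosts it needs.
const narrowManifest = {
  manifest_version: 3,
  name: "constructed-example",
  permissions: ["notifications"],
  host_permissions: ["https://*.example.com/*"],
  content_scripts: [{ matches: ["https://app.example.com/*"], js: ["content.js"] }],
};

for (const m of [broadManifest, narrowManifest]) {
  const r = auditManifest(m);
  console.log(`MV${m.manifest_version}: needsReview=${r.needsReview}`,
    r.broad.map((h) => `${h.field}: ${h.pattern}`));
}
```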
It's not unlike malware analysis. Heuristics make it better, and you need to be in the DOM for that. There's also handy things like "right click to block".
Google owns that side of it too. If Google thinks you are over-reaching in your access to permissions, they can simply choose not to provide access to the resources behind those permissions.
Google has effectively crowdsourced both developer support/restitution and extension filtering for chrome.
Instead of paying people to answer emails for developer support, they pay a small number of people to monitor social media sites for complaints that reach some threshold of outrage/publicity.
Way less hassle to let the public solve their problems.
-The permissions that pushbullet needed originally were a bit overreaching.
-We never knew which was the offending one.
-Reading the original article it crossed my mind that some of the permissions the extension asked could be used for marketing (I'm not implying that they were used for that), and maybe google just didn't want extension developers to have a cut on that.
-I really don't like how these marketplaces have made big companies gatekeepers for market share.
I actually had a similar experience with Google Ads: A site was flagged for malware, no explanation what they had found, once I got answers out of them, days later, I found where a non-resolving but probably former malicious link ended up on the site. I purged it, cleared the CDN, asked for review, and was quickly rejected because I allegedly hadn't removed the malicious link.
I asked them to show me where they still found it... and they then realized it was indeed gone, rejecting my re-review was incorrect, and reenabled the account.
The only positive on my end, was that since it was the Ads team, where Google's money is, I got human email responses.
It started out with "Add google meet" not being a button, and below the Zoom button. Last week it shifted to the Google Meet button being a larger blue button. Today, they moved the Meet button to before the Zoom button by shifting their DOM around.
I assume Zoom can't do anything about this for 3 weeks at least, definitely goes to show how much authority Google has in this situation.
I imagine the value that Google gets from chrome extensions is a small fraction of what they would get from Android apps.
They're not going to be able to spend millions of dollars to fund better human moderators and tools for the extension reviews when a typical extension brings what, a few cents for Google?
They probably can't justify the resources to do the sort of specific feedback that would make this process much better.
Even Android App developers face the same thing. When they upload their app to the app store some bot looks at it, and can reject it for whatever reason and only provide a vague explanation. I've seen stories on /r/androiddev of developers' apps getting rejected for uncertain reasons, or even having their whole account entirely banned. Unless you are a massive company like Netflix or Spotify you will have no way of contacting a human for support.
I've thought of messing around with developing an Android app and uploading it to the app store just to gain some experience and try something different, but the fact that my whole google account could be banned just because a bot thought my app was bad for whatever reason is scary.
There's a great moderately-popular opensource extension providing a desktop-quality image viewer interface: zoom, rotate, stretch by default, all that jazz. Specifically, ‘there is’ this extension for Firefox. It was also there for Chrome, but the dev received the same crappy letter and didn't feel like playing the guessing game. New CRXes are still made available on the site.
Since Big G's treatment of extension developers is incompatible with their self-respect, I wholeheartedly support devs who decide to dump the web store—despite me making some use of two Chrome-based browsers.
Makes you wonder - was there even a problem in the first place? Or were they just trying to silently kill this extension but failed due to this going viral?
I understand they were using a very broad wildcard for permission on websites they could access. I'm glad they narrowed that down. But after they did, they still needed this to blow up in order to get an actual response.
But we still don't know if that was the actual reason the app got pulled, as if that were the case it should have been trivial for a computer to notice it was fixed; do you not see how that sucks?
It is good that this was resolved, but not so good that they had to shame Google on HN/Twitter to get it looked at.
I understand that the Chrome extension store is free, but if you're going to point a bunch of bots at it and have them de-list extensions based on unknown metrics, the least you could do is communicate the "gotcha" rules the extension supposedly violated.
Even found a recent news article reporting that now you need to pay the fee immediately on signup as opposed to when you publish the first extension/app.
(In case anyone wonders why $5 is even worth mentioning — if you’re a teenager in a third world country you probably have neither the funds nor a credit card to publish a Chrome extension.)
No first hand experience, but I’ve heard stories of African kids doing impressive tech stuff using very limited resources. Presumably quite a few have access to school computers these days? Developing extensions is free as long as you have access to a computer. Anyway, not having access to a credit card (also need to be capable of international payment, which is not a given) is a much bigger issue than not having $5.
I have $5 but on principle I don't want to give it to Google so that I can make their web browser better.
That with the horror stories about the review process has stopped me from publishing an extension for Chrome.
Edit: there was a nice article on HN last week about how relationships change once you start to have a monetary exchange, which I think suggests I wouldn't be the only one to be irrational about it [1].
The dev said the iOS side of things are irrelevant for them anyway since most of their users are on Android, which is frankly disheartening since there's no alternative for iPhone users with linux desktops now
To me, Android PushBullet killer feature is notification sync (though I moved to KDE Connect once it came out), so I never had any reason to install their iOS app. For iOS, only Bluetooth devices can access notifications - BTW I made a script for Linux for that: https://github.com/pzmarzly/ancs4linux
Rest of the features seem to be possible to replicate with Firefox or Chrome for iOS, plus iCloud, plus pushover.net.
Wow. That's pretty lame of them. I don't agree with their logic, but I do agree with following the user base. I will continue to use the version I have. I could probably find a way to share the .app if anyone needs it.
Found pushover.net which seems like a decent (paid) alternative.
We need an open-source version of this kind of functionality, maybe using ActivityPub? Self-hosted option with Google integration for a start, and since everyone needs to have Sign in with Apple for iOS, I guess that too. Might as well add Facebook login support.
Not so sure about lame of PushBullet. It feels more lame of all of the major tech players to be essentially fighting over how much they can extort out of developers using their monopoly powers.
Facebook seems to say, you have 1 week to update your sign-in integration code to the latest version (or I guess they get cut off from Facebook API or something?).
Apple says you must support Apple sign-in, or you won't be allowed on our App Store, without which it's nearly impossible to get your app on an iPhone.
Google says guess what we want based on our vague emails and meaningless responses, or we remove your extension/app from the store, making it nearly impossible to use on Chrome.
Geez, it's like Microsoft is the good guy of the tech majors here.
Look, there's more than enough lame decisions to go around in this case. :P
I agree with Apple's stance. The landscape has changed. To be a tech superpower is to have your own pull, and to be able to make unilateral decisions on behalf of your business and your customers/users. That is what Apple has done here. I happen to agree because I already like Apple's implementation of Sign in with Apple specifically, even though I have never used it. I also agree with Apple's stance on privacy generally.
I don't like that Apple forced this decision in this way, but I am fine with the outcome in general, but am saddened to see that it negatively affected a developer whose product I use. However, I question the Pushbullet dev's dedication to the iOS platform. Mobile development is a moving target. To single out Apple for blame for changing the App Store conditions for apps is silly. You could just as well blame the dev for not keeping up with the times.
Can someone from Google use a throwaway to explain why the hell their support is garbage. From the Chrome store, to G-Suite, to Pixel Support. It's just awful.
Maybe that's a glimpse into the shitty future we're building for ourselves: Judged by unexplainable results from machine learning decisions. No one except some machine is to blame and maybe their support could not even provide a useful explanation even if they cared. Maybe the pushbullet extension just used if-statements in a way that was a bit too close to how scammy extensions organize their code. </tinfoil-hat>
Fair enough. I was mainly talking about this specific instance. From what I have heard, the G Suite and Pixel phone support is bad, but it isn't downright non-existent like it was here.
As a former Call Center Director, it's pretty amazing to me how much bad-will these massive companies are willing to foment by not running their support correctly.
It's not that hard / expensive guys... you can hire great support employees for $20 / hour all across America.
Are these great $20/hr support engineers the kind I often deal with over email or phone, who usually employ canned responses, can’t solve off-script problems, tend to repeat the same unhelpful responses, and are sometimes indistinguishable from bots?
Look towards Shopify Support Gurus. Paid well, fully remote. As a Shopify Partner I deal with them a lot and have never had a bad experience; while some can't always answer my question, I always speak to a human (24/7 via live chat) and they direct my query in the right direction.
I know from an associate that their experience with GCP makes it seem like they aren’t able to handle the edge cases for customers. My associate tells me that GCP sales team will talk up all the capabilities, but when it comes time to move from a competing provider, it’s like a new road for them. Unforeseen outages because something that scaled well in AWS/Azure is not scaling as it should in GCP. Chalk it up to new learnings for the team, but having to reach out to GCP to fix or allow something that AWS/Azure already makes easy to do shouldn’t be difficult, or a surprise.
I'm less qualified to opine on Google than most of the people here, but in hindsight, what Google products remind me of is the way that black walnut trees slowly poison the soil so that the seedlings from other species of tree cannot grow nearby. The good intentions that poured energy into all the 20% products are no longer the point. Somewhere along the way, someone figured out how to use them strategically. The free products are good, good enough to use, until you realize that there is no path for continued growth or investment of resources, and run into seemingly arbitrary disappointments and limitations; it is as if at some point, someone stopped the projects from adding cool utility to the product, and started making sure that hindered, crippled versions of the feature were offered instead. I experience this most acutely with the languishing "Google My Maps" product. It feels as if the target is not just potential competition, but the imagination and demand of the market itself.
I don't actually know the story of Google Reader and RSS feeds, but I remember how integral RSS feeds were to the golden era of blogging, and how abruptly that era seems to have ended with Google Reader's apparent death. And to me, that has a similar feeling. The idea is that the target is not potential competition wherever it might spring up; the idea is to sap the demand that might nourish competition, to suck the air out of the room, and stifle the imagination of the market itself.
It isn't Google alone who is responsible for this feeling, to be fair. There is watching the growth of the walled garden of Facebook, watching the collapse of the old chat services which allowed independent clients, watching successful startup after successful startup turn new ideas into content for a routine process wherein we see the exact same sheen of gloss on the promises, the same dance steps towards the pirouette, the attempt to pivot gracefully and effortlessly towards monetization in a maneuver that is in fact a mating dance desirous of acquisition.
All of it really sucks. It's not like there's an easy alternative. People like free things, and with computer-based resources there is often so much opportunity to scale the value of a thing that free things can be sustainable; a project can succeed and be useful to thousands of people merely on the basis of the labour that some are willing to commit to to sustain it. Again, I'm less qualified to describe this than most of you are. But that's what open source is like.
It doesn't work with services. Code that runs on different platforms can be replicated/adopted for infinitesimal cost, and the underlying costs of running it are naturally distributed. Services are different. The replication/adoption and the creation of value both involve a massive rush of the many to the one. That relationship pretty much sums up the whole story. If capital accrued to capital by a square law, attention would accrue to attention by a cube law. In idiosyncratic niches that cannot be satisfied by the mass service, alternatives are actually viable and flourish. But anything that would be beneficial to us all encounters this problem of needing to absorb the real costs of operation while seeming to be as free as possible, or else the users will flit away to a different flower.
There's no good solution to this, but the way in which Google has graciously assumed responsibility for directing our attention does not make it better. All the improvements to search results over time seem to focus attention more and more to what an archetype of user is likely to be satisfied with. I would not be surprised if the energy costs per search had gone down. As many have noted, esoteric results are increasingly invisible.
Anyways, this is what we have done with the new universe of human communication that has opened up in the last few decades, which we imagined we would leverage into new systems of effortless communication and collaboration. And we have, to a lesser extent. Second best or third best. But we've discovered this really intractable problem with the distribution of costs.