Similar boat. I release an extension with about 1 million installs across Chrome/Firefox/Edge for work.
Firefox (despite being the smallest usage) is utterly insane with regards to process. They demand a reproducible build, but then can't do things like install the right version of yarn (no - npm install -g yarn is not correct, our readme says it in bold like 5 times and provides the exact correct command to install the right version), or follow basic setup steps like "Use this version of node (complete with exact steps to install it and a script to automate that for them)".
God fucking help you if you try to do something completely crazy as a private company like - checks notes - use a private NPM module. Despite providing them with access on a pre-configured account, or offering to give a review account access according to Mozilla "It's too hard to use external accounts during review".
Honestly - having to interact with the browser review team is a BIG reason I no longer recommend Firefox. They're incompetent at best, and I'm fairly convinced they're just milking the Google search deal income for as much as it's worth - I don't think they really want to provide an alternative and secure browser anymore.
On the flip side, having to interact with addon review has raised my confidence in the browser. The steps they take to review, while not perfect, seem like they could weed out a lot of potential garbage and malware. I was expecting a much more minimal review process, which would have raised my fear about the extensions I use and set to auto-update.
Reproducible builds and open source sound like a good thing.
I wouldn't expect the reviewers to deal with every add-on's bespoke snowflake build. Even less so if it requires access to a private module. Mozilla should provide a baseline of how a build is intended to be done, then extensions just have to follow this template. Though yes, you would expect them to have some familiarity with basic stuff like yarn and that the baseline supports a few of the most popular builders.
We use a relatively simple build. At the base of it, if you have node and npm, a complete build is as easy as
yarn npm login
yarn --immutable
yarn build
Personally - I don't really find it reasonable to place demands on build tooling for an external company.
I'm assuming you would also find it reasonable for Google to suddenly ship chromium with a requirement that you use "google-pack" for all js builds or they don't run it?
To be entirely blunt, what exactly do you think is going to change when we're already giving them bare JS? It's not like we're shipping a binary blob here, we're literally handing them a zip file with perfectly fine & inspectable javascript inside it.
Further, do you realistically believe that a single low grade QA/Support engineer who can't even install the correct tooling is going to catch malware?
Because I read their matrix chats and I can fucking promise they aren't catching the malware all that fast....
> I don't really find it reasonable to place demands on build tooling for an external company.
I'm not sure I agree, plenty of OS distributions do this. If you want to distribute on Arch in the official AUR you're going to need a PKGBUILD file. The difference though is they make it very easy to integrate custom distribution channels where you can build the package however you want, and I would really love to see browsers move more in that direction. Requiring centrally managed signatures from a corporation to install extensions in a purportedly open and community-driven product is just absurd to me.
> I'm not sure I agree, plenty of OS distributions do this. If you want to distribute on Arch in the official AUR you're going to need a PKGBUILD file.
This is fine. This is actually also roughly in line with what you need for an extension (a manifest.json file).
What the poster here is proposing is rather this: You cannot build that PKGBUILD file using any tooling other than the standard. Ex - you want to script how that PKGBUILD file gets made? Fuck off, not allowed.
That's a COMPLETELY different take. It's not dictating limitations on the output (which I find reasonable as a required integration between products) it's dictating limitations on how a company produces that output (I find this monopoly behavior, why should they get to tell me what tools or processes to use? My output is the SAME.).
It seems reasonable that they'd have a requirement there's a single file they'll run, maybe even with a predetermined name like ./build, and that's it.
The developer can then juggle all their dependencies and run make/yarn/npm/etc within that. It's really not different from having a CI build script.
This is exactly what the review process for the Play Store is like, even worse for Google TV apps. Often times just re-submitting multiple times without changing anything at all will get it pushed through.
Yeah but despite how much HN hates Google everyone here will do whatever it takes to get on their app store. Google has the power to make the entire industry their bitch.
So much this. Mozilla barely breaks 10k installs out of our total 1 million installed base.
We had a really frank internal discussion about just dropping support for Mozilla because their review process is also the most expensive out of every client we currently ship (And not "reasonable expensive"... Useless time sink expensive, back and forths with folks who I would frankly not hire as a junior because they can't read a readme file and follow basic and clear instructions.)
They are acting like they have the position to demand these reviews... and they just don't.
Good devs just leave because they're a waste of time and money, and they're STILL rampant with malware on their store (Mozilla is literally the only one of the major vendors that will make a listing live with no vetting, and then 4 months later yank it because of "problems"...).
It doesn't make me feel secure, it makes me feel like they're trying to market security. It makes me really dislike Mozilla, and Firefox was a formative part of my tech career early.
This sounds super frustrating, as someone who has an idea or two for browser extensions I'm not looking forward to all the bureaucracy. I actually love the idea of requiring and validating reproducible builds but they really should invest in reviewers competent enough to manage that.
I do have half an idea to deal with it that I plan to try, thought it might be helpful to suggest: implement a Fisher-Price build system that checks and automates every single step and cannot go wrong. Ideally if the reviewers can run Docker, do it all in a container. Wrap package.json scripts with functions to validate the build environment before proceeding and either fix it automatically or fail and print clear instructions to the console. A preinstall hook could verify they have proper NPM auth and prompt for it if needed.
Annoying to have to do that at all though. I'm starting to come to similar conclusions on Firefox, using it currently but I've been thinking about jumping ship for a while. What browser would you recommend now? I wanted to get away from Google but I'm considering just Chromium since any remotely comparable options I've found are poorly thought out wrappers of it.
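The "Fisher-Price build system" idea from the post above, sketched out as an added example (this is not code from the thread or from any poster's extension): a POSIX shell preflight that pins exact node and yarn versions, checks that the private npm scope actually has an auth token before anything runs, and prints the fix for each failure instead of leaving the reviewer to guess. The version pins, the `@acme` scope, `npm.example.com` and the `preflight.sh` name are assumptions made for the example; the `.npmrc` layout checked is the npm / Yarn Classic one, so with Yarn Berry the same check would read `.yarnrc.yml` instead.

```shell
#!/bin/sh
# Added example (not from the thread): a fail-loud preflight for a reproducible extension build.
# It pins exact tool versions, refuses to continue on any mismatch, and prints the fix instead of
# letting a reviewer guess. Version pins and the @acme scope below are hypothetical.

REQUIRED_NODE="20.11.1"   # assumed pin; in a real repo read it from .nvmrc
REQUIRED_YARN="4.1.0"     # assumed pin; in a real repo read it from package.json "packageManager"
PRIVATE_SCOPE="@acme"     # hypothetical private npm scope the build depends on

# Exact-match check: reproducible builds want the pinned version, not "close enough".
# Prints "ok" on match; on mismatch prints observed vs pinned version and the fix command.
check_tool_version() {
  tool=$1; want=$2; have=$3; fix=$4
  if [ "$have" = "$want" ]; then
    echo "ok: $tool $have"
    return 0
  fi
  echo "error: $tool is '${have:-not installed}', build is pinned to '$want'" >&2
  echo "fix:   $fix" >&2
  return 1
}

# Inspect an .npmrc (npm / Yarn Classic convention) and verify the private scope maps to a
# registry that has a non-empty _authToken entry. Returns 0 when auth is present.
npmrc_has_auth_for_scope() {
  npmrc=$1; scope=$2
  registry=$(sed -n "s|^${scope}:registry=||p" "$npmrc" | head -n 1)
  if [ -z "$registry" ]; then
    echo "error: no registry configured for ${scope} in ${npmrc}" >&2
    return 1
  fi
  # npm writes auth lines as //host/path/:_authToken=TOKEN, with the scheme dropped
  hostpath=$(printf '%s' "$registry" | sed -e 's|^https\{0,1\}:||' -e 's|/*$|/|')
  token=$(grep -F -- "${hostpath}:_authToken=" "$npmrc" | head -n 1 | sed 's/^[^=]*=//')
  if [ -z "$token" ]; then
    echo "error: no _authToken for ${registry}" >&2
    echo "fix:   yarn npm login --scope ${scope#@}" >&2
    return 1
  fi
  return 0
}

# Full preflight: run every check, collect failures, and stop before any build step runs.
preflight() {
  fail=0
  have_node=$(node --version 2>/dev/null | sed 's/^v//')
  check_tool_version node "$REQUIRED_NODE" "$have_node" \
    "nvm install ${REQUIRED_NODE} && nvm use ${REQUIRED_NODE}" || fail=1
  have_yarn=$(yarn --version 2>/dev/null)
  check_tool_version yarn "$REQUIRED_YARN" "$have_yarn" \
    "corepack enable && corepack prepare yarn@${REQUIRED_YARN} --activate" || fail=1
  npmrc_has_auth_for_scope "${HOME}/.npmrc" "$PRIVATE_SCOPE" || fail=1
  if [ "$fail" -ne 0 ]; then
    echo "preflight failed; fix the items above and re-run" >&2
    return 1
  fi
  # --immutable aborts if the lockfile would change, so the reviewer builds exactly what was shipped
  yarn --immutable && yarn build
}

# Only run the real checks when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then
  preflight
fi
```

Wiring this in as the `prepare` or `preinstall` script in `package.json` (or as the single `./build` entry point the other replies ask for) means a reviewer with the wrong yarn, the wrong node or no registry token sees one specific error and one copy-pasteable fix, rather than an opaque install failure halfway through.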
> ... it might be helpful to suggest: implement a Fisher-Price build system that checks and automates every single step and cannot go wrong...
Programming is a race between the programmers, trying to build better, idiot-proof software, and the Universe, trying to build better idiots. Do not underestimate the Universe.
Honestly I have to side with Mozilla team here. Kudos to them for trying to actually care about security and privacy. I can imagine the nightmare that people are submitting and trying to recheck everything and build those random extensions with private npm repos and whatnot.
It’s funny to think of Mozilla like landed gentry where they have captured serfs (their users) and get a payout from the king (Google) for their loyalty and support.