Simeon from the Firefox Add-ons team here. Sorry about the rocky experience. I realize this is a bit late for your situation, but earlier this year the source code submission docs were updated with information about the default reviewer build environment[1].
It's not a huge improvement, but it sounds like one thing we could do to improve the communications process around build errors is to include a link to this documentation in the notification email sent to developers. I'll create a ticket for this now.
I was about to say "concurrent writes shouldn't be a problem because localStorage is synchronous and JS is single-threaded," but then I started thinking about multiple tabs, WebWorkers, and multi-process browsers and figured I should double-check the spec.
> Warning! The localStorage getter provides access to shared state. This specification does not define the interaction with other agent clusters in a multiprocess user agent, and authors are encouraged to assume that there is no locking mechanism. A site could, for instance, try to read the value of a key, increment its value, then write it back out, using the new value as a unique identifier for the session; if the site does this twice in two different browser windows at the same time, it might end up using the same "unique" identifier for both sessions, with potentially disastrous effects.
I don't know exactly what the the person you're replying to had in mind, but support for different parts of the manifest varies (especially in Manifest V3). While it's possible to write a single manifest that works in all browsers (with warnings), doing so requires more than a little specialized knowledge.
For example, Firefox does not currently support the `optional_host_permissions` top level manifest key. To work around this, developers can declare their optional host permissions in both the `optional_host_permissions` array for Chrome compatibility and in the `optional_permissions` array for Firefox/Safari compatibility.
Another example is that currently only Chrome supports `background.service_worker` in stable releases. To work around this, developers can write their MV3 background scripts in a way that's compatible with both service workers and event pages, then declare both in the manifest like so:
Yep, that's it! I settled for generating the manifest.json through a script, since at some point adding something only supported by one browser would cause an error in the other, though I think that may have been remedied now.
To my knowledge no browser supports transferring an extension's user base from one extension to another. If you want your users to switch, the only think you can do is show them a link of where to get the new extension they should install.
The GGP suggested "officially transfer the single extension to a new owner" which you can obviously already do (by giving the new owner your account, if nothing else), and "tell the user the ownership changed and offering them a chance to uninstall" can already be done by any extension that has any sort of UI. You don't need to "[transfer] an extension's user base from one extension to another".
> The extension ID is derived from a private key that the developer uploads with the first upload to the app store
While what you described is possible, this process isn't required or the typical way an extension ID is generated. Typically developers just upload a ZIP file on their first submission, then CWS will generate and store a private key to sign the extension for public distribution.
> and the ID will change if any subsequent uploads include a different key.pem in their zip file
CWS should never change an existing extension's ID. The ID is what I uniquely identifies an extension. If the ID changed, Chrome clients wouldn't be able to request an updated version of that extension. CWS & Chrome do not support migrating users from one extension to another.
To the best of my knowledge CWS will reject an extension if the zip after the first submission contains a key.pem file.
> Therefore, if the extension ID changes, it's possible the owner changed.
If the extension ID changes, it's not the same extension.
> then the new owner could push changes without even needing access to that key.
This is mostly true, but there is one case where developers CANNOT update an extension without the PEM: if the dev signed the extension they submitted to CWS. To be honest I'm not even sure this is possible to do any more; as I recall this feature was a huge foot-gun and often ended up causing developers to lose their install base because they lost their private keys that they used to sign their own uploads.
It's not a huge improvement, but it sounds like one thing we could do to improve the communications process around build errors is to include a link to this documentation in the notification email sent to developers. I'll create a ticket for this now.
[1]: https://extensionworkshop.com/documentation/publish/source-c...