New XKit is restricted for violating Mozilla policies #2179

Open
omena007 opened this issue Dec 12, 2024 · 5 comments

@omena007

After the newest update this came out: Why did this happen?

This extension, theme, or plugin violates Mozilla's add-on policies.

This add-on violates Mozilla's add-on policies by executing remote code and by not providing reviewable or reproducible source code.

@hobinjk

hobinjk commented Dec 12, 2024

Copying from a response I wrote elsewhere:

Atesh designed XKit with a slightly non-standard mechanism for updating itself (evaluating remote code) that made it possible to rapidly update for changes to Tumblr (good) but also circumvented the normal add-on review process that Mozilla/Google want to do (bad). For quite a few years now, Mozilla would waive their policy against this mechanism if we had people install from our own site instead of being listed on addons.mozilla.org. However, this exception has suddenly been removed for unclear reasons. On the other side of the data pond, Google will also be preventing this mechanism soon when they drop support for Manifest V2 extensions so we need to do some hard work no matter what.

One minor note on that Mozilla policy is that (as you may notice) you can see the reviewable and reproducible code right here 😆

We're hoping that 7.10 (version on the current main branch) will resolve these issues, but it's a large and complicated set of changes so we were taking our time to test it before this whole kerfuffle.

@marcustyphoon

marcustyphoon commented Dec 12, 2024

Two things I'll clarify (I need to figure out how to write these into a news post of some kind):

First: Mozilla's rule—just like Chrome's rule—is that to prevent extension developers from doing bad things, all extensions you can run on their browser "easily" (i.e. without jumping through the hoops a developer would) should have gone through their review process. New XKit violates this, and has always violated it, because the package we send to Mozilla mostly just contains code that has your browser download the latest code from GitHub. If, ten minutes from now, I or someone who gained access to this repository by tricking us wrote a modification to Old Blue that also made your web browser delete your Tumblr account—I am fully capable of doing this, fyi—Mozilla's review team would never see that code and couldn't stop me before it got to you. (Would they catch it if that happened after we make the 7.10 changes that submit all XKit code for review? Possibly not, but there's a chance they would; that's the point.)

The only change that's happening now is that our Firefox install process, where you cannot find New XKit on addons.tumblr.com but instead need to download it from https://github.com/new-xkit/XKit/releases (something which, I can vouch, makes it way harder for users to find it!), is no longer qualifying for an exception to the rule (in a sense, it's "easy" enough to count as a non-developer method). I notably have the technical ability to make New XKit meet every requirement for listing on addons.mozilla.org, in theory (I'm an XKit Rewritten and Palettes for Tumblr contributor too, those obviously meet the requirements, and while the New XKit codebase has qualified as "extremely bad" for this entire decade, it's not unsalvageable). But if it were up to me, I definitely wouldn't put it on addons.mozilla.org—it's a project where everything we fix or add takes up more of our extremely limited development and review time than if we just move functionality to XKit Rewritten and Palettes for Tumblr. Users will get the most functionality from us if they install the new extensions and use them for the features that have overlap, and in cases like Old Blue, the new versions are just better in every way (per user consensus). The ecosystem is better if New XKit is still installable, IMO... but if you have to seek it out specifically because you're looking for your Blacklist backup, not if you're a new user and you find it by searching for "xkit," or if you're simply not aware that there's another option.

And second: New XKit is still installable presently. At least that seems to be the case. The Mozilla page linked by the warning says "Until the violation is resolved, this add-on won't be available for download from addons.mozilla.org," but New XKit already wasn't available for download from addons.mozilla.org, so that doesn't change anything. I tried installing New XKit the way it's always been installed on a new Firefox installation and it seemed to work just fine. Not sure if this will continue to be the case or if there's a deadline before this turns into an actual block of the extension—we'll have to message Mozilla about that—but as it is now, as long as we communicate about it publicly to indicate such, this incident just serves as a kick in the pants to get people onto our newer, easier-to-support codebases, which we were going to do anyway. I'm fine with that.
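
The loading pattern both maintainers describe above (a small reviewed package that downloads code at runtime and evaluates it) is what a reviewer looks for in an extension's source. As an added example, not code from XKit or from Mozilla's review tooling, here is a heuristic check run over a constructed manifest and file map; the file names and the URL are hypothetical.

```javascript
// Added example: heuristic review aid, not the XKit code base or Mozilla's linter.
// Flags the two ingredients of a self-updating loader: a network fetch of
// script text and a dynamic-code sink that executes it.
const SINKS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "new Function", re: /\bnew\s+Function\s*\(/ },
  { name: "string timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];
const REMOTE = /\b(?:fetch|XMLHttpRequest|importScripts)\b[\s\S]*?["'`]https?:\/\//;

function cspOf(manifest) {
  const csp = manifest.content_security_policy || "";
  // Manifest V2 uses a string; Manifest V3 uses an object keyed by context.
  return typeof csp === "string" ? csp : Object.values(csp).join(" ");
}

function auditExtension(manifest, files) {
  const findings = [];
  if (/'unsafe-eval'/.test(cspOf(manifest))) {
    findings.push({ file: "manifest.json", issue: "CSP allows 'unsafe-eval'" });
  }
  for (const [file, source] of Object.entries(files)) {
    const sinks = SINKS.filter((s) => s.re.test(source)).map((s) => s.name);
    const remote = REMOTE.test(source);
    if (sinks.length && remote) {
      findings.push({ file, issue: `remote code execution path (${sinks.join(", ")})` });
    } else if (sinks.length) {
      findings.push({ file, issue: `dynamic code sink (${sinks.join(", ")})` });
    }
  }
  return findings;
}

// Constructed inputs: a hypothetical loader and a bundled equivalent.
const remoteLoader = {
  manifest: { manifest_version: 2,
    content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'" },
  files: { "loader.js":
    "fetch('https://updates.example.invalid/feature.js')\n" +
    "  .then(r => r.text()).then(src => new Function(src)());" },
};
const bundled = {
  manifest: { manifest_version: 2 },
  files: { "feature.js": "export function run() { document.title = 'ok'; }" },
};

console.log(auditExtension(remoteLoader.manifest, remoteLoader.files));
console.log(auditExtension(bundled.manifest, bundled.files));
```

The bundled variant produces no findings because everything it runs ships inside the package a reviewer sees.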

@SpacetimeMeatMachine

xkit error

The extension cannot be installed on Firefox now, I got this when trying to do the drag-and-drop installation on the add-ons page.

@marcustyphoon

Ah, that's a pain. Thanks for reporting!

@marcustyphoon

marcustyphoon commented Dec 16, 2024

> xkit error
>
> The extension cannot be installed on Firefox now, I got this when trying to do the drag-and-drop installation on the add-ons page.

Oddly, I can confirm this, but just clicking on the link in https://github.com/new-xkit/XKit/releases works fine. Tested on a fresh Firefox install.

Edit: Wait... nope, it works exactly once, and then if you uninstall it you can never reinstall it. What? Okay. Sure, Firefox.
