Make things a bit less shady

[olemartinorg]

Hi!

Firstly, thanks for all the good work. When i got the message when starting Firefox just now, that I could upgrade by clicking that button, I'm guessing I'm not the only one who found it quite shady. The page I was brought to basically said "download this directly, because this new version is sooo good Mozilla won't accept it". I'm familiar with github from before, but for someone who's not, getting sent to "a hub for gits" and getting that message does not seem trustworthy.

Please, if you can, explain why I should get this new version, why Mozilla won't accept it, and what are the drawbacks of just keeping the version already installed (and if that message pops up more, it has appeared twice for me by now, how do I disable it).

Thanks again!

[Noitidart]

Thanks very much @olemartinorg for this question.

The reason AMO won't accept it is because I use eval. This is a very powerful function that allows users to do anything. It enabled us to write new functionalities as we did here - https://github.com/Noitidart/MouseControl/issues/7#issuecomment-257068373

AMO prefers non-developers not to have this, and it makes sense. Someone might tell them "paste in blah blah" and it will give you $1000 but it will crash your computer.

I found this functionality critical, because in MouseControl 1.x people would message me all the time asking me to add a certain function (as in that bookmark functionality in the other topic), but I can't add everytime someone asks for something small.

I do hope to create a github based community of snippets, so people can browse submissions by others and use them. :)

[olemartinorg]

Huh, ok, I think I understand. I had to read up on this extension, because it apparently (at least 2.x) does a lot more than what I use it for (i literally just want to be able to zoom using the mouse, because of my eyesight and addiction to high-resolution displays, when I usually browse using the mouse and not the keyboard). So, for me 1.x works perfectly, and I don't see the need to upgrade.

Still, do you really need eval() for this? Look at the way Tasker does it - the pre-build list of actions works for 99% of users (and that, like 2.x, is targeted at power users). And, without having looked into all of how MouseControl 2.x works, I bet you could still allow the user to input options? So instead of "copy this script and add it to your config" to make a gesture that presses ctrl+v for you, you could instead have a "press keys" action that lets the user input which keys to press. Forcing users off the mozilla addons platform to reach you addon doesn't really seem worth it to me (at least not for something like this, that seems avoidable to me).

I would appreciate if you could inform users a bit more about the reasoning for this change (in the link they get to open when starting Firefox, not just here in this issue). Remember that installing an addon from Mozilla seems safe, even though it could be anyone who wrote that code - so that popup is informing users that "We just really need for this addon to execute arbitrary code on your system, and since Mozilla doesn't like that, please just download it from us directly. We promise not to abuse this power you'll give us".

Sorry if this comes across as overly negative, it isn't meant like that. I love the effort, but as mentioned, this is not really what I'm looking for - and if there's more users like me, the lack of information might scare them off from 2.x (which, in addition to the version number bump, seems like solid progress).

[Noitidart]

I totally understand. I really appreciate your honesty.

I am trying to bring it back to AMO, so I am writing it as a webextension. I am currently working on building the template, it requires native messaging so EXE's.

It makes sense not to use eval just for the mouse zoom stuff. But its deeply ingrained right now, as all functions are customizable. Even the shipped features are actually not hardcoded, they are custom user defined function. In the Webext I'm going to make sure it gets AMO approval.

I'll add more information to that alert for sure.

[olemartinorg]

Hooray! :-) That sounds good @Noitidart! A webextension with AMO approval surely sounds like the best way forward (and it would surely reach the most users as well).