why is this gone from firefox store

[dogeatdogeatdog]

i can't install the xpi on firefox because not signed

[eric-bixby]

All the add-on versions were disabled because Mozilla decided to re-review the add-on 2 to 3 years after already approving it.

Mozilla has this policy that compiled code must be reproducible. The code you see in this repo is Javascript, but it's ES5/6 and uses some NodeJS dependencies, so it uses Babel and Webpack to generate code. The code running in your browser looks different than the code in this repo. Therefore, understandably, Mozilla wants to make sure they can reproduce the generated code themselves from the given source code for security reasons.

If you are familiar with how NodeJS handles dependencies, the NodeJS dependencies used now will most likely be different than the ones available two or three years ago to build a node package. Over time, dependencies get updated and when they get updated, the behavior might change. In this case, I use "weh" for handling preferences and it has dependencies, so when a different dependency is used this causes the generated code to be different.

I now know how to resolve/prevent the issue. I need to build "weh" with "npm shrinkwrap". This creates a shrinkwrap file so that the dependency versions used are frozen. If a newer version is available, it won't be used. This ensures the generated code will be reproducible.

I didn't do this for the previous versions of this add-on so it's difficult to reproduce the same results after the fact (many years after the fact).

Finally, I'm just going to submit a new version and provide the NPM shrinkwrap file so that in X years from now, Mozilla will be able to recreate the generated code.

[Gitoffthelawn]

Wow! I'm not currently using this extension (I used it in the past, and it was very helpful), but I'm glad I'm still subscribed to notifications for it. Eric, I just learned quite a bit from your amazingly detailed and helpful post. Thank you!

[eric-bixby]

@Gitoffthelawn - thanks, hopefully it was informative. I wanted to rant but decided to just describe the situation and move on. Actually, I have to admit, I don’t use Firefox anymore (not at all) for the past couple of years. Therefore; I’m going to start looking for a new moderator.

[dogeatdogeatdog]

@Gitoffthelawn - thanks, hopefully it was informative. I wanted to rant but decided to just describe the situation and move on. Actually, I have to admit, I don’t use Firefox anymore (not at all) for the past couple of years. Therefore; I’m going to start looking for a new moderator.

so it will be back on firefox store yes?

[eric-bixby]

I've been trying. I build on Mac and Mozilla uses Ubuntu. Mozilla is getting a different build. I figured out the problem. Webpack is bundling in a different order between Mac and Ubuntu. If Mozilla won't build on a Mac, then I will have to submit a new version using Ubuntu.

[eric-bixby]

I submitted a new version on Friday. I decided to rebuild on Ubuntu. I'm guessing the reviewers don't work on the weekend, so I'll probably hear from them on Monday.

[Gitoffthelawn]

Yes, AFAIK, the reviewers don't work on the weekend.

[eric-bixby]

FYI: yes, it appears the reviewers work weekdays, early east-coast time (based on build times).

I gave them build instructions: https://github.com/eric-bixby/auto-sort-bookmarks-webext/wiki/Build-Process

Reviewer's builds: https://we.tl/t-21ak0TNf8q https://we.tl/t-mfhaZqv5Qh

The screen capture for build: https://paste.mozilla.org/TTTLbvhx

I wrote a script that downloads, installs, builds, and diffs: https://github.com/eric-bixby/auto-sort-bookmarks-webext/releases/download/v3.4.3/reproduce.sh

The reviewer's reply: "Please include the script that you used in the source code folder and provide the instructions on how to generate the final xpi."

[eric-bixby]

I think I figured out what the reviewer was asking. They want any scripts used to be in the source code archive provided. I'm guessing that's what was meant instead of "folder".

Not having much confidence that the reviewer can follow my instructions, I decided to dockerize the build. The second script provided copied the .xpi file to the current directory, but then they complained there was no build folder. The .xpi file is just a zip archive of the build folder. Couldn't they have just unzipped it?

Anyway, after a few version updates; I'm up to 3.4.5 (started in 3.4.2), I've combined the docker scripts into one and now it copies the build folder into the current directory/folder.

Just waiting for a reply from the reviewer.

[Gitoffthelawn]

You might want to include an illustration of how to turn on the power to a computer... just in case. ;)

[eric-bixby]

It’s back