mlgualtieri / CSS-Exfil-Protection

Official repository for the CSS Exfil Protection browser extensions.
MIT License

Add ID to manifest.json for sideloading #20

Closed polyzen closed 4 years ago

polyzen commented 4 years ago

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Distribution_options/Sideloading_add-ons

polyzen commented 4 years ago

https://aur.archlinux.org/packages/firefox-css-exfil-protection/#comment-703358

mlgualtieri commented 4 years ago

My apologies I didn't get back to you sooner on this. I'm not an Arch user. Is it often the case that plugins are added into the AUR repos and side-loaded instead of loading directly from the Firefox/Chrome repositories? It seems like there would be some risk in the unsigned distribution of an extension.

Not that I'm against it, if it's something commonly done in Arch. Clearly there's nothing to stop someone from downloading and installing the extension manually if they chose to do so.

polyzen commented 4 years ago

> Is it often the case that plugins are added into the AUR repos and side-loaded instead of loading directly from the Firefox/Chrome repositories?

Somewhat common, e.g. in the official repos https://www.archlinux.org/groups/any/firefox-addons/. It's done for extensions you want to install for all profiles/users and be able to update the global install for all profiles.

> It seems like there would be some risk in the unsigned distribution of an extension.

It's still signed, the extension is downloaded straight from AMO, and I reference the checksum of the XPI via AMO's API. Sometimes projects host their own signed XPI, so those may be used.

mlgualtieri commented 4 years ago

OK, makes sense to me. I'll get an update out ASAP that adds the ID to the manifest.

mlgualtieri commented 4 years ago

Sorry this took so long. It fell to the back burner since I wasn't sure if I really wanted to add the temporary ID to the manifest.json. It looks like it's not possible to change IDs, and it also doesn't seem like there will be any ill effects from adding it. Will be part of the 1.0.17 update.
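
A packaging-side check for the workflow discussed in this thread, as an added example that is not part of the original issue or the project's code: verify a downloaded XPI against a pinned checksum, then read the add-on ID from manifest.json to derive the `<id>.xpi` name used for sideloading. The `sha256:<hex>` pin format, the function names and the sample add-on ID are assumptions, and the sample XPIs are constructed in memory.

```python
import hashlib, hmac, io, json, zipfile

def gecko_id(xpi_bytes):
    """Return the add-on ID declared in manifest.json, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        manifest = json.loads(z.read("manifest.json"))
    # Current key first, then the legacy "applications" key.
    for key in ("browser_specific_settings", "applications"):
        gid = manifest.get(key, {}).get("gecko", {}).get("id")
        if gid:
            return gid
    return None

def sideload_name(xpi_bytes, pinned_hash):
    """Check the XPI against a pinned 'sha256:<hex>' value; return '<id>.xpi'."""
    algo, _, expected = pinned_hash.partition(":")
    if algo != "sha256":
        raise ValueError("unsupported hash algorithm: " + algo)
    actual = hashlib.sha256(xpi_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        raise ValueError("XPI checksum mismatch")
    gid = gecko_id(xpi_bytes)
    if gid is None:
        raise ValueError("manifest.json declares no gecko id; cannot sideload")
    # The ID becomes a file name, so refuse anything that could leave the directory.
    if "/" in gid or "\\" in gid or gid in (".", ".."):
        raise ValueError("add-on id is not usable as a file name")
    return gid + ".xpi"

def make_xpi(manifest):
    """Build a minimal constructed XPI (a zip holding only manifest.json)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()

SAMPLE_ID = "example-addon@example.invalid"  # constructed placeholder ID
BASE = {"manifest_version": 2, "name": "demo", "version": "1.0"}
WITH_ID = make_xpi({**BASE, "browser_specific_settings": {"gecko": {"id": SAMPLE_ID}}})
WITHOUT_ID = make_xpi(BASE)
# Stands in for the checksum a package build would pin for the download.
PINNED = "sha256:" + hashlib.sha256(WITH_ID).hexdigest()

if __name__ == "__main__":
    print(sideload_name(WITH_ID, PINNED))
```

The hash comparison only shows that the file matches the pinned value; it does not validate the extension's signature.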