Firefox Add-on review process is wrong and Firefox is a lost cause. I'm out

So recently an addon of mine was flagged to have a manual review. It’s been in the store for years working just fine, updates usually would get approved quickly. Over 3,000 users and 4+ ratings.

Recently, someone at Mozilla decided to flag the latest update for review. And because I use NPM, NUXT, and Webpack to build, I left instructions on building from the source.

Here’s the catch. From my understanding, the source is there so they can read the code if need be. Otherwise, I don’t see what else you would need a source for. You want to check it for security, see what exactly is going out without obscuring the code.

As this person at Mozilla builds from the source, they complain that the files aren’t the same. No shit. You built them locally on your machine, on your OS, on your node. As some of you know, frameworks like Nuxt generate random file names, and with webpack, the code base can never be compared because of how it chunks.

Anyways, that’s my rant, Firefox is a lost cause. The browser share is shrinking rapidly. Trying to explain to the review person that what they are comparing is like apples to oranges. I hate to say it, but Chrome has won, and they don’t even want the source code. Lately, their review process has been pretty darn fast. (My CWS extension has over 10,000 users…)

Yes, how else would you verify that the provided source actually generates the extension you submitted? If the source doesn’t represent what you submitted, it can’t be used to check what the extension does…

I’m not familiar enough with nuxt, but I do know that webpack can be configured to create a reproducible build, where the filenames and contents are deterministic from the input files.


Well first, you shouldn’t have to give anyone your source code. Google does it just fine without a source. It’s called testing the extension, what it does, and what it tracks. Building the source code doesn’t help. Oh good, you are able to see that it builds the same files; who the hell cares. It’s what the extension actually does that matters. They aren’t looking at the source code, they couldn’t care less, there’s so much sh*t you can easily hide in that if anyone wanted. The process is flawed. It’s unnecessary red tape. Use reports and reviews to determine extensions that need to be investigated. If they actually looked at the code or the extension itself, they would find all the terrible malicious extensions that are still active, but they don’t.

Same here, tried to get my extension through this new review process for like 2 months now. My build instructions get ignored by using different node versions, not installing the dependencies etc. and then I get build logs back saying that the build doesn’t work or differs or native node extensions don’t work with their node version… what a surprise ig. If you provide a field for instructions, maybe actually use it.