WingNews logo WingNews
top | item 46974089

(no title)

singularfutur | 19 days ago

This is why I only run open source extensions that I can actually audit. uBlock Origin, SponsorBlock, the kind of tools where the code is available and the developer isn't anonymous. The Chrome Web Store is basically unregulated and Google doesn't care as long as they get their cut. Open source at least gives you a chance to see what you're installing before it starts exfiltrating your data to some server in a country you've never heard of.

discuss

order

mixedbit|19 days ago

An extension from a trusted, non anonymous developer which is released as open source is a good signal that the extension can be trusted. But keep in mind that distribution channels for browser extensions, similarly to distribution channels for most other open source packages (pip, npm, rpm), do not provide any guarantee that the package you install and run is actually build verbatim from the code which is open sourced.

m4rtink|18 days ago

If the RPM/deb comes from a Linux distribution then there is a good chance there is a separate maintainer and the binary package is always built from the source code by the distro.

Also if the upstream developer goes malicious there is a good chance at least one of the distro maintainers will notice and both prevent the bad source code being built for the distro & notify others.

randunel|19 days ago

How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?

endsandmeans|19 days ago

I agree but let me play the devil's advocate. I'll channel Stallman:

Same argument can be applied to all closed source software.

In the end its about who you trust and who needs to be verified and that is relative, subjective, and contextual... always.

So unless you can read the source code and compile yourself on a system you built on an OS you also built from source on a machine built before server management backdoors were built into every server... you are putting your trust somewhere and you cannot really validate it beyond wider public percetptions.

nickjj|18 days ago

> How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?

Extensions are local files on disk. After installing it, you can audit it locally.

I don't know about all operating systems but on Linux they are stored as .xpi files which are zip files. You can unzip it.

On my machine they are installed to $HOME/.mozilla/firefox/52xz2p7e.default-release/extensions but I think that string in the middle could be different for everyone.

Diffing it vs what's released in its open source repo would be a quick way to see if anything has been adjusted.

oj-hn-dot-com|18 days ago

The open source one automatically publishes to the Chrome Store from GH actions so that there is no human involvement in the deployment process.

I'm currently in the process of setting that up for the one I'm building, because this transparency is very important to me) and it is a pain in the butt to do so. You have to go through a few verification processes at Google to get the keys approved.

pbhjpbhj|18 days ago

I'm running Uniget on Win11 and this is my worry there. Provenance of installs vs the actually released files.

pezgrande|18 days ago

I wish we had something like "source hash" available in all repositories.

fn-mote|19 days ago

This kind of nihilistic comment doesn’t do anything for me.

There’s always a possibility of problems along the chain. You are reducing your risk not eliminating it.

Rebuff5007|18 days ago

Do you also audit every part of every car you buy or medicine you take? Or do you rely on large well-established institutions to do that for you?

"Dont trust google" imo is the wrong response here. We are at the mercy of our institutions, and if they are failing us we need mechanisms to keep them in check.

coldtea|18 days ago

>Do you also audit every part of every car you buy or medicine you take? Or do you rely on large well-established institutions to do that for you?

Cars are under quite strict laws that software isn't. And there is only a small number of car vendors, while there are several orders of magnitude more extension vendors. Also a car vendor is a big company with many audits and controls, an extension "vendor" could just be some guy in his garage office, who just sold it to scammers, even for popular extensions.

And I still wouldn't trust a modern car using subscriptions and code updated.

acheron|18 days ago

“Don’t trust Google” is table stakes for being on the Internet over the past couple decades.

PurpleRamen|18 days ago

There are no established institutions for checking add-ons. The stores claim doing some checks, but seems enough is slipping through their net. It's also common sense to not buy something critical from a random anonymous source on the internet.

__alexs|18 days ago

My car can't login to my bank account.

worksonmine|18 days ago

> "Dont trust google" imo is the wrong response here.

Straw man. The argument is that by installing random extensions you trust anonymous developers *because* Google doesn't audit. I'll cite the parent to spare you the effort of reading it again:

> The Chrome Web Store is basically unregulated and Google doesn't care.

Yes, I trust the contents of the medicine I buy at the drug store more than I trust the drug dealer on the corner. That's why they hand out test kits for free at raves.

lapcat|18 days ago

> This is why I only run open source extensions that I can actually audit.

How far does your principle extend? To your web browser too? Google Chrome itself is partly but not entirely open source. Your operating system? Only Linux? Mac and Windows include closed source.

nemomarx|18 days ago

On HN of all places it's not that implausible that someone might be running Linux and Chromium or Firefox, surely?

NamlchakKhandro|18 days ago

If they live in California, they're most assuredly borrowing prestige through licenced usage of apple hardware.

Because let's get real, no one ever gets a job in tech if they're not an iPhone user right?

bennydog224|18 days ago

This is the safest way. You also want to disable auto update to version lock, which means using Firefox or Safari or loading unpacked if you use Chrome.

Angostura|18 days ago

It’s one of the reasons I run Safari, which strictly limits what extensions can do for these reasons

lapcat|18 days ago

No, Safari is really no different here from Chrome, and indeed there's broad compatibility between the extension API, such that in many cases you can use a Chrome extension unmodified in Safari.

lofaszvanitt|18 days ago

And you audit every update? Ahem.

falcor84|18 days ago

Annoyed with how the AWS console sometimes changes regions on its own, I recently decided that I need an extension to make the current region displayed prominently. After a bit of research, I found the AWS Colorful Navbar [0] extension, which does pretty much exactly what I wanted, but (understandably) requires granting it "This extension can read and change your data on sites" on `://.console.aws.amazon.com/*`, which I'm not willing to give to an external extension. So my solution was forking the repo [1], carefully auditing the code, and then installing it from a local clone (which they actually have a nice explanation for). Going forward, I think I'll try using this approach for all sensitive extensions.

[0] https://chromewebstore.google.com/detail/aws-colorful-navbar...

[1] https://github.com/nalbam/aws-navbar-extension