I mean, take a look at how many projects recommend curl | sh as the official way of installing their software and how many "alternative" package managers there are, where devs can just push updates directly.
The desire of developers to get around distro maintainers and grab full control of update distribution is strong...
I don't care about that. I am not asking for a browser or a Linux distro that forbids the installation of extensions not in the repository. I want a browser that has a repository I can trust, as already exist for Linux distros.
I cannot trust either Mozilla or Google's extension repositories; they are 'managed' in a substandard manner relative to Debian or Android's F-Droid. Both of these extension repositories are managed so poorly it seems farcical to say they're managed at all.
In the current case, the extension used to be perfectly trustworthy, then it got sold with the full permission of the author.
I'd like such a repository too, but the "extensions going bad" dynamic usually happens with the full cooperation of the extension's developer, so I could imagine many extension developers would be actively opposed to such a repo. Therefore, the browser would have to possibly act against the wishes of the developers here and e.g. keep an earlier version of an extension available even if the developer would like to remove it.
The problem is when the extension owner is the same as the extension packager, and the repo doesn't enforce any meaningful review or standards before allowing an updated extension to be pushed to their repo.
If this extension were a program packaged by Debian or F-Droid, this wouldn't happen. The upstream can sell out and start publishing malicious updates but they can't push those updates to Debian or F-Droid, because they don't have the necessary permissions to do so. They would need to buy out or trick the Debian or F-Droid package maintainers, which I generally trust to not happen (and I haven't been burned by this trust before.)
This scheme works fine for the majority of software I give a shit about. Some developers don't like this scheme and that's fine; for the most part I simply choose to not use their software. I don't want this scheme forced on either users or developers; it's entirely voluntary on both ends. It could exist for browsers just as it does for Linux and Android, but as far as I know it presently doesn't.