35 comments

[ 3.9 ms ] story [ 85.0 ms ] thread
Needs a better name. I thought they want us to create custom 3rd party installers.
> In 2023, a significant portion of Firefox downloads came from unknown sources.

Does anyone know where they get this data from?

Presumably telemetry coming back
(comment deleted)
I assume by comparing the sum of the downloads from all official channels to new telemetry instances claiming to come from Firefox packaged by Mozilla.

about:telemetry#environment-data-tab_partner

I have worked on this in the past, and still touch it from time to time.

This data comes from attribution data (https://firefox-source-docs.mozilla.org/browser/components/a...) and the installation ping (https://firefox-source-docs.mozilla.org/toolkit/components/t...).

Most of the Firefox installers/packages for Windows & macOS on https://archive.mozilla.org/ have a sentinel value for attribution data that indicates "this is a build that Mozilla produced and uploaded to archive.mozilla.org", and is considered to be from a known source. (Anyone that downloads directly from archive and redistributes will maintain this data and also be considered known.)

Downloads that flow through www.mozilla.org and meet certain conditions (most notably, Do Not Track being disabled) will have this data overwritten at download time with UTM parameter information (see the first link above). These are considered to be from a known source as well (our own website!).

I'm not an _expert_ on the analysis side of this data, but I believe that install pings that don't contain attribution data are considered "unknown". (There may be other cases that end up in the "unknown" bucket as well - I honestly don't know.) On Windows, there's a _shockingly_ high percentage of installs that fall into this bucket.

Ive been using a third party installer for probably 15 years.

It is very hard to beat ninite.com for installing everything at once on a new pc.

I've seen a few 3rd party post windows install tweak/essential utility scripts that use winget now. A search there shows a number of results, but the main one (winget show mozilla.firefox) seems to be official. I've never really liked those scripts though as it seems easy for someone to divert it to something else and I doubt a lot of users audit it.

Something that's been on my mind in terms of user reporting is while firefox puts a large emphasis on privacy, what proportion of the userbase conceal their user agent and disable/minimize telemetry

If you use Windows, you should try Windows package manager (winget). It offers thousands of packages and makes Ninite obsolete if you're okay with using shell commands/scripts.
How does that differ from chocolaty?

And for that matter Action1 is likely better if I am doing this on a regular basis.

For one thing, it's built into windows from the apt-get-go; And honestly has a pretty extensive library; So you can just copy your setupPC.ps1 file and run it to install all your software, and also update any that's already installed.

Honestly Microsoft's biggest miss is not having a GUI for it. (The Windows Store does act as a software source for it, but the primary software source is separate and much larger without the Windows Store overhang.)

If they implemented 1. An Apt like interface (it's kinda not amazing as is) and 2. a GUI, it could see mass adoption overnight. As long as they don't fuck it up or be overbearing on who gets to be included. And no paid software should be listed by default; at least not without a trial and a warning that it's paid software.

Package managers will either download from Mozilla, as with winget, or they will officially distribute their own builds with a distributionId, which you can find here about:telemetry#environment-data-tab_partner.

This is directed at predatory SEO sites that unofficially bundle Firefox installers with adware for example.

I couldnt do something like this in good conscience. It just feels too much like im snitching haha. Not that i know any of these sites
Snitching on sites that bundle adware or worse with a Firefox installer doesn't sound too bad to me?
It's a bit sad to me that I've lost so much trust in Mozilla that I'm immediately suspicious of this campaign. This could be exactly as innocuous as they want this to sound:

> Your report will help us identify the attributes and traits of third-party websites that offer Firefox download outside our official source, so we can work with them towards better distribution practices – eventually, leading to better security, privacy, and user experience for Firefox users.

It's also possible that what they really mean is that they're going to go after these providers for trademark violations [0] like what happened with Debian [1].

I'd love to be in a world where I can trust Mozilla to generally do the right and honest thing, but I'm having a hard time imagining what other form this "work[ing] with them" could take, and it makes me very uncomfortable that they're not forthright about the details of their plan when asking users to help them identify targets.

[0] https://www.mozilla.org/en-US/foundation/trademarks/policy/

[1] https://en.m.wikipedia.org/w/index.php?title=Debian%E2%80%93...

Mozilla top management did some stupid things in recent years, so your opinion is valid, but OTOH it's a bit sad to me that whatever Mozilla tries to do going forward (or really any software vendor), the top comments are always backlash, bashing of any initiatives, conspiracy theories, and people who want bug-free millions LOC software without any built-in telemetry.
It is very sad, but also a rational response. Mozilla still has a better reputation than most, but the industry overall has been punching people in the face for a long time now.

That people's instinctive response to pretty much anything coming from the big players is mistrust and backlash is entirely understandable. It's the result of learning from experience. On the whole, the industry has burned a significant amount of trust and benefit of the doubt.

That's the part that boggles my mind. Who are these people who rail against telemetry on HN threads?

Are they

1. Gods who simply ship bug free code and can't understand why mortals like us need telemetry to do the same.

2. Non-software people who've never shipped software to devices they don't control, just posting on HN for fun.

Valuing privacy, I can understand, I'm on board with that. It's when they take it to extreme, weird lengths, where they say that telemetry could allow the VSCode team at Microsoft to deanonymise them and then ... what exactly? It's gotten to a point where software like VSCode can't even be discussed on HN without the entire thread just being about telemetry.

Or, simply, people who do not want their behavior to be monitored regardless of developer rationalization.
> Are they

> 1. Gods who simply ship bug free code and can't understand why mortals like us need telemetry to do the same.

> 2. Non-software people who've never shipped software to devices they don't control, just posting on HN for fun.

I'm a user who thinks internal testing and user bug reports is good enough and doesn't like my computer telling other people how I use it. Doubly so when its software that explicitly bills itself as caring about privacy.

Most people would probably be okay with it if it were opt-in and clearly explained what it would be collecting (including letting you see exactly the contents if you'd like), perhaps letting you decide at a granular level what to upload. Upon encountering an error, you could also trigger a dialog to ask if the user would like to upload information (with "yes", "no", "always", and "never" as options).

What people don't like is that lots of modern tech employees apparently don't understand consent, and just assume it's okay to spy on you and take whatever personal data they want.

3. People who want you to respect their boundaries and are trying like hell to drag the Overton window back to an era when surveillance capitalism hadn't savaged privacy norms yet and developers didn't think they were entitled to such data.
So Mozilla wants me to search the web and install random binaries claiming to install Firefox, and in return they'll put my name on a blog post and (maybe?) send me merch? Who thought of this?
Why would you have to install anything?
> How can I know if an installer is not official?

> A: On Windows, when you open the downloaded .exe file, you’ll see a pop-up with a “Verified publisher” name. If “Mozilla corporation” is the publisher you have an official installer, else it’s not.

If you see a Windows exe anywhere not from a Mozilla domain, you should report it as unofficial.
(comment deleted)
How about Mozilla figure out wtf is going on with their builds being language specific and it basically being impossible to convert Spanish Firefox to English Firefox. Absolutely baffling. (No really, changing the spell check language doesn't change the spell check language and you can only side-load non-official English spell check packs in the Spanish build. Its one of those things where so many wrong decisions had to be made, and leaves users out to dry.

Or, at the very least, don't do the same stupid crap every other site does, aka: sniff my geo-ip and then opaquely serve me a specialized build without my knowledge. Just another thing on the list of reasons why i don't bother being a Firefox advocate anymore. There's so many basics not accounted for.

Finally more Android extensions, than previously only being possible with Fennec