This is very disappointing, and points to a weakness in these kinds of platforms: I can be a passive user of an excellent extension for years, and wake up one morning to discover that my browser has (silently!) upgraded the extension to one controlled by an entity that I don't necessarily trust.

I think it would behoove Firefox and Chrome to change their policies around automatic extension upgrades in these scenarios: if an extension discloses a change in ownership, then upgrades should require user approval. If an extension fails to disclose a change in ownership, then users should be able to report it as malicious.

This problem is more far-reaching than just extensions, and further reaching than what entity is in charge of something. For instance, the worst company imaginable may be in charge of software that was once FOSS, and they may change absolutely nothing about it, so it should be fine. However, if a small update is added that does something bad, you should know about it immediately.

The solution seems to be much more clearly in the realm of things like crev: https://github.com/crev-dev/cargo-crev/

Wherein users can get a clear picture of what dependencies are used in the full chain, and how they have been independently reviewed for security and privacy. That's the real solution for the future. A quick score that is available upon display every time you upgrade, with large warnings for anything above a certain threshold.