Release notes for Zotero connector?

My Firefox just updated the Zotero connector to 5.0.110.
It has no release notes, and the zotero-connectors GitHub repo only shows up to tag 5.0.108, with last commit weeks ago.
Probably it's just some oversight somewhere, but it makes me uncomfortable. I've seen extensions in the past being taken over by bad actors. So, could you please allow some easy way to keep track of what happens with each release?
  • edited June 13, 2023
    I don't know why they didn't tag the last two releases on github, but I don't think this is a security issue: If you look at the connector .xpi, it updates directly from zotero.org, so hijacking updates would require hijacking zotero.org, which (apart from being very, very unlikely) means that the changelog wouldn't actually help for security -- if an attacker has the type of control to place a file into the download stream on zotero.org, they'd definitely be able to put up a fake changelog entry.

    (and to be clear, 5.0.110 is a regular release, you can see it referenced in the commit log)
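The comment above says you can "look at the connector .xpi" to see where it updates from. The script below is an added example of that check, not code from the thread or from the Zotero project: an .xpi is a zip archive, and for a self-distributed Firefox add-on the update channel is the `browser_specific_settings.gecko.update_url` field of its `manifest.json` (older manifests use the `applications` key for the same block; an add-on with no `update_url` is updated through addons.mozilla.org instead). The script reads that field, requires it to be https and on the expected host, and flags anything else. The sample manifest, its extension ID and the update URL in it are constructed placeholders, not the connector's real values.

```python
import io
import json
import sys
import zipfile
from urllib.parse import urlparse


def read_manifest(xpi_bytes: bytes) -> dict:
    """Parse manifest.json out of an .xpi, which is an ordinary zip archive."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return json.loads(zf.read("manifest.json"))


def update_url(manifest: dict):
    """Return the self-hosted update URL Firefox will poll, or None.

    Firefox reads it from browser_specific_settings.gecko.update_url;
    older manifests put the same block under the 'applications' key.
    An add-on without one is updated through addons.mozilla.org instead.
    """
    for key in ("browser_specific_settings", "applications"):
        gecko = manifest.get(key, {}).get("gecko", {})
        if isinstance(gecko, dict) and "update_url" in gecko:
            return gecko["update_url"]
    return None


def check_update_source(xpi_bytes: bytes, expected_host: str) -> tuple:
    """Classify where the add-on pulls updates from.

    Returns (verdict, url); verdict is "ok" only when the manifest declares
    an https update_url on expected_host or one of its subdomains.
    """
    url = update_url(read_manifest(xpi_bytes))
    if url is None:
        return ("no update_url (updates via addons.mozilla.org)", None)
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return ("update_url is not https", url)
    if host != expected_host and not host.endswith("." + expected_host):
        return ("update_url host is not %s" % expected_host, url)
    return ("ok", url)


def build_xpi(manifest: dict) -> bytes:
    """Build an in-memory .xpi holding just manifest.json (for the sample below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


# Constructed sample manifest: the ID and update_url are placeholders,
# not the connector's real values.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Connector",
    "version": "5.0.110",
    "browser_specific_settings": {
        "gecko": {
            "id": "example@example.invalid",
            "update_url": "https://www.zotero.org/example/update.json",
        }
    },
}

# The same manifest with the update channel pointed elsewhere over plain
# http: the kind of change a tampered .xpi would show.
TAMPERED_MANIFEST = json.loads(json.dumps(SAMPLE_MANIFEST))
TAMPERED_MANIFEST["browser_specific_settings"]["gecko"]["update_url"] = (
    "http://updates.example.net/u.json"
)


if __name__ == "__main__":
    # Pass the path of an installed .xpi; without one the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_xpi(SAMPLE_MANIFEST)
    print(check_update_source(data, "zotero.org"))
```

Run it against the `.xpi` stored in the `extensions` folder of your Firefox profile to see the host your copy actually polls; the check only tells you where updates come from, and says nothing about whether a given version is trustworthy, which is the point the comment makes.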
  • I've just tagged 5.0.110, which was released earlier today. There was no 5.0.109, as explained in the commit history.

    (But yes, the idea that lack of a GitHub tag somehow calls into question the safety of a release is a bit silly. We obviously have stringent controls in place to protect and monitor our distribution channels.)
  • I'll argue that anything that lets the user know that a change is expected is good.

    Anything that leaves the user wondering if something is safe, and having to ignore the justified questions, is bad. It trains them to be unsafe.

    Personally, when I saw that a visible part of a release (like a tag) is missing, I didn't jump to think that surely there's a stringent control in place somewhere out of view.
  • edited June 13, 2023
    No, that's ridiculous. Git tags are for Zotero developers. They're not for end users. They're not "part of a release" — they have nothing to do with the release process. They're frequently updated days or weeks after a release. Zotero's millions of users obviously aren't expected to check for a Git tag to know that an automatic update is safe.

    And that's not what changelog entries are for, either. We write a changelog for the desktop app so people know what changed, not so they know that a release that appeared in the HTTPS update channel is safe to install. Connector changes are usually fairly technical and often tied to changes in the desktop app, so we don't bother maintaining a separate changelog. We could consider doing that, but it wouldn't in any way be for people to know that a release was safe.

    The reason for you to believe our software is safe is because you trust us to protect our distribution channels, as we have for the last 17 years. If you don't trust the software coming from our servers, you definitely shouldn't use Zotero.