Arch Linux

Firefox has a configure option ("--with-unsigned-addon-scopes" with values "app" and/or "system") which allows loading unsigned add-ons which are located in root-owned directories like /usr/lib/firefox/browser/extensions/, see [1] for a better explanation of the add-on scopes. The corresponding Mozilla bug with some background information is [2].

In Debian this configure option is used [3] because the Debian packages with the language packs and the add-ons are built from source and thus they are not signed by Mozilla. If I am not mistaken, this is not what is done in Arch Linux, but I don't know if this kind of package building might be something worth considering.

As explained in the Mozilla bug report, there isn't really a security issue with enabling this configure option, because if someone can put malicious add-ons in the corresponding directories, the user has a bigger problem than using these add-ons. The requirement for signed add-ons in user owned directories isn't changed by the configure option.

I am requesting this because I believe it gives users more freedom regarding what add-ons they can use, even if the packaging of Firefox language packs and add-ons does not change (at least in the near future), and I expect users with root privileges to know that they do.

[1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1464766
[3] https://salsa.debian.org/mozilla-team/firefox/commit/3e7d8f5d18f82410852961a1d87e79615bd69ea5