unauthorized, unverified and outdated uBlock Origin binary on Safari Extensions Gallery and "marketing" website

[vassudanagunta]

The issue:

1. @hartator published in the Safari Extensions Gallery a "uBlock Origin" extension binary as "Chris Aljoudi/Raymond Hill", linking to Ellis Tsung's GitHub account, without advanced notification, permission or authorization from Raymond Hill or Ellis Tsung. (It's an additional insult that Chris Aljoudi is even mentioned.)
2. @hartator unilaterally created and maintains a "marketing site" (his own words): https://hartator.github.io/uBlock-Safari/, also without advanced notification, permission or authorization, linking to another "uBlock Origin" binary.

You can read the detailed history of this situation under Issue #34.

Even if @hartator had good intentions, this is very bad and should no longer go unaddressed.

Why is this bad?

• uBlock Origin is used by thousands if not millions of people. This fact amplifies everything I say below.
• @hartator did this without the creators/maintainer's knowledge. He admitted to it after-the-fact.
• @hartator had to impersonate or claim to be acting as an authorized representative of the names he supplied to Apple when he published to the Gallery using his Apple Developer account. As long as he keeps it up in the gallery, he is continuing to represent it as such.
  • Here is a link to the Apple Developer Program License Agreement. IANAL, but I'm pretty sure by agreeing to this agreement and by signing the extension with his certificate, he made false representations to Apple, and violated multiple clauses of the agreement.
  • Whether or not you care about Apple's policies, its users trust that software they install through Apple is software that follows its policies and rules.
• The marketing site (link to today's snapshot on InternetArchive) impersonates an official, authorized website for uBlock Origin.
• The marketing site links to yet another binary of the extension.
• This means there are two binaries out there not built or managed by the creators/maintainers of uBlock Origin, yet published under their names. This is a SERIOUS SECURITY ISSUE:
  • The binaries are outdated (7 months and 3 versions old as of this writing). If a uBlock Origin security vulnerability is discovered, users who have installed this unauthorized build will not get notified or updated.
  • The binaries are unverified. We are trusting @hartator built the source code untouched. He may be a good guy, but this is a very bad practice.
  • The binaries are unauthorized: People should only be installing binaries published by the actual sources, not unknown and unauthorized third parties that decide to post their own build. @hartator, by publishing of under those names without their permission, is making a misrepresentation to the public.
• People are being mislead and confused.
• uBlock has already been victim to someone absconding with and damaging the brand. In that case, Raymond Hill himself called that website a "misrepresentation". Let's not be sloppy about such things again.

@hartator has had 6 months to rectify this deed, but nothing has changed.

[gorhill]

I don't have any browser which allows me to see the extension in Apple store, that is what I get with your link:

So at this point I cannot even get 1st-hand knowledge about this. If there is something I could do, like report it to Apple store as a fraudulent version (assuming that is possible), I need at least to get 1st-hand knowledge about what is there.

[BugDave]

It will show for me using vivaldi.

…

On Oct 11, 2017, at 8:06 AM, Raymond Hill ***@***.***> wrote: I don't have any browser which allows me to see the extension in Apple store: So at this point I cannot even get 1st-hand knowledge about this. If there is something I could do, like report it to Apple store as a fraudulent version (assuming that is possible), I need at least to get 1st-hand knowledge about what is there.

[vassudanagunta]

@gorhill Here is a screenshot for that link in Safari. Here is the Install now ↓ link if you want to examine what it points to: https://safari-extensions.apple.com/extensions/com.el1t.uBlock-8782JU4WM4/uBlock.safariextz.

[vassudanagunta]

@gorhill Here is how it appears in Safari once installed.

[vassudanagunta]

@gorhill @el1t

Here is the source for @hartator's "marketing site": hartator/uBlock-Safari.

I created an issue under it requesting that he remove the site and the distributions: hartator/uBlock-Safari#1

[gorhill]

Is there a way for you to download the package as served by Apple store? I would like to do a diff with the one here.

[vassudanagunta]

Sure. GitHub required me to to zip it first: uBlock.safariextz.zip

But here again is the download link on apple.com so that you can get it from "the source": https://safari-extensions.apple.com/extensions/com.el1t.uBlock-8782JU4WM4/uBlock.safariextz

[vassudanagunta]

@gorhill You can use xar to extract the contents of a safariextz file. Let me know if I have to do that on macOS for you.

[gorhill]

I don't have xar, doesn't look like it's readily available on linux.