"main reason I haven't put it in AMO yet is because AMO offers less security to users than EFF self-hosting it"
Another pointless crusade. Aren't there many ways you could make it safer still? Wouldn't some of those be really dumb because they would prevent many people from accessing the add on?
How many people are you making more secure? Close to no one because 98% of Firefox https everywhere users have some other add on from AMO. Weigh that against the many thousands more that might be experiencing the benefits of your add on if it were hosted where 99% of add ons people use are hosted.
If a result of this "pointless crusade" is for Mozilla to start applying better security to its plugin archive, it's a huge win.
Why commercial enterprises still aren't providing even a fraction of the level of archive integrity assurance completely volunteer free software projects were decades ago is utterly beyond reason.
As far as I understand you can't make people more secure using AMO without risking compromising those very users later on when some hackers put malware into AMO plugins including this one.
Security is determined by weakest link. Right now it's AMO.
Those 99% of addons are not about adding strong security and good practices to your browser hence do not bear the same expectations.
I would be disappointed if a security add on could easily be circumvented because of a poor choice of distribution.
Keep in mind that such security addons may be used by activists and journalists in hostile environments; you do have a different opinion when overlooking this kind of detail could mean imprisonment and torture.
"Aren't there many ways you could make it safer still?"
None that are necessary and relevant for the plugin to be offered via AMO.
Should we trial this medicine on humans? No, that's another pointless crusade. Aren't there many other ways you could make it safer still? Your argument applies to any requirement and thus to none.
"Weigh that against the many thousands more that might be experiencing the benefits"
"Many thousands more" of whom you don't know whether they are experiencing any benefits, because you don't know whether they are actually using the code you published, instead of a compromised variation.
My priorities are completely irrelevant here, I've been a happy user of https everywhere since idk since I heard of it (years? idk). My criticism is that their own stated priority is being crippled by a self-imposed and arbitrary rule.
It looks to me like they're trying to use not being in AMO as leverage to get Mozilla to implement additional security features. If they said "we'd like these features, but we're ok being in AMO in the meantime" Mozilla would probably mostly ignore them, and these are generally useful features that should help others if developed.