Chrome limits off-store extension installs
I thought I explained the reasoning on the bug, but I can give it another go. Users are being tricked into installing malicious extensions, and thus getting compromised in significant numbers (Facebook "like" selling is a major target). We have continuously improving measures in the WebStore to catch malicious extensions, and the volume there is very low. However, we don't have a way of catching malicious off-store extensions. So, the best solution is to disallow other sources by default, and provide technically inclined users and enterprise administrators with the ability to add trusted sources.
This is basically the same model that every Linux distro uses, so I'm not sure what the complaints are about. I'm also surprised Firefox hasn't proposed something similar, since I'm told they're seeing the same trend.
This nicely illustrates the difference between merely being "open source" (Chromium) and being developed in the open (Firefox). At the very least a decision of this magnitude would have been discussed in the community BEFORE being merged in any sane openly governed project.
This is a pretty big change to bring in without warning. It would be nice if extensions could be signed but not on the store. I have extensions for internal business apps, they make no sense on the store but having a techy installation process is a big hassle. Google could even host the code (and have the ability to revoke), I just want a way to have "private" extensions that are only delivered to who I want.
I have no issues with the process, but am only concerned with the way this change was made. The issue keeps referring to https://code.google.com/p/chromium/issues/detail?id=55584 for "details", but there is nothing there except statements asserting how much of a "big problem" this is.
I think this is a bigger problem with large open source projects in general where implementors are oblivious to which functionalities developers cherish and value. Any change in such features would require a more thorough explanation.
Was there some new law of nature added in the last few years that says as soon as any app platform takes the lead its vendor must begin restricting the distribution channels available to 3rd party developers?
Wouldn't it be awesome if Microsoft and Apple forbade competing walled gardens (such as Chrome) from running apps on their operating systems?
This change is being made without any buy-in from the community, ostensibly for security reasons. I'm skeptical, given the inherent incentives involved.
All the latest malware that I see spreading on Facebook came from Chrome extensions. Users don't care, they click and install stuff. Then the extension, which can interact with any page, can spam walls and comments on Facebook.
Unfortunately Google's policy doesn't cause only malicious extensions to be removed from their web store. For instance, All Mangas Reader, a combined reader and management tool for online manga sites, was removed from the store for "copyright infringement", although it's the sites that are hosting the mangas doing the infringement and not the extension. Additionally, the copyright problem does not apply to all jurisdictions where the store is accessible. ChromedBird, a Twitter client extension, was also removed because Google didn't like that it contained the "chrome" string (at least this problem was easily alleviated by changing the name to SilverBird).
As long as it's still possible to install non-webstore extensions I'll learn to live with that restriction as it's not an activity I perform often in the first place.
I publish an extension, Textcelerator (https://textcelerator.com) off-store. This is the first I'm hearing about this, and it would completely the sign-up flow for my extension. (My extension is in the Chrome store, but my landing page doesn't link there.)
Fortunately, it seems this only affects the head versions for now, not the version regular users get on a new install (I just tried it) or an autoupdate, so I have some time to switch links around and make it work. However, I really think there needs to be some sort of deprecation before this is rolled out, probably in the form of a warning on download if Developer mode is enabled, backported to versions 19 and 20.
I have an extension on the Chrome Store, but I also distribute it via bundling and bundling requires an executable. For the bundle, I use the registry method found here: http://code.google.com/chrome/extensions/external_extensions...
Will this method still work?
I originally had the exe simply open a window to our Chrome store listing, but the friction was ridiculous. We would get about 5 installs for roughly every 100 we were paying for.
Yay, another "let's enforce our products to end users" on the cover of "security".
Can't wait for Google to remove the checkbox on every Android for "allow 3rd party software install", cause you know, it has to come from Google Play else it's OMG dangerous, and all the users are dumb and check the checkbox and install random apks. And look there's a nice illusion of choice, you need a procedure so complex that almost no one will be willing to do it (and thus you're forced into Google Play).
For security. /trustworthy.
I think restricting access in this way will slow the growth of browser extensions/addons as platforms for launching full-fledged web services and apps.
I see more and more web apps relying on extensions for a core part of their functionality, and this is only going to hurt them.
For installing non-Web Store extensions, I would rather see an extra warning message or notification, rather than a protracted process that many users won't be able to figure out. Extensions are good, but not if they're hard to install.
But what happens if someone complains about my extension and Google decides to pull it from the store?
Such a shame that this appstore mentality is becoming the norm.