Yesterday, I’ve introduced XKit Packs, which allows developers to distribute XKit extensions without my permission/inspection. And I’ll be honest, I had about 4 hours of sleep last night.

Although I’ve implemented some server-side checking for scripts, which forbids developers from using IFRAMES, redirect pages or open popups, as you know, no system is bullet-proof.

So, I’ve started thinking: what if someone, somehow, bypasses this security system? Or what if they write a perfectly fine extension, get everyone to install it, then send an update that does bad stuff? Or what if they manage to break the “kill switch” used to delete malicious extensions? Or what if a developer with good intentions write a very buggy extension that causes a lot of problems for users?

Yes, bad software is everywhere, and any extension/application you install can do some very nasty stuff. But I just don’t want to provide the bad people yet another method of distribution. I want people to be able to click that Install button without worrying about what it might do.

So, less than 12 hours after it’s release, I am temporarily disabling creating/editing XKit Packs: if you’ve already published a Pack, people will be able to install it, but you won’t be able to edit it for now. Although it defeats the purpose of Packs, I will be implementing an approval system, so whenever you create/edit a Pack, it will need my inspection and approval to make it publicly available. Still, since it will be automated, when finished, it should be much faster and easier than the traditional way of submitting an extension to the Extension Gallery.

I’m terribly sorry and I apologize for this, especially to the extension developers. I hope you understand. When the approval system is done, I’ll be announcing it on the XKit Developer Blog.