Disclosure: I am a full-time engineer on the Google Chrome team. Sorry, but your solutions don't work -- believe me, we didn't want to do this but it was done to prevent malware injections and not to stop users from installing software they want (which is why we only block it on Windows, and we don't block it on Dev or Canary channels).

a) Block the extensions that don't come through the app store, but let the user enable them one by one -- without scary 'developer mode' (and opening up the floodgates)

Unfortunately, if we just let the user manually override the blocking, we would have to store that choice in a preference file. Malware on your computer could easily install a bad extension and set the override flag in the preference file, making the blocking effectively useless.

This is why the only way the user can opt in to side-loading (by turning on developer mode) prompts scary warnings every time you open Chrome -- so that if malware does this, users will know something is up. We can't let you opt in to side-loading and be silent at the same time.

b) Reputation systems -- allow 'reputable' extensions; revert to a) above for the rest. Google and the AV vendors don't want to get their hands dirty classifying useless shit nobody wants as the useless shit nobody wants, fine let the 'community' handle the reputation.

The reputation system just moves the responsibility around, but still fundamentally has the same problem. Now you need to run a full-time service that records the reputation for each extension, and needs to be resilient to gaming (for example, having a malware author controlling a botnet spam the reputation server with good reviews to increase their score).

And for anyone who really wants it, they can manually enable it.

That is exactly what the "developer mode" switch is for. Again, we can't have a preference to enable side-loading without also letting malware turn it on for unsuspecting users, unless it gives a scary warning. There are other ways to enable side-loading without having to see the warning every time you start Chrome:
- Use Mac OS or Linux.
- Use Dev or Canary channel.
- Use Chromium instead of Chrome.
I hope one of these solutions are acceptable.

This is simply not true. I've been an extension developer for quite a long time, and I've always hosted a beta version of my extension outside CWS, with auto-update, using update_url key in the manifest.

Ah OK. I didn't know about this feature. Then yeah, I guess your users won't be able to use that unless they're on dev.

(Disclosure: I am a Google Chrome engineer.)

It's not like I don't understand the problem, I've seen rampant Chrome crapware on clueless people's computers. But this is heavy-handed.

I'm glad you understand the severity of the problem. We took no joy in introducing these restrictions, but I think we made a good compromise between security and user freedom. If you don't want the extension side-loading policy, you have a number of options:

• Use Mac or Linux.
• Use Dev channel (but have potentially unstable code).
• Load your extensions unpacked (but have Chrome warn you every time you start up).
• Use Chromium (missing various features, but the option is there).

None of these options are ideal, but there are numerous escape hatches for people determined to side-load. The point is to stop side-loading in the default case only, where people are getting unknowingly infected. I would call this as far from "heavy-handed" as possible while still being effective.

or are content with loading extensions unpacked, with no auto-update.

Non-Web-Store extensions never had auto-update to begin with. The only difference between loading unpacked and side-loading is that it's a bit trickier to install unpacked, and Chrome will warn you every time you start up.

I actually wonder why GOG doesn't improve their downloader app into a full Steam competitor, which automatically downloads, installs and keeps your games up to date. It wouldn't imply adding DRM -- you could still download the stand-alone .exe installers, and the GOG client could have a "save as .exe" button. Because as it stands, I have to keep making this trade-off between properly DRM-free games (GOG, and Humble Store for that matter, which is also nice in that it supports Linux) and the convenience of having a one-click download/install and always-up-to-date experience (Steam).

Hi, thanks for the details. Would you be able to file a full bug report by going to:
http://crbug.com/new
Just fill in the required fields (such as operating system, Chrome version, etc) and then paste what you told me here. Thanks.

Is the extension installed from the Web Store, or side-loaded? Either way, if you are sure there is no malware, I would appreciate a detailed bug report, because this is certainly not the intended behaviour. Thank you in advance.

Chrome developer here. If you are deleting your extensions and they are showing back up in a few minutes, you have malware on your system that is actively re-installing them (I have seen this in action).

Under normal circumstances, deleting an extension on one machine (assuming you have extensions sync turned on) will cause it to be deleted in your central account, and this delete will propagate to your other machines. Chrome won't push an extension back to your machine that you just deleted. Also, side-loaded extensions (ones that you didn't get from the Web Store) are never synced.

The problem is that many users have malware running in their system that continually installs a particular extension into Chrome, so if you delete it, it goes right back (through no fault of Chrome's). The only solution for now is to find and disable the malware. On Windows, we will soon be blocking side-loaded extensions to prevent this sort of thing from happening.

The difference with GOG is that with Steam games -- even those that don't use Steamworks -- you need to use Steam AND have a working Internet connection to install the game, so you are not truly separated from Valve's ecosystem. With GOG, you can download all the games you own, back them up to a portable hard drive, and then you can play all the games regardless of your Internet connectivity or GOG's continued existence, even if you change or wipe your computer. With Steam, you can only play these "DRM-free" games until you next need to re-install them for whatever reason.

Back in, say, 2000--2004, a game that needed the Internet to phone home during installation (but not every time you play the game) would have been considered an unacceptably intrusive form of DRM by some. It's funny how the public perception of DRM has changed so much that phone-home-on-install is no longer considered to be DRM at all. Well, it still is, because it's a server that controls your ability to use a product you have already paid for. Granted, it's relatively mild DRM, but it's still DRM.

I suppose that once you install a non-Steamworks game, you could manually grab the files and zip them up and archive them, but Steam doesn't make it easy. If you had, for example, used Steam's "back up game" feature, you would find that it requires a phone-home to restore the backup. In addition, Steam doesn't make it easy to play these non-Steamworks games without using Steam. All the Start Menu and Desktop shortcuts launch Steam with a particular game ID, not the game .exe directly, so using these shortcuts either requires that you are signed in to Steam, or have explicitly put Steam into offline mode. It's actually quite difficult for the average user to figure out how to run these so-called "DRM-free" games without Steam. So yes, GOG.com is absolutely more entitled to be praised as offering DRM-free games.

Did you read that in Murdoch's newspapers?

Nope. After Myst was a huge success, Cyan put some of the money into building their own dream office from the ground up. The Cyan office is vaguely reminiscent of Myst, and not the other way around.

You're missing the point. DRM is not bad for independent site authors (of course they can ignore it). It's bad for users because it restricts the set of browsers / operating systems they are allowed to use. That is not the point of the Web -- the point of the Web is that anybody can implement a free web browser using open tools and information. If this goes through, then I will have to use Hollywood-approved browsers to access the web. I won't have any "problems" as long as I use browsers Hollywood trusts with their keys. That is NOT how the Web is supposed to work.

Well, if you object to having DRM in the standard, then you should also have to object to anything in the standard that replaces stuff like silverlight and flash..

If you object to Hitler, you should also object to anybody else who has a moustache....

This is not like Silverlight and Flash, because those are not part of the web, they are separate plugins. True, a fully open system cannot access their content. But at least it's limited to content that loads up in a box in a plugin. Inviting DRM into the HTML standard means we could soon start seeing images that can't be saved to disk, text that can't be copied, etc, by simply using the same EME technology already established for video. Basically, I am worried that a lot MORE content will become DRM-encumbered now that the W3C has said it is okay.

What do you mean "all it does is prevent copying"? You do realise that everything that a computer does is copying, right? Watching a video is copying, therefore, DRM prevents watching videos unless certain specific circumstances are met. You said it yourself:

All this mechanism should do is restrict a container of content to one or more specified devices.

How is that an appropriate mechanism for the Web? The Web is supposed to work on all devices. If there is a device that the Web doesn't work on (assuming it is technically powerful enough), I should be able to implement a Web browser on that device to make it work. I should not need permission from any company to do so. That is the whole point of the Web, and it's the reason it is better than all of the other proprietary Internet services (like AOL, MSN) that came before it.

I'd love to know whether that's a real quote from the Windows logo rules. Unfortunately, a Google search for the text returns only one result: this comment. [Citation needed]

Chromebooks come with instructions on how to both:
a) unlock the bootloader and boot into a version of ChromeOS that gives you access to the Linux file system, allowing you to run arbitrary binaries including a modified kernel or Chrome executable, and
b) install alternative operating systems including Ubuntu, as well as running Ubuntu in a chroot (see: Crouton) so you can switch between ChromeOS and Ubuntu without rebooting.

There is nothing user-hostile down about Chromebook's boot protection. They just come with the security enabled by default (and make it a bit tricky to disable it so that an ordinary user does not accidentally flip the switch off). That is totally different from hardware that physically does not let the user install custom binaries.

Every game on the OUYA can be tried for free. You don't have to put a credit card in to start downloading apps from the store.

Actually, it seems about half of the Kickstarter backers (myself included) are being forced to enter their credit card info just to get to the console's main menu.

My OUYA is sitting on my shelf, unused at the moment, because I refuse to put my credit card into it as I wait for a response from OUYA support. I have no idea why some people are getting in for free, and others of us are being forced to enter credit card info, but there had sure be a good explanation.