Provide enterprise policy for supporting CRX2 updates
Issue description

We are fearful that the M75 rollout, in which we will fully disable CRX2, will trigger escalations from enterprises. To provide sysadmins with an escape hatch, we must provide an enterprise policy for supporting CRX2-based installs and updates; something along the lines of "Enable insecure extension updates/installations: [Enabled / Disabled / Not Set]". We will remove the policy in M77.
Nov 30
Hey waffles, I was originally going to drive enterprise comms about the CRX2 --> CRX3 migration, but I never actually completed that. Did anyone else pick that up or do we still need to formally communicate it to customers? If not, we can include this in the comms. I've added this requirement to our internal extensions backlog (go/crxbacklog) for tracking.
Dec 3
+naveen/cyrus/max FYI, to make sure comms + policies + cpanel UI are in place for this deprecation effort. I'm a bit concerned about the short deprecation timeline (removing policy in M77) - do we have stats for # old CRX versions in the field?
Dec 3
jawag: It's in the enterprise release notes since M69. No other comms have been done AFAIK.
atwilson: I haven't seen any stats. By definition this only affects extensions that do not flow through Omaha.
Dec 26
Many of our enterprise customers have said that they will need many quarters to make the switch - what about 10 releases later? (e.g. removing policy in M85)
Jan 8
I am very fatigued, stressed, and frustrated with trying to make this change and hitting opposition and delay at every point. We published intent to implement before M64 and have had this change in the enterprise release notes since M68. By the time M77 hits, enterprise customers will have had 13 months since being notified to migrate. Pushing to M85 (September 2020) will increase that to 25 months. I am nearing the end of my ability to argue about this. I feel physically sick every time I open this bug and the associated CL. It seems pointless to reiterate the risks of continuing to rely on the collision-resistance of SHA1. My personal feelings aside, I respect that enterprise admins are responsible for balancing the security of their users and the cost of updating their tooling. I will move the published policy removal date to M85. I hope I am not working on this project by then.
Jan 9
Hey everyone. This bug is part of a larger plan--already in progress--to ensure that enterprises have enough time to react to the change. First, note that this only affects extensions hosted privately. Anything in CWS has already been automatically repackaged. Starting in M69, the enterprise release notes have been notifying admins about this change. Now, because we know the release notes are not sufficient for something disruptive, waffles@ is also implementing an escape hatch policy tracked by this bug. Come M75, privately hosted extensions that are non-compliant will stop updating and installing. Because this is disruptive, admins will be able to use policy to override the change and revert to the old behavior. This will be available for 2 releases (12 weeks), to give admins enough time to update their extensions, even if they missed the warnings in the release notes. This plan conforms to our best practices for shipping enterprise-friendly changes: https://www.chromium.org/developers/enterprise-changes
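For admins who need to find which privately hosted packages are affected, a header check is enough to tell the two formats apart. The script below is an added example, not code from this thread or from Chromium; it relies on the CRX container layout (magic `Cr24` followed by a little-endian 32-bit format version), its function names are hypothetical, and the sample files are constructed headers only. It reports the declared format version and does not verify signatures.

```python
import struct
import tempfile
from pathlib import Path

CRX_MAGIC = b"Cr24"  # first four bytes of every CRX package


def crx_format_version(path):
    """Return the CRX format version (2, 3, ...) or None if not a CRX file."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if len(head) < 8 or head[:4] != CRX_MAGIC:
        return None  # truncated, or a bare zip / unrelated file
    # Bytes 4..7: format version, unsigned 32-bit little-endian.
    return struct.unpack("<I", head[4:8])[0]


def audit_crx_dir(root):
    """Classify every *.crx under root by the version its header declares."""
    report = {"crx2": [], "crx3": [], "other": []}
    for path in sorted(Path(root).rglob("*.crx")):
        version = crx_format_version(path)
        key = {2: "crx2", 3: "crx3"}.get(version, "other")
        report[key].append(path.name)
    return report


def build_sample_dir():
    """Constructed sample packages: headers only, no real payload."""
    root = Path(tempfile.mkdtemp())
    # CRX2 header: magic, version=2, public-key length, signature length
    (root / "legacy.crx").write_bytes(CRX_MAGIC + struct.pack("<III", 2, 0, 0))
    # CRX3 header: magic, version=3, length of the signed header that follows
    (root / "current.crx").write_bytes(CRX_MAGIC + struct.pack("<II", 3, 0))
    # A plain zip with no CRX header lands in "other"
    (root / "broken.crx").write_bytes(b"PK\x03\x04")
    return root


if __name__ == "__main__":
    for kind, names in audit_crx_dir(build_sample_dir()).items():
        print(kind, names)
```

Anything listed under `crx2` needs to be repackaged before the cutoff discussed above; entries under `other` are worth a manual look because they are not valid CRX packages at all.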
Jan 17
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fd01b7cdfa049b6ade527ddbd70c6dda1638c640

commit fd01b7cdfa049b6ade527ddbd70c6dda1638c640
Author: Joshua Pawlicki <waffles@chromium.org>
Date: Thu Jan 17 16:18:34 2019

Add enterprise policy to control CRX2 usage.

The default right now is to allow - in a later milestone it will switch to forbid, but the policy will provide an escape hatch to the former behavior for another few milestones.

Bug: 889468
Change-Id: I9ee0fa42e318b1fa019b26766aa27378f84c4619
Reviewed-on: https://chromium-review.googlesource.com/c/1297396
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: James Cook <jamescook@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Commit-Queue: Joshua Pawlicki <waffles@chromium.org>
Cr-Commit-Position: refs/heads/master@{#623706}

[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/chromeos/BUILD.gn
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/chromeos/app_mode/kiosk_app_data.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/chromeos/app_mode/kiosk_external_updater.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/chromeos/extensions/external_cache_impl.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/chromeos/extensions/external_cache_impl_unittest.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/api/runtime/chrome_runtime_api_delegate_unittest.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/content_verifier_test_utils.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/crx_installer.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/crx_installer.h
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/extension_gcm_app_handler_unittest.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/extension_service_test_with_install.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/extension_service_unittest.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/startup_helper.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/updater/chrome_extension_downloader_factory.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/updater/chrome_extension_downloader_factory.h
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/extensions/updater/extension_updater_unittest.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/browser/policy/policy_browsertest.cc
[rename] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/test/data/extensions/page_action.pem
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/components/policy/resources/policy_templates.json
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/crx_file_info.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/crx_file_info.h
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/extension_prefs.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/extension_prefs.h
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/install/sandboxed_unpacker_failure_reason.h
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/pref_names.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/pref_names.h
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/sandboxed_unpacker.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/sandboxed_unpacker.h
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/sandboxed_unpacker_unittest.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/updater/extension_downloader.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/updater/extension_downloader.h
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/browser/updater/update_data_provider.cc
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/common/BUILD.gn
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/common/DEPS
[add] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/common/verifier_formats.cc
[add] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/extensions/common/verifier_formats.h
[modify] https://crrev.com/fd01b7cdfa049b6ade527ddbd70c6dda1638c640/tools/metrics/histograms/enums.xml
Jan 18
Comment 1 by waff...@chromium.org, Sep 26