
The thing is, users that ran this command know what it did. Maybe not in all its detail (I certainly didn't know exactly what it did, although I could have looked for it). That's because for this command to be of any use to the user, they first have to enable the "native client" to enable reading Tridactyl's RC file, which is explicitly stated to weaken the security model Mozilla tries to enforce on extensions.

This isn't a "random plug-in" playing with your security settings. It's a well designed extension which tries its hardest to allow power users to do what they want: control their browser the way they best see fit, without restrictions. If you want to stay safe, just don't enable those settings: they're not necessary to get a good out-of-the-box experience, but they allow some very powerful fine-tuning to turn your browser into your browser, with your commands.



It's explicitly stated that it will weaken the security model, but it's not explicitly stated that it will modify user.js. Now the author is claiming that reversing the change would be improper because it involves modifying user.js without explicitly saying so, but that's literally exactly what they did already.

They are not claiming that the problem is being forced to strengthen the security model without explicitly asking. They are claiming that the problem is specifically being forced to modify user.js without explicitly asking.


> it involves modifying user.js without explicitly saying so, but that's literally exactly what they did already.

We have never modified firefox settings without a user explicitly opting in.

All the documentation for the `fixamo` function named the two firefox settings (as viewable in about:config) that `fixamo` would change.

`fixamo` was an opt-in feature that users were only going to find by reading our help files or asking us on our support channel.

Disclaimer: I am one of the authors of tridactyl.


I've certainly read somewhere that running `fixamo` would modify my user.js. I was fully aware of this fact prior to running the command.


Did they? I just looked up the documentation for this command, and I have no idea why users would have the expectation that it did this.


This is the documentation we provided:

"To make Tridactyl work on addons.mozilla.org and some other Mozilla domains, you need to open about:config, run fixamo or add a new boolean privacy.resistFingerprinting.block_mozAddonManager with the value true, and remove the above domains from extensions.webextensions.restrictedDomains."

And

"Simply sets

"privacy.resistFingerprinting.block_mozAddonManager":true
"extensions.webextensions.restrictedDomains":""

in about:config via user.js so that Tridactyl (and other extensions!) can be used on addons.mozilla.org and other sites."

You can find these messages in src/excmds.ts at commit 92e1b005c47995e3d24f61a7d4c3935df8437f1a

The only way this hurts you as a user is if all of the following occurs:

1. You manually install Tridactyl

2. You manually install our native messenger

3. You manually run a command called `fixamo` or you manually find and install our exemplar RC file that explicitly says at the top that you should read it because it does things you might not like; and then you don't read or edit it

4. You also manually install a malicious addon

5. That malicious addon doesn't have permissions for <all_urls> (otherwise it can steal your banking credentials without tridactyl's help) but does have permission for accounts.firefox.org

6. That addon can then steal your firefox account credentials and use them to e.g. mess with your synced settings and e.g. download your passwords database (if you don't have a master password set).

My view is that you're pretty much fucked if you install a malicious addon with <all_urls> anyway (and many addons request that permission), so this slight extra capability you get if you successfully phish someone in this pool of <1000 people isn't a big deal.
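A defender-side check for the two prefs discussed in this thread, added here as an illustration and not Tridactyl's own code: it parses a Firefox `user.js` and reports whether the values `fixamo` writes are present. The sample `user.js` content is constructed; `parse_user_js` and `audit_fixamo` are names chosen for this example.

```python
import re
from typing import Dict, List, Union

Pref = Union[bool, int, str]

# user.js consists of lines of the form: user_pref("name", value);
# value is true/false, an integer, or a double-quoted string.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*(?://.*)?$'
)

# Constructed sample profile fragment, not taken from a real machine.
SAMPLE_USER_JS = """\
// constructed sample user.js
user_pref("browser.startup.homepage", "about:blank");
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
user_pref("extensions.webextensions.restrictedDomains", "");
user_pref("network.http.max-connections", 900);
"""


def parse_user_js(text: str) -> Dict[str, Pref]:
    """Return a name -> value mapping of every user_pref() line in text."""
    prefs: Dict[str, Pref] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:  # comments, blank lines and anything unparseable
            continue
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)  # the remaining literal type is an integer
    return prefs


def audit_fixamo(prefs: Dict[str, Pref]) -> List[str]:
    """Flag the two settings the thread says fixamo writes via user.js."""
    findings = []
    if prefs.get("privacy.resistFingerprinting.block_mozAddonManager") is True:
        findings.append("block_mozAddonManager is true: extensions can run on AMO")
    domains = prefs.get("extensions.webextensions.restrictedDomains")
    if isinstance(domains, str) and domains.strip() == "":
        findings.append("restrictedDomains is empty: no Mozilla domains are protected")
    return findings
```

Run `audit_fixamo(parse_user_js(open(path).read()))` against a profile's `user.js` to see whether the extension-restriction relaxation described above is in effect.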


I feel like vim browsing is better off with a browser designed for it like luakit, and that's coming from someone who uses vimium and tridactyl.

They both get in the way as often as they help. Mirrors my experience with vim-mode plugins for non-vim IDEs/editors too.


I used to be a Vimperator user, then Pentadactyl user, and after that, Vimium user. In all three cases I eventually gave up on 'em because they kept breaking and like you said, they got in the way as much as they helped.

But on the Vim-emulation for IDEs front I would like to send a shout-out to JetBrains for the IdeaVim plugin. IdeaVim combined with the CLion IDE, also by JetBrains, and language specific plugins, help me so massively much when I work on any project that spans more than a handful of files.

In several cases there are projects that I work on with ease in CLion that I could not imagine trying to do with plain old Vim, and there is no other IDE that I have enjoyed using as much as CLion, not even by a long shot.

I have nothing but good things to say about CLion and of JetBrains. Unless they do something drastically weird to CLion they likely have a customer for life in me.

IdeaVim is not a complete emulation of Vim, but it is a complete emulation of the parts of Vim that I use and expect, so I am very satisfied with it.



