On Feb 26, 2016 12:09 PM, "Stephen Gallagher" <sgallagh(a)redhat.com> wrote:
Esteemed Council Members,
For a while now, FESCo has been deliberating options on how to deal with Mozilla's change to Firefox that disallows the loading of extensions that haven't been signed by the Mozilla Foundation, particularly those extensions that we ship in the Fedora repositories.
A month ago, FESCo drafted a letter that we sent to Mozilla (reproduced below). They replied that they would provide us with a detailed response the next day. I have subsequently pinged them each week for the last four.
At this time, FESCo would like the Council's permission to offer Mozilla one more chance to reply privately, else the Fedora Project will make the contents of the letter into an open letter, published prominently. This will be done in the hopes of involving other distributions and entities that value user freedoms to support us in this effort.
We would like to have this discussed and (hopefully) approved during the Council meeting this Monday, February 29th, so that we can contact Mozilla with a deadline of March 10th to reply.
The original letter:
Subject: Mozilla Firefox Extension Signing
==========================================
Greetings, Mozilla Foundation,
Members of the Fedora Project have recently raised concerns about the state of Firefox extensions in version 43 and later. As you are aware, beginning with Firefox version 43, only those extensions which have been signed by the Mozilla Foundation and published on addons.mozilla.org are permitted to be installed and used.
We are aware of the set of problems that Mozilla is attempting to solve with the implementation of this new policy. You want to help users avoid installing malware or other harmful, insecure or privacy-violating software. This is a noble goal and one that we agree is worth pursuing.
However, this new policy in Firefox has made a number of things very difficult for Fedora and (presumably) other Free Software distributions. The requirement for package signing effectively prevents the Fedora project from offering distribution packages for any extensions. There are multiple reasons that such packages are made available:
* Users of Fedora may trust the distribution to sign their packages, but be unwilling to extend that trust to individual upstreams, regardless of Mozilla's relative reliability.
* The Fedora Project or a downstream remix might wish to ship certain extensions to Firefox by default. A hypothetical example might be an extension to manage login to the Fedora Project family of web services. Another such example would be for us to ship with a security-enhancing extension such as "HTTPS Everywhere" in the default configuration.
* A business might wish only to install packages provided by the distribution onto their users' systems (this is particularly common among users of enterprise distributions).
Furthermore, though the current policies on how an extension gets approved or denied are quite good and transparent, some have expressed concern that at some point this will change or be enforced incorrectly, resulting in denials of useful extensions from distribution.
Representing the Fedora Project, we would like to request that Mozilla consider implementing (or accepting patches from us to implement) one or more of the following potential mitigating approaches:
* Firefox does not mandate signature checking for system-installed extensions.
  - Only an administrative user (e.g. root) has privilege to install system-wide extensions, and this user already has ultimate power by installing an alternative Firefox build if malice was their goal.
* Firefox retains the option of disabling signature checking for its extensions. A permissible compromise here would be for this feature to be unavailable to ordinary users, but configurable only in the system-wide configuration by an administrative user.
* Firefox adds the ability for the system administrator to add and remove signing authorities that signature checking will honor. Fedora (and other distributions) could then choose to ship with their own signing certificate enabled by default.
  - This is our preferred solution, as it should be the most robust and the most in keeping with Mozilla's goals.
  - This option would also therefore permit an administrator to add a signing authority for private extensions or extensions under development.
Mozilla and the Fedora Project have had a long and mutually productive relationship, so I am confident that we can work together to discover a way forwards that will satisfy both the user-safety concerns as well as the ability for users and distributions to run the software of their choosing.
Sincerely,
The Fedora Engineering Steering Committee
* Josh Boyer
* Kevin Fenzi
* Stephen Gallagher
* Haïkel Guémar
* Dennis Gilmore
* Kalev Lember
* Adam Miller
* Parag Nemade
* Jared Smith
as well as Matthew Miller, the Fedora Project Leader
As a consumer of both unsigned internal extensions and Fedora, I appreciate
FESCO taking an interest in this issue. As an admin responsible for
Firefox redistribution in a former life, I believe that the approach of
allowing system level extensions is technically feasible, sane, and still
addresses concerns about bad extensions from the wild. Well done, FESCO,
public visibility of this letter would get my vote.
--Pete