On Thu, Jan 7, 2016 at 12:54 PM, Stephen Gallagher <sgallagh(a)redhat.com> wrote:
On 01/07/2016 02:01 PM, Chris Murphy wrote:
> OK but shim is signed by Microsoft, which is clearly outside our
> infrastructure. The assertion that Fedora infrastructure prohibits
> external signing of things to be included in Fedora would seem to
> be incorrect, unless I'm misunderstanding some nuance.
You do not have to run Fedora with a signed shim. That's an added
measure of security. You can turn this feature off trivially and still
run Fedora. You can no longer do this with Firefox.
Secure Boot is not optional on all hardware. And even on hardware
where there's a knob to disable it, it's less trivial to find it and
disable it than to install Epiphany or Icecat, should the user want a
browser that doesn't enforce code signing.
> Are there Firefox extensions only hosted by Fedora that aren't
> available in AMO? Why can't these be made available through AMO
> instead? Off hand it doesn't really make sense to me that a whole
> separate extension signing infrastructure needs to be created.
No, but that's not really the point. One of the advantages to having
extensions in Fedora proper is that it becomes much easier to produce
a standard build for a company or home that has certain extensions
available to all users, without all users needing to voluntarily
download them from somewhere into their own Firefox profile. This can
be for convenience or sometimes for compliance with a company's policies.
I recognize there might be some deployment inconvenience for multi-user
environments. But it doesn't look like an insurmountable barrier.
How hard is it to create your own package and push it out to machines?
I'd have to do that same thing on OS X or Windows, because they
certainly don't offer their own repository of Firefox extensions.
> If there's some reason certain add-ons can't be in AMO, but need to
> be in Fedora, (and same for Chrome and any other browser) then
> yeah, we're going to need code signing infrastructure implemented
> for each of these browsers. I don't see a way around that.
> Disabling code signed in the browser is a bad idea, I don't like
> that at all, certainly not be default, that'd be a huge loss of
> trust in my mind if the default browser weren't doing everything it
> can to avoid executing malicious software.
Well, no extension gets added without the user's permission. This
really only protects against trojans like installing an extension from
a random website rather than a trusted source like AMO or Fedora
repositories. I understand the intent and even approve of the
implementation... almost. It needs to have a way for someone besides
Mozilla to sign extensions or else it is producing a walled-garden. I
don't necessarily trust that this won't lead to 1) The extension
store! Pay $$$ for adblock software or 2) The NSA mandates that all
extensions add on a mandatory reporting function, etc.
The signing requirement only applies to add-on types 2 and 32, so
themes and language packs aren't included in this. And it looks like
nightlies and the ESR versions will still offer a functional disable
switch. There's quite a bit of maneuvering room here, even though
it would be better if additional keys were allowed, but I don't know
how they'd implement that and not consider it a substantial
The "submitting them to AMO" and then putting them into the Fedora
repository for distribution seems like the same thing as what's done
with shim though.
For some users, that peace of mind is necessary. In general, Fedora
has been good about providing that up to now; I don't like sacrificing
that degree of control to another organization.
OK well at this point it looks like the short term Fedora 24 time
frame choices are:
1. Firefox <current>, which likely won't provide a code signing check
disable knob. But users still have the choice to download Firefox ESR,
or nightly, or developer versions, which do have a knob. Or install
Epiphany or Icecat.
2. Firefox ESR 45, which by default enforces signed extensions, but
has a knob to disable this. The downside is it suggests ESR 45 for the
life of Fedora 24, at least by default; the user would have to manually
install a different Firefox package to be on the current rolling
I have no real strong preference between 1 and 2. Both protect users
by default. Both provide an option for users to opt out of enforced
code signing checks.
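The thread refers to the signing requirement applying to add-on types 2 and 32 while themes and language packs are exempt. The following is an added example, not code from the thread, Fedora or Mozilla, that shows how a packager could pre-screen an XPI against that rule: it reads the legacy install.rdf manifest for em:type (2 = extension, 4 = theme, 8 = locale, 32 = multiple-item package, 64 = dictionary; the assumption that a missing em:type means type 2 matches Firefox's default), and checks whether the Mozilla signature members (META-INF/manifest.mf, mozilla.sf, mozilla.rsa) are present. It deliberately does not verify the signature cryptographically; that is the browser's job, and a file list only tells you whether an unsigned extension is about to be blocked. The sample XPIs are constructed in memory for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"

# em:type values used by the legacy install.rdf manifest.
ADDON_TYPES = {2: "extension", 4: "theme", 8: "locale",
               32: "multiple-item package", 64: "dictionary"}

# Per the thread, only these types are subject to mandatory signing.
SIGNED_TYPES = {2, 32}

# Members Mozilla's signing service adds to a signed XPI.
SIGNATURE_FILES = {"META-INF/manifest.mf",
                   "META-INF/mozilla.sf",
                   "META-INF/mozilla.rsa"}


def addon_type(xpi_bytes):
    """Return the em:type of the add-on (assumed default 2 when absent)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        rdf = z.read("install.rdf")
    root = ET.fromstring(rdf)
    for desc in root.iter("{%s}Description" % RDF):
        elem = desc.find("{%s}type" % EM)
        if elem is not None and elem.text:
            return int(elem.text.strip())
        attr = desc.get("{%s}type" % EM)   # em:type may also be an attribute
        if attr:
            return int(attr)
    return 2


def has_signature_files(xpi_bytes):
    """True if all three Mozilla signature members are present (not verified)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return SIGNATURE_FILES <= set(z.namelist())


def check_xpi(xpi_bytes):
    """Classify an XPI: does the signing rule apply, and would it be blocked?"""
    t = addon_type(xpi_bytes)
    required = t in SIGNED_TYPES
    present = has_signature_files(xpi_bytes)
    return {
        "type": t,
        "type_name": ADDON_TYPES.get(t, "unknown"),
        "signature_required": required,
        "signature_files_present": present,
        "would_be_blocked": required and not present,
    }


def make_xpi(em_type, signed):
    """Build a constructed sample XPI in memory (hypothetical id/name)."""
    install_rdf = f"""<?xml version="1.0"?>
<RDF xmlns="{RDF}" xmlns:em="{EM}">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample@example.invalid</em:id>
    <em:version>1.0</em:version>
    <em:type>{em_type}</em:type>
    <em:name>constructed sample add-on</em:name>
  </Description>
</RDF>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", install_rdf)
        if signed:
            # Placeholder contents: only presence is checked here.
            for name in sorted(SIGNATURE_FILES):
                z.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for em_type, signed in [(2, False), (2, True), (4, False), (8, False), (32, False)]:
        print(check_xpi(make_xpi(em_type, signed)))
```

Run as a script it prints the classification of five constructed samples; an unsigned type-2 extension reports would_be_blocked, while an unsigned theme or locale does not. Replace make_xpi with the bytes of a real .xpi to screen a package before it goes into a repository.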