On Wed, Aug 26, 2015 at 05:53:36PM +0200, drago01 wrote:
On Wed, Aug 26, 2015 at 3:13 PM, Richard Z <rz(a)linux-m68k.org>
wrote:
> On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
>> Their FAQ is constantly updated:
>>
>>
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
>>
>> I'm not sure if there is a valid practical reason to refuse submitting the
>> addons that we ship to their signing service or if it is against our
>> policies; at least mozilla-https-everywhere has been signed.
>
> that would work for Fedora - if it can be guaranteed that they sign new
> versions quickly. Immagine if one of our plugins had a security hole and
> mozilla would need days or weeks to sign it. As far as I can see Fedora
> specific extensions would have to be listed which means they would go
> through manual code review at mozilla.
>
>> Mozilla states that they will be offering an unbranded binary (en_US only)
>> for development and testing purposes.
>
> For me this appears the only possibility and I suspect there are more
> Fedora users like me maintaining their own Firefox extensions.
>
> So will we get a firefox-unbranded package?
A better solution would be to add a mechanism that allows you to use
your own signing keys.
which would be possible only with firefox-unbranded unless some wonder
happens.
That way you have both 1) install self built extensions and 2) the
added security.
might be a security gain for some people but not for me.
Richard
--
Name and OpenPGP keys available from pgp key servers