Firefox addon signing
Richard Z
rz at linux-m68k.org
Wed Aug 26 11:26:20 UTC 2015
On Thu, Feb 12, 2015 at 07:07:34PM +0100, Reindl Harald wrote:
>
> Am 12.02.2015 um 18:53 schrieb Simo Sorce:
> >>Maybe it is only about preventing people from bundling the official
> >>Firefox version with dodgy add-ons. Not downright malware, but things
> >>users may not actually want without realizing it. The signature
> >>checking means that those who prepare the downloads can no longer use
> >>the unmodified upstream binary. Which in turn might force them not to
> >>use Mozilla brands.
> >>
> >>Maybe this is a bit far-fetched, but after hours of staring at other
> >>people's code today, it seems pretty reasonable to me.
> >>
> >>But what do add-on developers do? Surely there is a way to disable this
> >>somehow?
> >
> >Mozilla stated they will have to use the Developer Version (Aurora was
> >the name ?) or the nightlies ...
>
> than Fedora needs to switch to the developer version if that *really* can't
> be disabled via about:config - that is a unacceptable restriction until
> hmtlvalidator, livehttpheaders and friends are available sigend via the
> mozilla page
any news on that on our side? From firefox-devel I gather that the "feature"
will land exactly as anounced.
There will be no configurable option for the user or sysadmin to allow loading
of plugins not signed by mozilla - be it Fedora signed plugins or my personal
bunch of homebrown locally built plugins.
So I think Fedora could provide 2 Firefox packages:
* firefox-official with all restrictions
* unbranded-firefoxlike-browser which is almost identical but without said
restrictions
Richard
--
Name and OpenPGP keys available from pgp key servers
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 811 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150826/d9d117df/attachment.sig>
More information about the devel
mailing list