Firefox addon signing

[Richard Z]

On Thu, Feb 12, 2015 at 07:07:34PM +0100, Reindl Harald wrote:
> 
> Am 12.02.2015 um 18:53 schrieb Simo Sorce:
> >>Maybe it is only about preventing people from bundling the official
> >>Firefox version with dodgy add-ons.  Not downright malware, but things
> >>users may not actually want without realizing it.  The signature
> >>checking means that those who prepare the downloads can no longer use
> >>the unmodified upstream binary.  Which in turn might force them not to
> >>use Mozilla brands.
> >>
> >>Maybe this is a bit far-fetched, but after hours of staring at other
> >>people's code today, it seems pretty reasonable to me.
> >>
> >>But what do add-on developers do?  Surely there is a way to disable this
> >>somehow?
> >
> >Mozilla stated they will have to use the Developer Version (Aurora was
> >the name ?) or the nightlies ...
> 
> than Fedora needs to switch to the developer version if that *really* can't
> be disabled via about:config - that is a unacceptable restriction until
> hmtlvalidator, livehttpheaders and friends are available sigend via the
> mozilla page

any news on that on our side? From firefox-devel I gather that the "feature"
will land exactly as anounced.

There will be no configurable option for the user or sysadmin to allow loading 
of plugins not signed by mozilla - be it Fedora signed plugins or my personal
bunch of homebrown locally built plugins. 

So I think Fedora could provide 2 Firefox packages:
* firefox-official  with all restrictions
* unbranded-firefoxlike-browser which is almost identical but without said
  restrictions

Richard

-- 
Name and OpenPGP keys available from pgp key servers

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 811 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150826/d9d117df/attachment.sig>