Firefox addon signing
drago01
drago01 at gmail.com
Wed Aug 26 15:53:36 UTC 2015
On Wed, Aug 26, 2015 at 3:13 PM, Richard Z <rz at linux-m68k.org> wrote:
> On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
>> Their FAQ is constantly updated:
>>
>> https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
>>
>> I'm not sure if there is a valid practical reason to refuse submitting the
>> addons that we ship to their signing service or if it is against our
>> policies; at least mozilla-https-everywhere has been signed.
>
> that would work for Fedora - if it can be guaranteed that they sign new
> versions quickly. Immagine if one of our plugins had a security hole and
> mozilla would need days or weeks to sign it. As far as I can see Fedora
> specific extensions would have to be listed which means they would go
> through manual code review at mozilla.
>
>> Mozilla states that they will be offering an unbranded binary (en_US only)
>> for development and testing purposes.
>
> For me this appears the only possibility and I suspect there are more
> Fedora users like me maintaining their own Firefox extensions.
>
> So will we get a firefox-unbranded package?
A better solution would be to add a mechanism that allows you to use
your own signing keys.
That way you have both 1) install self built extensions and 2) the
added security.
More information about the devel
mailing list