Firefox addon signing
Dennis Gilmore
dennis at ausil.us
Thu Aug 27 14:09:17 UTC 2015
On Wednesday, August 26, 2015 03:13:08 PM Richard Z wrote:
> On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
> > Their FAQ is constantly updated:
> >
> > https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
> >
> > I'm not sure if there is a valid practical reason to refuse submitting the
> > addons that we ship to their signing service or if it is against our
> > policies; at least mozilla-https-everywhere has been signed.
>
> that would work for Fedora - if it can be guaranteed that they sign new
> versions quickly. Immagine if one of our plugins had a security hole and
> mozilla would need days or weeks to sign it. As far as I can see Fedora
> specific extensions would have to be listed which means they would go
> through manual code review at mozilla.
We have no real practical way to do this other than package up the addon and
build it as a -unsigned package, then making a separate package that has the
precompiled binary and signed by mozilla and put into the add on package.
It sounds like the path mozilla is taking will likely prevent us shipping
addons in Fedora. That of course is their right to pursue that.
> > Mozilla states that they will be offering an unbranded binary (en_US only)
> > for development and testing purposes.
>
> For me this appears the only possibility and I suspect there are more
> Fedora users like me maintaining their own Firefox extensions.
>
> So will we get a firefox-unbranded package?
>
> Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150827/c553eaca/attachment.sig>
More information about the devel
mailing list