Firefox addon signing
Andrew Lutomirski
luto at mit.edu
Fri Aug 28 19:33:14 UTC 2015
On Fri, Aug 28, 2015 at 12:18 AM, Martin Stransky <stransky at redhat.com> wrote:
> On 08/27/2015 04:40 PM, Alexander Ploumistos wrote:
>>
>> Aren't the addons that we ship in fedora a bunch of text files zipped
>> in an xpi archive? It is kind of awkward to send them back and forth,
>> but if there are no other binaries, does it go against a particular
>> policy?
>>
>> Or we could decide that we trust Mozilla's code review process and
>> drop packaging addons altogether, as was suggested. At least the users
>> will receive updates faster.
>
>
> Can we ship addons which are already signed by Mozilla? Or does Fedora
> packager modify them somehow?
>
Another thought: could we ask Mozilla for permission to exempt a
specific directory (e.g. /usr/share/distro-firefox-extensions) from
signature requirements for .xpi files that are owned by root?
After all, anyone who can drop root-owned files in there can just as
easily replace the entire firefox binary.
--Andy
More information about the devel
mailing list