Mozilla Firefox and Unsigned Extensions

Esteemed Council Members,

For a while now, FESCo has been deliberating options on how to deal with
Mozilla's change to Firefox that disallows the loading of extensions that
haven't been signed by the Mozilla Foundation, particularly those extensions
that we ship in the Fedora repositories.

A month ago, FESCo drafted a letter that we sent to Mozilla (reproduced below).
They replied that they would provide us with a detailed response the next day. I
have subsequently pinged them each week for the last four.

At this time, FESCo would like the Council's permission to offer Mozilla one
more chance to reply privately, else the Fedora Project will make the contents
of the letter into an open letter, published prominently. This will be done in
the hopes of involving other distributions and entities that value user freedoms
to support us in this effort.

We would like to have this discussed and (hopefully) approved during the Council
meeting this Monday, February 29th, so that we can contact Mozilla with a
deadline of March 10th to reply.



The original letter:


Subject: Mozilla Firefox Extension Signing
==========================================


Greetings, Mozilla Foundation,

Members of the Fedora Project have recently raised concerns about the state of
Firefox extensions in version 43 and later. As you are aware, beginning with
Firefox version 43, only those extensions which have been signed by the Mozilla
Foundation and published on addons.mozilla.org are permitted to be installed
and used.

We are aware of the set of problems that Mozilla is attempting to solve with
the implementation of this new policy. You want to help users avoid installing
malware or other harmful, insecure or privacy-violating software. This is a
noble goal and one that we agree is worth pursuing.

However, this new policy in Firefox has made a number of things very difficult
for Fedora and (presumably) other Free Software distributions. The requirement
for package signing effectively prevents the Fedora project from offering
distribution packages for any extensions. There are multiple reasons that such
packages are made available:

 * Users of Fedora may trust the distribution to sign their packages, but be
   unwilling to extend that trust to individual upstreams, regardless of
   Mozilla's relative reliability.

 * The Fedora Project or a downstream remix might wish to ship certain
   extensions to Firefox by default. A hypothetical example might be an
   extension to manage login to the Fedora Project family of web services.
   Another such example would be for us to ship with a security-enhancing
   extension such as "HTTPS Everywhere" in the default configuration.

 * A business might wish only to install packages provided by the distribution
   onto their users' systems (this is particularly common among users of
   enterprise distributions).

Furthermore, though the current policies on how an extension gets approved or
denied are quite good and transparent, some have expressed concern that at some
point this will change or be enforced incorrectly, resulting in denials of
useful extensions from distribution.

Representing the Fedora Project, we would like to request that Mozilla consider
implementing (or accepting patches from us to implement) one or more of the
following potential mitigating approaches:

 * Firefox does not mandate signature checking for system-installed extensions.
   - Only an administrative user (e.g. root) has privilege to install system-
     wide extensions, and this user already has ultimate power by installing an
     alternative Firefox build if malice was their goal.

 * Firefox retains the option of disabling signature checking for its
   extensions. A permissible compromise here would be for this feature to be
   unavailable to ordinary users, but configurable only in the system-wide
   configuration by an administrative user.

 * Firefox adds the ability for the system administrator to add and remove
   signing authorities that signature checking will honor. Fedora (and other
   distributions) could then choose to ship with their own signing certificate
   enabled by default.
   - This is our preferred solution, as it should be the most robust and the
     most in keeping with Mozilla's goals.
   - This option would also therefore permit an administrator to add a signing
     authority for private extensions or extensions under development.

Mozilla and the Fedora Project have had a long and mutually productive
relationship, so I am confident that we can work together to discover a way
forwards that will satisfy both the user-safety concerns as well as the ability
for users and distributions to run the software of their choosing.

Sincerely,
The Fedora Engineering Steering Committee
 * Josh Boyer
 * Kevin Fenzi
 * Stephen Gallagher
 * Haïkel Guémar
 * Dennis Gilmore
 * Kalev Lember
 * Adam Miller
 * Parag Nemade
 * Jared Smith
as well as Matthew Miller, the Fedora Project Leader


_______________________________________________
council-discuss mailing list