> On 01/07/2016 08:41 AM, Martin Stransky wrote:
>> On 01/07/2016 02:29 PM, Naheem Zaffar wrote:
>>> ESR will only delay the problem.
>>>
>>> Can the Fedora build add a secondary key to accept signed
>>> extensions?
>>
>> Is it possible to use Mozilla API to sign our extensions?
>>
>> https://developer.mozilla.org/en-US/Add-ons/Distribution
>> http://olympia.readthedocs.org/en/latest/topics/api/signing.html
>>
>
> No, it is not. The primary reason being that Koji builds intentionally
> have no network access. This is to ensure that all builds are
> reproducible (since if they relied upon external network resources,
> the output from the same input could be different if it was rebuilt at
> a different time). Additionally it's to ensure that some third-party
> service isn't inserting unexpected code into the output, thereby
> resulting in us shipping a binary that doesn't match the sources.

And for Fedora we'd need to provide a mechanism within koji to actually
sign the built work. We already have infrastructure to do this for the
kernel/grub and friends but I'm not sure how much it would take to
extend that to other formats.

Peter