On 01/07/2016 02:01 PM, Chris Murphy wrote:
> On Thu, Jan 7, 2016 at 11:14 AM, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:
>> On Thu, Jan 07, 2016 at 11:06:35AM -0700, Chris Murphy wrote:
>>>> Mozilla provides an API to sign extensions outside from their infrastructure. It's our infrastructural decision (correctly in my opinion) that prohibits this type of implementation.
>>>
>>> Why is it OK for Fedora infrastructure to sign the bootloader, the kernel, and kernel modules, but not application extensions?
>>
>> I don't think that's the question. The problem is that there isn't a way for us to sign them -- the above is just an API for Mozilla to sign them over the network, right?
>
> OK but shim is signed by Microsoft, which is clearly outside our infrastructure. The assertion that Fedora infrastructure prohibits external signing of things to be included in Fedora would seem to be incorrect, unless I'm misunderstanding some nuance.

You do not have to run Fedora with a signed shim. That's an added measure of security. You can turn this feature off trivially and still run Fedora. You can no longer do this with Firefox.

> Are there Firefox extensions only hosted by Fedora that aren't available in AMO? Why can't these be made available through AMO instead? Offhand it doesn't really make sense to me that a whole separate extension signing infrastructure needs to be created.

No, but that's not really the point. One of the advantages to having extensions in Fedora proper is that it becomes much easier to produce a standard build for a company or home that has certain extensions available to all users, without all users needing to voluntarily download them from somewhere into their own Firefox profile. This can be for convenience or sometimes for compliance with a company's policies.
> If there's some reason certain add-ons can't be in AMO, but need to be in Fedora, (and same for Chrome and any other browser) then yeah, we're going to need code signing infrastructure implemented for each of these browsers. I don't see a way around that. Disabling code signing in the browser is a bad idea, I don't like that at all, certainly not by default, that'd be a huge loss of trust in my mind if the default browser weren't doing everything it can to avoid executing malicious software.

Well, no extension gets added without the user's permission. This really only protects against trojans like installing an extension from a random website rather than a trusted source like AMO or Fedora repositories. I understand the intent and even approve of the implementation... almost. It needs to have a way for someone besides Mozilla to sign extensions or else it is producing a walled garden. I don't necessarily trust that this won't lead to 1) The extension store! Pay $$$ for adblock software or 2) The NSA mandates that all extensions add on a mandatory reporting function, etc. For some users, that peace of mind is necessary. In general, Fedora has been good about providing that up to now; I don't like sacrificing that degree of control to another organization.

--
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/desktop@xxxxxxxxxxxxxxxxxxxxxxx