On Thu, Jan 7, 2016 at 12:54 PM, Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/07/2016 02:01 PM, Chris Murphy wrote: >> OK but shim is signed by Microsoft, which is clearly outside our >> infrastructure. The assertion that Fedora infrastructure prohibits >> external signing of things to be included in Fedora would seem to >> be incorrect, unless I'm misunderstanding some nuance. >> > > You do not have to run Fedora with a signed shim. That's an added > measure of security. You can turn this feature off trivially and still > run Fedora. You can no longer do this with Firefox. Secure Boot is not optional on all hardware. And even on hardware where there's a knob to disable it, it's less trivial to find it and disable it than to install Epiphany or Icecat, should the user want a browser that doesn't enforce code signing. > > >> Are there Firefox extensions only hosted by Fedora that aren't >> available in AMO? Why can't these be made available through AMO >> instead? Off hand it doesn't really make sense to me that a whole >> separate extension signing infrastructure needs to be created. >> > > No, but that's not really the point. One of the advantages to having > extensions in Fedora proper is that it becomes much easier to produce > a standard build for a company or home that has certain extensions > available to all users, without all users needing to voluntarily > download them from somewhere into their own Firefox profile. This can > be for convenience or sometimes for compliance with a company's policies. I recognize there might be some deployment inconvenience for multi user environments. But it doesn't look like an insurmountable barrier. How hard is it to create your own package and push it out to machines? I'd have to do that same thing on OS X or Windows, because they certainly don't offer their own repository of Firefox extensions. > > >> If there's some reason certain add-ons can't be in AMO, but need to >> be in Fedora, (and same for Chrome and any other browser) then >> yeah, we're going to need code signing infrastructure implemented >> for each of these browsers. I don't see a way around that. >> Disabling code signed in the browser is a bad idea, I don't like >> that at all, certainly not be default, that'd be a huge loss of >> trust in my mind if the default browser weren't doing everything it >> can to avoid executing malicious software. >> > > Well, no extension gets added without the user's permission. This > really only protects against trojans like installing an extension from > a random website rather than a trusted source like AMO or Fedora > repositories. I understand the intent and even approve of the > implementation... almost. It needs to have a way for someone besides > Mozilla to sign extensions or else it is producing a walled-garden. I > don't necessarily trust that this won't lead to 1) The extension > store! Pay $$$ for adblock software or 2) The NSA mandates that all > extensions add on a mandatory reporting function, etc. The signing requirement only applies to add-on types 2 and 32, so themes and language packs aren't included in this. And it looks like nightlies and the ESR versions will still offer a functional disable switch. There's quite a bit of maneuvering room here, even if though it would be better if additional keys were allowed but I don't know how they'd implement that and not consider it a substantial modification. The "submitting them to AMO" and then putting them into Fedora repository for distribution seems like the same thing as what's done with shim though. > For some users, that peace of mind is necessary. In general, Fedora > has been good about providing that up to now; I don't like sacrificing > that degree of control to another organization. OK well at this point it looks like the short term Fedora 24 time frame choices are: 1. Firefox <current> which likely won't provide a code signing check disable knob. But users still have the choice to download Firefox ESR, or nightly, or developer versions which do have a know. Or install Epiphany or Icecat. 2. Firefox ESR 45, which by default enforces signed extensions, but has a knob to disable this. The download it is suggests ESR 45 for the life of Fedora 24 at least by default; the user would have to manually install a different Firefox package to be on the current rolling release. 3. Ephiphany. 4. Icecat I have no real strong preference between 1 and 2. Both protect users by default. Both provide an option for users to opt out of enforced code signing checks. -- Chris Murphy -- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/desktop@xxxxxxxxxxxxxxxxxxxxxxx
