Stephen Gallagher píše v Čt 07. 01. 2016 v 14:54 -0500: > On 01/07/2016 02:01 PM, Chris Murphy wrote: > > On Thu, Jan 7, 2016 at 11:14 AM, Matthew Miller > > <mattdm@xxxxxxxxxxxxxxxxx> wrote: > > > On Thu, Jan 07, 2016 at 11:06:35AM -0700, Chris Murphy wrote: > > > > > Mozilla provides an API to sign extensions outside from > > > > > their infrastructure. It's our infrastructural decision > > > > > (correctly in my opinion) that prohibits this type of > > > > > implementation. > > > > Why is it OK for Fedora infrastructure to sign the bootloader, > > > > the kernel, and kernel modules, but not application > > > > extensions? > > > > > > I don't think that's the question. The problem is that there > > > isn't a way for us to sign them -- the above is just an API for > > > Mozilla to sign them over the network, right? > > > > OK but shim is signed by Microsoft, which is clearly outside our > > infrastructure. The assertion that Fedora infrastructure prohibits > > external signing of things to be included in Fedora would seem to > > be incorrect, unless I'm misunderstanding some nuance. > > > > You do not have to run Fedora with a signed shim. That's an added > measure of security. You can turn this feature off trivially and > still > run Fedora. You can no longer do this with Firefox. > > > > Are there Firefox extensions only hosted by Fedora that aren't > > available in AMO? Why can't these be made available through AMO > > instead? Off hand it doesn't really make sense to me that a whole > > separate extension signing infrastructure needs to be created. > > > > No, but that's not really the point. One of the advantages to having > extensions in Fedora proper is that it becomes much easier to produce > a standard build for a company or home that has certain extensions > available to all users, without all users needing to voluntarily > download them from somewhere into their own Firefox profile. This can > be for convenience or sometimes for compliance with a company's > policies. How many extensions are packaged in Fedora repositories? 6? 6 out of thousands available for Firefox. Yes, it's easier to make a standard build when you happen to need an extension that is packaged in Fedora repositories, but what are the odds? And if you take time to package any other extension yourself, it's not a problem for you to package a simple script that will download the extension from Mozilla. I don't see how it makes it much more difficult. Jiri
Attachment:
signature.asc
Description: This is a digitally signed message part
-- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/desktop@xxxxxxxxxxxxxxxxxxxxxxx
