On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
> <comzeradd@xxxxxxxxxxxxxxxxx> wrote:
> > On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth <mike@xxxxxxxxxx>
> > wrote:
> >
> > I'm sure those that need to know, know, but for those that haven't heard[1]
> > Mozilla's official Firefox build will enforce addons to contain a Mozilla
> > signature without any runtime option to disable the check. Initially this
> > prevents Fedora packaged addons since they are unsigned. The Mozilla signing
> > process takes time and can't be part of a package building process. Is
> > Fedora going to get authorization to build Firefox with a runtime disable
> > option?
> >
> >
> > If the only way is to completely disable this feature, I'd prefer we don't.
> > I wouldn't like for us to ship a less secure build of Firefox.
>
> A better way would be to add a "Fedora Signature" in addition to
> mozilla's and use that for packaged extensions.
> But that would require work on the build system (koji) side.

The RPMs deploying the packaged extension are already signed and those
signatures are checked at time of package install. So it seems like
firefox merely needs to be taught that the pre-packaged extensions
deployed by RPM are pre-verified, so it can skip its verification for
those, while still doing verification for stuff that is live downloaded

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct