On Thu, Feb 12, 2015 at 1:53 PM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote: > On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote: >> On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos >> <comzeradd@xxxxxxxxxxxxxxxxx> wrote: >> > On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth <mike@xxxxxxxxxx> >> > wrote: >> > >> > I'm sure those that need to know, know, but for those that haven't heard[1] >> > Mozilla's official Firefox build will enforce addons to contain a Mozilla >> > signature without any runtime option to disable the check. Initially this >> > prevents Fedora packaged addons since they are unsigned. The Mozilla signing >> > process takes time and can't be part of a package building process. Is >> > Fedora going to get authorization to build Firefox with a runtime disable >> > option? >> > >> > >> > If the only way is to completely disable this feature, I'd prefer we don't. >> > I wouldn't like for us to ship a less secure build of Firefox. >> >> A better way would be to add a "Fedora Signature" in addition to >> mozilla's and use that for packaged extensions. >> But that would require work on the build system (koji) side. > > The RPMs deploying the packaged extension are already signed and those > signatures are checked at time of package install. So it seems like > firefox merely needs to be taught that the pre-packaged extensions > deployed by RPM are pre-verified, so it can skip its verification > for those, while still doing verification for stuff that is live > downloaded Oh indeed. It is probably sufficient to just check the signature of non system wide extensions. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
