On Thursday, August 27, 2015 05:40:18 PM Alexander Ploumistos wrote:
> On Thu, Aug 27, 2015 at 5:09 PM, Dennis Gilmore <dennis@xxxxxxxx> wrote:
> > We have no real practical way to do this other than package up the addon
> > and build it as a -unsigned package, then making a separate package that
> > has the precompiled binary and signed by mozilla and put into the add on
> > package.
> Aren't the addons that we ship in fedora a bunch of text files zipped
> in an xpi archive? It is kind of awkward to send them back and forth,
> but if there are no other binaries, does it go against a particular
> policy?

I have no idea what they actually are, as I have not looked, but the issue from the build perspective is that the builders have extremely limited network access, and the buildroot itself has none. We have no way to do something at build time to request that Mozilla sign the artifacts, so being unable to sign at build time means we get an RPM with unsigned content. We have no way to replace the content in an RPM post-build, and even if we did I would not want to support it, as it breaks things like RPM verification and build reproducibility, though you could update the headers in the RPM so it validates. We would need some kind of audit trail and check to make sure that the signed artifact actually matches the unsigned one and was not tampered with by Mozilla. Setting up the full audit trail would take some effort. It is doable, just not a simple fix.

> Or we could decide that we trust Mozilla's code review process and
> drop packaging addons altogether, as was suggested. At least the users
> will receive updates faster.

It depends on what was pushed to Mozilla's addons. It could be possible for Fedora to have newer code than what's available from Mozilla, and vice versa. There is nothing today stopping people pulling addons directly from Mozilla and never using the version we build.

Dennis
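The "check to make sure that the signed artifact actually matches the unsigned one" that Dennis describes is something a packager can implement mechanically, since an XPI is a zip archive and Mozilla's signing step only adds signature members under META-INF/. The script below is an added example, not code from the thread or from Fedora's build system. It assumes the signature members are META-INF/manifest.mf, META-INF/mozilla.sf and META-INF/mozilla.rsa, builds a constructed unsigned XPI and a signed copy in memory, and reports any member that was added, removed or modified outside the signature set, plus a record of both file hashes for an audit trail. It does not verify the signature itself against Mozilla's key; that is a separate step.

```python
import hashlib
import io
import zipfile

# Assumption: these are the only members Mozilla's signing adds to an XPI.
SIGNATURE_MEMBERS = {"META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa"}


def build_xpi(members):
    """Build an XPI (plain zip) in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def content_digests(xpi_bytes, ignore):
    """Map member name -> sha256 of its decompressed bytes, skipping 'ignore'."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in ignore or info.filename.endswith("/"):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_signed_to_unsigned(unsigned_xpi, signed_xpi, signature_members=SIGNATURE_MEMBERS):
    """Return a sorted list of findings; an empty list means the signed XPI
    carries exactly the unsigned content plus the expected signature members."""
    findings = []
    unsigned = content_digests(unsigned_xpi, ignore=set())
    signed = content_digests(signed_xpi, ignore=signature_members)

    # The build we sent out must not already carry signature files.
    for name in sorted(set(unsigned) & signature_members):
        findings.append(f"unsigned input already contains {name}")
    unsigned = {k: v for k, v in unsigned.items() if k not in signature_members}

    for name in sorted(set(signed) - set(unsigned)):
        findings.append(f"added: {name}")
    for name in sorted(set(unsigned) - set(signed)):
        findings.append(f"removed: {name}")
    for name in sorted(set(unsigned) & set(signed)):
        if unsigned[name] != signed[name]:
            findings.append(f"modified: {name}")

    # What came back must actually be signed, i.e. carry every signature member.
    with zipfile.ZipFile(io.BytesIO(signed_xpi)) as zf:
        present = set(zf.namelist())
    for name in sorted(signature_members - present):
        findings.append(f"missing signature member: {name}")
    return findings


def audit_record(unsigned_xpi, signed_xpi):
    """Hashes of both artifacts plus the comparison result, for the build log."""
    findings = compare_signed_to_unsigned(unsigned_xpi, signed_xpi)
    return {
        "unsigned_sha256": hashlib.sha256(unsigned_xpi).hexdigest(),
        "signed_sha256": hashlib.sha256(signed_xpi).hexdigest(),
        "content_matches": not findings,
        "findings": findings,
    }


# Constructed sample add-on (not a real Fedora package).
UNSIGNED_MEMBERS = {
    "install.rdf": b"<RDF>...</RDF>\n",
    "chrome.manifest": b"content example chrome/content/\n",
    "chrome/content/main.js": b"console.log('hello');\n",
}
# Placeholder signature blobs; real ones would be produced by Mozilla.
FAKE_SIGNATURE = {name: b"placeholder signature data\n" for name in SIGNATURE_MEMBERS}

UNSIGNED_XPI = build_xpi(UNSIGNED_MEMBERS)
SIGNED_XPI = build_xpi({**UNSIGNED_MEMBERS, **FAKE_SIGNATURE})
TAMPERED_XPI = build_xpi({**UNSIGNED_MEMBERS, **FAKE_SIGNATURE,
                          "chrome/content/main.js": b"fetch('http://example.invalid/');\n"})
ADDED_XPI = build_xpi({**UNSIGNED_MEMBERS, **FAKE_SIGNATURE, "extra.js": b"// not ours\n"})

if __name__ == "__main__":
    for label, xpi in (("clean", SIGNED_XPI), ("tampered", TAMPERED_XPI), ("added", ADDED_XPI)):
        print(label, audit_record(UNSIGNED_XPI, xpi))
```

Run against the real pair of files, the unsigned XPI produced in the buildroot and the signed one returned by Mozilla, the check passes only if the two differ by nothing but the signature members; the audit record with both hashes is what you would keep alongside the build so the comparison can be re-done later.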
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct