On Fri, Aug 28, 2015 at 10:18 AM, Martin Stransky <stransky@xxxxxxxxxx> wrote: > Can we ship addons which are already signed by Mozilla? Or does Fedora > packager modify them somehow? It seems that even when the source is an xpi file, rpm treats it like any other source package and its contents can be patched. I don't know how that works, because signed addons contain a manifest file with md5 and sha1 checksums for all included files and I would expect that modifications to any of them would cause the addon to get disabled. Obviously we need input from a packager involved with the process. Asking legal couldn't hurt either. I think that these are all the addons that we ship and must be signed (dictionaries, themes and plugins are exempt from the signing process): http://pkgs.fedoraproject.org/cgit/firefox-esteidpkcs11loader.git/ http://pkgs.fedoraproject.org/cgit/mozilla-adblockplus.git/ http://pkgs.fedoraproject.org/cgit/mozilla-https-everywhere.git/ http://pkgs.fedoraproject.org/cgit/mozilla-noscript.git/ http://pkgs.fedoraproject.org/cgit/mozilla-requestpolicy.git/ http://pkgs.fedoraproject.org/cgit/spice-xpi.git/ -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
