On Tue, Dec 15, 2020 at 11:45 PM Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote: > I wrote in the update that in my opinion the solution for this bug > can't involve expecting add-ons to suddenly get re-signed en masse, or > users to change their local configuration. It needs to keep working as > it did before. If the policy is ahead of the real world, the policy > needs to be loosened. It was my (possibly failing) recollection that Mozilla has been signing add-ons with SHA2 (and SHA1 for compatibility) for a few years now. Is this just an issue because Mozilla has not re-signed existing add-ons (which while is obviously not something to be taken lightly, because they do control the primary distribution point(*) should be at least theoretically possible to do a bulk re-signing, and probably a good thing to do to avoid needing to downgrade their security stance), or is Mozilla not signing with SHA2 as I thought? (*) Yes, there are other distribution points for add-ons other than Mozilla itself, and they, too, would need to consider such re-signing. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
