On Tue, 2020-12-29 at 18:54 +0000, Gary Buhrmaster wrote: > On Tue, Dec 15, 2020 at 11:45 PM Adam Williamson > <adamwill@xxxxxxxxxxxxxxxxx> wrote: > > > I wrote in the update that in my opinion the solution for this bug > > can't involve expecting add-ons to suddenly get re-signed en masse, or > > users to change their local configuration. It needs to keep working as > > it did before. If the policy is ahead of the real world, the policy > > needs to be loosened. > > It was my (possibly failing) recollection that Mozilla > has been signing add-ons with SHA2 (and SHA1 > for compatibility) for a few years now. Is this just > an issue because Mozilla has not re-signed existing > add-ons (which while is obviously not something to > be taken lightly, because they do control the primary > distribution point(*) should be at least theoretically > possible to do a bulk re-signing, and probably a > good thing to do to avoid needing to downgrade > their security stance), or is Mozilla not signing > with SHA2 as I thought? Well, installing uBlock Origin (which is a pretty frequently updated addon) on a fresh VM fails, with the change. So I suspect it's the latter. -- Adam Williamson Fedora QA IRC: adamw | Twitter: adamw_ha https://www.happyassassin.net _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
