Re: IceCat-68.2.0-guix0-preview2 now available via GNU Guix

[Johannes Marbach]

Hi Mark,

Mark H Weaver wrote:
> * Reconsider this somewhat questionable IceCat-specific setting
>   (in gnuzilla/data/settings.js):
>
>     // Do not require xpi extensions to be signed by Mozilla
>     pref("xpinstall.signatures.required", false);

I've noticed this, too, a while ago and it does seem bad to me. I am not
sure what the backstory with this setting is (and I'm sure there is one)
but having Mozilla sign add-ons seems safer than not requiring any
signature at all to me. AFAIK this doesn't require the add-on to be
distributed via addons.mozilla.org. As an add-on author you can upload
your package on addons.mozilla.org and then download a signed archive
for manual distribution.

> * These bundled extensions are not shown in <about:addons>:
>
>     tortm-browser-button@jeremybenthum
>     disable-polymer-youtube@extension
>     viewtube@extension
>
>   for each one, there are text messages like this printed to
>   stdout/stderr on launch:
>
>   1572735499245       addons.xpi-utils        WARN    addMetadata: Add-on 
> tortm-browser-button@jeremybenthum is invalid: Error: Invalid addon ID: 
> expected addon ID tortm-browser-button@jeremybenthum, found undefined in 
> manifest(resource://gre/modules/addons/XPIDatabase.jsm:2715:15) JS Stack 
> trace: addmetad...@xpidatabase.jsm:2715:15

From cross-checking, all of the extensions that show in about:addons
seem to have an explicit ID...

    "applications": {
        "gecko": {
            "id":"tprb.ad...@searxes.danwin1210.me",
            ...

...while those that are missing do not. I had similar issues with my own
extensions on IceCat 60.7.0 that required me to explicitly set their ID
in the manifest. Interestingly the bundled extensions that fail in
68.2.0 seem to work on 60.7.0 despite lacking the ID which totally
confuses me.

> * These bundled extensions look okay in <about:addons>, but I
>   haven't tested them:
>
>     goteo@0xbeef.coffee
>     DMCAreg@0xbeef.coffee
>     google_drive@0xbeef.coffee
>     FreeUSPS@0xbeef.coffee
>     rnrMcDonalds@0xbeef.coffee
>     rsf@0xbeef.coffee

It's funny but for some reason all of these show the big yellow
signature disclaimer for me.

One thing I noticed when downloading other extensions from
addons.mozilla.org is that they have a cose.manifest and a cose.sig file
in the META-INF folder. These seem to not be present in the extensions
bundled with IceCat. I'm not sure how the copies that are bundled with
the IceCat source were acquired but maybe they have to be redownloaded
from Mozilla to get the latest signature variant?

Best,
Johannes

pEpkey.asc
Description: application/pgp-keys