reassign 804266 iceweasel 40.0-1
forcemerge 800150 804266
thanks

On Sun, 27 Sep 2015 14:01:08 +0200 Kurt Roeckx <k...@roeckx.be> wrote:
> Mozilla is in the process of requiring extensions to be signed,
> which I think is a good thing. However, for Debian packages we
> already have it signed by the Developer uploading it, I see no
> need to have Mozilla also sign it. I suggest we don't warn /
> disable about extensions installed on the system, but do require
> the signature for those that are installed by the browser itself.
>
> As I understand it it's possible to have Mozilla's signature
> installed by the Debian package, and I guess it would be nice to
> have packages do that, but I see no need to require them to do
> that and most don't seem to do that even though the upstream
> version has been signed by Mozilla already.

Shipping signed extensions in Debian packages is not an option, because
then we could only ship unmodified, pre-built extensions. That
contradicts the Debian Free Software Guidelines (DFSG) #3, and signed
extensions are not the preferred source for modification.

So, please allow unsigned extensions installed in the system directory.
Everyone having write access to the system directory would probably
also have access to the files of Iceweasel and could tinker with it.

The severity of this bug will rise when Mozilla rejects unsigned
extensions (planned for Firefox 44).

--
Benjamin Drung
Debian & Ubuntu Developer