Public bug reported: "Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1]
Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification. So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it. This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44). [1] https://bugs.debian.org/800150 ** Affects: firefox (Ubuntu) Importance: High Status: New ** Affects: iceweasel (Debian) Importance: Unknown Status: Unknown ** Changed in: firefox (Ubuntu) Importance: Undecided => High ** Bug watch added: Debian Bug tracker #800150 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800150 ** Also affects: iceweasel (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800150 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1532484 Title: Don't warn about unsigned extension installed via Debian packages Status in firefox package in Ubuntu: New Status in iceweasel package in Debian: Unknown Bug description: "Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1] Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification. So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it. This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44). [1] https://bugs.debian.org/800150 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp