Hi

On 26.11.2015 at 13:56, Till Schneidereit wrote:
> I read the blog post, too, and if that were the final, uncontested word on
> the matter, I think I would agree. As it is, this assessment strikes me as
> awfully harsh: many people have put a lot of thought and effort into this,
> so calling for it to simply be canned should require a substantial amount
> of background knowledge.

Ok, I take back the 'complete nonsense' part. There can be ways of improving security that involve signing, but the proposed one isn't. I think the blog post makes this obvious.

> I should also give a bit more information about the feedback I received: in
> both cases, versions of the extensions exist for at least Chrome and
> Safari. In at least one case, the extension uses a large framework that
> needs to be reviewed in full for the extension to be approved. Apparently
> this'd only need to happen once per framework, but it hasn't, yet. That
> means that the review is bound to take much longer than if just the
> extension's code was affected. While I think this makes sense, two things
> strike me as very likely that make it a substantial problem: many authors
> of extensions affected in similar ways will come out of the woodwork very
> shortly before 43 is released or even after that, in reaction to users'
> complaints. And many of these extensions will use large frameworks not
> encountered before, or simply be too complex to review within a day or two.

Thanks for this perspective. He didn't seem to use any frameworks, but the review process failed for an apparently trivial case.

Regarding frameworks in general: there are many and there are usually different versions in use. Sometimes people make additional modifications. So this helps only partially.

And of course reviews are not a panacea at all. Our own Bugzilla is proof of that. ;) Pretending that a reviewed extension (or any other piece of code) is more trustworthy is not credible IMHO. Code becomes trustworthy by working successfully in "the real world."
> I *do* think that we shouldn't ship enforced signing without having a solid
> way of dealing with this problem. Or without having deliberately decided
> that we're willing to live with these extensions' authors recommending (or
> forcing, as the case may be) their users to switch browsers.

I think a good approach would be to hand out signing keys to extension developers and require them to sign anything they upload to AMO. That would establish a trusted path from developers to users, so users would know they downloaded the official release of an extension. A malicious extension can then be disabled/blacklisted by simply revoking the keys, and affected users would notice. For anything non-AMO, the user is on their own.

Best regards
Thomas

> till
>
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
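The developer-key scheme proposed in the message above, sketched as an added Go example that is not part of this thread and not AMO's or Firefox's actual signing code: a registry enrolls each developer with an Ed25519 key pair, the developer signs a SHA-256 digest of the package they upload, and a client verifies the signature against the developer's registered key, refusing it once that key has been revoked. The `DeveloperRegistry` type, the developer ids and the package bytes are constructed for the example; real packages would be XPI files and the registry would live on the distribution side.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Verification outcomes a client would act on.
var (
	ErrUnknownDeveloper = errors.New("no key on file for developer")
	ErrRevoked          = errors.New("developer key has been revoked")
	ErrBadSignature     = errors.New("signature does not match package")
)

// DeveloperRegistry is a hypothetical stand-in for the key directory the
// distribution site would keep: one public key per developer id and a set
// of revoked keys (constructed for this example).
type DeveloperRegistry struct {
	keys    map[string]ed25519.PublicKey // developer id -> current public key
	revoked map[string]bool              // hex(public key) -> revoked
}

func NewRegistry() *DeveloperRegistry {
	return &DeveloperRegistry{
		keys:    make(map[string]ed25519.PublicKey),
		revoked: make(map[string]bool),
	}
}

// Enroll issues a fresh Ed25519 key pair to a developer and records the
// public half. Only the developer ever holds the returned private key.
func (r *DeveloperRegistry) Enroll(dev string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.keys[dev] = pub
	return priv, nil
}

// Revoke marks the developer's current key untrusted; every package signed
// with it, already downloaded or not, fails verification from now on.
func (r *DeveloperRegistry) Revoke(dev string) error {
	pub, ok := r.keys[dev]
	if !ok {
		return ErrUnknownDeveloper
	}
	r.revoked[hex.EncodeToString(pub)] = true
	return nil
}

// SignPackage is the developer-side step: sign the SHA-256 digest of the
// package bytes with the developer's private key.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// VerifyPackage is the client-side step: look up the developer's key,
// refuse it if revoked, then check the signature over the package digest.
func (r *DeveloperRegistry) VerifyPackage(dev string, pkg, sig []byte) error {
	pub, ok := r.keys[dev]
	if !ok {
		return ErrUnknownDeveloper
	}
	if r.revoked[hex.EncodeToString(pub)] {
		return ErrRevoked
	}
	digest := sha256.Sum256(pkg)
	if !ed25519.Verify(pub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	reg := NewRegistry()
	priv, err := reg.Enroll("dev-alice") // constructed developer id
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed extension package bytes") // stands in for an XPI
	sig := SignPackage(priv, pkg)

	fmt.Println("official release:", reg.VerifyPackage("dev-alice", pkg, sig))

	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 1
	fmt.Println("modified package:", reg.VerifyPackage("dev-alice", tampered, sig))

	if err := reg.Revoke("dev-alice"); err != nil {
		panic(err)
	}
	fmt.Println("after revocation: ", reg.VerifyPackage("dev-alice", pkg, sig))
}
```

Revocation is keyed by the public key rather than the developer id, so a developer whose key was compromised can be re-enrolled with a new key while everything signed by the old one stays rejected. Note that the scheme only tells a user that a package came from whoever holds the registered key; it says nothing about whether the code itself is benign, which is the separate question the thread discusses under review.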