On 11/26/2015 11:07 AM, Thomas Zimmermann wrote:
> Hi,
>
> I haven't followed the overall discussion closely, but I'm very
> concerned about this change and that we're driving away extension
> developers. I hope that some of the relevant people read this thread, as
> I'd like to propose a different strategy for extension signing.
>
> 1) As dburns mentioned in this thread, some people have to run unsigned
> extensions. We should continue to allow this if the user explicitly
> enables it in about:config. Unsigned extensions are disabled by default
> and should come with a big warning sign.
>
> 2) If extension signing is enabled (the default), Firefox should only
> allow for extensions that have been signed by a Mozilla-generated key.
>
> 3) Obtaining a signing key from Mozilla should be automated in a way
> similar to Let's Encrypt. So the overhead for extension developers is
> minimal.
>
> 4) Keys should be bound to URLs and there can only be one URL per
> extension. So it's not possible to modify and redistribute someone
> else's extension.
>
> 5) Changing an extension's URL requires manual intervention.
>
> 6) If an extension turns out to be malicious we can revoke the key.
> Firefox would then notice all affected users and disable the extension
> automatically.
>
> 7) Popular extensions on AMO should be reviewed by Mozilla staff 'behind
> the scenes' and get an additional quality label or something similar.
>
> Best regards
> Thomas

Perhaps you missed:
Add-ons/Extension Signing - MozillaWiki -
<https://wiki.mozilla.org/Addons/Extension_Signing#FAQ>
I've noticed a couple new items there about how an extension developer
can get their extension signed if it isn't hosted on AMO.
--
Linux Mint 17.2 "Rafaela" | KDE 4.14.2 | Thunderbird 45.0a1 (Daily)
You don't need zero-days when machines wherever are packed with old-days.
Go Bucs! (next season) Go Pens! Go Sabres! Go Pitt!
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform