On Fri, Nov 27, 2015 at 7:16 AM, Gervase Markham <[email protected]> wrote:
> But the thing is, members of our security group are now piling into the
> bug pointing out that trying to find malicious JS code by static code
> review is literally _impossible_ (and perhaps hinting that they'd have
> said so much earlier if someone had asked them).

No, that's not right. There's an important distinction between
"finding malicious JS code" and "finding _all_ malicious JS code". The
latter is impossible, but the former isn't.

Proving "the validator won't catch everything" isn't particularly
relevant when it isn't intended to, in the overall add-on signing
system design.

Gavin
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform