Hi

On 30.11.2015 at 16:40, Gavin Sharp wrote:
> It looks to me like you're arguing about a separate point (AMO review
> requirements for add-on updates), when the subject at hand is the add-on
> signing system's reliance on the AMO validator as the only prerequisite for
> automatic signing.

OK. Or maybe I used the term 'update' a bit sloppily. My question is: is it worth holding back an extension because of a pending review (either by a tool or a human)? I guess updating existing add-ons is the more common case, compared to signing new ones.

Your reply makes me think that the whole discussion implicitly seems to assume that a manual review can fix any problems with the automated tools, or is always better. I would not agree to this. Manual reviews depend a lot on the reviewer and the reviewer's constitution during the review. With tools, at least you know what you get.

Best regards
Thomas

>
> Gavin
>
> On Mon, Nov 30, 2015 at 10:30 AM, Thomas Zimmermann <[email protected]>
> wrote:
>> Hi
>>
>> On 27.11.2015 at 16:50, Gavin Sharp wrote:
>>> On Fri, Nov 27, 2015 at 7:16 AM, Gervase Markham <[email protected]>
>>> wrote:
>>>> But the thing is, members of our security group are now piling into the
>>>> bug pointing out that trying to find malicious JS code by static code
>>>> review is literally _impossible_ (and perhaps hinting that they'd have
>>>> said so much earlier if someone had asked them).
>>> No, that's not right. There's an important distinction between
>>> "finding malicious JS code" and "finding _all_ malicious JS code". The
>>> latter is impossible, but the former isn't.
>>>
>>> Proving "the validator won't catch everything" isn't particularly
>>> relevant when it isn't intended to, in the overall add-on signing
>>> system design.
>> I think the fact that the validator (or manual review) cannot catch
>> everything is very relevant.
>>
>> Users cannot rely on the review process (automatic or manual), because
>> it can never catch all bugs (malicious or not). So users still have to
>> rely on an extension's developers to get their code into good shape,
>> just as is currently the case. And I'd guess that malicious code will
>> get more sophisticated when the review procedures improve.
>>
>> Another point is that one never knows how close to 'good' an extension
>> or a review is, because this would require knowledge about the absolute
>> number of bugs in the extension. Getting this number requires a perfect
>> validator. So all bugs from a review might get fixed, but the overall
>> extension is still in the 'crap territory'. I'm a bit surprised that
>> this hasn't been mentioned here yet.
>>
>> Therefore I'm skeptical about the effective benefit for the users. The
>> mandatory review seems to create a promise of security that it cannot
>> fulfill. Reviews and validation are good things, but holding back an
>> update for a pending review doesn't seem helpful.
>>
>> Best regards
>> Thomas
>>
>>> Gavin
>>> _______________________________________________
>>> dev-platform mailing list
>>> [email protected]
>>> https://lists.mozilla.org/listinfo/dev-platform

