(Gingerly wading into this thread and hoping not to get sucked in)

Given the fundamental limits of static analysis, dynamic analysis might be
a better approach. I think we can do a reasonable job (with the help of
interpositions) of monitoring the various escape points at which addon code
might do arbitrary dangerous things, without actually preventing it from
doing those things in a way that would break lots of addons. We could then
keep an eye on what addons are doing in the wild, and revoke the signatures
for the addon / developer if we find them to be misbehaving.

I proposed this in [1] and it got filed separately as [2]. Detailed
follow-up discussion is probably better to do in that bug.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1199628#c26
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1227464


On Mon, Nov 30, 2015 at 8:25 AM, Gavin Sharp <ga...@gavinsharp.com> wrote:

> That's one of the suggestions Dan Stillman makes in his post, and it
> seems like a fine idea to me.
>
> Gavin
>
> On Mon, Nov 30, 2015 at 11:15 AM, Jonathan Kew <jfkth...@gmail.com> wrote:
> > On 30/11/15 15:45, Gavin Sharp wrote:
> >>>
> >>> and it's definitely the wrong thing to do.
> >>
> >>
> >> Fundamentally the add-on signing system was designed with an important
> >> trade-off in mind: security (ensuring no malicious add-ons are
> >> installed/executed) vs. maintaining a healthy add-on ecosystem (ensuring
> >> that building and distributing add-ons is as easy as it can be).
> >>
> >> If your proposed alternative plan is "get rid of automatic signing",
> >> then we know that it's going to significantly hamper Mozilla's ability
> >> to maintain a healthy add-on ecosystem, and harm what were considered
> >> some important add-on use cases. I don't think it strikes the right
> >> balance.
> >>
> >> If your proposed alternative plan is something else, maybe it would
> >> help to clarify it.
> >>
> >
> > Perhaps if there were a mechanism whereby "trusted" add-on developers
> > could have their add-ons -- or even just updates for
> > previously-reviewed-and-signed add-ons -- automatically signed without
> > having to jump through the validator/review hoops each time?
> >
> > How would a developer acquire "trusted" status? By demonstrating a track
> > record of producing add-ons that pass AMO review -- which may be a
> > combination of automatic validation and/or human review.
> >
> > And of course any add-on developer who is found to have abused their
> > "trusted" status to sign and deploy malicious code would have that status
> > revoked, in addition to the malicious add-on being blocked.
> >
> > ISTM this would maintain most of the intended benefits of the signing
> > system, while substantially smoothing the path for developers such as Dan
> > who need to deliver frequent updates to their users.
> >
> > Feasible?
> >
> > JK
> >
> >
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform