On Fri, Nov 03, 2017 at 03:25:39PM -0700, David Keeler wrote:
[firefox-dev, dev-addons, and the enterprise mailing list cc'd - please
direct follow-up discussion to dev-platform]

Hello All,

As you're no doubt aware, from 57 onwards, only signed WebExtensions
will be available as add-ons for the general release population. My
understanding is these are all packaged as "xpi" files (zip files,
really, but what's important is that they're bundled up as a single file
rather than a directory). Add-on developers can develop their add-ons by
temporarily loading them as unsigned packages or unsigned unbundled
directories (again, if my understanding is correct).

This leaves the question of what use we have for verifying unbundled
add-ons. Is there ever a case where we want to verify an unbundled yet
signed add-on? For example, do we ever do this with system add-ons? (And
if we do, I've been told this would be bad for performance, so perhaps
we should disallow this?)

WebExtensions are never meant to be installed unpacked except during development. It's currently possible for some side-load methods to install them unpacked in production, but that's not supported. System add-ons are never installed unpacked in production builds.

So I'm fine with removing signature verification for unpacked add-ons as long as we make sure we never enable them when signatures are required.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
