On Wed, 21 Mar 2012 21:23:29 -0400 Jim Straus wrote:
> > - Remove or revert code that was found to be malicious (i.e., Mozilla could
> > remove that code, not wait for the developer to act)
>
> That is a good point. Mozilla could retain the code in either case, but in
> the case of signed manifests there is no way to distribute the code. On the
> other hand, even if older code is distributed, there is no assurance that the
> other resources would correspond to the code.
>
> In the case of removing code that is found to be malicious, there are already
> plans for a blacklist. And that would still be necessary, since an app that
> is locally cached may not go back to the developer or store in a timely
> manner.
There is a revoke key feature in gpg too. I'm not sure what's the best way to go though. Would you want to be able to blacklist just an app, a developer, store or even all three?
