>________________________________ > From: Pauli Virtanen <[email protected]> >To: [email protected] >Sent: Tuesday, December 13, 2011 4:58 AM >Subject: Re: Extension security? > >13.12.2011 02:31, Jonathan Wilkes kirjoitti: >> So are all reviewed extensions signed with a key that is not kept on a >> public system, as Alan Cox proposed? I couldn't tell from the "About" page, >> nor from the discussions referenced in above responses. > >There does not seem to be additional signature checks on the client >side, apart from relying on the https certificate for the whole site: > >http://git.gnome.org/browse/gnome-shell/tree/js/ui/extensionSystem.js
So when someone hacks the extension website and changes the code for "Popular Extension #1" to log the user's keystrokes, how does my Gnome Shell know to reject that rogue extension when I try to install it? -Jonathan > >_______________________________________________ >gnome-shell-list mailing list >[email protected] >http://mail.gnome.org/mailman/listinfo/gnome-shell-list > > > _______________________________________________ gnome-shell-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/gnome-shell-list
