If the website is hacked, the attacker has the GPG key anyway, so they can sign a rogue extension. Unless I'm not understanding how the website is supposed to automatically sign extensions after they've been approved.

On Fri, Dec 16, 2011 at 8:14 PM, Pauli Virtanen <[email protected]> wrote:
> On 16.12.2011 20:44, Olav Vitters wrote:
>
>> On Fri, Dec 16, 2011 at 08:38:03AM -0800, Jonathan Wilkes wrote:
>>>
>>> So when someone hacks the extension website and changes the code for
>>> "Popular Extension #1" to log the user's keystrokes, how
>>>
>>> does my Gnome Shell know to reject that rogue extension when I try to
>>> install it?
>>
>>
>> If the website is hacked, the GPG signature would still be added.
>
>
> What does this mean? The client as it is in Gnome 3.2.1 does not seem to
> contain any code checking GPG signatures --- so if the site is hacked, enjoy
> your keylogger?
>
> --
> Pauli Virtanen
>
>
> _______________________________________________
> gnome-shell-list mailing list
> [email protected]
> http://mail.gnome.org/mailman/listinfo/gnome-shell-list

--
Jasper
