On Sat, Dec 17, 2011 at 7:36 AM, Pauli Virtanen <[email protected]> wrote: > 17.12.2011 03:04, Jasper St. Pierre kirjoitti: > >> If the website is hacked, the attacker has the GPG key anyway, so they >> can sign a rogue extension. Unless I'm not understanding how the >> website is supposed to automatically sign extensions after they've >> been approved. > > > I don't understand where GPG comes into this discussion, if the Gnome shell > client, which downloads and installs the extension does not check any > signatures? > > The point with cryptographic signatures would be that the extensions would > *not* be signed automatically on the machine where the web service runs. > Rather, after review, an extensions.gnome.org maintainer (who might not be > the same person as the reviewer) would use a different, non-public, machine > where the private key is kept, and do the signing there. More work, yes, > more secure, yes.
Chances are, it would be me who would do this work. I do not trust myself to keep a signature private. > But it seems this was discussed previously, and Gnome shell authors decided > not to do it this way (why?). > > > -- > Pauli Virtanen > > _______________________________________________ > gnome-shell-list mailing list > [email protected] > http://mail.gnome.org/mailman/listinfo/gnome-shell-list -- Jasper _______________________________________________ gnome-shell-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/gnome-shell-list
