On 06/10/2014 01:40 PM, Jacob Hoffman-Andrews wrote:
> How about just sticking to the format we have now for update.json and
> going with the decision to serve multiple versions from different URLs
> depending on the release type?
>
>
> This sounds good to me. Yan, sound good to you?

Sounds good, though I think we still need to deal with Jacob's point that JSON-to-string conversion is non-deterministic! Originally I had proposed something like verifying the signature over the string produced by JSON.stringify(JSON.parse(req.responseText).update) but apparently JSON.stringify won't reliably preserve ordering of the object properties? So perhaps GPG-clearsigning the update file, verifying the signature, and then parsing the JSON in the update file is the simplest thing. I'm not sure extensions support GPG signature formats; will leave it up to Zack to figure out the details there and add them to the spec.

>
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> [email protected]
> https://lists.eff.org/mailman/listinfo/https-everywhere
>

--
Yan Zhu <[email protected]>, <[email protected]>
Staff Technologist
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109
+1 415 436 9333 x134
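Added example, not part of the original message or of the HTTPS Everywhere code: it contrasts checking a signature over a re-serialized JSON object with checking it over the exact text received and parsing only afterwards. It assumes Node.js and uses a detached Ed25519 signature from Node's crypto module in place of GPG clearsigning; the update contents, key pair and function names are hypothetical.

```javascript
const crypto = require('crypto');

// Constructed sample update file body; keys and values are made up.
const RAW_UPDATE =
  '{"update": {"10": "ruleset-b", "2": "ruleset-a", "hash": "PLACEHOLDER"}}';
// The signer's own serialization of the "update" member, as written above.
const SIGNER_STRING =
  '{"10": "ruleset-b", "2": "ruleset-a", "hash": "PLACEHOLDER"}';

// Throwaway key pair for the demo; a client would ship only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

const sign = (text) => crypto.sign(null, Buffer.from(text, 'utf8'), privateKey);
const verify = (text, sig) =>
  crypto.verify(null, Buffer.from(text, 'utf8'), publicKey, sig);

// Fragile: the client re-serializes the parsed object and checks the
// signature over that string. Whitespace is dropped and integer-like keys
// are reordered, so an untampered file no longer matches what was signed.
function verifyReserialized(responseText, sig) {
  const reserialized = JSON.stringify(JSON.parse(responseText).update);
  return verify(reserialized, sig);
}

// Robust: check the signature over the exact text received and parse
// only after it verifies.
function verifyThenParse(responseText, sig) {
  if (!verify(responseText, sig)) return null; // reject before parsing
  return JSON.parse(responseText).update;
}

function demo() {
  const sigOverObject = sign(SIGNER_STRING);
  const sigOverFile = sign(RAW_UPDATE);
  const tampered = RAW_UPDATE.replace('ruleset-a', 'ruleset-x');
  return {
    reserialized: JSON.stringify(JSON.parse(RAW_UPDATE).update),
    fragileAccepts: verifyReserialized(RAW_UPDATE, sigOverObject),
    robustAccepts: verifyThenParse(RAW_UPDATE, sigOverFile) !== null,
    tamperedAccepts: verifyThenParse(tampered, sigOverFile) !== null,
  };
}

console.log(demo());
```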
