The specific format is not a requirement, just that it be external to the JSON. Something friendlier to extensions would be fine too. On Jun 10, 2014 1:57 PM, "Yan Zhu" <[email protected]> wrote:
> On 06/10/2014 01:40 PM, Jacob Hoffman-Andrews wrote: > > How about just sticking to the format we have now for update.json and > > going with the decision to serve multiple versions from different > URLs > > depending on the release type? > > > > > > This sounds good to me. Yan, sound good to you? > > Sounds good, though I think we still need to deal with Jacob's point > that JSON-to-string conversion is non-deterministic! > > Originally I had proposed something like verifying the signature over > the string produced by > JSON.stringify(JSON.parse(req.responseText).update) but apparently > JSON.stringify won't reliably preserve ordering of the object properties? > > So perhaps GPG-clearsigning the update file, verifying the signature, > and then parsing the JSON in the update file is the simplest thing. I'm > not sure extensions support GPG signature formats; will leave it up to > Zack to figure out the details there and add them to the spec. > > > > > > > > _______________________________________________ > > HTTPS-Everywhere mailing list > > [email protected] > > https://lists.eff.org/mailman/listinfo/https-everywhere > > > > > -- > Yan Zhu <[email protected]>, <[email protected]> > Staff Technologist > Electronic Frontier Foundation https://www.eff.org > 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134 > >
_______________________________________________ HTTPS-Everywhere mailing list [email protected] https://lists.eff.org/mailman/listinfo/https-everywhere
