David Boswell venit, vidit, dixit 2006-10-18 03:58:
> Thanks for clarifying. Our immediate concern with setting up a cert is
> to make sure that we can create secure logins on the site. For mozdev
> to set up a system of providing certificates for code signing for
> projects would be a different matter. If this is something the project
> owners decide that we want, we can look into doing it. My initial
> thought is that this will require some resources dedicated to this
> effort to review and approve projects since we are in effect vouching
> for a project's code once we set this up.
Mozdev vouching for an extension may be too much to ask for - just think of the approval queues on amo, and they check at most functionality.

On the other hand, signing extensions would at least certify that the extension comes from the extension author - it's more about authenticity than about security. There are many extension mirrors; often patched versions float around (maxVersion changes, enhancements, adjustments to nvu and such) which the original author doesn't even know about. Code signing could make sure that one gets the "original" version from the author if the certificate is the one that comes along with the corresponding mozdev project.

Maybe this could be clarified in a signing policy? I don't know much about X.509 certs, though.

Michael

_______________________________________________
Project_owners mailing list
[email protected]
http://mozdev.org/mailman/listinfo/project_owners
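The authenticity-versus-security point above (a signature tells you the package is the author's unmodified release, not that the code is safe) can be shown with a small signing and verification routine. The following Go program is an added example and is not code from this thread, from mozdev or from Mozilla's actual XPI signing tools; it uses an Ed25519 detached signature over a digest manifest as a constructed stand-in for the X.509/JAR-style scheme Firefox used, and the extension files it packs are constructed sample data. A mirror's "patched" copy with a bumped maxVersion fails verification against the author's signature, while anything the author signs verifies regardless of what it does.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
	"strings"
)

// buildXPI packs the given files into an in-memory zip, a constructed
// stand-in for an extension archive (an .xpi is just a zip file).
func buildXPI(files map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic entry order
	for _, n := range names {
		f, _ := w.Create(n)
		f.Write([]byte(files[n]))
	}
	w.Close()
	return buf.Bytes()
}

// manifest lists "name sha256hex" for every entry, sorted. This plays the
// role of a JAR-style manifest: it binds the contents of each file so that
// a single signature over the manifest covers the whole archive.
func manifest(xpi []byte) (string, error) {
	r, err := zip.NewReader(bytes.NewReader(xpi), int64(len(xpi)))
	if err != nil {
		return "", err
	}
	var lines []string
	for _, f := range r.File {
		rc, err := f.Open()
		if err != nil {
			return "", err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return "", err
		}
		sum := sha256.Sum256(data)
		lines = append(lines, f.Name+" "+hex.EncodeToString(sum[:]))
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n"), nil
}

// sign produces the author's detached signature over the manifest.
// (Ed25519 here is an assumption for the example; the real scheme signs
// with the key behind an X.509 certificate.)
func sign(priv ed25519.PrivateKey, xpi []byte) ([]byte, error) {
	m, err := manifest(xpi)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, []byte(m)), nil
}

// verify recomputes the manifest from the archive actually received and
// checks the signature with the author's public key. Any byte changed in
// any entry changes the manifest and the check fails.
func verify(pub ed25519.PublicKey, xpi, sig []byte) bool {
	m, err := manifest(xpi)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, []byte(m), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	code := "// constructed sample extension code"
	orig := buildXPI(map[string]string{
		"install.rdf":               "<em:maxVersion>2.0</em:maxVersion>",
		"chrome/content/overlay.js": code,
	})
	sig, _ := sign(priv, orig)
	fmt.Println("author's release verifies:", verify(pub, orig, sig))

	// A mirror bumps maxVersion without the author's involvement: same
	// signature, different contents, verification fails.
	patched := buildXPI(map[string]string{
		"install.rdf":               "<em:maxVersion>3.0</em:maxVersion>",
		"chrome/content/overlay.js": code,
	})
	fmt.Println("mirror's patched copy verifies:", verify(pub, patched, sig))
	// Note what the check does not say: it never inspects what overlay.js
	// does. Authenticity, not safety, is what the signature establishes.
}
```

The verification step recomputes the digests from the bytes it was handed, so a verifier must never trust a manifest shipped inside the archive without checking the signature over it; the key that ties the signature to "the mozdev project" is exactly the policy question Michael raises.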
