I agree with Michael that code-signing is the same as vouching that the extension is non-evil. It simply ensures that the code hasn't been tampered with.
I'll open a bugzilla bug on it to track it, if you want?
It sounds like the timing is bad.
----- Original Message ----
From: David Boswell <[EMAIL PROTECTED]>
To: Mozdev Project Owners List <[email protected]>
Sent: Wednesday, October 18, 2006 8:18:30 AM
Subject: Re: [Project_owners] code-signing certificates from mozdev?
If people are interested in code signing, I recommend that someone
should research the details and then come up with a policy for how
mozdev could do this. We can then see if the project owners approve
the idea and if the resources are available to do it. The admins are
fully booked right now, so we'll need to find someone else to own this
issue.
David
> Mozdev vouching for an extension may be too much to ask for - just think
> of the approval queues on amo, and they check at most functionality.
>
> On the other hand, signing extensions would at least certify that the
> extension comes from the extension author - it's more about authenticity
> than about security. There are many extension mirrors; often patched
> versions float around (maxVersion changes, enhancements, adjustments to
> nvu and such) which the original author doesn't even know about. Code
> signing could make sure that one gets the "original" version from the
> author if the certificate is the one that comes along with the
> corresponding mozdev project. Maybe this could be clarified in a signing
> policy? I don't know much about X.509 certs, though.
>
> Michael
> _______________________________________________
> Project_owners mailing list
> [email protected]
> http://mozdev.org/mailman/listinfo/project_owners
>
_______________________________________________
Project_owners mailing list
[email protected]
http://mozdev.org/mailman/listinfo/project_owners
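The distinction the thread turns on, that a signature proves an extension package is the one the project's key signed but says nothing about whether the code is benign, is easy to see in working code. The following is an added example, not code from the thread or from mozdev: it uses an Ed25519 key over a SHA-256 manifest as a simplified stand-in for the X.509/JAR-style signing Firefox actually used, and every key, file name and file content in it is constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
	"strings"
)

// buildXPI packs name -> content into an in-memory zip (the .xpi container); all contents are constructed.
func buildXPI(files map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, content := range files {
		w, _ := zw.Create(name) // in-memory writer; errors are not expected here
		io.WriteString(w, content)
	}
	zw.Close()
	return buf.Bytes()
}

// manifest renders one "sha256hex name" line per entry, sorted; this is the signed message,
// so a change to any byte of any entry changes it. (Hypothetical stand-in for a JAR manifest.)
func manifest(xpi []byte) (string, error) {
	zr, err := zip.NewReader(bytes.NewReader(xpi), int64(len(xpi)))
	if err != nil {
		return "", err
	}
	var lines []string
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return "", err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return "", err
		}
		sum := sha256.Sum256(data)
		lines = append(lines, hex.EncodeToString(sum[:])+" "+f.Name)
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n"), nil
}

// Sign produces the author's signature over the package manifest.
func Sign(priv ed25519.PrivateKey, xpi []byte) []byte {
	m, err := manifest(xpi)
	if err != nil {
		panic(err) // signing an unreadable package is a caller bug
	}
	return ed25519.Sign(priv, []byte(m))
}

// Verify answers one question only: is this package byte-for-byte what the
// holder of pub signed? It says nothing about what the code inside does.
func Verify(pub ed25519.PublicKey, xpi, sig []byte) bool {
	m, err := manifest(xpi)
	if err != nil {
		return false // unreadable package (or not a zip) never verifies
	}
	return ed25519.Verify(pub, []byte(m), sig)
}

// Scenarios plays the thread's situations against a pinned author key.
func Scenarios() map[string]bool {
	// Constructed keys: "author" stands in for the project's certificate key, "mirror" for anyone else.
	author := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	mirror := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	pub := author.Public().(ed25519.PublicKey)
	js := "chrome/content/main.js"
	original := buildXPI(map[string]string{
		"install.rdf": "<em:maxVersion>1.5.0.*</em:maxVersion>", js: "doUsefulThing();"})
	sig := Sign(author, original)
	// A mirror bumps maxVersion (as the thread describes) and keeps the old signature or signs itself.
	patched := buildXPI(map[string]string{
		"install.rdf": "<em:maxVersion>2.0.0.*</em:maxVersion>", js: "doUsefulThing();"})
	mirrorSig := Sign(mirror, patched)
	// The author ships an update users would not want: still authentic, so it verifies.
	unwanted := buildXPI(map[string]string{
		"install.rdf": "<em:maxVersion>1.5.0.*</em:maxVersion>", js: "doSomethingUsersWouldNotWant();"})
	unwantedSig := Sign(author, unwanted)
	return map[string]bool{
		"original with author's signature":       Verify(pub, original, sig),
		"mirror-patched with author's signature": Verify(pub, patched, sig),
		"mirror-patched with mirror's signature": Verify(pub, patched, mirrorSig),
		"author-signed unwanted update":          Verify(pub, unwanted, unwantedSig),
		"not a zip at all":                       Verify(pub, []byte("garbage"), sig),
	}
}

func main() { fmt.Println(Scenarios()) }
```

The verifier only ever trusts the key it was pinned to (the one that "comes along with the corresponding mozdev project"): the mirror's re-signed copy fails because the key is wrong, the patched copy carrying the author's old signature fails because the manifest changed, and the author's own unwanted update passes, which is exactly why signing certifies authenticity rather than safety.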
