Eric H. Jung wrote:
> I agree with Michael that code-signing is the same as vouching that the
> extension is non-evil. It simply ensures that the code hasn't been
> tampered with.
> I'll open a Bugzilla bug on it to track it, if you want?

It's not as good a solution as code-signing, but you can add SHA hashes to the update.rdf and the JavaScript install call.

http://bugzilla.mozilla.org/show_bug.cgi?id=306478

It would at least protect against one of the mirror sites being hacked to host a malicious version of the XPI.

Matthew Wilson
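
The check described in the message above, as an added example that is not part of the original post or of Mozilla's code: the publisher pins a digest of the XPI in the update manifest, and the client refuses a mirror download that does not match it. The "algorithm:hexdigest" pin format, the function names and the sample bytes are assumptions of this sketch.

```python
import hashlib
import hmac

# Sample policy (assumption): digests accepted in a pin. SHA-1 is left out
# of this sketch because practical collision attacks against it exist.
ALLOWED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}

# Constructed sample data standing in for XPI file contents.
GOOD_XPI = b"PK\x03\x04 constructed sample: genuine extension package"
TAMPERED_XPI = b"PK\x03\x04 constructed sample: package swapped on a mirror"


def make_pin(data: bytes, algo: str = "sha256") -> str:
    """Publisher side: build the 'algo:hex' pin to place in the manifest."""
    return f"{algo}:{ALLOWED[algo](data).hexdigest()}"


def verify_pin(data: bytes, pin: str) -> bool:
    """Client side: accept the download only if it matches the pinned digest."""
    algo, sep, expected = pin.partition(":")
    algo = algo.strip().lower()
    if not sep or algo not in ALLOWED:
        # Malformed pin or unlisted algorithm: fail closed instead of
        # installing an unverified package.
        return False
    actual = ALLOWED[algo](data).hexdigest().encode("ascii")
    wanted = expected.strip().lower().encode("utf-8")
    return hmac.compare_digest(actual, wanted)


def demo() -> dict:
    """Run the check against the genuine and the swapped package."""
    pin = make_pin(GOOD_XPI)
    return {
        "pin": pin,
        "genuine_accepted": verify_pin(GOOD_XPI, pin),
        "tampered_accepted": verify_pin(TAMPERED_XPI, pin),
        "weak_algo_accepted": verify_pin(GOOD_XPI, "md5:" + "0" * 32),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pin only helps when the manifest that carries it comes from a host the attacker does not control; a pin served from the same compromised mirror can be rewritten along with the package.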
