Re: verifying unpacked signed add-ons

2017-11-03 Thread Andrew McKay 
> WebExtensions are never meant to be installed unpacked except during
> development. It's currently possible for some side-load methods to install
> them unpacked in production, but that's not supported. System add-ons are
> never installed unpacked in production builds.

We don't have any telemetry on the packed state of an extension, so we
don't know how widespread the use of unpacked extensions is. We might
want to collect first if there's a plan to disable that.
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: verifying unpacked signed add-ons

2017-11-03 Thread Kris Maglione 

On Fri, Nov 03, 2017 at 03:25:39PM -0700, David Keeler wrote:

[firefox-dev, dev-addons, and the enterprise mailing list cc'd - please
direct follow-up discussion to dev-platform]

Hello All,

As you're no doubt aware, from 57 onwards, only signed WebExtensions
will be available as add-ons for the general release population. My
understanding is these are all packaged as "xpi" files (zip files,
really, but what's important is that they're bundled up as a single file
rather than a directory). Add-on developers can develop their add-ons by
temporarily loading them as unsigned packages or unsigned unbundled
directories (again, if my understanding is correct).

This leaves the question of what use we have for verifying unbundled
add-ons. Is there ever a case where we want to verify an unbundled yet
signed add-on? For example, do we ever do this with system add-ons? (And
if we do, I've been told this would be bad for performance, so perhaps
we should disallow this?)


WebExtensions are never meant to be installed unpacked except during 
development. It's currently possible for some side-load methods to 
install them unpacked in production, but that's not supported. System 
add-ons are never installed unpacked in production builds.


So I'm fine with removing signature verification for unpacked add-ons as 
long as we make sure we never enable them when signatures are required.

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: verifying unpacked signed add-ons

2017-11-03 Thread Robert Helmer 
On Fri, Nov 3, 2017 at 3:43 PM, David Keeler  wrote:
> On 11/03/2017 03:34 PM, Robert Helmer wrote:
>> On Fri, Nov 3, 2017 at 3:25 PM, David Keeler  wrote:
>>> [firefox-dev, dev-addons, and the enterprise mailing list cc'd - please
>>> direct follow-up discussion to dev-platform]
>>>
>>> Hello All,
>>>
>>> As you're no doubt aware, from 57 onwards, only signed WebExtensions
>>> will be available as add-ons for the general release population. My
>>> understanding is these are all packaged as "xpi" files (zip files,
>>> really, but what's important is that they're bundled up as a single file
>>> rather than a directory). Add-on developers can develop their add-ons by
>>> temporarily loading them as unsigned packages or unsigned unbundled
>>> directories (again, if my understanding is correct).
>>>
>>> This leaves the question of what use we have for verifying unbundled
>>> add-ons. Is there ever a case where we want to verify an unbundled yet
>>> signed add-on? For example, do we ever do this with system add-ons? (And
>>> if we do, I've been told this would be bad for performance, so perhaps
>>> we should disallow this?)
>>
>>
>> System add-on updates must be packed into a XPI[1]. Built-in add-ons are 
>> always
>> shipped packed (along with Firefox in the application directory), but
>> unpacked will
>> work for builds so you can modify a file in ./browser/extensions/ and
>> see the change
>> without a rebuild.
>
> I imagine those directories are unsigned when you're doing that work,
> though, right?


Yes.


>> We plan to move built-in add-ons into the omni jar eventually (bug 1357205)
>>
>>
>>>
>>> Thanks,
>>> David
>>>
>>>
>>> ___
>>> firefox-dev mailing list
>>> firefox-...@mozilla.org
>>> https://mail.mozilla.org/listinfo/firefox-dev
>>>
>>
>> 1 - 
>> http://searchfox.org/mozilla-central/rev/af86a58b157fbed26b0e86fcd81f1b421e80e60a/toolkit/mozapps/extensions/internal/XPIProvider.jsm#6561
>>
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: verifying unpacked signed add-ons

2017-11-03 Thread David Keeler 
On 11/03/2017 03:34 PM, Robert Helmer wrote:
> On Fri, Nov 3, 2017 at 3:25 PM, David Keeler  wrote:
>> [firefox-dev, dev-addons, and the enterprise mailing list cc'd - please
>> direct follow-up discussion to dev-platform]
>>
>> Hello All,
>>
>> As you're no doubt aware, from 57 onwards, only signed WebExtensions
>> will be available as add-ons for the general release population. My
>> understanding is these are all packaged as "xpi" files (zip files,
>> really, but what's important is that they're bundled up as a single file
>> rather than a directory). Add-on developers can develop their add-ons by
>> temporarily loading them as unsigned packages or unsigned unbundled
>> directories (again, if my understanding is correct).
>>
>> This leaves the question of what use we have for verifying unbundled
>> add-ons. Is there ever a case where we want to verify an unbundled yet
>> signed add-on? For example, do we ever do this with system add-ons? (And
>> if we do, I've been told this would be bad for performance, so perhaps
>> we should disallow this?)
> 
> 
> System add-on updates must be packed into a XPI[1]. Built-in add-ons are 
> always
> shipped packed (along with Firefox in the application directory), but
> unpacked will
> work for builds so you can modify a file in ./browser/extensions/ and
> see the change
> without a rebuild.

I imagine those directories are unsigned when you're doing that work,
though, right?

> We plan to move built-in add-ons into the omni jar eventually (bug 1357205)
> 
> 
>>
>> Thanks,
>> David
>>
>>
>> ___
>> firefox-dev mailing list
>> firefox-...@mozilla.org
>> https://mail.mozilla.org/listinfo/firefox-dev
>>
> 
> 1 - 
> http://searchfox.org/mozilla-central/rev/af86a58b157fbed26b0e86fcd81f1b421e80e60a/toolkit/mozapps/extensions/internal/XPIProvider.jsm#6561
> 



signature.asc
Description: OpenPGP digital signature
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: verifying unpacked signed add-ons

2017-11-03 Thread Robert Helmer 
On Fri, Nov 3, 2017 at 3:25 PM, David Keeler  wrote:
> [firefox-dev, dev-addons, and the enterprise mailing list cc'd - please
> direct follow-up discussion to dev-platform]
>
> Hello All,
>
> As you're no doubt aware, from 57 onwards, only signed WebExtensions
> will be available as add-ons for the general release population. My
> understanding is these are all packaged as "xpi" files (zip files,
> really, but what's important is that they're bundled up as a single file
> rather than a directory). Add-on developers can develop their add-ons by
> temporarily loading them as unsigned packages or unsigned unbundled
> directories (again, if my understanding is correct).
>
> This leaves the question of what use we have for verifying unbundled
> add-ons. Is there ever a case where we want to verify an unbundled yet
> signed add-on? For example, do we ever do this with system add-ons? (And
> if we do, I've been told this would be bad for performance, so perhaps
> we should disallow this?)


System add-on updates must be packed into a XPI[1]. Built-in add-ons are always
shipped packed (along with Firefox in the application directory), but
unpacked will
work for builds so you can modify a file in ./browser/extensions/ and
see the change
without a rebuild.

We plan to move built-in add-ons into the omni jar eventually (bug 1357205)


>
> Thanks,
> David
>
>
> ___
> firefox-dev mailing list
> firefox-...@mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev
>

1 - 
http://searchfox.org/mozilla-central/rev/af86a58b157fbed26b0e86fcd81f1b421e80e60a/toolkit/mozapps/extensions/internal/XPIProvider.jsm#6561
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

verifying unpacked signed add-ons

2017-11-03 Thread David Keeler 
[firefox-dev, dev-addons, and the enterprise mailing list cc'd - please
direct follow-up discussion to dev-platform]

Hello All,

As you're no doubt aware, from 57 onwards, only signed WebExtensions
will be available as add-ons for the general release population. My
understanding is these are all packaged as "xpi" files (zip files,
really, but what's important is that they're bundled up as a single file
rather than a directory). Add-on developers can develop their add-ons by
temporarily loading them as unsigned packages or unsigned unbundled
directories (again, if my understanding is correct).

This leaves the question of what use we have for verifying unbundled
add-ons. Is there ever a case where we want to verify an unbundled yet
signed add-on? For example, do we ever do this with system add-ons? (And
if we do, I've been told this would be bad for performance, so perhaps
we should disallow this?)

Thanks,
David



signature.asc
Description: OpenPGP digital signature
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform