[Desktop-packages] [Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
What could I do to help Ubuntu developers accept this 2 lines patch from Debian? Now there are no way to install Firefox extensions for all users, but this is critical for schools, other educational institutions and enterprise use, please, accept 2 lines patch from Debian. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1532484 Title: Don't warn about unsigned extension installed via Debian packages Status in firefox package in Ubuntu: Confirmed Status in firefox package in Debian: Fix Released Bug description: "Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1] Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification. So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it. This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44). [1] https://bugs.debian.org/800150 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
This bug was fixed in Debian 10 months ago, in Firefox 43, why Ubuntu
developers doesn't accept 2 lines patch, which is accepted in Debian
since December 2015?
iceweasel (43.0-1) experimental; urgency=medium
* New upstream release.
[...]
* toolkit/mozapps/extensions/internal/XPIProvider.jsm: Allow unsigned
addons in /usr/{lib,share}/mozilla/extensions. Closes: #800150.
There are lots of cases, when system administrators must install firefox
extension for all users, for example flashblock and adblock are widely
used in schools and other educational institutions, also this is a
regression, because Ubuntu 14.04 and 12.04 LTS versions allowed to use
extensions from deb packages, see bug #1507494 - Extensions stopped
working (Ubuntu 12.04 LTS)
** Package changed: iceweasel (Debian) => firefox (Debian)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1532484
Title:
Don't warn about unsigned extension installed via Debian packages
Status in firefox package in Ubuntu:
Confirmed
Status in firefox package in Debian:
Fix Released
Bug description:
"Mozilla is in the progress of requiring extensions to be signed, which I
think is a good thing. However, for Debian packages we
already have it signed by the Developer uploading it, I see no need to have
Mozilla also sign it. I suggest we don't warn / disable about extensions
installed on the system, but do require the signature for those that are
installed by browser itself." [1]
Shipping signed extensions in Debian packages is no options, because
then we could only ship unmodified, pre-build extensions. That
contradicts the Debian Free Software Guidelines (DFSG) #3 and signed
extensions are not the preferred source for modification.
So, please allow unsigned extensions installed in the system
directory. Debian already applied a patch for it (see Debian bug
#800150). Everyone having write access to the system directory would
probably also have access to the files of Firefox and could tinker
with it.
This severity of this bug will raise when Mozilla will reject unsigned
extensions (planned for Firefox 44).
[1] https://bugs.debian.org/800150
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
This bug potentially makes about a dozen extensions packaged for Xenial completely useless. Of the four I have installed, only the ubufox one is enabled. The other three are disabled without any means of enabling them (system-wide). If this isn't going to be fixed in Ubuntu, I think at least the maintainers of these, now utterly useless, packages deserve an explanation. For the record, I installed ublock-origin, y-u-no-validate and https- finder to make our browsing a more pleasant and safer activity. So far, no such luck. And without so much as a warning. :-( -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1532484 Title: Don't warn about unsigned extension installed via Debian packages Status in firefox package in Ubuntu: Confirmed Status in iceweasel package in Debian: Fix Released Bug description: "Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1] Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification. So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it. This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44). [1] https://bugs.debian.org/800150 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
** Tags added: patch -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1532484 Title: Don't warn about unsigned extension installed via Debian packages Status in firefox package in Ubuntu: Confirmed Status in iceweasel package in Debian: Fix Released Bug description: "Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1] Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification. So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it. This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44). [1] https://bugs.debian.org/800150 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
Please accept patch from Debian - there are lots of cases, when system administrators must install firefox extension for all users, for example flashblock and adblock are widely used in schools and other educational institutions, also this is a regression, because all Ubuntu LTS versions allowed to use extensions from deb packages, see bug #1507494 (Extensions stopped working (Ubuntu 12.04 LTS) ** Changed in: firefox (Ubuntu) Status: Opinion => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1532484 Title: Don't warn about unsigned extension installed via Debian packages Status in firefox package in Ubuntu: Confirmed Status in iceweasel package in Debian: Fix Released Bug description: "Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1] Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification. So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it. This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44). [1] https://bugs.debian.org/800150 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
This is fixed in Debian, why can't we apply the patch in Ubuntu? @chrisccoulson, could you please provide some reasoning behind "This isn't something that we're going to be changing in Ubuntu"? @bdrung, I have the following xul extensions installed: xul-ext-adblock-plus 2.7.1+dfsg-1~ubuntu xul-ext-ubufox 3.2-0ubuntu1 ...why is xul-ext-ubufox trusted by firefox, while adblock isn't? Does Canonical send ubu...@ubuntu.com.xpi to be signed by Mozilla? Thanks! -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1532484 Title: Don't warn about unsigned extension installed via Debian packages Status in firefox package in Ubuntu: Opinion Status in iceweasel package in Debian: Fix Released Bug description: "Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1] Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification. So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it. This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44). [1] https://bugs.debian.org/800150 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
This isn't something that we're going to be changing in Ubuntu ** Changed in: firefox (Ubuntu) Status: New => Opinion -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1532484 Title: Don't warn about unsigned extension installed via Debian packages Status in firefox package in Ubuntu: Opinion Status in iceweasel package in Debian: Unknown Bug description: "Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1] Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification. So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it. This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44). [1] https://bugs.debian.org/800150 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
Why?
Firefox introduces Tivoization for all extensions (like ubufox) and does
not provide more security. Everyone who can write to
/usr/{lib,share}/mozilla/extensions can probably also modify the system
files of Firefox to introduce malicious code there.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1532484
Title:
Don't warn about unsigned extension installed via Debian packages
Status in firefox package in Ubuntu:
Opinion
Status in iceweasel package in Debian:
Unknown
Bug description:
"Mozilla is in the progress of requiring extensions to be signed, which I
think is a good thing. However, for Debian packages we
already have it signed by the Developer uploading it, I see no need to have
Mozilla also sign it. I suggest we don't warn / disable about extensions
installed on the system, but do require the signature for those that are
installed by browser itself." [1]
Shipping signed extensions in Debian packages is no options, because
then we could only ship unmodified, pre-build extensions. That
contradicts the Debian Free Software Guidelines (DFSG) #3 and signed
extensions are not the preferred source for modification.
So, please allow unsigned extensions installed in the system
directory. Debian already applied a patch for it (see Debian bug
#800150). Everyone having write access to the system directory would
probably also have access to the files of Firefox and could tinker
with it.
This severity of this bug will raise when Mozilla will reject unsigned
extensions (planned for Firefox 44).
[1] https://bugs.debian.org/800150
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
** Patch added: "Allow-unsigned-addons-in-usr-lib-share-mozilla-exten.patch" https://bugs.launchpad.net/debian/+source/iceweasel/+bug/1532484/+attachment/4547081/+files/Allow-unsigned-addons-in-usr-lib-share-mozilla-exten.patch -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1532484 Title: Don't warn about unsigned extension installed via Debian packages Status in firefox package in Ubuntu: Opinion Status in iceweasel package in Debian: Unknown Bug description: "Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1] Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification. So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it. This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44). [1] https://bugs.debian.org/800150 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
** Changed in: iceweasel (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1532484 Title: Don't warn about unsigned extension installed via Debian packages Status in firefox package in Ubuntu: Opinion Status in iceweasel package in Debian: Fix Released Bug description: "Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1] Shipping signed extensions in Debian packages is no options, because then we could only ship unmodified, pre-build extensions. That contradicts the Debian Free Software Guidelines (DFSG) #3 and signed extensions are not the preferred source for modification. So, please allow unsigned extensions installed in the system directory. Debian already applied a patch for it (see Debian bug #800150). Everyone having write access to the system directory would probably also have access to the files of Firefox and could tinker with it. This severity of this bug will raise when Mozilla will reject unsigned extensions (planned for Firefox 44). [1] https://bugs.debian.org/800150 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
