On 08/26/2011 06:46 PM, Justin Wood (Callek) wrote:
> On 8/26/2011 8:49 PM, NoOp wrote:
>> On 08/26/2011 01:33 PM, Robert Kaiser wrote:
>>> David E. Ross wrote:
>>>> Is there an official, end-user release of SeaMonkey 2.3.1? I've seen
>>>> some discussion about it, but there has been no announcement here.
>>>
>>> The surroundings have already been pointed out by Callek et al., and
>>> http://www.seamonkey-project.org/ has it listed.
>>>
>>> This is a very small update to 2.3, but important to install as the only
>>> change is to ensure that we can still send future updates even once the
>>> current certificate of our update server expires.
>>>
>>> Robert Kaiser
>>>
>>>
>>
>> That's more than a little disconcerting: "we can still send future
>> updates even once the current certificate of our update server expires".
>>
>> If your certificate has expired then you *shouldn't* be sending *updates
>> at all*. You should *fix* your certificate instead!
>>
>> Are you stating that SeaMonkey doesn't adhere to these:
>> http://www.mozilla.org/projects/security/certs/policy/
>> <http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html>
>>
>> <http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html>
>>
>
> A bit overdramatic, (our release notes for 2.3.1 explicitly say what
> change we made, with a link to the bug). But it was not in KaiRo's mail.
> Let me briefly explain.

Actually *not* overdramatic at all given kairo's statement:

"we can still send future updates even once the current certificate of
our update server expires"

If the statement is in dispute then chastise Robert.

Actually it's the 'Changes' page that points to the bug report *not* the
release notes:

http://www.seamonkey-project.org/releases/
click 'release notes':
http://www.seamonkey-project.org/releases/seamonkey2.3/
<quote>
What's New in SeaMonkey 2.3.1

SeaMonkey 2.3.1 contains the following major changes relative to
SeaMonkey 2.2:

Several fixes when importing email from Microsoft Outlook
</quote>

"certificate" is nowhere to be found on that page. It's actually the
'changes' page that links to the bug report;
http://www.seamonkey-project.org/releases/seamonkey2.3/changes
[Add more app.update.certs.* possibilities to SeaMonkey (bug 679677).]

And that bug has *no* mention of "we can still send future updates even
once the current certificate of our update server expires".

You may think this trivial. However when one the former driver of
SeaMonkey makes a statement like this I do not consider it to be
"overdramatic" at all.

>
> Our current certificate will expire soon.
> We have a new certificate that we would have already switched to if not
> for this issue.
>
> The two (old and new) certificates have a different CA Root.
> SeaMonkey currently only accepts the *old* CA Root (and thus the new
> certificate would never give current "SeaMonkey 2.1+" an update offer).
> We are unable to renew the old certificate with the same CA Root, as
> they no longer issue new certs with that root.
>
> The change is simply *adding* our new root (and another backup root) to
> our "acceptable certificate" list for our updates, we are *not* simply
> serving updates without a certificate.

Sounds like a planning issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=679677
[Add more app.update.certs.* possibilities to SeaMonkey]
<quote>
Robert Kaiser (:[email protected]) 2011-08-17 05:55:07 PDT

SeaMonkey currently only has one CA possibility for update:
http://mxr.mozilla.org/comm-central/source/suite/browser/browser-prefs.js?mark=516-517#504

Firefox has two:
http://mxr.mozilla.org/comm-central/source/mozilla/browser/app/profile/firefox.js?mark=136-137,139-140#124

We should add one or two in addition, so we have more freedom of where
to get our certs from. Restricting them is good for security, but only
one choice is bad again, giving us no possibilities to switch if one CA
has a problem.

fox2mike: Which CA(s) would Mozilla prefer us to add there?

(Note that it will take quite some time until we have a so high audience
on new versions that we could abandon the current one, but the sooner we
introduce other pref values, the sooner we'll be actually able to have a
choice.)
</quote>

What happened to the toe the Firefox line? You guys don't have your own
certs?

1.12 +pref("app.update.certs.2.issuerName", "CN=GeoTrust SSL CA,O=\"GeoTrust, Inc.\",C=US");
http://support.mozilla.com/en-US/questions/750116
1.13 +pref("app.update.certs.2.commonName", "aus2-community.mozilla.org");
1.14 +pref("app.update.certs.3.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
<http://mike.kaply.com/2011/07/12/firefox-4-doesnt-recognize-new-thawte-code-signing-cert/>
<quote>
Tony Mechelynck July 13, 2011 at 11:56 am #

Per the Thawte instructions, I use on IE on Windows to manage my certs.
Does this mean that anyone running on a Mac or on Linux is left out in
the cold?

Right...

Does mozilla.org not have a valid cert? You guys are now adding GeoTrust
& Thawte certs so that you can do SeaMonkey updates?
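
Review bot: line 1.14 adds app.update.certs.3.issuerName, but the lines quoted here show no app.update.certs.3.commonName to pair with it the way 1.12 and 1.13 pair for index 2; if that pref is not in the rest of the patch, add it. A short comment beside the new prefs saying which entry is the replacement and which is the backup would also help whoever later retires the old entry.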
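
The pin-list behaviour Callek describes above, as an added example that is not part of the original thread and is not Mozilla's update code: a simplified JavaScript model in which an update server certificate is accepted only if one `app.update.certs.N.*` entry matches both its issuer and its common name. The `app.update.certs.1.*` values and the sample certificates are constructed (the thread does not give the old issuer), and skipping entries that lack either attribute is this model's own choice.

```javascript
'use strict';

// Parse pref("app.update.certs.N.attr", "value"); lines into { N: { attr: value } }.
function parseCertPrefs(text) {
  const re = /pref\("app\.update\.certs\.(\d+)\.(\w+)",\s*"((?:[^"\\]|\\.)*)"\);/g;
  const pins = {};
  for (const m of text.matchAll(re)) {
    const value = m[3].replace(/\\(.)/g, '$1'); // undo \" escapes inside the pref string
    (pins[m[1]] = pins[m[1]] || {})[m[2]] = value;
  }
  return pins;
}

// Return the index of the first complete pin that matches the certificate, or null.
function matchPin(pins, cert) {
  for (const idx of Object.keys(pins).sort((a, b) => a - b)) {
    const pin = pins[idx];
    // Model's choice: an entry missing either attribute is ignored, never a wildcard.
    if (!pin.issuerName || !pin.commonName) continue;
    if (pin.issuerName === cert.issuerName && pin.commonName === cert.commonName) {
      return Number(idx);
    }
  }
  return null;
}

// Constructed stand-in for the single pin shipped before 2.3.1.
const OLD_PREFS = String.raw`
pref("app.update.certs.1.issuerName", "CN=Constructed Old CA,O=Example,C=US");
pref("app.update.certs.1.commonName", "aus2-community.mozilla.org");
`;

// The three added lines exactly as quoted in the thread (index 3 is partial there).
const ADDED_PREFS = String.raw`
pref("app.update.certs.2.issuerName", "CN=GeoTrust SSL CA,O=\"GeoTrust, Inc.\",C=US");
pref("app.update.certs.2.commonName", "aus2-community.mozilla.org");
pref("app.update.certs.3.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
`;

// Constructed sample certificates as the client would see them.
const NEW_CERT = { issuerName: 'CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US',
                   commonName: 'aus2-community.mozilla.org' };
const THAWTE_CERT = { issuerName: 'CN=Thawte SSL CA,O="Thawte, Inc.",C=US',
                      commonName: 'aus2-community.mozilla.org' };

console.log('old client, new cert :', matchPin(parseCertPrefs(OLD_PREFS), NEW_CERT));
console.log('2.3.1 client, new cert:', matchPin(parseCertPrefs(OLD_PREFS + ADDED_PREFS), NEW_CERT));
```

A client holding only the old entry gets no match for a certificate from the new issuer, so it would see no update offer; with the added entries the same certificate matches index 2.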

