On Sat, Nov 16, 2013 at 09:58:40PM -0200, Erinn Clark wrote:
> * Griffin Boyce <[email protected]> [2013:11:10 20:30 -0500]:
> > It's been a while since there's been a discussion on-list about
> > getting the TBB into Apple's app store [1]. Interest hasn't really gone
> > away in the intervening 13 months, so I just want to open up discussion
> > about it.
>
> Are there a lot of people interested in this? We hear complaints from OSX
> users about the packages not being signed the OSX way, but if we've
> received bugs about putting TBB into the app store, they have been so
> infrequent and long ago that I don't remember them. I'm not disagreeing
> with your claim, I just wonder where the interest is happening so I can
> read about it. :)

Getting TBB into the App Store would definitely help increase its
visibility on the OSX side. However, I am not really in favour of giving
a US company a list of all users having downloaded TBB plus information
whether or not they are upgraded to the most recent version...

> > Here are some possible solutions:
> > - Submit Apple agreements to Wendy for review and
> > rejection/acceptance. The last mention of this was a year ago on #6540.
> > Status?
>
> I tried to get the licensing agreements earlier this year and they are,
> as far as I can tell, not available until you actually sign up. If
> someone reading this has put something in the app store (which may or
> may not be different from the app store the iPhone uses? does anyone
> know?) please send us a copy of any agreements you may have!

I think I still have access to both. Let me pull the latest version of
both agreements (iPhone and OSX developer) and attach them to #6540.

> > - Actively decide to continue without being blessed by Apple, but
> > focusing instead on educating Mac users about their application security
> > options.
>
> I am at this point in favor of signing OSX packages with their
> codesigning but in order to acquire a codesigning cert you have to jump
> through some hoops (and there is the aforementioned issue of "who buys
> the certs? person or organization?"; see also #10002) This is why this
> problem has never been "solved" -- every time we look at it we get
> discouraged, confused, and/or ideologically enraged.

Codesigning is a good countermeasure against some attackers. The bar you
have to jump over to get an Apple dev account and enroll for a
codesigning cert is significantly lower than the one described in #10002.
Have you spoken to Mozilla how they have obtained their code signing
cert?

Cheers,
Ralf
_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
