It looks to me like you're arguing about a separate point (AMO review requirements for add-on updates), when the subject at hand is the add-on signing system's reliance on the AMO validator as the only prerequisite for automatic signing.
Gavin

On Mon, Nov 30, 2015 at 10:30 AM, Thomas Zimmermann <tzimmerm...@mozilla.com> wrote:
> Hi
>
> On 27.11.2015 at 16:50, Gavin Sharp wrote:
> > On Fri, Nov 27, 2015 at 7:16 AM, Gervase Markham <g...@mozilla.org> wrote:
> >> But the thing is, members of our security group are now piling into the
> >> bug pointing out that trying to find malicious JS code by static code
> >> review is literally _impossible_ (and perhaps hinting that they'd have
> >> said so much earlier if someone had asked them).
> > No, that's not right. There's an important distinction between
> > "finding malicious JS code" and "finding _all_ malicious JS code". The
> > latter is impossible, but the former isn't.
> >
> > Proving "the validator won't catch everything" isn't particularly
> > relevant when it isn't intended to, in the overall add-on signing
> > system design.
>
> I think the fact that the validator (or manual review) cannot catch
> everything is very relevant.
>
> Users cannot rely on the review process (automatic or manual), because
> it can never catch all bugs (malicious or not). So users still have to
> rely on an extension's developers to get their code into good shape;
> just as it is currently the case. And I'd guess that malicious code will
> get more sophisticated when the review procedures improve.
>
> Another point is that one never knows how close to 'good' an extension
> or a review is, because this would require knowledge about the absolute
> number of bugs in the extension. Getting this number requires a perfect
> validator. So all bugs from a review might get fixed, but the overall
> extension is still in the 'crap territory'. I'm a bit surprised that
> this hasn't been mentioned here yet.
>
> Therefore I'm skeptical about the effective benefit for the users. The
> mandatory review seems to create a promise of security that it cannot
> fulfill. Reviews and validation are good things, but holding back an
> update for a pending review doesn't seem helpful.
>
> Best regards
> Thomas
>
> >
> > Gavin
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
> >

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform