That's one of the suggestions Dan Stillman makes in his post, and it
seems like a fine idea to me.

Gavin

On Mon, Nov 30, 2015 at 11:15 AM, Jonathan Kew <jfkth...@gmail.com> wrote:
> On 30/11/15 15:45, Gavin Sharp wrote:
>>>
>>> and it's definitely the wrong thing to do.
>>
>>
>> Fundamentally the add-on signing system was designed with an important
>> trade-off in mind: security (ensuring no malicious add-ons are
>> installed/executed) vs. maintaining a healthy add-on ecosystem (ensuring
>> that building and distributing add-ons is as easy as it can be).
>>
>> If your proposed alternative plan is "get rid of automatic signing", then
>> we know that it's going to significantly hamper Mozilla's ability to
>> maintain a healthy add-on ecosystem, and harm what were considered some
>> important add-on use cases. I don't think it strikes the right balance.
>>
>> If your proposed alternative plan is something else, maybe it would help
>> to clarify it.
>>
>
> Perhaps if there were a mechanism whereby "trusted" add-on developers could
> have their add-ons -- or even just updates for
> previously-reviewed-and-signed add-ons -- automatically signed without
> having to jump through the validator/review hoops each time?
>
> How would a developer acquire "trusted" status? By demonstrating a track
> record of producing add-ons that pass AMO review -- which may be a
> combination of automatic validation and/or human review.
>
> And of course any add-on developer who is found to have abused their
> "trusted" status to sign and deploy malicious code would have that status
> revoked, in addition to the malicious add-on being blocked.
>
> ISTM this would maintain most of the intended benefits of the signing
> system, while substantially smoothing the path for developers such as Dan
> who need to deliver frequent updates to their users.
>
> Feasible?
>
> JK
>
>
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform