omni.ja signing was introduced in https://bugzilla.mozilla.org/show_bug.cgi?id=1533818 and https://bugzilla.mozilla.org/show_bug.cgi?id=1515173. For a time, we checked the signature <https://bugzilla.mozilla.org/show_bug.cgi?id=1515712>, but that was removed awhile back <https://bugzilla.mozilla.org/show_bug.cgi?id=1883452>. Even when it was enabled, we never stopped loading code from it upon failure - merely reported it back in Telemetry.
Seeing as we do no validation of this, and have never done any useful validation, we should stop signing omni.ja to avoid a false sense of security, and reduce the amount of work we do during signing. We do not intend to remove support for signing altogether, so it can be re-enabled again in the future if we decide to do something useful with these signatures. -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/21cb5ae6-fb3a-4460-b7ce-5874e848629en%40mozilla.org.
