Ignore my other email. I sent too early.

> > The selfhost issue Jonas brought up doesn't seem to apply if the
> > packages are signed.
>
> self-host... selfhost... i'm lost. sorry. do you have a reference
> (wiki URL) which explains?

The situation is more complicated than I remember. See
http://groups.google.com/group/mozilla.dev.b2g/msg/b079d34ccdec0f85
The part about SMSMessageInc. The scenario is that we have an untrusted
store attempting to sell an app which is hosted on a trusted store. The
idea was for the installer to query our trusted store to see what
capabilities the app received. However, if we go with the dpkg model,
then the permissions are in the signed package and SMSMessageInc can
"mirror" the trusted store. Handling payments for this workflow doesn't
appear to be defined.

> > I could host my own app and have it on the store at the same
> > time. There is still the question of granting permissions. I'm not
> > sure if the store is the proper entity to decide whether an app can
> > obtain permission X/Y/Z.
>
> *deep breath*.... :)
>
> the permissions need to be codified in some format (text file?) which
> is incorporated into the OS once they're downloaded, unpacked and
> installed.
>
> however because those permissions *are* just "a text file", they
> *can* be included.... as part of the GPG-signed package (by the
> developer) :)
>
> not only that, but prior to the FTP Masters letting it out the door,
> they can review the permissions file. if the permissions are
> ridiculously over-permissive, the FTP Masters really should not sign
> the package.
>
> meaning, it wouldn't get released. which, unfortunately, makes the
> people managing the store the equivalent of "apple". whoops. but,
> there you go. it seems to work for debian, but that's because they
> have 1,000 people with a ring-of-trust, and those 1,000 people are
> often *not* the developers of the package. they have some free time
> to give, and a reputation to maintain.
>
> ultimately, the _store_ doesn't decide... but a human does.
>
> l.

The review process seems to work for the AMO team at Mozilla. I don't
know how much work it takes them.

There were some mentions of requiring app developers to explain why they
are asking for certain permissions in the app submission process. There
has also been discussion by the apps team to put permissions requests in
the manifest file.

David Chan

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
