On Wed, 21 Mar 2012 17:05:44 -0500 Ian Bicking wrote: > - Use developer keys so uploads are signed; or continue to add new or > better authentication over time to keep the uploading process secure > - Keep a public log of updates > - Remove or revert code that was found to be malicious (i.e., Mozilla could > remove that code, not wait for the developer to act) > - Do some automated review of the code > - Potentially do manual review (manual review of code has at least been > mentioned by some people, often based on Mozilla's review of addon code – > I'm not sure if this is really practical, but maybe?) > - We could obfuscate and compress code on our servers, so that we have > access to review code before this process (while still maintaining > developer privacy) > - We can force developers to explain, in a somewhat structured way, what > their updates do or why permissions have changed > - How aggressive any of this review is can also depend on what permissions > are being asked for, or what agreements developers are making with users
I believe you can do this with both systems? _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security