On Tue, 2020-12-29 at 18:54 +0000, Gary Buhrmaster wrote:
> On Tue, Dec 15, 2020 at 11:45 PM Adam Williamson
> <adamw...@fedoraproject.org> wrote:
> 
> > I wrote in the update that in my opinion the solution for this bug
> > can't involve expecting add-ons to suddenly get re-signed en masse, or
> > users to change their local configuration. It needs to keep working as
> > it did before. If the policy is ahead of the real world, the policy
> > needs to be loosened.
> 
> It was my (possibly failing) recollection that Mozilla
> has been signing add-ons with SHA2 (and SHA1
> for compatibility) for a few years now.  Is this just
> an issue because Mozilla has not re-signed existing
> add-ons (which, while obviously not something to
> be taken lightly, because they do control the primary
> distribution point(*), should be at least theoretically
> possible to do a bulk re-signing, and probably a
> good thing to do to avoid needing to downgrade
> their security stance), or is Mozilla not signing
> with SHA2 as I thought?

Well, installing uBlock Origin (which is a pretty frequently updated
addon) on a fresh VM fails, with the change. So I suspect it's the
latter.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
