On Oct 6, 11:11 pm, HelderMagalhaes <[email protected]>
wrote:
> Hi everyone,
>
> I've stumbled across a curious fact: the version 1.7.x update RDF [1]
> uses HTTP for the XPI package download link, whereas all the previous

I guess you mean "uses HTTPS" here.

> versions (update.rdf, that is) seem to use HTTP.
>
> I've crawled the discussion group and the bug tracker and couldn't
> find anything related. Any special reason behind that? If not, I'd
> suggest getting back to HTTP for coherence and I see no advantage in
> performing the download with the extra (SSL) overhead, although I
> admit using HTTPS has helped me work around proxy issues at work in
> the past (not that this is supposed to happen, I guess it was due to
> broken or too restrictive network environment configurations).

Mozilla has two schemes for reducing the chance that an evil-doer will
hijack your update and install their own code instead. One uses a
digital signature and HTTP; the other uses HTTPS.

In the early history of Firebug we did not have access to a server
that supported HTTPS so we used the digital signature method. Because
the support for creating digital signatures is so horrible, this
solution is painful and time-consuming.

For the last almost two years we have had HTTPS and anyway most
browsers/servers now support it.  By switching to HTTP we can use
simple ant scripts to build Firebug. That is what Honza used for
1.7a3.

jjb

>
> Cheers,
>  Helder
>
> [1]http://getfirebug.com/releases/firebug/1.7X/update.rdf
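
The two schemes described in the reply above (signature over HTTP, or HTTPS), as an added example that is not part of the original thread or of Firebug's build: a small audit of an update.rdf that reports any hop covered by neither. The element names em:updateLink, em:updateHash and em:signature come from Mozilla's legacy add-on update manifest format, not from this page; the example.org URLs and all sample values are constructed, and the signature is checked for presence only.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "{http://www.mozilla.org/2004/em-rdf#}"  # namespace of the em: properties

def is_https(url):
    return urlparse(url.strip()).scheme.lower() == "https"

def audit_update_manifest(manifest_url, rdf_text):
    """Return findings for an update.rdf; an empty list means both hops are covered."""
    root = ET.fromstring(rdf_text)
    findings = []
    # Hop 1: the manifest must arrive over HTTPS or carry a signature.
    # Presence only: verifying it against the add-on's key is out of scope here.
    signed = any((s.text or "").strip() for s in root.iter(EM + "signature"))
    if not is_https(manifest_url) and not signed:
        findings.append("manifest: plain HTTP and no em:signature")
    # Hop 2: each XPI link must be HTTPS or be pinned by a hash in the manifest.
    for node in root.iter():
        link = node.findtext(EM + "updateLink")
        if link is None or is_https(link):
            continue
        if not (node.findtext(EM + "updateHash") or "").strip():
            findings.append(f"{link.strip()}: plain HTTP and no em:updateHash")
    return findings

def sample(link, update_hash="", signature=""):
    """Constructed manifest, trimmed to the elements the audit reads."""
    h = f"<em:updateHash>{update_hash}</em:updateHash>" if update_hash else ""
    s = f"<em:signature>{signature}</em:signature>" if signature else ""
    return f"""<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:extension:addon@example.org">
    <em:updates><Seq><li><Description>
      <em:targetApplication><Description>
        <em:updateLink>{link}</em:updateLink>{h}
      </Description></em:targetApplication>
    </Description></li></Seq></em:updates>{s}
  </Description>
</RDF>"""

if __name__ == "__main__":
    xpi = "http://example.org/addon.xpi"  # constructed URL
    print(audit_update_manifest("http://example.org/update.rdf", sample(xpi)))
```
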
