This discussion has probably been going on on mozilla.org before, but since the Security Concerns have also reached mozdev, I'd like to put my two cents to it:
Although I reckon that the hashing and secure downloads will prevent users from downloading false extensions from fake websites, it might also give them a false feeling of security. They do have the extension they wanted, but they have absolutely no guarantee on what that extension does. Even commercial extensions like google toolbar, yahoo, or del.ici.usbookmarks can have some kind of spyware functionality built in, to "assist" them in analyzing user behavior. They might even have put it in a disclaimer to which the user has agreed before using their software. The users might get a false feeling of security because of the secure downloads. I think mozilla and mozdev need to emphasize this... Am I right or did I miss something? Onno On 6/4/07, Matthew Wilson <[EMAIL PROTECTED]> wrote:
Eric H. Jung wrote: >> No, but all e-mails with attachments are trashed, so I will have to >> look >> into this later today and get back to you (out of band). > > That is too bad. > >> The generated md5 or sha1 values needs to be stored in install.rdf >> like >> this (which is basically the same example as the link I provided): >> >> <em:updateHash> >> sha1:c4e27e3819ec8e2ed732aaaea2531440a8694542 >> </em:updateHash> > > Neither the above example nor the link you sent explain where in the > install.rdf DOM <em:updateHash/> should appear. Should it appear as a > child of <RDF:Description/>, child of document.documentElement, or > somewhere else??? See for example http://wmlbrowser.mozdev.org/wmlbrowser-update.rdf Matthew _______________________________________________ Project_owners mailing list [email protected] http://mozdev.org/mailman/listinfo/project_owners
_______________________________________________ Project_owners mailing list [email protected] http://mozdev.org/mailman/listinfo/project_owners
