Onno Ekker wrote:
> This discussion has probably been going on on mozilla.org before, but since
> the Security Concerns have also reached mozdev, I'd like to put my two cents
> to it:
>
> Although I reckon that the hashing and secure downloads will prevent users
> from downloading false extensions from fake websites, it might also give
> them a false feeling of security. They do have the extension they wanted,
> but they have absolutely no guarantee on what that extension does.

The hash is only used to check the XPI integrity, nothing else.

> Even commercial extensions like google toolbar, yahoo, or
> del.icio.us bookmarks can have some kind of spyware functionality built
> in, to "assist" them in analyzing user behavior. They might even have put
> it in a disclaimer to which the user has agreed before using their software.
> The users might get a false feeling of security because of the secure
> downloads.

For people who _misuse_ the term security, yes, but we're most certainly not going to that.

> I think mozilla and mozdev need to emphasize this...

This is a task for the responsible project leads.

> Am I right or did I miss something?

You were probably just a little misinformed because of the subject, which I used at times not knowing what the hash code was used for, so pardon me.

Michael

_______________________________________________
Project_owners mailing list
[email protected]
http://mozdev.org/mailman/listinfo/project_owners
