There can be alternative authorities, and you could opt to choose them
nstead. It's really a question of having the option of not relying on
Mozilla's decisions. It's not a choice of either each individual's
own keys or the original authority who's the one true authority.
Self-signing means
On Friday, 28 August 2015 at 11:24, Martin Stransky wrote:
On 08/28/2015 11:00 AM, Alexander Ploumistos wrote:
On Fri, Aug 28, 2015 at 10:18 AM, Martin Stransky stran...@redhat.com
wrote:
Can we ship addons which are already signed by Mozilla? Or does Fedora
packager modify them somehow?
On 08/27/2015 04:40 PM, Alexander Ploumistos wrote:
Aren't the addons that we ship in fedora a bunch of text files zipped
in an xpi archive? It is kind of awkward to send them back and forth,
but if there are no other binaries, does it go against a particular
policy?
Or we could decide that we
Dennis Gilmore wrote:
It sounds like the path mozilla is taking will likely prevent us
shipping addons in Fedora. That of course is their right to pursue
that.
As far as I can find out there are no plans to enforce this centralized
signing in Seamonkey, and I suppose the Icecat folks are free
On Fri, Aug 28, 2015 at 12:24 PM, Martin Stransky stran...@redhat.com wrote:
Thanks for the info. Actually is there any reason why Fedora packager would
need to modify the original extension?
That depends on the extension and its particulars. For example,
adblock plus has an extortion-like
On 08/28/2015 11:00 AM, Alexander Ploumistos wrote:
On Fri, Aug 28, 2015 at 10:18 AM, Martin Stransky stran...@redhat.com wrote:
Can we ship addons which are already signed by Mozilla? Or does Fedora
packager modify them somehow?
It seems that even when the source is an xpi file, rpm treats
On 08/28/2015 11:34 AM, Alexander Ploumistos wrote:
On Fri, Aug 28, 2015 at 12:24 PM, Martin Stransky stran...@redhat.com wrote:
Thanks for the info. Actually is there any reason why Fedora packager would
need to modify the original extension?
That depends on the extension and its
Am 28.08.2015 um 13:39 schrieb Emmanuel Seyman:
* Martin Stransky [28/08/2015 12:21] :
On 08/28/2015 11:40 AM, Emmanuel Seyman wrote:
* Martin Stransky [28/08/2015 11:24] :
Thanks for the info. Actually is there any reason why Fedora packager would
need to modify the original extension?
On Fri, Aug 28, 2015 at 10:18 AM, Martin Stransky stran...@redhat.com wrote:
Can we ship addons which are already signed by Mozilla? Or does Fedora
packager modify them somehow?
It seems that even when the source is an xpi file, rpm treats it like
any other source package and its contents can
* Martin Stransky [28/08/2015 12:21] :
On 08/28/2015 11:40 AM, Emmanuel Seyman wrote:
* Martin Stransky [28/08/2015 11:24] :
Thanks for the info. Actually is there any reason why Fedora packager would
need to modify the original extension?
If there is a security issue with an extension,
Martin Stransky stran...@redhat.com wrote:
On 08/28/2015 11:34 AM, Alexander Ploumistos wrote:
adblock plus [...] allows
certain ads from certain companies [...]
This patch blocks those ads as well:
http://pkgs.fedoraproject.org/cgit/mozilla-adblockplus.git/tree/disable-safeads.patch
I
* Martin Stransky [28/08/2015 11:24] :
Thanks for the info. Actually is there any reason why Fedora packager would
need to modify the original extension?
If there is a security issue with an extension, the packager might well
want to distribute a patched version while waiting for a new
On 08/28/2015 11:40 AM, Emmanuel Seyman wrote:
* Martin Stransky [28/08/2015 11:24] :
Thanks for the info. Actually is there any reason why Fedora packager would
need to modify the original extension?
If there is a security issue with an extension, the packager might well
want to distribute
On Friday, August 28, 2015 01:43:08 PM Reindl Harald wrote:
Am 28.08.2015 um 13:39 schrieb Emmanuel Seyman:
* Martin Stransky [28/08/2015 12:21] :
On 08/28/2015 11:40 AM, Emmanuel Seyman wrote:
* Martin Stransky [28/08/2015 11:24] :
Thanks for the info. Actually is there any reason why
On Fri, Aug 28, 2015 at 12:18 AM, Martin Stransky stran...@redhat.com wrote:
On 08/27/2015 04:40 PM, Alexander Ploumistos wrote:
Aren't the addons that we ship in fedora a bunch of text files zipped
in an xpi archive? It is kind of awkward to send them back and forth,
but if there are no
On Fri, 28 Aug, 2015 at 09:34:14 GMT, Alexander Ploumistos wrote:
On Fri, Aug 28, 2015 at 12:24 PM, Martin Stransky stran...@redhat.com wrote:
Thanks for the info. Actually is there any reason why Fedora packager would
need to modify the original extension?
That depends on the extension and
Dne 27.8.2015 v 16:09 Dennis Gilmore napsal(a):
On Wednesday, August 26, 2015 03:13:08 PM Richard Z wrote:
On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
Their FAQ is constantly updated:
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
I'm not sure if there is a
On Thu, Aug 27, 2015 at 5:09 PM, Dennis Gilmore den...@ausil.us wrote:
We have no real practical way to do this other than package up the addon and
build it as a -unsigned package, then making a separate package that has the
precompiled binary and signed by mozilla and put into the add on
On Wednesday, August 26, 2015 03:13:08 PM Richard Z wrote:
On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
Their FAQ is constantly updated:
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
I'm not sure if there is a valid practical reason to refuse
On 27 August 2015 at 08:26, Zdenek Kabelac zkabe...@redhat.com wrote:
Dne 27.8.2015 v 16:09 Dennis Gilmore napsal(a):
On Wednesday, August 26, 2015 03:13:08 PM Richard Z wrote:
On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
Their FAQ is constantly updated:
Am 27.08.2015 um 16:26 schrieb Zdenek Kabelac:
Chrome is not an option for me - it eats even more RAM and slows my
machine even more then FF.
So what are the option - if the person want to view Web with all modern
technologies being supported ?
simple answer: there is no option, we are in
On Thursday, August 27, 2015 05:40:18 PM Alexander Ploumistos wrote:
On Thu, Aug 27, 2015 at 5:09 PM, Dennis Gilmore den...@ausil.us wrote:
We have no real practical way to do this other than package up the addon
and build it as a -unsigned package, then making a separate package that
has
On Thu, Aug 27, 2015 at 02:28:48AM +0200, Reindl Harald wrote:
Am 27.08.2015 um 02:21 schrieb Solomon Peachy:
On Wed, Aug 26, 2015 at 05:53:36PM +0200, drago01 wrote:
A better solution would be to add a mechanism that allows you to use
your own signing keys.
That way you have both 1)
On Wed, Feb 11, 2015 at 10:30:11PM -0600, Michael Cronenworth wrote:
I'm sure those that need to know, know, but for those that haven't heard[1]
Mozilla's official Firefox build will enforce addons to contain a Mozilla
signature without any runtime option to disable the check.
Initially this
On Wed, Aug 26, 2015 at 3:13 PM, Richard Z r...@linux-m68k.org wrote:
On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
Their FAQ is constantly updated:
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
I'm not sure if there is a valid practical reason to refuse
On Wed, Aug 26, 2015 at 05:53:36PM +0200, drago01 wrote:
On Wed, Aug 26, 2015 at 3:13 PM, Richard Z r...@linux-m68k.org wrote:
On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
Their FAQ is constantly updated:
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
Their FAQ is constantly updated:
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
I'm not sure if there is a valid practical reason to refuse submitting the
addons that we ship to their signing service or if it is against our
policies; at least mozilla-https-everywhere has been signed.
On Thu, Feb 12, 2015 at 07:07:34PM +0100, Reindl Harald wrote:
Am 12.02.2015 um 18:53 schrieb Simo Sorce:
Maybe it is only about preventing people from bundling the official
Firefox version with dodgy add-ons. Not downright malware, but things
users may not actually want without realizing
Dne 26.8.2015 v 14:12 Alexander Ploumistos napsal(a):
Their FAQ is constantly updated:
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
I'm not sure if there is a valid practical reason to refuse submitting
the addons that we ship to their signing service or if it is against
our
On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
Their FAQ is constantly updated:
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
I'm not sure if there is a valid practical reason to refuse submitting the
addons that we ship to their signing service or if it is
On Wed, Aug 26, 2015 at 05:53:36PM +0200, drago01 wrote:
A better solution would be to add a mechanism that allows you to use
your own signing keys.
That way you have both 1) install self built extensions and 2) the
added security.
..and (3) a way for malware to install its own key, rendering
Am 27.08.2015 um 02:21 schrieb Solomon Peachy:
On Wed, Aug 26, 2015 at 05:53:36PM +0200, drago01 wrote:
A better solution would be to add a mechanism that allows you to use
your own signing keys.
That way you have both 1) install self built extensions and 2) the
added security.
..and (3) a
On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth m...@cchtml.com
wrote:
I'm sure those that need to know, know, but for those that haven't
heard[1]
Mozilla's official Firefox build will enforce addons to contain a
Mozilla signature
without any runtime option to disable the check.
On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
comzer...@fedoraproject.org wrote:
On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth m...@cchtml.com
wrote:
I'm sure those that need to know, know, but for those that haven't heard[1]
Mozilla's official Firefox build will enforce addons to
Nikos Roussos wrote:
If the only way is to completely disable this feature, I'd prefer we
don't.
I wouldn't like for us to ship a less secure build of Firefox.
After Restricted Boot, now Restricted Browser? No thanks! This feature
needs to be disabled no matter whether it affects our packaged
On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
A better way would be to add a Fedora Signature in addition to
mozilla's and use that for packaged extensions.
But that would require work on the build system (koji) side.
The RPMs deploying the packaged extension are already
On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
comzer...@fedoraproject.org wrote:
On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth m...@cchtml.com
wrote:
I'm sure those that need to know, know, but for those that haven't
On Thu, Feb 12, 2015 at 1:53 PM, Daniel P. Berrange berra...@redhat.com wrote:
On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
comzer...@fedoraproject.org wrote:
On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth m...@cchtml.com
On 02/12/2015 11:15 AM, Nikos Roussos wrote:
On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth m...@cchtml.com
wrote:
Is Fedora going to get authorization to build Firefox with a runtime
disable option?
If the only way is to completely disable this feature, I'd prefer we don't.
I
or simply exempt signature checking if
the extension is on disk. They should check on download only.
That would defeat the entire purpose; malware is very commonly sideloading
extensions.
Mirek
--
devel mailing list
devel@lists.fedoraproject.org
On 02/12/2015 04:53 PM, Simo Sorce wrote:
On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trmač wrote:
or simply exempt signature checking if
the extension is on disk. They should check on download only.
That would defeat the entire purpose; malware is very commonly sideloading
extensions.
On Thu, Feb 12, 2015 at 9:53 AM, Simo Sorce s...@redhat.com wrote:
Malware can easily binary patch firefox to ignore verification, I do
not
think trying to defeat sideloading with this kind of verification
makes
much sense.
And if you've already installed malware with on your computer, don't
On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trmač wrote:
or simply exempt signature checking if
the extension is on disk. They should check on download only.
That would defeat the entire purpose; malware is very commonly sideloading
extensions.
Malware can easily binary patch firefox to
On 12/02/15 16:53, Simo Sorce wrote:
Malware can easily binary patch firefox to ignore verification, I do not
think trying to defeat sideloading with this kind of verification makes
much sense.
Of course you may decide to exempt only extensions in non-user-writable
locations, if you are on
On Thu, Feb 12, 2015 at 09:54:16AM -0500, Miloslav Trmač wrote:
or simply exempt signature checking if
the extension is on disk. They should check on download only.
That would defeat the entire purpose; malware is very commonly
sideloading extensions.
If we only exempt extensions
I'm sure those that need to know, know, but for those that haven't heard[1]
Mozilla's official Firefox build will enforce addons to contain a Mozilla signature
without any runtime option to disable the check.
Initially this prevents Fedora packaged addons since they are unsigned. The Mozilla
46 matches
Mail list logo