[Project_owners] XPI security issues
erwin at transpontine.com
Thu Jan 22 12:02:41 EST 2004
>Are we concerned about security?
Always. Especially when you're dealing with (potentially) private issues
like people's email, like for TB, or people's online banking.
>Should we use a signed XPI installation or not?
Not sure if I have much faith in signing. So John Doe signed this
extension, what does this mean to me? It's a matter of trust, and
signing alone doesn't make me trust something.
>Who benefits from this policy?
From a security policy in general, I would say especially less savvy
users benefit. The hard-core users are smart enough to dodge most
bullets. Since we're working on making Mozilla* more end-user friendly,
I do believe it's a sane thing to do _something_. Also, to put it
simply, security sells. If you can say that something is secure, it
earns you bonus points.
>What do we need for this?
Trust. I don't want to bomb this initiative, but I do think signing
alone is not the answer. Alternatively (or rather in addition) we might
want to look at trusted delivery methods - if there are only a few
sources for extensions, rotten apples are easily and swiftly sniffed.
>Are you willing to change your XPIinstall process?
Sure. Why not? It's not that complicated.
>note: remember this, not all source code is available, you have to download many XPIs before you can take a look at it.
Even if you do, can you _always_ examine _all_ source code?
>One day we might need so called 'TRUSTED' project owners to scan sources on mozdev.org
That would only work for mozdev projects. Not all extensions are
*.mozdev.org ... Also, even this would be no guarantee that a _release_
wouldn't be dirty anyway - you can just add code outside the CVS.