[Project_owners] signed XPI files
special.michael at gmail.com
Fri Oct 21 17:14:53 EDT 2005
On 10/21/05, Michael Johnston <special.michael at gmail.com> wrote:
> I think if someone wanted to be malicious, they would go to the lengths
> to download, compile and sign.
> On 10/21/05, Paul Tomlin <paul at paultomlin.com> wrote:
> > Eric Jung wrote:
> > > Does anyone know how to sign a XPI file? I'd heard the Yahoo! Search
> > > Bar extension for Firefox was signed.
> > But to add more to the discussion, would it be seen as valuable and/or
> > possible to do this via mozdev?
> > Some form of code review possibly warranted to ensure no nastiness (I
> > recall a previous discussion on similar grounds), the exact mechanism
> > for which I couldn't say.
> > But, maybe an automated system whereby a request from an author for a
> > signed package of a particular CVS tag could start a swathe of testing
> > :) followed by voting and a generated XPI if all goes well.
> > Initial testing might be lengthy (AMO is currently some 130+ extensions
> > in the initial submission queue - due to longer initial review) but
> > updates might be easier since diffing the CVS would show changes. By
> > using the CVS tree we can ensure what is built is what's there, it's not
> > code delivered by the author, the system simply extracts it from CVS on
> > demand.
> > Small PayPal-esque fee to cover cert costs? Though that might discourage
> > frequent requests to the detriment of speeding the review (larger diff
> > == more time). And certs aren't that pricey.
> > Not sure myself. Would I pay, probably $10, if I thought that people
> > would care. So far they haven't but you never know. OTOH, if someone
> > really cared I could do it, special like, for a little more than $10 ;)