[Project_owners] signed XPI files

Paul Tomlin paul at paultomlin.com
Fri Oct 21 18:27:46 EDT 2005


Michael Johnston wrote:
> i think if someone wanted to be malicous, they would go to the lengths
> to download, compile and sign.

does moz update care much about where the cert is for when installing an 
extension?

ignore the download-to-disk scenario for a second, would the updater 
barf if an xpi was being installed from mozdev.org but signed by [a cert 
issued to] nasty-haxor.ru? visa-versa?

the code review part is to protect mozdev from being seen as 
distributing/condoning something without concern for what it was. you 
don't sign a piece of paper without making sure you agree (not often 
anyway) so people could reasonably assume that something signed by 
mozdev would be, if not guaranteed, at least inspected by them. of 
course 'mozdev' in this context could mean us, or in reality, the domain 
registrant (legally speaking).

think of it as a step in the direction of making mozdev known for 
providing not only an environment for developers to produce extensions, 
but for users to be able to come for stuff that can be trusted.


More information about the Project_owners mailing list