[Project_owners] code-signing certificates from mozdev?

David Boswell davidwboswell at yahoo.com
Wed Oct 18 05:18:30 PDT 2006


If people are interested in code signing, I recommend that someone
should research the details and then come up with a policy for how
mozdev could do this.  We can then see if the project owners approve
the idea and if the resources are available to do it.  The admins are
fully booked right now, so we'll need to find someone else to own this
issue.

David


> Mozdev vouching for an extension may be too much to ask for - just think
> of the approval queues on amo, and they check at most functionality.
> 
> On the other hand, signing extensions would at least certify that the
> extension comes from the extension author - it's more about authenticity
> than about security. There are many extension mirrors; often patched
> versions float around (maxVersion changes, enhancements, adjustments to
> nvu and such) which the original author doesn't even know about. Code
> signing could make sure that one gets the "original" version from the
> author if the certificate is the one that comes along with the
> corresponding mozdev project. Maybe this could be clarified in a signing
> policy? I don't know much about X.509 certs, though.
> 
> Michael


