[Project_owners] code-signing certificates from mozdev?
Eric H. Jung
eric.jung at yahoo.com
Sat Oct 21 21:27:00 PDT 2006
I agree with Michael that code-signing is the same as vouching that the extension is non-evil. It simply ensures that the code hasn't been tampered with.
I'll open a bugzilla bug on it to track it, if you want?
It sounds like the timing is bad.
----- Original Message ----
From: David Boswell <davidwboswell at yahoo.com>
To: Mozdev Project Owners List <project_owners at mozdev.org>
Sent: Wednesday, October 18, 2006 8:18:30 AM
Subject: Re: [Project_owners] code-signing certificates from mozdev?
If people are interested in code signing, I recommend that someone
should research the details and then come up with a policy for how
mozdev could do this. We can then see if the project owners approve
the idea and if the resources are available to do it. The admins are
fully booked right now, so we'll need to find someone else to own this
> Mozdev vouching for an extension may be too much to ask for - just
> of the approval queues on amo, and they check at most functionality.
> On the other hand, signing extensions would at least certify that the
> extension comes from the extension author - it's more about
> than about security. There are many extension mirrors; often patched
> versions float around (maxVersion changes, enhancements, adjustments
> nvu and such) which the original author doesn't even know about. Code
> signing could make sure that one gets the "original" version from the
> author if the certificate is the one that comes along with the
> corresponding mozdev project. Maybe this could be clarified in a
> policy? I don't know much about X.509 certs, though.
> Project_owners mailing list
> Project_owners at mozdev.org