[Project_owners] Secure Updates for Firefox 3

Scott sgrayban at gmail.com
Wed Jul 18 01:22:51 PDT 2007


Douglas E. Warner wrote:
> On Tuesday 17 July 2007, Scott wrote:
>   
>> I already sign my XPI's with a SSL cert. I followed
>> http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html to do this.
>>
>> Will I be required to stop doing that and use gpg then ? I figured a SSL
>> cert was much better.
>>     
>
> GPG and SSL can provide similar utilities here; the signing of a package.
>
> My understanding right now is that you'll be signing the updates.rdf file to 
> prove that the original developer is the same one pushing the update.  It 
> will be very similar to the process you're currently using to sign your XPIs.
>   

If I understand this correctly -- I will be forced to either abandoned
my SSL signing for the forced signing of a updates.rdf  or use both?

Frankly this is very disappointing...... I intentionally got away from
using the addons website because I was being forced to use the addons
site as the sole update for my projects. Now I am being forced into
something else that I don't see any better then me signing my XPI's with
SSL.

This just might end any more development on my part now. If there is
anything that ticks me off more is being forced to do something I didn't
want in the first place.

- Scott


More information about the Project_owners mailing list