[Project_owners] Secure Updates for Firefox 3
Axel Hecht
axel at pike.org
Wed Jul 18 03:47:03 PDT 2007
Scott wrote:
> Douglas E. Warner wrote:
>> On Tuesday 17 July 2007, Scott wrote:
>>
>>> I already sign my XPIs with an SSL cert. I followed
>>> http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html to do this.
>>>
>>> Will I be required to stop doing that and use gpg then? I figured an SSL
>>> cert was much better.
>>>
>> GPG and SSL can provide similar utilities here; the signing of a package.
>>
>> My understanding right now is that you'll be signing the updates.rdf file to
>> prove that the original developer is the same one pushing the update. It
>> will be very similar to the process you're currently using to sign your XPIs.
>>
>
> If I understand this correctly -- I will be forced to either abandon
> my SSL signing for the forced signing of an updates.rdf or use both?
>
> Frankly this is very disappointing...... I intentionally got away from
> using the addons website because I was being forced to use the addons
> site as the sole update for my projects. Now I am being forced into
> something else that I don't see any better than me signing my XPIs with
> SSL.
>
> This just might end any more development on my part now. If there is
> anything that ticks me off more, it is being forced to do something I didn't
> want in the first place.
>
> - Scott
Would you mind citing the exact point that makes you think that you have
to drop SSL signing? Frankly I have no clue about the differences
between SSL and gpg, but I can't find anything obviously saying that.
Axel