[Project_owners] InstallTrigger (was: XPI install still vulnerable to MITM attacks on mozdev.org)
Douglas E. Warner
silfreed at silfreed.net
Fri Jul 20 11:03:50 PDT 2007
On Friday 20 July 2007, eric.jung at yahoo.com wrote:
> Yeah, I understand. If anything, promoting the use of InstallTrigger on
> mozdev without a file release system would only serve to get people to
> deliver their XPIs outside of the mirror system (i.e., linked from a
> regular HTML or PHP project page under their own control).
It *is* possible to link to a file directly, it's just not completely
intuitive (or maybe even supported).
For example, if you goto http://download.mozdev.org you will be redirected to
a mirror; from there you can navigate to some file you want to download/link
to, I'll take:
This same file on another mirror may be:
But you can refer to that single file by:
and this will be served from one of our mirrors.
So with this it should be possible to use InstallTrigger with our current
mirror system, it's just not intuitive, easy, or secure (ie, susceptible to
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://mozdev.org/pipermail/project_owners/attachments/20070720/17e5277a/attachment-0001.bin
More information about the Project_owners