[Project_owners] Online version of McCoy

Eric H. Jung eric.jung at yahoo.com
Tue Feb 5 11:50:31 PST 2008


--- Matthew Wilson <matthew at mjwilson.demon.co.uk> wrote:

> Eric H. Jung wrote:
> > --- Andrew Archer <AndrewArcher at hotmail.com> wrote:
> > 
> >> I'm curious to know how the keys will be kept secure.
> > 
> > There wouldn't be any keys in an online version. It would work like this:
> > 
> > 1. User uploads XPI to http://mozdev.org/mccoy
> > 2. mozdev.org generates hash of uploaded XPI
> > 3. mozdev.org unzips XPI, inserts the <em:updateHash/> into install.rdf, re-zips XPI, sends XPI
> > back to user as a file download
> > 
> > http://developer.mozilla.org/en/docs/Extension_Versioning,_Update_and_Compatibility#Update_Hashes
> 
> That's not the McCoy functionality though is it? em:updateHash was 
> available before McCoy, and doesn't secure updates.
>

I don't know, but the point is mozdev should have an upload tool which preps XPIs for
auto-updating when update.rdf isn't hosted at AMO (it's probably hosted at mozdev, but not
necessarily). I believe updateHash is the only install.rdf entry required for this. updateKey,
updateLink are not required. Anyone confirm?





