[Project_owners] newbie question: how do secure updates for FF 3.0 work?

Godmar Back godmar at gmail.com
Fri Feb 15 12:21:30 PST 2008


Hi,

we're hosting about 280 Firefox extensions on libx.org and are now
trying to prepare for the impending update to FF3.0.  I was reading
Mozilla's instructions [1] and have a couple of questions about it.

This page says:

"In the install.rdf of the already installed add-on updateURL must be
specified in one of the following ways:
  *  The updateURL uses https, or there is no updateURL at all (which
defaults to addons.mozilla.org which is https)
  * The updateURL uses http and the updateKey entry is specified which
will be used to verify the data in the update manifest."

We are currently using an "http" updateURL and we do not have an
updateKey in the files of the "already installed" install.rdf files -
that is, the install.rdf that is included in the .xpi files our end
users have downloaded.

Does that mean we are out of luck and will be precluded from taking
advantage of automatic updates to FF 3.0?

It seems to me that there may be a number of projects hosted on
mozdev.org that may face the same issue. Am I misreading the
instructions? Is there really no way to make existing add-ons
compatible so that they can be automatically updated?

 - Godmar

[1] http://developer.mozilla.org/en/docs/Extension_Versioning%2C_Update_and_Compatibility#Securing_Updates


More information about the Project_owners mailing list