[Project_owners] newbie question: how do secure updates for FF 3.0 work?
godmar at gmail.com
Fri Feb 15 14:04:47 PST 2008
On Fri, Feb 15, 2008 at 3:49 PM, Douglas E. Warner
<silfreed at silfreed.net> wrote:
> If you'd like to see any of our roadmap priorities changed or rearranged, let
> us know.
Well, I would very much like a way to provide automatic updates to my
users. If I understand Andrew's reply correctly, the only way to do
that is to force an update (and switch to updateKey-signed) xpis while
they are still using 2.0. (*) This would be a huge hassle for us,
because don't actually create .xpi files - we provide a web-based
system (libx.org/editionbuilder) that does. Doing what you suggest
would force us to either abandon this system by which a community of
adopters creates .xpi files (and tests them, etc.), or coerce all of
them to rebuild and retest their .xpi files.
The other options you mentioned (hosting on .mozdev.org, or on
addons.mozilla.org) obviously don't work in our setup, either.
I find it hard to believe that there's no way to grandfather existing
projects into the new 3.0 framework - I'm not asking for you to
tolerate unsigned xpis, but at least a migration path should have been
provided. Is there really no migration path? (Note that we control
the updateLink location. We could, conceivably, redirect those to a
https URL. Would that help us?)
(*) Although you said:
"Right now the best thing you can do is being using McCoy  to sign your
update manifests and add the updateHash to your files. This will allow you
to serve your update.rdf files from http sites securely and provide automatic
updates." - are you implying that following this path would provide a
means to participate in automatic updates even without forcing a
does that mean that doing so will allow an update path when 3.0 comes around?
>  http://wiki.mozilla.org/McCoy
>  http://bugzilla.mozdev.org/show_bug.cgi?id=17302
>  https://www.mozdev.org/bugs/show_bug.cgi?id=18526
> Douglas E. Warner <silfreed at silfreed.net> Site Developer
> Mozdev.org http://www.mozdev.org
> Project_owners mailing list
> Project_owners at mozdev.org
More information about the Project_owners