[Project_owners] Secure installation of extensions, Project overview pages, and file release system

Douglas E. Warner silfreed at silfreed.net
Fri Mar 28 06:03:25 PDT 2008


On Friday 28 March 2008 05:31:27 Onno Ekker wrote:
> Can you add file_management.html url to the
> https://www.mozdev.org/profile/index.html ?

Done, thanks;  It was previously linked from the "All Resources" page, but I 
missed this one.

> And after submitting files, you end up in an empty
> file_managment_actions.php. It would be better to return to the project
> selection page.

This isn't the desired action, but I haven't been able to duplicate it.  Could 
you send me some more details about your workflow off-list?

> I don't really see why end-users would believe they now have safe
> downloads. To the user, the only thing that has changed, is that they
> can start the download from a secure website, but they can't see that
> the file is also verified and they cannot verify the file themselves,
> since you don't display the md5sum. The download itself is still from an
> unsecure website, so the user could download another file than he thinks.

The security comes from using InstallTrigger which will verify the hash 
against the downloaded file for the user automatically.  This hash is served 
from a secure website, therefore the hash can be trusted.  The file can then 
be downloaded from anywhere and compared against the trusted hash.

-Doug

-- 
Douglas E. Warner    <silfreed at silfreed.net>    Site Developer
Mozdev.org           http://www.mozdev.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://www.mozdev.org/pipermail/project_owners/attachments/20080328/bcb8dd2d/attachment.bin 


More information about the Project_owners mailing list