On Tue, Dec 15, 2020 at 11:45 PM Adam Williamson
<adamw...@fedoraproject.org> wrote:

> I wrote in the update that in my opinion the solution for this bug
> can't involve expecting add-ons to suddenly get re-signed en masse, or
> users to change their local configuration. It needs to keep working as
> it did before. If the policy is ahead of the real world, the policy
> needs to be loosened.

It was my (possibly failing) recollection that Mozilla
has been signing add-ons with SHA2 (and SHA1
for compatibility) for a few years now.  Is this just
an issue because Mozilla has not re-signed existing
add-ons (which while is obviously not something to
be taken lightly, because they do control the primary
distribution point(*) should be at least theoretically
possible to do a bulk re-signing, and probably a
good thing to do to avoid needing to downgrade
their security stance), or is Mozilla not signing
with SHA2 as I thought?



(*) Yes, there are other distribution points for
add-ons other than Mozilla itself, and they, too,
would need to consider such re-signing.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

Reply via email to