On 11/28/15 8:28 PM, Mike Hoye wrote:
To Ehsan's point that "malicious code here might look like this:
console.log("success"); [and] It's impossible to tell by looking at
the code whether that line prints a success message on the console, or
something entirely different, such as running calc.ex
On Sat, Nov 28, 2015 at 5:28 PM, Mike Hoye wrote:
> On 2015-11-28 2:40 PM, Eric Rescorla wrote:
>
>> How odd that your e-mail was in response to mine, then.
>>
>> Thanks, super helpful, really moved the discussion forward, high five.
Glad I could help.
To Ehsan's point that "malicious code he
On 2015-11-28 2:40 PM, Eric Rescorla wrote:
How odd that your e-mail was in response to mine, then.
Thanks, super helpful, really moved the discussion forward, high five.
To Ehsan's point that "malicious code here might look like this:
console.log("success"); [and] It's impossible to tell by
On 11/28/15 2:30 PM, Kartikaya Gupta wrote:
So it seems to me that people are actually in general agreement about
what the validator can and cannot do, but have different evaluations
of the cost-benefit tradeoff.
On the one hand we have the camp (let's say camp A) that believes the
validator pro
On Sat, Nov 28, 2015 at 11:30 AM, Kartikaya Gupta
wrote:
> So it seems to me that people are actually in general agreement about
> what the validator can and cannot do, but have different evaluations
> of the cost-benefit tradeoff.
>
> On the one hand we have the camp (let's say camp A) that beli
On 11/28/15 5:06 AM, Gijs Kruitbosch wrote:
On 27/11/2015 23:46, dstill...@zotero.org wrote:
The issue here is that this new system -- specifically, an automated
scanner sending extensions to manual review -- has been defended by
Jorge's saying, from March when I first brought this up until
yest
How odd that your e-mail was in response to mine, then.
-Ekr
On Sat, Nov 28, 2015 at 11:34 AM, Gavin Sharp wrote:
> I wasn't suggesting that you had made that incorrect assumption.
>
> Gavin
>
> On Sat, Nov 28, 2015 at 10:31 AM, Eric Rescorla wrote:
>
>> On Fri, Nov 27, 2015 at 11:06 PM, Gavi
I wasn't suggesting that you had made that incorrect assumption.
Gavin
On Sat, Nov 28, 2015 at 10:31 AM, Eric Rescorla wrote:
> On Fri, Nov 27, 2015 at 11:06 PM, Gavin Sharp
> wrote:
>
>> The assumption that the validator must catch all malicious code for
>> add-on signing to be beneficial is
So it seems to me that people are actually in general agreement about
what the validator can and cannot do, but have different evaluations
of the cost-benefit tradeoff.
On the one hand we have the camp (let's say camp A) that believes the
validator provides negligible actual benefit, because it is
On 11/28/2015 11:36 AM, Anne van Kesteren wrote:
On Sat, Nov 28, 2015 at 9:09 AM, Ian Young wrote:
Maybe a
Mozillian could drop in and give us an explanation of how the W3C
process influences what gets implemented and when?
Well, it doesn't really, many things are standardized by the W3C that
On Sat, Nov 28, 2015 at 2:06 AM, Gijs Kruitbosch
wrote:
> On 27/11/2015 23:46, dstill...@zotero.org wrote:
>
>> The issue here is that this new system -- specifically, an automated
>> scanner sending extensions to manual review -- has been defended by
>> Jorge's saying, from March when I first br
On Fri, Nov 27, 2015 at 11:06 PM, Gavin Sharp wrote:
> The assumption that the validator must catch all malicious code for add-on
> signing to be beneficial is incorrect, and seems to be what's fueling most
> of this thread.
>
I'm not sure how you got that out of my comments, since I explicitly
On 27/11/2015 23:46, dstill...@zotero.org wrote:
The issue here is that this new system -- specifically, an automated
scanner sending extensions to manual review -- has been defended by
Jorge's saying, from March when I first brought this up until
yesterday on the hardening bug [1], that he belie
On Sat, Nov 28, 2015 at 9:09 AM, Ian Young wrote:
> Maybe a
> Mozillian could drop in and give us an explanation of how the W3C
> process influences what gets implemented and when?
Well, it doesn't really, many things are standardized by the W3C that
are a poor fit for browsers. What gets impleme
FIDO has now submitted the U2F Web API to the W3C[1]. I know this only
makes it a *proposed* standard, but I would hope having it on this track
would be enough to bump it up a bit in Mozilla's priorities. Maybe a
Mozillian could drop in and give us an explanation of how the W3C
process influences w
On 11/28/15 2:06 AM, Gavin Sharp wrote:
The assumption that the validator must catch all malicious code for add-on signing to be
beneficial is incorrect, and seems to be what's fueling most of this thread. Validation
being a prerequisite for automatic signing is not primarily a security measure