There can be alternative authorities, and you could opt to choose them
instead. It's really a question of having the option of not relying on
Mozilla's decisions. It's not a choice of either each individual's
own keys or the "original authority who's the one true authority."
Self-signing means cho
On Friday, 28 August 2015 at 11:24, Martin Stransky wrote:
> On 08/28/2015 11:00 AM, Alexander Ploumistos wrote:
> >On Fri, Aug 28, 2015 at 10:18 AM, Martin Stransky
> >wrote:
> >>Can we ship addons which are already signed by Mozilla? Or does Fedora
> >>packager modify them somehow?
> >
> >It se
On Fri, 28 Aug, 2015 at 09:34:14 GMT, Alexander Ploumistos wrote:
> On Fri, Aug 28, 2015 at 12:24 PM, Martin Stransky wrote:
>> Thanks for the info. Actually is there any reason why Fedora packager would
>> need to modify the original extension?
>
>
> That depends on the extension and its particul
On Fri, Aug 28, 2015 at 12:18 AM, Martin Stransky wrote:
> On 08/27/2015 04:40 PM, Alexander Ploumistos wrote:
>>
>> Aren't the addons that we ship in fedora a bunch of text files zipped
>> in an xpi archive? It is kind of awkward to send them back and forth,
>> but if there are no other binaries,
On Friday, August 28, 2015 01:43:08 PM Reindl Harald wrote:
> Am 28.08.2015 um 13:39 schrieb Emmanuel Seyman:
> > * Martin Stransky [28/08/2015 12:21] :
> >> On 08/28/2015 11:40 AM, Emmanuel Seyman wrote:
> >>> * Martin Stransky [28/08/2015 11:24] :
> Thanks for the info. Actually is there any
Am 28.08.2015 um 13:39 schrieb Emmanuel Seyman:
* Martin Stransky [28/08/2015 12:21] :
On 08/28/2015 11:40 AM, Emmanuel Seyman wrote:
* Martin Stransky [28/08/2015 11:24] :
Thanks for the info. Actually is there any reason why Fedora packager would
need to modify the original extension?
I
* Martin Stransky [28/08/2015 12:21] :
>
> On 08/28/2015 11:40 AM, Emmanuel Seyman wrote:
> >* Martin Stransky [28/08/2015 11:24] :
> >>
> >>Thanks for the info. Actually is there any reason why Fedora packager would
> >>need to modify the original extension?
> >
> >If there is a security issue wit
Martin Stransky wrote:
> On 08/28/2015 11:34 AM, Alexander Ploumistos wrote:
> > adblock plus [...] allows
> > certain ads from certain companies [...]
> > This patch blocks those ads as well:
> > http://pkgs.fedoraproject.org/cgit/mozilla-adblockplus.git/tree/disable-safeads.patch
> > I didn't ca
On 08/28/2015 11:34 AM, Alexander Ploumistos wrote:
On Fri, Aug 28, 2015 at 12:24 PM, Martin Stransky wrote:
Thanks for the info. Actually is there any reason why Fedora packager would
need to modify the original extension?
That depends on the extension and its particulars. For example,
adbl
On 08/28/2015 11:40 AM, Emmanuel Seyman wrote:
* Martin Stransky [28/08/2015 11:24] :
Thanks for the info. Actually is there any reason why Fedora packager would
need to modify the original extension?
If there is a security issue with an extension, the packager might well
want to distribute a
* Martin Stransky [28/08/2015 11:24] :
>
> Thanks for the info. Actually is there any reason why Fedora packager would
> need to modify the original extension?
If there is a security issue with an extension, the packager might well
want to distribute a patched version while waiting for a new relea
On Fri, Aug 28, 2015 at 12:24 PM, Martin Stransky wrote:
> Thanks for the info. Actually is there any reason why Fedora packager would
> need to modify the original extension?
That depends on the extension and its particulars. For example,
adblock plus has an extortion-like scheme in place and i
On 08/28/2015 11:00 AM, Alexander Ploumistos wrote:
On Fri, Aug 28, 2015 at 10:18 AM, Martin Stransky wrote:
Can we ship addons which are already signed by Mozilla? Or does Fedora
packager modify them somehow?
It seems that even when the source is an xpi file, rpm treats it like
any other sou
On Fri, Aug 28, 2015 at 10:18 AM, Martin Stransky wrote:
> Can we ship addons which are already signed by Mozilla? Or does Fedora
> packager modify them somehow?
It seems that even when the source is an xpi file, rpm treats it like
any other source package and its contents can be patched. I don't
Dennis Gilmore wrote:
> It sounds like the path mozilla is taking will likely prevent us
> shipping addons in Fedora. That of course is their right to pursue
> that.
As far as I can find out there are no plans to enforce this centralized
signing in Seamonkey, and I suppose the Icecat folks are fr
On 08/27/2015 04:40 PM, Alexander Ploumistos wrote:
Aren't the addons that we ship in fedora a bunch of text files zipped
in an xpi archive? It is kind of awkward to send them back and forth,
but if there are no other binaries, does it go against a particular
policy?
Or we could decide that we t
On Thursday, August 27, 2015 05:40:18 PM Alexander Ploumistos wrote:
> On Thu, Aug 27, 2015 at 5:09 PM, Dennis Gilmore wrote:
> > We have no real practical way to do this other than package up the addon
> > and build it as a -unsigned package, then making a separate package that
> > has the precom
On Thu, Aug 27, 2015 at 5:09 PM, Dennis Gilmore wrote:
> We have no real practical way to do this other than package up the addon and
> build it as a -unsigned package, then making a separate package that has the
> precompiled binary and signed by mozilla and put into the add on package.
Aren't t
On 27 August 2015 at 08:26, Zdenek Kabelac wrote:
> Dne 27.8.2015 v 16:09 Dennis Gilmore napsal(a):
>>
>> On Wednesday, August 26, 2015 03:13:08 PM Richard Z wrote:
>>>
>>> On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
Their FAQ is constantly updated:
ht
Am 27.08.2015 um 16:26 schrieb Zdenek Kabelac:
Chrome is not an option for me - it eats even more RAM and slows my
machine even more than FF.
So what are the options - if the person wants to view Web with all modern
technologies being supported ?
simple answer: there is no option, we are in th
Dne 27.8.2015 v 16:09 Dennis Gilmore napsal(a):
On Wednesday, August 26, 2015 03:13:08 PM Richard Z wrote:
On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
Their FAQ is constantly updated:
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
I'm not sure if there is a va
On Wednesday, August 26, 2015 03:13:08 PM Richard Z wrote:
> On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
> > Their FAQ is constantly updated:
> >
> > https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
> >
> > I'm not sure if there is a valid practical reason to refuse
On Wed, Feb 11, 2015 at 10:30:11PM -0600, Michael Cronenworth wrote:
> I'm sure those that need to know, know, but for those that haven't heard[1]
> Mozilla's official Firefox build will enforce addons to contain a Mozilla
> signature without any runtime option to disable the check.
>
> Initially
On Thu, Aug 27, 2015 at 02:28:48AM +0200, Reindl Harald wrote:
>
> Am 27.08.2015 um 02:21 schrieb Solomon Peachy:
> >On Wed, Aug 26, 2015 at 05:53:36PM +0200, drago01 wrote:
> >>A better solution would be to add a mechanism that allows you to use
> >>your own signing keys.
> >>That way you have bo
Am 27.08.2015 um 02:21 schrieb Solomon Peachy:
On Wed, Aug 26, 2015 at 05:53:36PM +0200, drago01 wrote:
A better solution would be to add a mechanism that allows you to use
your own signing keys.
That way you have both 1) install self built extensions and 2) the
added security.
..and (3) a wa
On Wed, Aug 26, 2015 at 05:53:36PM +0200, drago01 wrote:
> A better solution would be to add a mechanism that allows you to use
> your own signing keys.
> That way you have both 1) install self built extensions and 2) the
> added security.
..and (3) a way for malware to install its own key, render
On Wed, Aug 26, 2015 at 05:53:36PM +0200, drago01 wrote:
> On Wed, Aug 26, 2015 at 3:13 PM, Richard Z wrote:
> > On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
> >> Their FAQ is constantly updated:
> >>
> >> https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
> >>
> >> I'm
On Wed, Aug 26, 2015 at 3:13 PM, Richard Z wrote:
> On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
>> Their FAQ is constantly updated:
>>
>> https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
>>
>> I'm not sure if there is a valid practical reason to refuse submitting the
On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos wrote:
> Their FAQ is constantly updated:
>
> https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
>
> I'm not sure if there is a valid practical reason to refuse submitting the
> addons that we ship to their signing service or if it
Dne 26.8.2015 v 14:12 Alexander Ploumistos napsal(a):
> Their FAQ is constantly updated:
>
> https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
>
> I'm not sure if there is a valid practical reason to refuse submitting
> the addons that we ship to their signing service or if it is against
> our
Their FAQ is constantly updated:
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
I'm not sure if there is a valid practical reason to refuse submitting the
addons that we ship to their signing service or if it is against our
policies; at least mozilla-https-everywhere has been signed.
Mozi
On Thu, Feb 12, 2015 at 07:07:34PM +0100, Reindl Harald wrote:
>
> Am 12.02.2015 um 18:53 schrieb Simo Sorce:
> >>Maybe it is only about preventing people from bundling the official
> >>Firefox version with dodgy add-ons. Not downright malware, but things
> >>users may not actually want without r
Nikos Roussos wrote:
> If the only way is to completely disable this feature, I'd prefer we
> don't.
> I wouldn't like for us to ship a less secure build of Firefox.
After Restricted Boot, now Restricted Browser? No thanks! This "feature"
needs to be disabled no matter whether it affects our pack
Am 12.02.2015 um 18:53 schrieb Simo Sorce:
Maybe it is only about preventing people from bundling the official
Firefox version with dodgy add-ons. Not downright malware, but things
users may not actually want without realizing it. The signature
checking means that those who prepare the downloa
On Thu, 2015-02-12 at 18:19 +0100, Florian Weimer wrote:
> On 02/12/2015 04:53 PM, Simo Sorce wrote:
> > On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trmač wrote:
> >>> or simply exempt signature checking if
> >>> the extension is on disk. They should check on download only.
> >>
> >> That would def
On 02/12/2015 04:53 PM, Simo Sorce wrote:
> On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trmač wrote:
>>> or simply exempt signature checking if
>>> the extension is on disk. They should check on download only.
>>
>> That would defeat the entire purpose; malware is very commonly sideloading
>> exte
On Thu, Feb 12, 2015 at 9:53 AM, Simo Sorce wrote:
Malware can easily binary patch firefox to ignore verification, I do not
think trying to defeat sideloading with this kind of verification makes
much sense.
And if you've already installed malware on your computer, don't
you kind of ha
On Thu, Feb 12, 2015 at 09:54:16AM -0500, Miloslav Trmač wrote:
> > or simply exempt signature checking if
> > the extension is on disk. They should check on download only.
>
> That would defeat the entire purpose; malware is very commonly
> sideloading extensions.
If we only exempt extensions in
On 12/02/15 16:53, Simo Sorce wrote:
Malware can easily binary patch firefox to ignore verification, I do not
think trying to defeat sideloading with this kind of verification makes
much sense.
Of course you may decide to exempt only extensions in non-user-writable
locations, if you are on Linux
On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trmač wrote:
> > or simply exempt signature checking if
> > the extension is on disk. They should check on download only.
>
> That would defeat the entire purpose; malware is very commonly sideloading
> extensions.
Malware can easily binary patch firef
> or simply exempt signature checking if
> the extension is on disk. They should check on download only.
That would defeat the entire purpose; malware is very commonly sideloading
extensions.
Mirek
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/li
On Thu, 2015-02-12 at 09:16 -0500, Miloslav Trmač wrote:
> > On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> > > A better way would be to add a "Fedora Signature" in addition to
> > > mozilla's and use that for packaged extensions.
> > > But that would require work on the build system (k
> On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> > A better way would be to add a "Fedora Signature" in addition to
> > mozilla's and use that for packaged extensions.
> > But that would require work on the build system (koji) side.
>
> The RPMs deploying the packaged extension are alr
On Thu, Feb 12, 2015 at 1:53 PM, Daniel P. Berrange wrote:
> On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
>> On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
>> wrote:
>> > On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth
>> > wrote:
>> >
>> > I'm sure those that need to know, kno
On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
> wrote:
> > On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth
> > wrote:
> >
> > I'm sure those that need to know, know, but for those that haven't heard[1]
> > Mozilla's official Firefo
On 02/12/2015 11:15 AM, Nikos Roussos wrote:
> On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth
> wrote:
>> Is Fedora going to get authorization to build Firefox with a runtime
>> disable option?
>
> If the only way is to completely disable this feature, I'd prefer we don't.
> I wouldn't like
On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
wrote:
> On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth
> wrote:
>
> I'm sure those that need to know, know, but for those that haven't heard[1]
> Mozilla's official Firefox build will enforce addons to contain a Mozilla
> signature without an
On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth
wrote:
I'm sure those that need to know, know, but for those that haven't heard[1]
Mozilla's official Firefox build will enforce addons to contain a Mozilla signature
without any runtime option to disable the check.
Initially this prevents
I'm sure those that need to know, know, but for those that haven't heard[1]
Mozilla's official Firefox build will enforce addons to contain a Mozilla signature
without any runtime option to disable the check.
Initially this prevents Fedora packaged addons since they are unsigned. The Mozilla
s
49 matches