On Tue, Dec 15, 2020 at 11:45 PM Adam Williamson adamwill@fedoraproject.org wrote:
I wrote in the update that in my opinion the solution for this bug can't involve expecting add-ons to suddenly get re-signed en masse, or users to change their local configuration. It needs to keep working as it did before. If the policy is ahead of the real world, the policy needs to be loosened.
It was my (possibly failing) recollection that Mozilla has been signing add-ons with SHA2 (and SHA1 for compatibility) for a few years now. Is this just an issue because Mozilla has not re-signed existing add-ons (which, while obviously not something to be taken lightly, should at least theoretically be possible as a bulk re-signing, since they do control the primary distribution point(*), and would probably be a good thing to do to avoid needing to downgrade their security stance), or is Mozilla not signing with SHA2 as I thought?
(*) Yes, there are distribution points for add-ons other than Mozilla itself, and they, too, would need to consider such re-signing.
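The question above (does an installed add-on carry a SHA2 signature, or only SHA1?) can be answered per XPI by inspecting the signing files it ships in META-INF. The script below is an added example, not code from this thread or from Mozilla: it assumes the usual JAR-style layout (META-INF/manifest.mf, mozilla.sf, mozilla.rsa), lists the digest names used in the manifest and signature file, and scans the PKCS#7 blob for the DER-encoded SHA1/SHA256 algorithm OIDs as a heuristic (it does not verify the signature). The sample XPI it builds is constructed in memory with dummy digests.

```python
import io
import re
import zipfile

# DER-encoded OID TLVs (tag 0x06, length, contents) for the two digest
# algorithms of interest; found verbatim inside a PKCS#7 SignedData blob.
DER_OIDS = {
    "sha1": bytes.fromhex("06052b0e03021a"),          # 1.3.14.3.2.26
    "sha256": bytes.fromhex("0609608648016503040201"),  # 2.16.840.1.101.3.4.2.1
}
DIGEST_LINE = re.compile(r"^(SHA1|SHA256)-Digest(?:-Manifest)?:", re.M)


def digest_algorithms_in_xpi(xpi_bytes):
    """Report which digest algorithms the add-on's signing files reference."""
    report = {"manifest": set(), "signature_file": set(), "pkcs7": set()}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        names = set(zf.namelist())
        for member, key in (("META-INF/manifest.mf", "manifest"),
                            ("META-INF/mozilla.sf", "signature_file")):
            if member in names:
                text = zf.read(member).decode("utf-8", "replace")
                report[key].update(m.group(1).lower() for m in DIGEST_LINE.finditer(text))
        if "META-INF/mozilla.rsa" in names:
            der = zf.read("META-INF/mozilla.rsa")
            report["pkcs7"].update(n for n, oid in DER_OIDS.items() if oid in der)
    return report


def would_break_under_policy(report, allowed=("sha256",)):
    """True if the PKCS#7 signature names no digest the local policy still allows."""
    return bool(report["pkcs7"]) and not report["pkcs7"].intersection(allowed)


def build_sample_xpi(pkcs7_blob):
    """Constructed sample XPI (not a real signed add-on): digests are dummies."""
    manifest = ("Manifest-Version: 1.0\n\nName: manifest.json\n"
                "Digest-Algorithms: SHA1 SHA256\n"
                "SHA1-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
                "SHA256-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n")
    sig_file = ("Signature-Version: 1.0\n"
                "SHA1-Digest-Manifest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
                "SHA256-Digest-Manifest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample"}')
        zf.writestr("META-INF/manifest.mf", manifest)
        zf.writestr("META-INF/mozilla.sf", sig_file)
        zf.writestr("META-INF/mozilla.rsa", pkcs7_blob)  # fake blob, only OIDs matter here
    return buf.getvalue()
```

Run it over a real add-on's .xpi and an empty `pkcs7` set means the file is unsigned or uses a layout this heuristic does not recognise, which is a different finding from "SHA1 only".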