On Wed, Aug 26, 2015 at 3:13 PM, Richard Z <rz(a)linux-m68k.org> wrote:
On Wed, Aug 26, 2015 at 03:12:25PM +0300, Alexander Ploumistos
wrote:
> Their FAQ is constantly updated:
>
>
https://wiki.mozilla.org/Addons/Extension_Signing#FAQ
>
> I'm not sure if there is a valid practical reason to refuse submitting the
> addons that we ship to their signing service or if it is against our
> policies; at least mozilla-https-everywhere has been signed.
that would work for Fedora - if it can be guaranteed that they sign new
versions quickly. Immagine if one of our plugins had a security hole and
mozilla would need days or weeks to sign it. As far as I can see Fedora
specific extensions would have to be listed which means they would go
through manual code review at mozilla.
> Mozilla states that they will be offering an unbranded binary (en_US only)
> for development and testing purposes.
For me this appears the only possibility and I suspect there are more
Fedora users like me maintaining their own Firefox extensions.
So will we get a firefox-unbranded package?
A better solution would be to add a mechanism that allows you to use
your own signing keys.
That way you have both 1) install self built extensions and 2) the
added security.