On Tue, Dec 15, 2020 at 11:45 PM Adam Williamson
<adamwill(a)fedoraproject.org> wrote:
> I wrote in the update that in my opinion the solution for this bug
> can't involve expecting add-ons to suddenly get re-signed en masse, or
> users to change their local configuration. It needs to keep working as
> it did before. If the policy is ahead of the real world, the policy
> needs to be loosened.

It was my (possibly failing) recollection that Mozilla
has been signing add-ons with SHA2 (and SHA1
for compatibility) for a few years now. Is this just
an issue because Mozilla has not re-signed existing
add-ons (which, while it is obviously not something to
be taken lightly, because they do control the primary
distribution point(*), should be at least theoretically
possible to do a bulk re-signing, and probably a
good thing to do to avoid needing to downgrade
their security stance), or is Mozilla not signing
with SHA2 as I thought?
(*) Yes, there are other distribution points for
add-ons other than Mozilla itself, and they, too,
would need to consider such re-signing.