On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trmač wrote:
> or simply exempt signature checking if
> the extension is on disk. They should check on download only.
That would defeat the entire purpose; malware is very commonly sideloading extensions.
Malware can easily binary patch firefox to ignore verification, I do not
think trying to defeat sideloading with this kind of verification makes
much sense.
Of course you may decide to exempt only extensions in non-user-writable
locations, if you are on Linux and the Firefox binary is read-only for
the user.
Simo.
--
Simo Sorce * Red Hat, Inc * New York