On Tue, 2020-12-29 at 18:54 +0000, Gary Buhrmaster wrote:
On Tue, Dec 15, 2020 at 11:45 PM Adam Williamson
<adamwill(a)fedoraproject.org> wrote:
> I wrote in the update that in my opinion the solution for this bug
> can't involve expecting add-ons to suddenly get re-signed en masse, or
> users to change their local configuration. It needs to keep working as
> it did before. If the policy is ahead of the real world, the policy
> needs to be loosened.
It was my (possibly failing) recollection that Mozilla
has been signing add-ons with SHA2 (and SHA1
for compatibility) for a few years now. Is this just
an issue because Mozilla has not re-signed existing
add-ons (which while is obviously not something to
be taken lightly, because they do control the primary
distribution point(*) should be at least theoretically
possible to do a bulk re-signing, and probably a
good thing to do to avoid needing to downgrade
their security stance), or is Mozilla not signing
with SHA2 as I thought?
Well, installing uBlock Origin (which is a pretty frequently updated
addon) on a fresh VM fails, with the change. So I suspect it's the
latter.
--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net