Bug#763520: Including LibreJS add-on as proposed by GNU and Free Software Foundation in later Iceweasel Versions

Tomasz Nitecki tnnn at tnnn.pl
Wed Oct 1 22:54:59 UTC 2014


Hey,

On 01/10/14 04:35, Lakshmikanth Kammath b wrote:
> I visited ftp://ftp.gnu.org/gnu/librejs/. But when I try to install
> librejs-5.4.1.xpi as suggested by you, a window pops up warning the
> Author not verified. Just being a novice user, I have 2 basic questions
> in my mind.

Ok, there are two separate issues here. One is package verification, the
other is package source verification.

Iceweasel add-ons can be 'signed' just as any computer code can be [1].
Long story short, by verifying the signature you are making sure that you
are using a package that was not modified by anyone other than the
author. Your Iceweasel is complaining about it ('Author not verified')
because it cannot verify this signature. Most likely, the LibreJS author
simply didn't sign his add-on in a way that would work with the Iceweasel
verification mechanism [2]. To be honest, many packages aren't signed
this way. However, the LibreJS author did sign his add-on by using GnuPG [3]
(signature file; you will need both this file and the original .xpi
file). You can use that .sig file to manually verify the add-on. Some
pointers on how to do it can be found here [4]. That was the package
verification part.

[1] https://en.wikipedia.org/wiki/Code_signing
[2] https://developer.mozilla.org/en/docs/Signing_a_XPI
[3] ftp://ftp.gnu.org/gnu/librejs/librejs-5.4.1.xpi.sig
[4] http://sparewotw.wordpress.com/2012/10/31/how-to-verify-signature-using-sig-file/


> 1. I know that the "https://" string in address bar verifies a web URL
>    is secure.
>    How will I verify/type a secure FTP server address? Does something
>    like a validation certificate exist for a secure FTP connection?

That is the source verification part. 'https://' confirms that you are
connecting to the server you were supposed to and that your
communication can't be eavesdropped. In the case of simple FTP it is not
easily possible. If you trust the author's key and you successfully
verified the package signature, the add-on source doesn't really matter that
much (at least when it comes to add-on integrity).

You can also download the LibreJS add-on from the official Mozilla site. It
has a valid SSL certificate so you will download it from an 'https://'
site. Just go to [5] and select 'Add to Firefox' (Version 5.4.1).

[5] https://addons.mozilla.org/en-US/firefox/addon/librejs/versions/



> 2. Are files with .xpi format treated in the same way as generic Iceweasel
>     add-ons? Are they removable?

Yes. Those files are, in fact, generic Iceweasel/Firefox add-ons (zipped
packages to be exact). If you install a new add-on through any web page
(like the official Mozilla add-on site [6]), you are just downloading and
opening an .xpi file in a browser. You can read a little more about it here
[7].

And yes, you can easily remove them, just as you would remove any other
Iceweasel/Firefox add-on.

[6] https://addons.mozilla.org
[7] https://developer.mozilla.org/en/docs/XPI


Regards,
T.
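
The manual check described in the message above, as an added example that is not part of the original post: a shell function that verifies a detached GnuPG signature (such as librejs-5.4.1.xpi.sig) against its file and, optionally, pins the signer's fingerprint. The function name `verify_detached` and its `EXPECTED_FPR` argument are hypothetical; it assumes GnuPG 2.x is installed and the signer's public key is already in your keyring.

```bash
#!/usr/bin/env bash
# Added example (not from the original post).
# usage: verify_detached SIG FILE [EXPECTED_FPR]
#   e.g. verify_detached librejs-5.4.1.xpi.sig librejs-5.4.1.xpi
# EXPECTED_FPR is a hypothetical optional argument: the signer's key
# fingerprint, obtained through a channel you trust.
verify_detached() {
    local sig="$1" file="$2" want="${3:-}" status fpr
    if [ ! -r "$sig" ] || [ ! -r "$file" ]; then
        echo "cannot read signature or file" >&2
        return 2
    fi
    # --status-fd 1 prints stable, machine-readable "[GNUPG:]" lines.
    # gpg exits non-zero for a bad signature or a missing public key.
    if ! status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null); then
        echo "FAIL: signature did not verify" >&2
        return 1
    fi
    # GOODSIG: the signature is good and the key is not expired or revoked.
    if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        echo "FAIL: no GOODSIG status from gpg" >&2
        return 1
    fi
    # VALIDSIG carries fingerprints; its last field is the primary key's.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    if [ -z "$fpr" ]; then
        echo "FAIL: no VALIDSIG status from gpg" >&2
        return 1
    fi
    if [ -n "$want" ]; then
        # Accept fingerprints typed with spaces or in lower case.
        want=$(printf '%s' "$want" | tr -d ' ' | tr 'a-f' 'A-F')
        if [ "$fpr" != "$want" ]; then
            echo "FAIL: signed by $fpr, expected $want" >&2
            return 1
        fi
    fi
    echo "OK: $file signed by $fpr"
}
```

Without a pinned fingerprint, a pass only means the file matches a signature from some key in your keyring, so the integrity guarantee is as strong as your trust in that key.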
