Bug#800150: iceweasel: Don't warn about unsigned extension installed via Debian packages

Benjamin Drung bdrung at debian.org
Sun Nov 8 22:17:37 UTC 2015


reassign 804266 iceweasel 40.0-1
forcemerge 800150 804266
thanks

On Sun, 27 Sep 2015 14:01:08 +0200 Kurt Roeckx <kurt at roeckx.be> wrote:
> Mozilla is in the process of requiring extensions to be signed,
> which I think is a good thing.  However, for Debian packages we
> already have it signed by the Developer uploading it, I see no
> need to have Mozilla also sign it.  I suggest we don't warn /
> disable about extensions installed on the system, but do require
> the signature for those that are installed by the browser itself.
> 
> As I understand it, it's possible to have Mozilla's signature
> installed by the Debian package, and I guess it would be nice to
> have packages do that, but I see no need to require them to do
> that and most don't seem to do that even though the upstream
> version has been signed by Mozilla already.

Shipping signed extensions in Debian packages is not an option, because
then we could only ship unmodified, pre-built extensions. That
contradicts the Debian Free Software Guidelines (DFSG) #3 and signed
extensions are not the preferred source for modification.

So, please allow unsigned extensions installed in the system directory.
Everyone having write access to the system directory would probably
also have access to the files of Iceweasel and could tinker with it.

The severity of this bug will rise when Mozilla rejects unsigned
extensions (planned for Firefox 44).

-- 
Benjamin Drung
Debian & Ubuntu Developer


