Bug#800150: iceweasel: Don't warn about unsigned extension installed via Debian packages

Julien Aubin julien.aubin at gmail.com
Mon Nov 9 05:53:11 UTC 2015


Otherwise it would be possible to create packages that download the
extensions from Mozilla upon installation. This is the way the Flash Plugin
works (not a good example, but still possible).

Trusting any extension from the system directory would break the system,
and thus I suspect the patches to be quite difficult to maintain over time.

2015-11-08 23:17 GMT+01:00 Benjamin Drung <bdrung at debian.org>:

> reassign 804266 iceweasel 40.0-1
> forcemerge 800150 804266
> thanks
>
> On Sun, 27 Sep 2015 14:01:08 +0200 Kurt Roeckx <kurt at roeckx.be> wrote:
> > Mozilla is in the process of requiring extensions to be signed,
> > which I think is a good thing.  However, for Debian packages we
> > already have it signed by the Developer uploading it, I see no
> > need to have Mozilla also sign it.  I suggest we don't warn /
> > disable about extensions installed on the system, but do require
> > the signature for those that are installed by the browser itself.
> >
> > As I understand it, it's possible to have Mozilla's signature
> > installed by the Debian package, and I guess it would be nice to
> > have packages do that, but I see no need to require them to do
> > that and most don't seem to do that even though the upstream
> > version has been signed by Mozilla already.
>
> Shipping signed extensions in Debian packages is no option, because
> then we could only ship unmodified, pre-built extensions. That
> contradicts the Debian Free Software Guidelines (DFSG) #3 and signed
> extensions are not the preferred source for modification.
>
> So, please allow unsigned extensions installed in the system directory.
> Everyone having write access to the system directory would probably
> also have access to the files of Iceweasel and could tinker with it.
>
> The severity of this bug will rise when Mozilla rejects unsigned
> extensions (planned for Firefox 44).
>
> --
> Benjamin Drung
> Debian & Ubuntu Developer
>
>
>