Otherwise it would be possible to create packages that download the extensions from Mozilla upon installation. This is the way the Flash Plugin works (not a good example, but still possible).
Trusting any extension from the system directory would break the system, and thus I suspect the patches to be quite difficult to maintain over time.

2015-11-08 23:17 GMT+01:00 Benjamin Drung <bdr...@debian.org>:
> reassign 804266 iceweasel 40.0-1
> forcemerge 800150 804266
> thanks
>
> On Sun, 27 Sep 2015 14:01:08 +0200 Kurt Roeckx <k...@roeckx.be> wrote:
> > Mozilla is in the process of requiring extensions to be signed,
> > which I think is a good thing. However, for Debian packages we
> > already have it signed by the Developer uploading it, I see no
> > need to have Mozilla also sign it. I suggest we don't warn /
> > disable about extensions installed on the system, but do require
> > the signature for those that are installed by the browser itself.
> >
> > As I understand it, it's possible to have Mozilla's signature
> > installed by the Debian package, and I guess it would be nice to
> > have packages do that, but I see no need to require them to do
> > that and most don't seem to do that even though the upstream
> > version has been signed by Mozilla already.
>
> Shipping signed extensions in Debian packages is not an option, because
> then we could only ship unmodified, pre-built extensions. That
> contradicts the Debian Free Software Guidelines (DFSG) #3 and signed
> extensions are not the preferred source for modification.
>
> So, please allow unsigned extensions installed in the system directory.
> Everyone having write access to the system directory would probably
> also have access to the files of Iceweasel and could tinker with it.
>
> The severity of this bug will rise when Mozilla rejects unsigned
> extensions (planned for Firefox 44).
>
> --
> Benjamin Drung
> Debian & Ubuntu Developer