Benjamin Smedberg wrote: > Gervase Markham wrote: > >> This seems like the right solution to me. In fact, I had assumed it was >> already the case, and that we were trying to solve the other half of the >> problem. > > We already support hashes specified by the upate.rdf for the XPI, and AMO > uses this to serve the XPIs over http. However, the issue at hand is when > the extension has nothing to do with AMO, and serves the update.rdf over > HTTP or the XPI over HTTP without specifying a hash. > > --BDS
Indeed, the issue is with add-on authors who do not want to host on AMO (for a variety of quite valid reasons). A compromise allowing authors to host their xpis on their own sites but the update.rdf on AMO or some other Mozilla provided secure site might be a potential solution, but I think even this is not ideal from both author's and Mozilla's point of view. Dave _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
