Benjamin Smedberg wrote:
> We already support hashes specified by the update.rdf for the XPI, and AMO
> uses this to serve the XPIs over http. However, the issue at hand is when
> the extension has nothing to do with AMO, and serves the update.rdf over
> HTTP or the XPI over HTTP without specifying a hash.

Well, the latter we can just forbid - i.e. refuse to download the update. There's no reason not to put the hash in the XPI. It doesn't cost anything to get hash-generating tools :-)

Let's look at scenarios here. Someone wants to make their extension available. They can either:

- Host it on a.m.o, for free, taking advantage of the security infrastructure and download bandwidth
- Host it themselves, and pay $40-$60 per year for a fixed IP and free/cheap SSL certificate, and some bandwidth to serve up the copies.

Who are we not serving here? If people don't want to pay any money to put out an addon, a.m.o. is there for them.

Why are we trying to solve this problem? Let's just make updates.rdf over HTTPS compulsory.

Gerv
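
The policy discussed in this thread, sketched as an added example (not part of the original message and not Mozilla's code): the manifest must arrive over HTTPS, an XPI served over plain HTTP is refused unless the manifest pins it with a hash, and the downloaded bytes are checked against that hash. The function names, the `<algorithm>:<hex>` hash format and the SHA-256/SHA-512 allow-list are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumption: the manifest carries the hash as "<algorithm>:<hex digest>".
ALLOWED_ALGORITHMS = {"sha256", "sha512"}


def parse_update_hash(update_hash):
    """Validate "<algorithm>:<hex>" and return (algorithm, digest bytes)."""
    algorithm, sep, hex_digest = (update_hash or "").partition(":")
    algorithm = algorithm.strip().lower()
    if not sep or algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("missing or unsupported update hash")
    digest = bytes.fromhex(hex_digest.strip())  # ValueError on bad hex
    if len(digest) != hashlib.new(algorithm).digest_size:
        raise ValueError("digest length does not match algorithm")
    return algorithm, digest


def update_allowed(manifest_url, xpi_url, update_hash):
    """Decide before downloading anything; returns (allowed, reason)."""
    # A hash is only as trustworthy as the channel that delivered it.
    if urlparse(manifest_url).scheme != "https":
        return False, "manifest not fetched over HTTPS"
    xpi_scheme = urlparse(xpi_url).scheme
    if xpi_scheme not in ("http", "https"):
        return False, "unsupported XPI scheme"
    if xpi_scheme == "https" and not update_hash:
        return True, "XPI over HTTPS"
    try:
        parse_update_hash(update_hash)
    except ValueError as exc:
        return False, str(exc)
    return True, "XPI pinned by hash"


def verify_xpi(xpi_bytes, update_hash):
    """Compare the downloaded bytes with the pinned digest in constant time."""
    algorithm, expected = parse_update_hash(update_hash)
    actual = hashlib.new(algorithm, xpi_bytes).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    xpi = b"constructed sample XPI bytes"  # constructed input, not a real add-on
    pinned = "sha256:" + hashlib.sha256(xpi).hexdigest()
    print(update_allowed("https://example.org/update.rdf", "http://example.org/a.xpi", pinned))
    print(update_allowed("https://example.org/update.rdf", "http://example.org/a.xpi", None))
    print(verify_xpi(xpi + b"tampered", pinned))
```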