> On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> > A better way would be to add a "Fedora Signature" in addition to
> > mozilla's and use that for packaged extensions.
> > But that would require work on the build system (koji) side.
>
> The RPMs deploying the packaged extension are already signed and those
> signatures are checked at time of package install. So it seems like
> firefox merely needs to be taught that the pre-packaged extensions
> deployed by RPM are pre-verified, so it can skip its verification
> for those, while still doing verification for stuff that is live
> downloaded.
Yes, that does seem like the most practical and reasonably secure way to
handle this; it might make Mozilla unhappy anyway.
Firefox is really doing this to fight malware that has probably actually
received (possibly unintended) permission from the user to install itself into
the system, which often includes getting Administrator rights. So, to mirror
that Mozilla intent exactly, even RPM-deployed extensions should require a
Mozilla signature.
OTOH, once you give malware root rights, it can in principle modify Firefox to
skip the check, so this is only a hurdle, not a reliable feature. Equally,
verifying the RPM extension contents against the RPM database and checking the
RPM signature would be useless because the malware can just add its key to the
keys RPM uses for verification.
The Mozilla blog also mentions some “third option” for “extensions that will
never be publicly distributed and will never leave an internal network”,
presumably bypassing the need to have them signed by Mozilla. Could that be
used by Fedora?
Mirek
--
devel mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
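The check sketched in the thread, as an added example (not Fedora, Mozilla or Firefox code): treat an extension directory as pre-verified only if the RPM that owns it is signed by a key pinned in the checker and `rpm -V` reports no content change under that directory. It assumes rpm's command-line output formats for `rpm -qf`, `rpm -V` and `--qf '%{SIGPGP:pgpsig}'`; the key ID in TRUSTED_KEY_IDS, the package name and the sample rpm output are constructed placeholders, not real Fedora keys or captured output.

```python
"""Treat an RPM-deployed Firefox extension as pre-verified only if the owning
package is intact and signed by a pinned key.

Added example, not Fedora or Mozilla code.  Assumes rpm's output formats for
`rpm -qf`, `rpm -V` and `--qf '%{SIGPGP:pgpsig}'`; the key ID in
TRUSTED_KEY_IDS and the sample output below are constructed placeholders.
"""
import re
import shutil
import subprocess
import sys

# Signing key IDs the checker trusts, pinned here on purpose: the rpm keyring
# (`rpm -q gpg-pubkey`) is writable by root, so an attacker who has already
# imported his own key would otherwise look trusted.  Placeholder value.
TRUSTED_KEY_IDS = {"0a1b2c3d4e5f6071"}

# rpm prints e.g. "RSA/SHA256, Thu 12 Feb 2015 ..., Key ID 0a1b2c3d4e5f6071"
# for a signed package and "(none)" for an unsigned one.
SIG_RE = re.compile(r"Key ID ([0-9a-f]{16})", re.IGNORECASE)

# `rpm -V` flags: S size, 5 digest, L symlink target mean the content differs;
# M/D/U/G/T/P (mode, device, owner, group, mtime, capabilities) do not.
CONTENT_FLAGS = set("S5L")


def signing_key_id(pgpsig):
    """Return the 64-bit key ID from a %{SIGPGP:pgpsig} string, or None if unsigned."""
    m = SIG_RE.search(pgpsig)
    return m.group(1).lower() if m else None


def parse_verify(output):
    """Map path -> attribute string ('..5....T.', 'missing', ...) from `rpm -V` output.

    Each line is: attrs, spaces, an optional file-type letter (c, d, g, l, r),
    then the path.  Paths containing whitespace are not handled.
    """
    changed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            changed[parts[-1]] = parts[0]
    return changed


def content_modified(attrs):
    """True if the file is missing or its content differs from the packaged copy."""
    return attrs == "missing" or any(c in CONTENT_FLAGS for c in attrs)


def assess(owner, pgpsig, verify_output, ext_dir):
    """Decide whether ext_dir may skip Firefox's own signature check.

    Returns (ok, reasons); ok is True only when the owning package is signed by
    a pinned key and no file under ext_dir has changed content.
    """
    if owner is None:
        return False, ["not owned by any package"]
    reasons = []
    key = signing_key_id(pgpsig)
    if key is None:
        reasons.append("package %s is unsigned" % owner)
    elif key not in TRUSTED_KEY_IDS:
        reasons.append("package %s signed by untrusted key %s" % (owner, key))
    prefix = ext_dir.rstrip("/") + "/"
    for path, attrs in parse_verify(verify_output).items():
        if path.startswith(prefix) and content_modified(attrs):
            reasons.append("%s: %s" % (path, attrs))
    return not reasons, reasons


def rpm(*args):
    """Run rpm and return stdout; the exit status is ignored on purpose, since
    `rpm -V` exits non-zero whenever anything differs and that is what we parse."""
    return subprocess.run(("rpm",) + args, capture_output=True, text=True).stdout


def check_installed(ext_dir):
    """Query the real rpm database for ext_dir; needs rpm on the host."""
    if shutil.which("rpm") is None:
        raise RuntimeError("rpm not installed")
    owner = rpm("-qf", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n", ext_dir).strip()
    if not owner or "not owned" in owner:
        return assess(None, "", "", ext_dir)
    pgpsig = rpm("-q", "--qf", "%{SIGPGP:pgpsig}\n", owner).strip()
    return assess(owner, pgpsig, rpm("-V", owner), ext_dir)


# Constructed sample rpm output for an offline run: one file with only an mtime
# change (fine), one with a digest change, one missing, one outside ext_dir.
SAMPLE_EXT = "/usr/lib64/firefox/browser/extensions/example@fedora"
SAMPLE_OWNER = "example-extension-1.0-1.fc21.noarch"
SAMPLE_PGPSIG = "RSA/SHA256, Thu 12 Feb 2015 10:02:11 AM CET, Key ID 0a1b2c3d4e5f6071"
SAMPLE_VERIFY = """\
.......T.    %s/install.rdf
..5....T.    %s/chrome.manifest
missing      %s/bootstrap.js
S.5....T.  c /etc/example-extension.conf
""" % (SAMPLE_EXT, SAMPLE_EXT, SAMPLE_EXT)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, why = check_installed(sys.argv[1])
    else:
        ok, why = assess(SAMPLE_OWNER, SAMPLE_PGPSIG, SAMPLE_VERIFY, SAMPLE_EXT)
    print("pre-verified" if ok else "not trusted: " + "; ".join(why))
```

Run it with no arguments to evaluate the constructed sample (which fails on the changed and missing files), or with an extension directory to query the host's rpm database. The allowlist lives in the checker rather than in the rpm keyring precisely because of the objection in the message: a root-level attacker can `rpm --import` his own key, so the keyring is not a trust anchor. As the message also notes, the same attacker can patch the checker or Firefox itself, so this raises the bar without being a reliable defence.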