[arch-general] Firefox without signature checking
Kyle Terrien
kyleterrien at gmail.com
Sat Jan 2 23:26:59 UTC 2016
On 01/02/2016 02:50 PM, Doug Newgard wrote:
> On Sat, 2 Jan 2016 15:35:01 -0700
> Leonid Isaev <leonid.isaev at jila.colorado.edu> wrote:
>
>> On Sat, Jan 02, 2016 at 02:06:05PM -0800, Kyle Terrien wrote:
>>> Thank you! I was tempted to reopen it, but it looks like the general
>>> consensus is that an AUR package will be submitted.
>>
>> You can only request to reopen...
>
> And that request would be denied unless you can bring new info to the table. So
> far, I haven't seen any.
The new info I have is that Mozilla is creating a walled garden. There
is no way to override it besides rebuilding Firefox.
The Fedora bug report I pointed at earlier [0] compares this to package
signing in RPM (or in our case pacman). The difference with package
signing is that a user can add his own key and use that key to sign
packages. In Firefox 44, you can do no such thing. You are at
Mozilla's mercy.
And Mozilla's add-on checker isn't perfect either [1].
These two reasons are why I believe that Mozilla's signature policy is a
step in the wrong direction.
On the other hand, I fully understand why we would want to follow
upstream--less work for packaging and testing, as well as official
sanctioning via branding.
But I'm not affected much anyway because I'm on Pale Moon (using their
official builds).
--Kyle Terrien
[0] https://fedorahosted.org/fesco/ticket/1518
[1] http://danstillman.com/2015/11/23/firefox-extension-scanning-is-security-theater