1203170 - redesign the distribution/ feature to support signing or search plugins with low startup impact

Status: RESOLVED WORKSFORME

(Firefox :: Search, defect, P4)

Description

[Florian Quèze [:florian]]

The current way search plugins can be changed using the distribution/ feature is too easy to hijack, we need to design something better that will require the engines to be signed (or somehow verified). This shouldn't negatively affect performance.

Comment 1

[:shell escalante]

putting low priority - but need to start with BD early and move up once impact/discussions have been had.  shell put on agenda for bi-weekly discussion.

Comment 2

[Mike Kaply [:mkaply]]

I've gone through the data, and we have very low cases of search engine hijacking via the distribution/searchplugins directory.

Access to that directory requires admin access and once the user has given that, anything in Firefox can be modified (including replacing omni.ja).

Comment 3

[:shell escalante]

Hi Florian,  Based on what Mike looked at - do we want to resolve this won't fix or just put as a P4.

Comment 4

[Florian Quèze [:florian]]

(In reply to :shell escalante from comment #3)
> Hi Florian,  Based on what Mike looked at - do we want to resolve this won't
> fix or just put as a P4.

Shell, the next step here is Mike and me discussing this in person in London. P4 is fine for now.

Comment 5

[Mark Banner (:standard8)]

Following on from the search configuration modernisation effort, we have now moved distribution handling into the central configuration, and the associated engines are shipped as app-provided engines.

As a result, we've also removed the old distribution loading functionality from the search service.