Closed
Bug 275703
Opened 20 years ago
Closed 20 years ago
All extensions should be signed on Mozilla Update
Categories: addons.mozilla.org Graveyard :: Administration, defect
Tracking: Not tracked
Status: RESOLVED WONTFIX
Target Milestone: Future
People: Reporter: bugzilla, Assigned: Bugzilla-alanjstrBugs
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041116 Firefox/1.0 (Ubuntu) (Ubuntu package 1.0-2ubuntu3)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041116 Firefox/1.0 (Ubuntu) (Ubuntu package 1.0-2ubuntu3)

All extensions should be signed on update.mozilla.org to get posted there. If I install Firefox 1.0 I expect to install any extension without warnings from update.mozilla.org. This is not the case now.

Reproducible: Always

Steps to Reproduce:
1. Go to https://addons.update.mozilla.org/extensions/?application=firefox
2. Click FoxyTunes. Then install

Actual Results: You get a warning saying that this is an unsigned extension.

Expected Results: The extension should have been signed, leading to an install with no warnings.

Comment 1•20 years ago

Well, from an administrative view, I don't believe we have the documentation or the tools to enable authors to easily sign a mass number of installable extensions that exist now. Who would sign them? mozilla.org? Or random author? If it's random author, what difference does it make if they're signed or not? Being told who the author is by a signed XPI doesn't provide you any more information than the site does already. If you don't trust the add-on because it's unsigned, you're not much more likely to trust it if it's signed by an author you're not familiar with, which would be most. So if mozilla.org is supposed to sign it, this brings into question things like code review and quality standards. Do we have the manpower to code-review every extension we host, and does mozilla.org want to de-facto endorse them just for the sake of being signed? The concepts involved here, IMO, are quite a bit more involved than "they should be signed, reject all those that aren't". If I recall correctly, a signed extension won't bypass the warning dialogs. (Not that I've actually encountered one in the wild.) As that dialog would be informative in both cases. I'm not sure this isn't a bug to be wontfixed, simply because the benefits are outweighed by the politics and problems involved. Not saying it isn't valid. Though it's not something that can be done overnight; there are 275+ items in Update's repository that aren't signed, but have been accepted. Encouraging signing is probably something that can certainly be done, but w/o answers to some of the questions, I don't think Mozilla Update can enact a policy about signed or unsigned extensions and whether or not they should or shouldn't be allowed. Because I'm not sure what should be done with this bug, I'm also not confirming it.
Component: Listings → Administration
OS: Linux → All
Hardware: PC → All
Target Milestone: 1.0 → Future
Updated•20 years ago
Assignee: nobody → mitchell
Component: Administration → Miscellaneous
Product: Update → mozilla.org
QA Contact: mozilla.update → mitchell
Target Milestone: Future → ---
Version: unspecified → other
Comment 2•20 years ago

Moving bug to the mozilla.org --> Miscellaneous component, since this is about Mozilla.org organizational policy WRT one of its visitor-facing websites.
Summary: All extensions should be signed → All extensions should be signed on Mozilla Update
Comment 3 (Reporter)•20 years ago

Regarding comment #2: I agree with you that this is a complex issue. However, if it has not been thought through, why are signed extensions even supported? Why do I get a warning that the extension is unsigned and that I should not install software from sources that I do not trust? It is not something that can be done overnight, but it must have been an issue during the development of Firefox till today. I support that we make extensions something we can trust installing. Whether it is done by signing or any other means, let's do it.
Comment 4•20 years ago

I agree with the point about manpower -- but every time I see that warning I think "well, if I can't trust an extension from the mozilla site itself, where can I trust one?" It seems that this signing feature was developed without thinking of the backup it would require to actually run.
Updated•20 years ago
Component: Miscellaneous → Administration
Product: mozilla.org → Update
Target Milestone: --- → Future
Version: other → unspecified
Updated•20 years ago
Assignee: mitchell → Bugzilla-alanjstrBugs
QA Contact: mitchell → mozilla.update
addons.mozilla.org is the only site on the whitelist. The only reason I can think of for mozilla.org to sign a package is that we've audited the source. With more than 500 extensions with new addons or addon versions coming in daily, we'd want the signing to mean something. You're asking for an absolute and that can never happen. Perhaps you'd be interested in bug 276003.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard