[Project_owners] McCoy for extension signing
Michael Vincent van Rantwijk, MultiZilla
mv_van_rantwijk at yahoo.com
Wed Sep 19 06:49:41 PDT 2007
Nickolay Ponomarev wrote:
> On 9/19/07, Michael Vincent van Rantwijk, MultiZilla
> <mv_van_rantwijk at yahoo.com> wrote:
>> Nickolay Ponomarev wrote:
>>> On 9/19/07, Michael Vincent van Rantwijk, MultiZilla
>>> <mv_van_rantwijk at yahoo.com> wrote:
>>>> McCoy is a XULRunner application that enables you to update your software in a more secure
>>>> way, but the initial installation stays as is, and thus unprotected. In other words
>>>> we're not able to offer the same level of security (this compared with
>>>> a.m.o).
>>>>
>>> I'm sure this was mentioned in previous threads, but you can use
>>> InstallTrigger with a hash:
>>>
>>> http://developer.mozilla.org/en/docs/Installing_Extensions_and_Themes_From_Web_Pages#Hash
>>>
>>> Nickolay
>> Which is only used to prevent file corruption i.e. this hash is not
>> security related. Why else have a McCoy tool in the first place?
>>
> Let me check.. are you concerned about mozdev.org's own pages not
> being https? That's the only difference (that matters) from AMO I see.
>
> Nickolay
No, the problem is that the initial installation from mozdev.org is
insecure. Only the updates are secured, but even these are not 100%.
--
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member (ActiveState Training Partner)
- iPhone Application Developer