desktop-packages team mailing list archive
Message #155666
[Bug 1532484] Re: Don't warn about unsigned extension installed via Debian packages
Why?
Firefox introduces Tivoization for all extensions (like ubufox) and does
not provide more security. Everyone who can write to
/usr/{lib,share}/mozilla/extensions can probably also modify the system
files of Firefox to introduce malicious code there.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1532484
Title:
Don't warn about unsigned extension installed via Debian packages
Status in firefox package in Ubuntu:
Opinion
Status in iceweasel package in Debian:
Unknown
Bug description:
"Mozilla is in the progress of requiring extensions to be signed, which I think is a good thing. However, for Debian packages we
already have it signed by the Developer uploading it, I see no need to have Mozilla also sign it. I suggest we don't warn / disable about extensions installed on the system, but do require the signature for those that are installed by browser itself." [1]
Shipping signed extensions in Debian packages is not an option, because
then we could only ship unmodified, pre-built extensions. That
contradicts the Debian Free Software Guidelines (DFSG) #3 and signed
extensions are not the preferred source for modification.
So, please allow unsigned extensions installed in the system
directory. Debian already applied a patch for it (see Debian bug
#800150). Everyone having write access to the system directory would
probably also have access to the files of Firefox and could tinker
with it.
The severity of this bug will rise when Mozilla rejects unsigned
extensions (planned for Firefox 44).
[1] https://bugs.debian.org/800150
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1532484/+subscriptions