[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-gnuzilla] Firefox add-on signature verification failure
|
From: |
bill-auger |
|
Subject: |
Re: [Bug-gnuzilla] Firefox add-on signature verification failure |
|
Date: |
Sat, 18 May 2019 00:16:11 -0400 |
On Fri, 17 May 2019 03:16:21 +0000 Vipul wrote:
> add-on signature verification is an important security feature?
that would be important if one installs add-ons that they
acquired from third-party sources; for example, the mozilla
website - however, installing third-party software onto a
GNU/Linux distro is very much discouraged - if verification is a
high priority, then one should install only software provided by
their distro using the distro package manager - the package
manager will ensure the packages have been signed by one of your
distro developers, who you already trust implicitly
this latest fisco should make it obvious to everyone why it is
undesirable to require a single third-party authority to govern
which software you can or cannot install - that authority belongs
to the user - that feature is most useful for users of operating
systems that do not package the browser or add-ons, in which
case, mozilla would be their only validation authority -
however, if the person did not validate the signature of the
installer that they used to install the browser, then there is
dubious value in trusting the browser to verify add-ons when the
browser itself was not verified
users of GNU/Linux distros do not have that problem - most
distros package the browsers and the most popular add-ons - it is
always best to trust your distro software only; and if you find
some interesting software out in the wild, to ask your distro to
build it from source and package it properly