Re: Notes on extensions.gnome.org security
- From: Stef Walter <stefw collabora co uk>
- To: "Jasper St. Pierre" <jstpierre mecheye net>, Owen Taylor <otaylor redhat com>
- Cc: gnome-shell-list gnome org, desktop-devel-list gnome org
- Subject: Re: Notes on extensions.gnome.org security
- Date: Thu, 01 Sep 2011 07:34:06 +0200
On 08/31/2011 11:16 PM, Jasper St. Pierre wrote:
> Right now you pass the plugin a URL to a "manifest file", so it's not
> hardcoded to seek out the URL based on extensions.gnome.org. The idea
> here was that if we needed to offload the servers with the extension
> data to a CDN, we wouldn't have to make the users upgrade their
> distributions.

It seems to me either you have to:

a) limit extensions from downloading from a known encrypted source
   (extensions.gnome.org). This precludes putting parts of the
   extension on other locations like a CDN.

b) cryptographically sign the extensions (and all data), this allows
   you to place the extension and its parts on CDNs.

As Alan brought up, option b with keys not directly located on
extensions.gnome.org also has a good security story when it comes to
hacks on the web server.

Cheers,
Stef
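
Option b from the message above, sketched as an added example; it is not code from extensions.gnome.org or from anyone in the thread. The JSON manifest layout, the choice of Ed25519 and SHA-256, and every name (`Manifest`, `SignManifest`, `VerifyBundle`, `demo@example.com`) are assumptions made for illustration: the client pins one public key, and the manifest, its signature and the extension files can then come from any mirror or CDN.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

type Manifest struct { // one extension: file name -> hex SHA-256 of its content
	UUID  string            `json:"uuid"`
	Files map[string]string `json:"files"`
}

func HashHex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// SignManifest runs offline, where the private key lives (not on the web server).
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte) {
	raw, _ = json.Marshal(m) // cannot fail for this struct
	return raw, ed25519.Sign(priv, raw)
}

// VerifyBundle is the client side: only the pinned key is trusted, all other inputs are untrusted.
func VerifyBundle(pinned ed25519.PublicKey, raw, sig []byte, fetched map[string][]byte) error {
	if !ed25519.Verify(pinned, raw, sig) { // check the exact bytes before parsing them
		return fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return err
	}
	if len(fetched) != len(m.Files) { // no unsigned extra files, none left out
		return fmt.Errorf("fetched file set differs from manifest")
	}
	for name, want := range m.Files {
		if data, ok := fetched[name]; !ok || HashHex(data) != want {
			return fmt.Errorf("file %q missing or modified", name)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	js := []byte("function init() {}")       // constructed file content
	raw, sig := SignManifest(priv, Manifest{"demo@example.com", map[string]string{"extension.js": HashHex(js)}})
	fmt.Println("clean:", VerifyBundle(pub, raw, sig, map[string][]byte{"extension.js": js}))
	fmt.Println("tampered:", VerifyBundle(pub, raw, sig, map[string][]byte{"extension.js": []byte("changed")}))
}
```

Because the signing key never has to be on the server that hosts the files, a modified file or manifest on that server fails verification on the client.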