Re: Extension security?

From: Pauli Virtanen <pav iki fi>
To: gnome-shell-list gnome org
Subject: Re: Extension security?
Date: Sat, 17 Dec 2011 13:36:28 +0100

17.12.2011 03:04, Jasper St. Pierre kirjoitti:

If the website is hacked, the attacker has the GPG key anyway, so they
can sign a rogue extension. Unless I'm not understanding how the
website is supposed to automatically sign extensions after they've
been approved.

I don't understand where GPG comes into this discussion, if the Gnomeshell client, which downloads and installs the extension does not checkany signatures?

The point with cryptographic signatures would be that the extensionswould *not* be signed automatically on the machine where the web serviceruns. Rather, after review, an extensions.gnome.org maintainer (whomight not be the same person as the reviewer) would use a different,non-public, machine where the private key is kept, and do the signingthere. More work, yes, more secure, yes.

But it seems this was discussed previously, and Gnome shell authorsdecided not to do it this way (why?).


--
Pauli Virtanen

Follow-Ups:
- Re: Extension security?
  - From: Olav Vitters
- Re: Extension security?
  - From: Jasper St. Pierre

References:
- RE: Extension security?
  - From: Jonathan Wilkes
- Re: Extension security?
  - From: Pauli Virtanen
- Re: Extension security?
  - From: Jonathan Wilkes
- Re: Extension security?
  - From: Olav Vitters
- Re: Extension security?
  - From: Pauli Virtanen
- Re: Extension security?
  - From: Jasper St. Pierre

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]