Re: Extension security?
On Sat, Dec 17, 2011 at 01:36:28PM +0100, Pauli Virtanen wrote:
> 17.12.2011 03:04, Jasper St. Pierre kirjoitti:
> >If the website is hacked, the attacker has the GPG key anyway, so they
> >can sign a rogue extension. Unless I'm not understanding how the
> >website is supposed to automatically sign extensions after they've
> >been approved.
> 
> I don't understand where GPG comes into this discussion, if the
> Gnome shell client, which downloads and installs the extension does
> not check any signatures?

GPG: You brought up signatures.

GNOME shell checks the extensions.gnome.org certificate. If that website
is broken into, the certificate is pointless. As is any other signature
added by the website.

> The point with cryptographic signatures would be that the extensions
> would *not* be signed automatically on the machine where the web
> service runs. Rather, after review, an extensions.gnome.org
> maintainer (who might not be the same person as the reviewer) would
> use a different, non-public, machine where the private key is kept,
> and do the signing there. More work, yes, more secure, yes.

This is not what you initially suggested. What I commented on is that a
signature by itself on the website does not add much extra security.

What you're proposing now is something totally different than just a
signature.

> But it seems this was discussed previously, and Gnome shell authors
> decided not to do it this way (why?).

Because practically speaking it is a lot of hard work. Now suddenly
there has to be an entire infrastructure around handling signatures to
trust, revoking, authorizing, etc.

If you want to know why, I suggest reading the archives. Search for
messages by Owen Taylor. My memory is too vague, and why ask if you can
find the exact answers...
-- 
Regards,
Olav


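The difference Olav and Pauli are arguing about, in code. The following is an added example and is not GNOME Shell's or extensions.gnome.org's code: it assumes Ed25519 detached signatures (the thread talks about GPG, but the key-placement argument is the same), a public key pinned in the client, and made-up names (`hello@example.org`, the `ego-ext-v1` domain tag, the constructed extension payloads). `SignRelease` is the step Pauli wants run on a separate, non-public machine; `VerifyBundle` is the client check that would have to exist for such a signature to matter at all. The scenario shows what key separation buys when the website is broken into, and, by its absence, what it does not cover: the key rotation and revocation handling Olav points to is not in here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Bundle is what the distribution website hands out: the extension bytes
// plus a detached signature made on the offline signing machine.
type Bundle struct {
	Name      string
	Version   string
	Payload   []byte
	Signature []byte
}

// signingInput binds the extension name and version to the payload hash,
// so a signature for one release cannot be re-attached to another.
// The "ego-ext-v1" tag is an assumed, made-up domain separator.
func signingInput(name, version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte(fmt.Sprintf("ego-ext-v1\n%s\n%s\n%s\n",
		name, version, hex.EncodeToString(sum[:])))
}

// SignRelease is the step that runs on the offline machine holding the
// private key, after review. The web server never sees priv.
func SignRelease(priv ed25519.PrivateKey, name, version string, payload []byte) Bundle {
	return Bundle{
		Name:      name,
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signingInput(name, version, payload)),
	}
}

// VerifyBundle is the client-side check against a public key pinned in the
// client, independent of the website's TLS certificate.
func VerifyBundle(pub ed25519.PublicKey, b Bundle) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned public key has wrong size")
	}
	if len(b.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, signingInput(b.Name, b.Version, b.Payload), b.Signature) {
		return errors.New("signature does not verify against the pinned key")
	}
	return nil
}

// Outcome records whether each bundle variant was accepted by the client.
type Outcome struct {
	Genuine   bool // untouched bundle: should be accepted
	Tampered  bool // payload swapped on a compromised web server: should be rejected
	Resigned  bool // attacker re-signs with a key of their own: should be rejected
	Relabeled bool // valid signature served under another version: should be rejected
}

// RunScenario walks through one release and three things a compromised
// website could try. All inputs are constructed for the example.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // offline machine's key pair
	if err != nil {
		return Outcome{}, err
	}
	payload := []byte("const Main = imports.ui.main; function enable() {}") // constructed stand-in for extension.js
	genuine := SignRelease(priv, "hello@example.org", "3", payload)

	var o Outcome
	o.Genuine = VerifyBundle(pub, genuine) == nil

	// 1. Website compromise: the attacker replaces the payload but can only
	//    keep the old signature, because the private key is not on the server.
	tampered := genuine
	tampered.Payload = []byte("imports.gi.GLib.spawn_command_line_async('evil');") // constructed
	o.Tampered = VerifyBundle(pub, tampered) == nil

	// 2. The attacker signs the malicious payload with a key of their own;
	//    the client only trusts the pinned key.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	resigned := SignRelease(attackerPriv, tampered.Name, tampered.Version, tampered.Payload)
	o.Resigned = VerifyBundle(pub, resigned) == nil

	// 3. The genuine signature is served under a different version string.
	relabeled := genuine
	relabeled.Version = "4"
	o.Relabeled = VerifyBundle(pub, relabeled) == nil

	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

If the signing step were instead run automatically on the web server, `priv` would live next to the payloads and the first scenario would simply become a valid re-sign, which is Jasper's and Olav's point: a signature made by the website adds nothing once the website is the thing that was compromised.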