Re: Extension security?

On Sat, Dec 17, 2011 at 7:36 AM, Pauli Virtanen <pav iki fi> wrote:
> 17.12.2011 03:04, Jasper St. Pierre kirjoitti:
>> If the website is hacked, the attacker has the GPG key anyway, so they
>> can sign a rogue extension. Unless I'm not understanding how the
>> website is supposed to automatically sign extensions after they've
>> been approved.
> I don't understand where GPG comes into this discussion, if the Gnome shell
> client, which downloads and installs the extension does not check any
> signatures?
> The point with cryptographic signatures would be that the extensions would
> *not* be signed automatically on the machine where the web service runs.
> Rather, after review, an maintainer (who might not be
> the same person as the reviewer) would use a different, non-public, machine
> where the private key is kept, and do the signing there. More work, yes,
> more secure, yes.

Chances are, it would be me who would do this work. I do not trust
myself to keep a signature private.

> But it seems this was discussed previously, and Gnome shell authors decided
> not to do it this way (why?).
> --
> Pauli Virtanen
> _______________________________________________
> gnome-shell-list mailing list
> gnome-shell-list gnome org


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]