Re: Extension security?



On Sat, Dec 17, 2011 at 7:36 AM, Pauli Virtanen <pav iki fi> wrote:
> 17.12.2011 03:04, Jasper St. Pierre wrote:
>
>> If the website is hacked, the attacker has the GPG key anyway, so they
>> can sign a rogue extension. Unless I'm not understanding how the
>> website is supposed to automatically sign extensions after they've
>> been approved.
>
>
> I don't understand where GPG comes into this discussion, if the Gnome shell
> client, which downloads and installs the extension does not check any
> signatures?
>
> The point with cryptographic signatures would be that the extensions would
> *not* be signed automatically on the machine where the web service runs.
> Rather, after review, an extensions.gnome.org maintainer (who might not be
> the same person as the reviewer) would use a different, non-public, machine
> where the private key is kept, and do the signing there. More work, yes,
> more secure, yes.

Chances are, it would be me who would do this work. I do not trust
myself to keep a signature private.

> But it seems this was discussed previously, and Gnome shell authors decided
> not to do it this way (why?).
>
>
> --
> Pauli Virtanen



-- 
  Jasper
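For readers following the thread, here is what the two halves of the scheme Pauli describes look like in code: a signing step that runs only on the non-public machine holding the private key, and the client-side check that the shell would need to run before installing. This is an added illustration, not code from GNOME Shell or extensions.gnome.org; it uses Ed25519 instead of GPG, and the extension body is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed stand-in for the extension zip the client downloads.
var sampleExtension = []byte("metadata.json + extension.js (constructed sample)")

// SignExtension runs on the separate signing machine; the web service
// that serves extensions never holds the private key.
func SignExtension(priv ed25519.PrivateKey, ext []byte) []byte {
	return ed25519.Sign(priv, ext)
}

// VerifyExtension is the check the client would run before installing.
// The public key is pinned in the client; a missing, malformed or
// mismatching signature rejects the download.
func VerifyExtension(pub ed25519.PublicKey, ext, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned public key has wrong length")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature missing or malformed")
	}
	if !ed25519.Verify(pub, ext, sig) {
		return errors.New("signature does not match extension contents")
	}
	return nil
}

func main() {
	// Key generation happens once, offline; only pub ships in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := SignExtension(priv, sampleExtension)
	fmt.Println("genuine:", VerifyExtension(pub, sampleExtension, sig))

	// A compromised web server can swap the body but cannot re-sign it.
	tampered := append([]byte{}, sampleExtension...)
	tampered[0] ^= 0xff
	fmt.Println("tampered:", VerifyExtension(pub, tampered, sig))
	fmt.Println("unsigned:", VerifyExtension(pub, sampleExtension, nil))
}
```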