Talk:Extension Manager:Addon Update Security: Difference between revisions

From MozillaWiki
Revision as of 19:26, 5 July 2007

No more «version bumping» ?

What about already-existing extensions whose code (I'm talking of the fundamentals here, not about signing, hashing, or even "declared" version compatibility) happens to be already compatible with Fx3 / Tb3 / Sm2 / etc.? What about existing extensions, possibly tested with Minefield, which already declare themselves "compatible with Fx3" but include no crypto signature? What about the well-known practice of «version bumping» (unzip the xpi, change the maxVersion upwards, don't change anything else, rezip)? Tonymec 18:04, 1 July 2007 (PDT)

  • There should not be any add-ons already marking themselves as compatible with Firefox 3; if there are, then they are in error. It has always been the case that add-ons should not mark themselves as compatible with a version unless it has been tested on it (or at least an RC of it). If there are any such add-ons that don't meet the requirements for secure updates then they will likely be disabled. Mossop
  • I intend to work something out to allow some kind of version bumping to go on but the exact plans for this haven't been finalised Mossop

Non-conforming Add-ons

I understand why add-ons that provide update functionality must do so securely, but why does this proposal require that add-ons provide update functionality?--Np 17:31, 2 July 2007 (PDT)

  • There is no requirement that add-ons provide update functionality, only that if they do so, it is secure. If no updateURL is specified in the add-on's install.rdf then the add-on will install (since that makes it default to using AMO for updates, which already meets the criteria for secure updates). Mossop
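
The rule in the reply above (no updateURL means updates default to AMO and the add-on installs), as an added Python example that is not part of the original discussion or Mozilla's code. The https and updateKey criteria applied to a custom updateURL are assumptions taken from the Firefox 3 secure-update requirement rather than from this thread, and the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"
MANIFEST = "urn:mozilla:install-manifest"


def _prop(desc, name):
    """Read an em: property given as an attribute or as a child element."""
    val = desc.get(f"{{{EM}}}{name}")
    if val is None:
        child = desc.find(f"{{{EM}}}{name}")
        val = child.text if child is not None else None
    return val.strip() if val and val.strip() else None


def check_update_security(install_rdf):
    """Return (verdict, reason) for the update settings in an install.rdf."""
    root = ET.fromstring(install_rdf)
    for desc in root.iter(f"{{{RDF}}}Description"):
        # 'about' is usually unqualified; accept rdf:about as well.
        if MANIFEST in (desc.get("about"), desc.get(f"{{{RDF}}}about")):
            break
    else:
        raise ValueError("no install manifest resource found")
    url, key = _prop(desc, "updateURL"), _prop(desc, "updateKey")
    if url is None:
        return "conforming", "no updateURL, so updates default to AMO"
    if urlparse(url).scheme.lower() == "https":
        return "conforming", "custom updateURL served over https (assumed rule)"
    if key:
        return "conforming", "updateKey present to verify the manifest (assumed rule)"
    return "non-conforming", "custom updateURL with neither https nor updateKey"


def sample_manifest(extra=""):
    """Constructed install.rdf; the id and URLs are placeholders."""
    return f"""<?xml version="1.0"?>
<RDF xmlns="{RDF}" xmlns:em="{EM}">
  <Description about="{MANIFEST}">
    <em:id>sample@example.invalid</em:id>
    <em:version>1.0</em:version>{extra}
  </Description>
</RDF>"""


if __name__ == "__main__":
    for extra in ("", "<em:updateURL>http://updates.example.invalid/u.rdf</em:updateURL>"):
        print(check_update_security(sample_manifest(extra)))
```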