LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

GNOME shell extension security

GNOME shell extension security

Posted Sep 22, 2011 17:24 UTC (Thu) by otaylor (subscriber, #4190)
Parent article: Managing GNOME shell extensions

I think my opinion about extension signatures got a little confused here "Owen Taylor's preferred plan involves two signatures: one from each reviewer, and a separate one from the site — although he noted that the manual steps could constitute a weak spot." but if you read the mail that is linked to, you'll see that two-signature plan was just a thought experiment about ways we could use signatures that actually enhanced security beyond our current plans. And one that I didn't consider immediately practical.

The current security plans consist of: a) lock the code that does installation of extensions to extensions.gnome.org b) use https to maintain the integrity of the connection between the client and extensions.gnome.org c) have a thorough review process for extensions hosted on extensions.gnome.org d) take appropriate measures for the security of the web site and of the machine it's running on. We'll certainly be evaluating ways of making things better as we go along.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds