
Easy solution

Posted Dec 24, 2015 10:18 UTC (Thu) by mokki (subscriber, #33200)
Parent article: Iceweasel for Fedora?

Fedora creates a new signing key and signs all official Fedora-built extensions with it.

Mozilla approves a change to Firefox to load public verification keys from a build-time-configured directory.

Result: all Fedora-built extensions work, and users can install their own keys without modifying Firefox.

As an extra: if the addons public key is also in that directory, users/organizations can remove that trust if they want to.



Easy solution

Posted Dec 24, 2015 13:12 UTC (Thu) by alankila (guest, #47141) [Link] (4 responses)

Result 2: Any malware-containing packages can also be signed with Fedora's key and loaded into Firefox processes on Fedora systems without complaint. It is necessary to provide these keys to everybody as part of the freedoms given to users of free software.

Easy solution

Posted Dec 24, 2015 14:24 UTC (Thu) by javispedro (guest, #83660) [Link] (1 responses)

This is yet another common GPLv3 misunderstanding (it's in the FAQ, IIRC, even).

If you allow for a way to load your own keys on the system and binaries loaded using these keys have the same privileges as binaries loaded using the Fedora key, then you do not need to distribute the Fedora private key.

But Firefox, currently, violates even that.

"[...] authorization keys, or other information required to install and execute modified versions [...]. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made."

Easy solution

Posted Dec 24, 2015 16:08 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

You can modify Firefox to replace the keys, so there's no conflict here.

Easy solution

Posted Dec 24, 2015 16:11 UTC (Thu) by mokki (subscriber, #33200) [Link]

I do not think the keys used to sign Fedora rpms are public. As you said, that would remove the security.

Easy solution

Posted Jan 5, 2016 0:03 UTC (Tue) by davidstrauss (guest, #85867) [Link]

> Any malware-containing packages can also be signed with Fedora's key and loaded into Firefox processes on Fedora systems without complaint.

If you have Fedora's signing key, it's possible to compromise Fedora-based systems without any involvement by Firefox.

> It is necessary to provide these keys to everybody as part of the freedoms given to users of free software.

That is not the case.

Easy solution

Posted Dec 25, 2015 9:34 UTC (Fri) by tzafrir (subscriber, #11501) [Link] (1 responses)

Almost. Not good enough for my use-case (I use Debian and not Fedora, but anyway) - I'd like to deploy a locally-built extension.

* Currently: works well.
* After the Mozilla "fixes" - it's impossible.
* With your suggestion: possible, but requires me to maintain a locally-built Firefox/Iceweasel package.

Easy solution

Posted Dec 30, 2015 13:10 UTC (Wed) by tao (subscriber, #17563) [Link]

The Debian version of Firefox (Iceweasel) v43 has already been patched to disable signing for locally installed extensions.

See bugs #808228 and #800150.

