[libvoikko] Mozvoikko needs to be signed and reviewed at addons.mozilla.org

Harri Pitkänen hatapitk at iki.fi
Tue Aug 18 22:10:04 EEST 2015 

Hi!

On Tuesday 18 August 2015 17:20:34 Timo Jyrinki wrote:
> Starting with Firefox 41, mozvoikko would need to be signed by the
> developer and reviewed at addons.mozilla.org. See downstream bug
> report: https://bugs.launchpad.net/ubuntu/+source/mozvoikko/+bug/1482219

Thanks for letting us know!

> Mozilla's instructions are at
> https://support.mozilla.org/fi/kb/add-on-signing-in-firefox
> 
> Another extension http://pad.lv/1482346 was reportedly already fixed
> "in the builds" (in a firefox-next package archive). When I asked
> Chris about the details on #ubuntu-devel, he had this to say:
> 
> 20150818|15:11 < chrisccoulson> the addon needs to be reviewed and
> signed by the addons.mozilla.org team. The developer needs to do that
> though
> 
> I didn't get a further reply though so I'm not sure if the new Firefox
> builds in Ubuntu then automatically allow any identical-to-addons.m.o
> extension when it has been signed on the addons site. But I don't see
> any indication that the downstream extension in question would have
> been modified, so maybe this is the case that signing at addons would
> only be needed.

I really don't know yet how this will work. In theory for signing to be 
effective the signature would need to cover at least all code used by the 
extension and perhaps other resources too. And the problem is that the 
extension at addons.m.o will never have the identical code: JavaScript might 
be the same but it calls native code that is platform dependent and cannot be 
the same on Windows and Linux. The native code can do anything so if the 
signature does not cover that it would defeat the purpose of signing.

Additionally there is one question and answer at 
https://wiki.mozilla.org/Addons/Extension_Signing that is understandable but 
perhaps a bit problematic for Linux distributions:

====

 * Will I need to sign the custom version of an existing add-on I created with 
my own code changes, locale additions, etc.?

   - If you use it on Release or Beta, yes. You will also need to change the 
add-on ID in order to submit it for signing.

====

Since Mozvoikko has already been submitted to addons.mozilla.org (by Marko 
Wallin) I understand that nobody else can get a signature for an extension 
with the same identifier. So if for example I would want to sign my own 
version of Mozvoikko I would need to change the identifier.

If this interpretation is correct we perhaps need to make the extension 
identifier easily configurable. This is not a difficult thing to do but I 
would first want to know if it is really needed. There is very little 
information available at the moment it seems.

Harri

More information about the Libvoikko mailing list