[libvoikko] Mozvoikko needs to be signed and reviewed at addons.mozilla.org

Marko Wallin marko.wallin at iki.fi
Tue Aug 18 22:54:32 EEST 2015


On 18.8.2015 22.10, Harri Pitkänen wrote:
> Hi!
>
> On Tuesday 18 August 2015 17:20:34 Timo Jyrinki wrote:
>> Starting with Firefox 41, mozvoikko would need to be signed by the
>> developer and reviewed at addons.mozilla.org. See downstream bug
>> report: https://bugs.launchpad.net/ubuntu/+source/mozvoikko/+bug/1482219
>
> Thanks for letting us know!
>
>> Mozilla's instructions are at
>> https://support.mozilla.org/fi/kb/add-on-signing-in-firefox
>>
>> Another extension http://pad.lv/1482346 was reportedly already fixed
>> "in the builds" (in a firefox-next package archive). When I asked
>> Chris about the details on #ubuntu-devel, he had this to say:
>>
>> 20150818|15:11 < chrisccoulson> the addon needs to be reviewed and
>> signed by the addons.mozilla.org team. The developer needs to do that
>> though
>>
>> I didn't get a further reply though so I'm not sure if the new Firefox
>> builds in Ubuntu then automatically allow any identical-to-addons.m.o
>> extension when it has been signed on the addons site. But I don't see
>> any indication that the downstream extension in question would have
>> been modified, so maybe this is the case that signing at addons would
>> only be needed.
>
> I really don't know yet how this will work. In theory for signing to be
> effective the signature would need to cover at least all code used by the
> extension and perhaps other resources too. And the problem is that the
> extension at addons.m.o will never have the identical code: JavaScript might
> be the same but it calls native code that is platform dependent and cannot be
> the same on Windows and Linux. The native code can do anything so if the
> signature does not cover that it would defeat the purpose of signing.
>
> Additionally there is one question and answer at
> https://wiki.mozilla.org/Addons/Extension_Signing that is understandable but
> perhaps a bit problematic for Linux distributions:
>
> ====
>
>   * Will I need to sign the custom version of an existing add-on I created with
> my own code changes, locale additions, etc.?
>
>     - If you use it on Release or Beta, yes. You will also need to change the
> add-on ID in order to submit it for signing.
>
> ====
>
> Since Mozvoikko has already been submitted to addons.mozilla.org (by Marko
> Wallin) I understand that nobody else can get a signature for an extension
> with the same identifier. So if for example I would want to sign my own
> version of Mozvoikko I would need to change the identifier.
>
> If this interpretation is correct we perhaps need to make the extension
> identifier easily configurable. This is not a difficult thing to do but I
> would first want to know if it is really needed. There is very little
> information available at the moment it seems.
>

The id for mozvoikko is already different in addons.mozilla.org 
(fi at dictionaries.addons.mozilla.org) than on Git 
({b676e3ff-cda7-4e0c-b2b8-74e4bb40a67a}).

Mozvoikko in AMO (addons.mozilla.org) is now for OS X and Windows and 
the Linux version could be added separately. The addon owner 
(yllapito at mozilla.fi) can add authors who can manage the files and 
submit the addon to be reviewed and signed.

The other option, what I understand, is to make new addon entry for 
Linux which is unlisted and not distributed on AMO. But the same author 
limitation still would exist, who can submit the addon to be signed.

// Marko


More information about the Libvoikko mailing list