[HTTPS-Everywhere] Unsigned extension unable to install in Firefox Nightly
Jacob Hoffman-Andrews
jsha at eff.org
Mon Aug 10 14:07:17 PDT 2015
On 08/10/2015 01:35 PM, Claudio Moretti wrote:
> Are they at least telling you why it keeps getting flagged? :/
Yep, the automatic validator is open source
(https://github.com/mozilla/amo-validator) and its output is shown,
error by error, in the AMO console.
They've not told us exactly which amo-validator warnings cause a manual
review flag, but have offered to clarify that in future releases. The
most likely candidate is that the SSL Observatory code accesses the
ctypes global, which is necessary to access NSS in order to get certs to
upload. It turns out the issue is not just maliciousness, but the fact
that accessing ctypes is subtle and can cause extensions to be broken or
slow in various ways. The goal of addon signing is not only to prevent
malware, but to more generally clean up the addon ecosystem.
So, hopefully a future release of amo-validator (and the associated AMO
backend code) will be able to say "HTTPS Everywhere uses ctypes, and
that's fine," and we can get signatures in an automated way, as the
addon signing system was intended to work.
More information about the HTTPS-Everywhere
mailing list