Can signed XPIs be hosted on secure.informaction.com (in addition to AMO)?
I think they can be: I proposed how to do this above (in the work flow).
Since then, I have tried to see if there are any technical reasons why
my idea would fail to work.
I have used 7zip to open (copies of) "{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi",
the NoScript Extension,
that came from AMO and from the feed.
I used NoScript 2.6.9.35rc2
(which is signed by Mozilla - if it is 'collected from / installed from AMO')
The "install.rdf" has:
> <em:id>{73a6fe31-595d-460b-a920-fcc0f8843232}</em:id>
> <em:name>NoScript</em:name>
> <em:version>2.6.9.35rc2</em:version>
The ONLY difference I can see is the 'signed by Mozilla' version has a
META-INF subfolder.
All the other files seem to be identical (in content and number of bytes).
I can NOT find anything, inside the XPI, that would force an update
from any particular place.
In particular, I can't see an 'updateURL'.
So, for example, there is no reference that says, in effect,
'this series of XPIs must be installed from' e.g. secure.informaction.com (or from AMO).
I might be missing something.
Would it be a good idea to have signed XPIs be hosted on secure.informaction.com (in addition to AMO)?
I think so, because it would allow Fx 42 + Users (Release and Beta) to install 'old versions'
when AMO was unavailable.
I do appreciate that it would be extra work for Giorgio.
An archive of 'Mozilla signed XPIs' - hosted at secure.informaction.com - might be worth considering.
DJ-Leith
NoScript Not A Signed Add On (Yet)?
Re: NoScript Not A Signed Add On (Yet)?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: NoScript Not A Signed Add On (Yet)?
> The ONLY difference I can see is the 'signed by Mozilla' version has a
> META-INF subfolder.
Correct.
> All the other files seem to be identical (in content and number of bytes).
True.
> Would it be a good idea to have [AMO] signed XPIs be hosted on secure.informaction.com
> (in addition to AMO)?
Well if they're going to be here at all, then I would think it to be a good idea.
> META-INF subfolder.
Correct.
> All the other files seem to be identical (in content and number of bytes).
True.
> Would it be a good idea to have [AMO] signed XPIs be hosted on secure.informaction.com
> (in addition to AMO)?
Well if they're going to be here at all, then I would think it to be a good idea.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
-
Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: NoScript Not A Signed Add On (Yet)?
I had already put creating a couple of scripts to synchronize signed XPIs as soon as they're available (it happens at unpredictable times, depending on editor's whim) in my TODO list.
I hope to find the time over this week-end.
I hope to find the time over this week-end.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0