
Thread: Secure installation of extensions, Project overview pages, and file release system




Secure installation of extensions, Project overview pages, and file release system
United States
2008-03-26 13:11:36
Mozdev.org has released a number of new features to allow projects to securely install their applications and allow users to find information about projects easier.

Each project has an overview page that prominently displays links to all of a project's tools as well as highlighting each of a project's extensions and their latest releases.  Since this page is served from a secure site the extensions linked from this page make use of InstallTrigger to verify that the file is downloaded correctly by comparing the file's hash.

Each project's overview page is at a URL with the following format:
https://www.mozdev.org/projects/overview/PROJECT/
ex: https://www.mozdev.org/projects/overview/www/

In order to have your extensions linked from this page, you'll need to make use of our new file management tool to mark files as released and verify the hash for the file (documentation [2]):
https://www.mozdev.org/profile/file_management.html

Mozdev will be linking to the new project overview page from the main www.mozdev.org site in various locations such as the active project list and top 50 page.

We hope this new feature brings both project owners and users a new level of comfort knowing the extensions are installed properly and enables users to find project information more quickly.

-Doug

[1] https://www.mozdev.org/bugs/show_bug.cgi?id=17302
[2] http://www.mozdev.org/drupal/wiki/MozdevDownloadReleases


-- 
Douglas E. Warner    <silfreedsilfreed.net>    Site Developer
Mozdev.org           http://www.mozdev.org

_______________________________________________
Project_owners mailing list
Project_ownersmozdev.org
https://www.mozdev.org/mailman/listinfo/project_owners


Re: Secure installation of extensions, Project overview pages, and file release sys
Netherlands
2008-03-28 04:31:27
Hi,

Can you add file_management.html url to the https://www.mozdev.org/profile/index.html ?
And after submitting files, you end up in an empty file_managment_actions.php. It would be better to return to the project selection page.

I don't really see why end-users would believe they now have safe downloads. To the user, the only thing that has changed, is that they can start the download from a secure website, but they can't see that the file is also verified and they cannot verify the file themselves, since you don't display the md5sum. The download itself is still from an unsecure website, so the user could download another file than he thinks.

Onno

Douglas E. Warner wrote:
> Mozdev.org has released a number of new features to allow projects to securely install their applications and allow users to find information about projects easier.
>
> Each project has an overview page that prominently displays links to all of a project's tools as well as highlighting each of a project's extensions and their latest releases.  Since this page is served from a secure site the extensions linked from this page make use of InstallTrigger to verify that the file is downloaded correctly by comparing the file's hash.
>
> Each project's overview page is at a URL with the following format:
> https://www.mozdev.org/projects/overview/PROJECT/
> ex: https://www.mozdev.org/projects/overview/www/
>
> In order to have your extensions linked from this page, you'll need to make use of our new file management tool to mark files as released and verify the hash for the file (documentation [2]):
> https://www.mozdev.org/profile/file_management.html
>
> Mozdev will be linking to the new project overview page from the main www.mozdev.org site in various locations such as the active project list and top 50 page.
>
> We hope this new feature brings both project owners and users a new level of comfort knowing the extensions are installed properly and enables users to find project information more quickly.
>
> -Doug
>
> [1] https://www.mozdev.org/bugs/show_bug.cgi?id=17302
> [2] http://www.mozdev.org/drupal/wiki/MozdevDownloadReleases



Re: Secure installation of extensions, Project overview pages, and file release sys
United States
2008-03-28 08:03:25
On Friday 28 March 2008 05:31:27 Onno Ekker wrote:
> Can you add file_management.html url to the
> https://www.mozdev.org/profile/index.html ?

Done, thanks;  It was previously linked from the "All Resources" page, but I missed this one.

> And after submitting files, you end up in an empty file_managment_actions.php. It would be better to return to the project selection page.

This isn't the desired action, but I haven't been able to duplicate it.  Could you send me some more details about your workflow off-list?

> I don't really see why end-users would believe they now have safe downloads. To the user, the only thing that has changed, is that they can start the download from a secure website, but they can't see that the file is also verified and they cannot verify the file themselves, since you don't display the md5sum. The download itself is still from an unsecure website, so the user could download another file than he thinks.

The security comes from using InstallTrigger which will verify the hash against the downloaded file for the user automatically.  This hash is served from a secure website, therefore the hash can be trusted.  The file can then be downloaded from anywhere and compared against the trusted hash.

-Doug

-- 
Douglas E. Warner    <silfreedsilfreed.net>    Site Developer
Mozdev.org           http://www.mozdev.org
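
The trust model described in the message above (hash obtained over HTTPS, file fetched from anywhere), as an added Node.js example that is not part of the original thread and not Mozdev's or Mozilla's code. The `algorithm:hexdigest` string format, the accepted algorithm list, the function names and the sample bytes are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

// Digest algorithms this sketch accepts (an assumption, not Mozdev's list).
const ALLOWED = new Set(["sha1", "sha256", "sha512"]);

// Parse a trusted "algorithm:hexdigest" string, as it would arrive over HTTPS.
function parseTrustedHash(spec) {
  const m = /^([a-z0-9]+):([0-9a-f]+)$/i.exec(spec.trim());
  if (!m) throw new Error("malformed hash spec");
  const algorithm = m[1].toLowerCase();
  if (!ALLOWED.has(algorithm)) throw new Error("unsupported algorithm: " + algorithm);
  const expected = Buffer.from(m[2], "hex");
  // Reject truncated or padded digests before comparing.
  const digestLength = crypto.createHash(algorithm).digest().length;
  if (expected.length !== digestLength) throw new Error("wrong digest length");
  return { algorithm, expected };
}

// Check bytes fetched from any (untrusted) location against the trusted hash.
function verifyDownload(fileBytes, trustedSpec) {
  const { algorithm, expected } = parseTrustedHash(trustedSpec);
  const actual = crypto.createHash(algorithm).update(fileBytes).digest();
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample data: the file the project owner marked as released,
// and a modified copy as it might arrive over a plain-HTTP download.
const released = Buffer.from("constructed sample XPI contents v1.0");
const tampered = Buffer.from("constructed sample XPI contents v1.0 + extra");

// The hash the HTTPS-served page would carry for the released file.
const trustedSpec =
  "sha256:" + crypto.createHash("sha256").update(released).digest("hex");

// The genuine file passes; the modified one fails even though both
// came from the same untrusted download location.
function demo() {
  return {
    genuine: verifyDownload(released, trustedSpec),
    modified: verifyDownload(tampered, trustedSpec),
  };
}

console.log(demo());
```

The check is only as strong as the channel that delivers `trustedSpec`: if the page carrying the hash is not served over HTTPS, an attacker who can alter the file can alter the hash as well.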



Re: Secure installation of extensions, Project overview pages, and file release sys
United States
2008-03-28 10:42:51
On Friday 28 March 2008 11:04:21 Onno Ekker wrote:
> So it's for Installing only. And then probably only for Firefox (and Seamonkey / Mozilla,...) extensions / themes, but not for Thunderbird Extensions. The xpis I added and verified were Thunderbird only extensions, so that will probably have very limited use...

That's unfortunate that it doesn't help out Thunderbird.  If you run across anything that points out how we could help with that let me know.

-Doug

-- 
Douglas E. Warner    <silfreedsilfreed.net>    Site Developer
Mozdev.org           http://www.mozdev.org


