On Oct 19, 5:17 pm, Samuel Bronson <naes...@gmail.com> wrote:
> On Oct 15, 8:53 pm, John J Barton <johnjbar...@johnjbarton.com> wrote:
>
> > On Oct 15, 4:40 pm, skierpage <skierp...@gmail.com> wrote:
>
> > > On Oct 15, 8:46 am, "Honza (Jan Odvarko)" <odva...@gmail.com> wrote:
>
> > > > http://blog.getfirebug.com/2010/10/15/firebug-1-6b2/
>
> > > I'm running Firefox 4.08bpre nightly with Firebug 1.6X.0b1, last
> > > updated 2010-08-24. Tools > Add-ons doesn't think there's an update
> > > available for it. Should I be offered 1.6b2 ?
>
> > We switched from signed xpis to https. Next week I'll see if we can
> > put up an update.rdf to migrate.
>
> Why did you switch?

Because the only tool I had to build the signed xpis was too
difficult for others to use.

> That doesn't sound particularly safe (what if
> someone breaks into the site?),

If someone breaks into the site, updates of XPIs are not my most
immediate concern.

> and it also doesn't help at all for
> off-site copies of the XPI.

Well I guess you can create signed copies if you like. I invested a
lot of time building new tools for signing and maintaining our signing
system for almost three years. I tried multiple times to get others
interested in simple support for digital signatures. But in the end I
have to give up. The base tools for digital signatures are closely
guarded by obscurists who want you to think that normal humans should
not be allowed to work with them. You pretty much cannot get a
straight answer out of them. The technology is not that complicated
but it has a number of troublesome issues like absolute precision in
the bytes that are signed, the need to carry the signature outside of
but with the signed objects, the need to maintain the private key. But
most of all we need to pass the private key (a string) and the to-be-
signed document (another string) to a crypto algorithm to get the
signed results (the result string). It's amazing how obscure that API
can be made with a little effort.
jjb
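
The operation discussed in the message above (private key plus to-be-signed bytes in, a detached signature out), shown as an added example that is not part of the original thread and is not the tooling the Firebug project used. It assumes Node.js and its built-in `crypto` module with an Ed25519 key; the function names and the sample package bytes are constructed for illustration.

```javascript
// Added example: detached signature over exact bytes (Node.js built-in crypto).
const nodeCrypto = require('crypto');

// Constructed stand-in for a package file; not real extension content.
const packageBytes = Buffer.from('name=example-extension\nversion=1.0\n', 'utf8');

// The private key stays with the signer; only the public key ships to verifiers.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Sign: (bytes, private key) -> signature, carried beside the package, not inside it.
function signDetached(bytes, key) {
  return nodeCrypto.sign(null, bytes, key).toString('base64');
}

// Verify: (bytes, signature, public key) -> true only for the exact signed bytes.
function verifyDetached(bytes, signatureB64, key) {
  return nodeCrypto.verify(null, bytes, key, Buffer.from(signatureB64, 'base64'));
}

const signature = signDetached(packageBytes, privateKey);

// A byte-identical copy fetched from another host verifies without trusting that host.
const mirrorCopy = Buffer.from(packageBytes);

// A copy whose line endings were rewritten (LF -> CRLF) no longer matches the signed bytes.
const crlfCopy = Buffer.from(
  packageBytes.toString('utf8').replace(/\n/g, '\r\n'),
  'utf8'
);

function runChecks() {
  return {
    original: verifyDetached(packageBytes, signature, publicKey),
    mirror: verifyDetached(mirrorCopy, signature, publicKey),
    crlf: verifyDetached(crlfCopy, signature, publicKey),
  };
}

console.log(runChecks());
```

The CRLF case is the "absolute precision in the bytes" issue: any tool that normalizes whitespace or re-encodes the file between signing and verification invalidates the signature.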