Having a low reputation score means IE throws a warning when you try and download the file, which says: "This file is not commonly downloaded and may harm your computer." and does its best to stop you from running it anyway.
I was approached by a Microsoft engineer from this team at a conference who said that he didn't _want_ IE to throw up scary warnings for people downloading Firefox and Thunderbird nightlies, but as we don't sign our nightlies, it makes it very hard to avoid it. Each one is a new file with a new hash, and starts with zero reputation.
However, bhearsum rapidly resolved it as WONTFIX, said that this was a conscious decision, and that to get it changed, we needed to have a discussion here.
Why don't we sign our nightlies, what would it take to get us to do so, and do we care that IE tells everyone they might be dangerous?
> Why don't we sign our nightlies, what would it take to get us to do so, > and do we care that IE tells everyone they might be dangerous?
Part of it is technical: We (currently) have no way to automatically sign builds, which makes signing anything on a nightly basis prohibitively time consuming. There's some work underway to fixing this (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's fixed, there'd be no technical reason why we couldn't.
> Having a low reputation score means IE throws a warning when you try and > download the file, which says: > "This file is not commonly downloaded and may harm your computer." > and does its best to stop you from running it anyway.
> I was approached by a Microsoft engineer from this team at a conference > who said that he didn't _want_ IE to throw up scary warnings for people > downloading Firefox and Thunderbird nightlies, but as we don't sign our > nightlies, it makes it very hard to avoid it. Each one is a new file > with a new hash, and starts with zero reputation.
> I asked him to file a bug about it (knowing this might be politically > difficult for him) and was slightly surprised and very pleased when he > did: https://bugzilla.mozilla.org/show_bug.cgi?id=663055 .
> However, bhearsum rapidly resolved it as WONTFIX, said that this was a > conscious decision, and that to get it changed, we needed to have a > discussion here.
> Why don't we sign our nightlies, what would it take to get us to do so, > and do we care that IE tells everyone they might be dangerous?
> Gerv
In one sense, it may be a good thing for IE to throw this kind of warning. Users who know anything about FF will see this as a nasty dig at FF from MS. Kind of reverse psychology.
> Having a low reputation score means IE throws a warning when you try and > download the file, which says: > "This file is not commonly downloaded and may harm your computer." > and does its best to stop you from running it anyway.
> I was approached by a Microsoft engineer from this team at a conference > who said that he didn't _want_ IE to throw up scary warnings for people > downloading Firefox and Thunderbird nightlies, but as we don't sign our > nightlies, it makes it very hard to avoid it. Each one is a new file > with a new hash, and starts with zero reputation.
> I asked him to file a bug about it (knowing this might be politically > difficult for him) and was slightly surprised and very pleased when he > did: https://bugzilla.mozilla.org/show_bug.cgi?id=663055 .
> However, bhearsum rapidly resolved it as WONTFIX, said that this was a > conscious decision, and that to get it changed, we needed to have a > discussion here.
> Why don't we sign our nightlies, what would it take to get us to do so, > and do we care that IE tells everyone they might be dangerous?
If people don't have an intimate knowledge of nightly builds, shouldn't they be on Aurora or Beta (or stable?).
I'd say nightlies are for people actively involved in the project, given our new channels -this partially mitigates for Firefox, but not Thunderbird.
On Thu, 2011-06-09 at 08:42 -0400, Ben Hearsum wrote: > On 06/09/11 08:35 AM, Gervase Markham wrote:
> > Why don't we sign our nightlies, what would it take to get us to do so, > > and do we care that IE tells everyone they might be dangerous?
> Part of it is technical: We (currently) have no way to automatically > sign builds, which makes signing anything on a nightly basis > prohibitively time consuming. There's some work underway to fixing this > (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's > fixed, there'd be no technical reason why we couldn't.
Looks more like the other bug should depend on this one instead of being WONTFIXed. I'm a bit troubled that bugs about making it easier for people to run test builds get WONTFIXed so easily.
> On Thu, 2011-06-09 at 08:42 -0400, Ben Hearsum wrote: >> On 06/09/11 08:35 AM, Gervase Markham wrote:
>>> Why don't we sign our nightlies, what would it take to get us to do so, >>> and do we care that IE tells everyone they might be dangerous?
>> Part of it is technical: We (currently) have no way to automatically >> sign builds, which makes signing anything on a nightly basis >> prohibitively time consuming. There's some work underway to fixing this >> (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's >> fixed, there'd be no technical reason why we couldn't.
> Looks more like the other bug should depend on this one instead of being > WONTFIXed. I'm a bit troubled that bugs about making it easier for > people to run test builds get WONTFIXed so easily.
If we come to the consensus that we *want* to sign our nightly builds, sure.
> On Thu, 2011-06-09 at 08:42 -0400, Ben Hearsum wrote: >> On 06/09/11 08:35 AM, Gervase Markham wrote:
>>> Why don't we sign our nightlies, what would it take to get us to do so, >>> and do we care that IE tells everyone they might be dangerous?
>> Part of it is technical: We (currently) have no way to automatically >> sign builds, which makes signing anything on a nightly basis >> prohibitively time consuming. There's some work underway to fixing this >> (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's >> fixed, there'd be no technical reason why we couldn't.
> Looks more like the other bug should depend on this one instead of being > WONTFIXed. I'm a bit troubled that bugs about making it easier for > people to run test builds get WONTFIXed so easily.
If we come to the consensus that we *want* to sign our nightly builds, sure.
On Thu, Jun 9, 2011 at 9:43 AM, Henri Sivonen <hsivo...@iki.fi> wrote: > Another bug in this general area > (https://bugzilla.mozilla.org/show_bug.cgi?id=655667) was INCOMPLETEd. > Should I bring it up here or email to a driver address in order to try > to get it reopened?
FWIW, I agree with Benjamin there that this bug should be a feature page and not just a bug. At the moment, I just have the Profile Manager come up every time I run Firefox, but that's suboptimal so I agree with you that doing *something* there would be good. But, Benjamin's point is that the change there is not necessarily obvious because different people will have different expectations and desires.
There may be some overlap between the feature you're looking for and this one:
> On 06/09/11 09:43 AM, Henri Sivonen wrote: >> On Thu, 2011-06-09 at 08:42 -0400, Ben Hearsum wrote: >>> On 06/09/11 08:35 AM, Gervase Markham wrote:
>>>> Why don't we sign our nightlies, what would it take to get us to do so, >>>> and do we care that IE tells everyone they might be dangerous?
>>> Part of it is technical: We (currently) have no way to automatically >>> sign builds, which makes signing anything on a nightly basis >>> prohibitively time consuming. There's some work underway to fixing this >>> (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's >>> fixed, there'd be no technical reason why we couldn't.
>> Looks more like the other bug should depend on this one instead of being >> WONTFIXed. I'm a bit troubled that bugs about making it easier for >> people to run test builds get WONTFIXed so easily.
> If we come to the consensus that we *want* to sign our nightly builds, sure.
Modulo the work in bug 509158 that you mention above, are there other concerns you have or are aware of that would keep us from wanting to do so?
J
--- Johnathan Nightingale Director of Firefox Engineering john...@mozilla.com
> On 2011-06-09, at 9:47 AM, Ben Hearsum wrote: >> On 06/09/11 09:43 AM, Henri Sivonen wrote: >>> On Thu, 2011-06-09 at 08:42 -0400, Ben Hearsum wrote: >>>> On 06/09/11 08:35 AM, Gervase Markham wrote:
>>>>> Why don't we sign our nightlies, what would it take to get us to do so, >>>>> and do we care that IE tells everyone they might be dangerous?
>>>> Part of it is technical: We (currently) have no way to automatically >>>> sign builds, which makes signing anything on a nightly basis >>>> prohibitively time consuming. There's some work underway to fixing this >>>> (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's >>>> fixed, there'd be no technical reason why we couldn't.
>>> Looks more like the other bug should depend on this one instead of being >>> WONTFIXed. I'm a bit troubled that bugs about making it easier for >>> people to run test builds get WONTFIXed so easily.
>> If we come to the consensus that we *want* to sign our nightly builds, sure.
> Modulo the work in bug 509158 that you mention above, are there other concerns you have or are aware of that would keep us from wanting to do so?
I'm not aware of any. I don't think it's a discussion we've ever had until now, though!
> On 2011-06-09, at 9:47 AM, Ben Hearsum wrote: >> On 06/09/11 09:43 AM, Henri Sivonen wrote: >>> On Thu, 2011-06-09 at 08:42 -0400, Ben Hearsum wrote: >>>> On 06/09/11 08:35 AM, Gervase Markham wrote:
>>>>> Why don't we sign our nightlies, what would it take to get us to do so, >>>>> and do we care that IE tells everyone they might be dangerous?
>>>> Part of it is technical: We (currently) have no way to automatically >>>> sign builds, which makes signing anything on a nightly basis >>>> prohibitively time consuming. There's some work underway to fixing this >>>> (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's >>>> fixed, there'd be no technical reason why we couldn't.
>>> Looks more like the other bug should depend on this one instead of being >>> WONTFIXed. I'm a bit troubled that bugs about making it easier for >>> people to run test builds get WONTFIXed so easily.
>> If we come to the consensus that we *want* to sign our nightly builds, sure.
> Modulo the work in bug 509158 that you mention above, are there other concerns you have or are aware of that would keep us from wanting to do so?
I'm not aware of any. I don't think it's a discussion we've ever had until now, though!
>> Why don't we sign our nightlies, what would it take to get us to do so, >> and do we care that IE tells everyone they might be dangerous?
> Part of it is technical: We (currently) have no way to automatically > sign builds, which makes signing anything on a nightly basis > prohibitively time consuming. There's some work underway to fixing this > (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's > fixed, there'd be no technical reason why we couldn't.
What's the other part?
Are there any specific reasons why would you *not* want to sign them, assuming you had the technical capability of doing so?
> Le 09/06/2011 14:42, Ben Hearsum a écrit : >> On 06/09/11 08:35 AM, Gervase Markham wrote:
>>> Why don't we sign our nightlies, what would it take to get us to do so, >>> and do we care that IE tells everyone they might be dangerous?
>> Part of it is technical: We (currently) have no way to automatically >> sign builds, which makes signing anything on a nightly basis >> prohibitively time consuming. There's some work underway to fixing this >> (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's >> fixed, there'd be no technical reason why we couldn't.
> What's the other part?
> Are there any specific reasons why would you *not* want to sign them, > assuming you had the technical capability of doing so?
I would say the other part is finding the cycles for someone to do the work. So if part I is technical, part II is human resources.
> Le 09/06/2011 14:42, Ben Hearsum a écrit : >> On 06/09/11 08:35 AM, Gervase Markham wrote:
>>> Why don't we sign our nightlies, what would it take to get us to do so, >>> and do we care that IE tells everyone they might be dangerous?
>> Part of it is technical: We (currently) have no way to automatically >> sign builds, which makes signing anything on a nightly basis >> prohibitively time consuming. There's some work underway to fixing this >> (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's >> fixed, there'd be no technical reason why we couldn't.
> What's the other part?
> Are there any specific reasons why would you *not* want to sign them, > assuming you had the technical capability of doing so?
and part III is that this conversation needed to happen in a large group (or long email thread) to determine the priority something like this should have.
What does it mean to have a binary signed by Mozilla's code key? Do we want to stamp the nightlies with the same level of endorsement? Do we want to sign unbranded builds?
What are our current key-management practices for the signing key, and how would they need to change in order to accommodate hands-off signing? Does putting something in the right directory on an internet-connected host get it signed? If we use a different key, how is it different from the user's perspective?
I also have some prioritization concerns.
Given that this characteristic of IE9 only affects the initial download and not subsequent nightlies, I think I would prioritize it below signing our *release* binaries on Mac. Because of non-SSL intermediaries and third-party mirrors, there's basically no way for someone to tell if they got the right bits.
There are lots of things many of us could do to improve the "test a nightly" experience, though typically we just insist that it be someone else's top priority when it's not our own. I agree that they're not really germane to the primary topic of this thread.
If we're going to do work on the signing mechanism, though, I think we should be very careful about what it means to be "signed with mozilla's key", and I think that the complete lack of Mac signing should be a higher priority.
Mike On Jun 9, 2011 10:06 AM, "Johnathan Nightingale" <john...@mozilla.com> wrote:
> If we're going to do work on the signing mechanism, though, I think we should be very careful about what it means to be "signed with mozilla's key", and I think that the complete lack of Mac signing should be a higher priority.
In case I have seemed to suggest otherwise by asking questions earlier, I wanted to say that I agree wholeheartedly with both of these. I think the priority of any work here is low, well below the Mac release signing piece as well as several other things I know releng to be working on. I can well imagine that we could come up with answers to satisfy Shaver's other (important, and hard!) questions here, and still not find the effect to be worth the costs.
J --- Johnathan Nightingale Director of Firefox Engineering john...@mozilla.com
On 6/9/2011 11:54 AM, Johnathan Nightingale wrote:
> On 2011-06-09, at 1:00 PM, Mike Shaver wrote: >> If we're going to do work on the signing mechanism, though, I think we should be very careful about what it means to be "signed with mozilla's key", and I think that the complete lack of Mac signing should be a higher priority.
> In case I have seemed to suggest otherwise by asking questions earlier, I wanted to say that I agree wholeheartedly with both of these. I think the priority of any work here is low, well below the Mac release signing piece as well as several other things I know releng to be working on. I can well imagine that we could come up with answers to satisfy Shaver's other (important, and hard!) questions here, and still not find the effect to be worth the costs.
> J
In the meantime I'm going to reopen the bug, set the dependency properly, note that it hasn't yet been fully evaluated, and point to this thread.
> What does it mean to have a binary signed by Mozilla's code key? Do we want > to stamp the nightlies with the same level of endorsement? Do we want to > sign unbranded builds?
> What are our current key-management practices for the signing key, and how > would they need to change in order to accommodate hands-off signing? Does > putting something in the right directory on an internet-connected host get > it signed? If we use a different key, how is it different from the user's > perspective?
> I also have some prioritization concerns.
> Given that this characteristic of IE9 only affects the initial download and > not subsequent nightlies, I think I would prioritize it below > signing our *release* binaries on Mac. Because of non-SSL intermediaries and > third-party mirrors, there's basically no way for someone to tell if they > got the right bits.
> There are lots of things many of us could do to improve the "test a nightly" > experience, though typically we just insist that it be someone else's top > priority when it's not our own. I agree that they're not really germane to > the primary topic of this thread.
> If we're going to do work on the signing mechanism, though, I think we > should be very careful about what it means to be "signed with mozilla's > key", and I think that the complete lack of Mac signing should be a higher > priority.
> Mike > On Jun 9, 2011 10:06 AM, "Johnathan Nightingale" <john...@mozilla.com> > wrote: > _______________________________________________ > dev-planning mailing list > dev-plann...@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-planning
> I'd just like to point out that the lack of signedness rears its ugly > head each time nightly updates itself in the form of an orange UAC > prompt.
> I would also expect that any new improved non-admin updater that might > be in the pipeline would check signatures.
Possibly but not necessarily. For the updater to patch a file it can't be modified so the signature must be intact and when the updater replaces a file it will be intact.
> On 10 June 2011 03:00, Mike Shaver<mike.sha...@gmail.com> wrote: >> I have some concerns.
>> What does it mean to have a binary signed by Mozilla's code key? Do we want >> to stamp the nightlies with the same level of endorsement? Do we want to >> sign unbranded builds?
>> What are our current key-management practices for the signing key, and how >> would they need to change in order to accommodate hands-off signing? Does >> putting something in the right directory on an internet-connected host get >> it signed? If we use a different key, how is it different from the user's >> perspective?
>> I also have some prioritization concerns.
>> Given that this characteristic of IE9 only affects the initial download and >> not subsequent nightlies, I think I would prioritize it below >> signing our *release* binaries on Mac. Because of non-SSL intermediaries and >> third-party mirrors, there's basically no way for someone to tell if they >> got the right bits.
>> There are lots of things many of us could do to improve the "test a nightly" >> experience, though typically we just insist that it be someone else's top >> priority when it's not our own. I agree that they're not really germane to >> the primary topic of this thread.
>> If we're going to do work on the signing mechanism, though, I think we >> should be very careful about what it means to be "signed with mozilla's >> key", and I think that the complete lack of Mac signing should be a higher >> priority.
>> Mike >> On Jun 9, 2011 10:06 AM, "Johnathan Nightingale"<john...@mozilla.com> >> wrote: >> _______________________________________________ >> dev-planning mailing list >> dev-plann...@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-planning
> What does it mean to have a binary signed by Mozilla's code key?
I would say: "This software comes from Mozilla".
This is the debate (also to be had in the realm of SSL certificates) as to whether signing means "this website/code is bound to a certain identity" or "this website/code is nice, happy, pretty and full of cute kittens".
I am in favour of the former interpretation (given that implementing the latter is near-impossible), which leads me to advocate code-signing for anything we release.
Keeping builds away from people who shouldn't be running them is a task not to be achieved with IE warning boxes.
> What are our current key-management practices for the signing key, and how > would they need to change in order to accommodate hands-off signing? Does > putting something in the right directory on an internet-connected host get > it signed? If we use a different key, how is it different from the user's > perspective?
Good questions.
> I also have some prioritization concerns.
> Given that this characteristic of IE9 only affects the initial download and > not subsequent nightlies,
You mean because they are updated using Firefox's auto-updater? If so, then yes. But every nightly download downloaded using IE will have this problem.
Gervase Markham wrote: > On 09/06/11 18:00, Mike Shaver wrote: >> > I have some concerns.
>> > What does it mean to have a binary signed by Mozilla's code key? > I would say: "This software comes from Mozilla".
> This is the debate (also to be had in the realm of SSL certificates) as > to whether signing means "this website/code is bound to a certain > identity" or "this website/code is nice, happy, pretty and full of cute > kittens".
> I am in favour of the former interpretation (given that implementing the > latter is near-impossible), which leads me to advocate code-signing for > anything we release.
> Keeping builds away from people who shouldn't be running them is a task > not to be achieved with IE warning boxes.
I think a middle solution would be to sign the nightlies with a dedicated certificate whose name hints that that software received no QA and can fail badly.
