
Signing of enterprise Add-On which includes binary components


Martin Hajduch

Jan 18, 2016, 12:40:22 PM
to mozilla-addons-...@lists.mozilla.org
Hi!

My company develops an enterprise Add-On which includes binary components - DLLs. This Add-On is not publicly available, only our customers with paid contracts receive it. And it should stay this way.

I am not sure if it is even possible to get a request to share source code with an external party through our legal department. And even if it would be, most likely a signature of some NDA by the actual reviewers would be requested, including a liability clause. Which we most likely won't get of course...

It may be possible to provide a short look via a Teamviewer session, would this be enough? Would someone even have time for that? How to proceed?

Are there any alternatives? Getting our customers to use nightly builds is not an option, as it makes them again vulnerable against any other malicious extensions out there :(.

I read somewhere: "For extensions that will never be publicly distributed and will never leave an internal network, there will be a third option. We'll have more details available on this in the near future." - but cannot find any further details...

Right now we stick with ESR 38, but that is a solution which disappears soon. Or we (our customers) stay without security updates of any kind..

As to the reason 'why we use binary components?' -> the extension itself provides connectivity between a web-based application and a local CAD/CAM application. This connectivity requires functionality written in C. Our extension is using C-types to call corresponding DLLs. We are talking here about hundreds of thousands of lines of code. Surely, there are technical solutions to externalize DLLs to a standalone application and use JavaScript-based communication to talk to it, but that means several man months investment at least..

Many thanks for any tips on how to proceed here..

Regards,
Martin Hajduch
Assyst GmbH

Jorge Villalobos

Jan 18, 2016, 1:02:49 PM
to mozilla-addons-...@lists.mozilla.org
Hello Martin,

Add-ons that are currently uploaded as unlisted[1] are being
automatically signed, and you don't need to provide the sources for your
components in that case. The review team might at some point in the
future decide to review your add-on code and will get in touch with you
in case there are any questions about the binary component it includes.

Regards,

Jorge


[1] https://developer.mozilla.org/en-US/Add-ons/Distribution