FS#50269 - [firefox] Arch build does not enforce addons' signature verification
Attached to Project:
Arch Linux
Opened by Chih-Hsuan Yen (yan12125) - Friday, 05 August 2016, 15:01 GMT
Last edited by Jan Alexander Steffens (heftig) - Sunday, 07 August 2016, 13:56 GMT
Details
Description:
Upstream Firefox 48 enforces signature verification. In Firefox's build system, forcing signature verification requires defining `MOZ_REQUIRE_SIGNING` in mozconfig. In Mozilla's official builds, this setting is in `build/mozconfig.common` and indirectly imported by `browser/config/mozconfigs/linux64/release`, the (seemingly) mozconfig file for official builds. However, Arch's mozconfig [1] does not include this setting, so Arch's version does not follow upstream's configurations in this case.

I choose severity high as I think it's a "less critical security issue". Sorry if I misunderstand what the Wiki says.

[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/mozconfig?h=packages/firefox

Additional info:
extra/firefox 48.0-1

Steps to reproduce:
* Theoretical way: Run `7z x /usr/lib/firefox/omni.ja modules/addons/AddonConstants.jsm`, and check the value of `REQUIRE_SIGNING` in AddonConstants.jsm. Firefox's mozpack format causes errors and warnings in 7z. Those are non-fatal for just viewing files.
* Practical way: Install an unverified addon and check whether it works in Arch's build or not
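Automating the "theoretical way" from the description, as an added example that is not part of the bug report or of Arch's packaging: a POSIX shell script that extracts AddonConstants.jsm from omni.ja with 7z, as the report describes, and reads out the REQUIRE_SIGNING literal. The function names, the parsing regex and the sample file contents are assumptions; the sample is constructed, not the real file.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Arch: automates the
# "theoretical way" above. The omni.ja path and 7z step come from the report;
# the parser is assumed (matches REQUIRE_SIGNING = true/false, even if split).

# Print the literal assigned to REQUIRE_SIGNING in an AddonConstants.jsm
# file, or "unknown" when no such assignment is found.
require_signing_value() {
    # Drop // comment lines and join the rest into one line, so that an
    # assignment written as "this.REQUIRE_SIGNING =\n  true;" is still seen.
    val=$(grep -v '^[[:space:]]*//' "$1" | tr '\n' ' ' \
        | grep -oE 'REQUIRE_SIGNING[[:space:]]*=[[:space:]]*(true|false)' \
        | head -n 1 | sed -E 's/.*(true|false)$/\1/')
    if [ -n "$val" ]; then echo "$val"; else echo unknown; fi
}

# Extract AddonConstants.jsm from an installed omni.ja (default path from the
# report) and print REQUIRE_SIGNING for that build.
omni_require_signing() {
    omni="${1:-/usr/lib/firefox/omni.ja}"
    tmp=$(mktemp -d) || return 1
    # 7z warns about the mozpack layout but still extracts; ignore its status.
    7z x -y -o"$tmp" "$omni" modules/addons/AddonConstants.jsm >/dev/null 2>&1 || true
    if [ -f "$tmp/modules/addons/AddonConstants.jsm" ]; then
        require_signing_value "$tmp/modules/addons/AddonConstants.jsm"
    else
        echo unknown
    fi
    rm -rf "$tmp"
}

# Constructed stand-in for a preprocessed AddonConstants.jsm (not the real
# file), with the value given as $1 and a decoy comment line to be ignored.
sample_value() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<EOF
"use strict";
// REQUIRE_SIGNING = true in Mozilla's official builds
this.EXPORTED_SYMBOLS = [ "ADDON_SIGNING", "REQUIRE_SIGNING" ];
this.ADDON_SIGNING =
  true;
this.REQUIRE_SIGNING =
  $1;
EOF
    require_signing_value "$tmp"
    rm -f "$tmp"
}

# Stand-alone run: check the installed build when omni.ja and 7z are present.
[ -r /usr/lib/firefox/omni.ja ] && command -v 7z >/dev/null 2>&1 && omni_require_signing
```

On an Arch system with p7zip installed, `omni_require_signing` with no argument checks /usr/lib/firefox/omni.ja; a build that enforces add-on signing prints `true`.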
This task depends upon
Closed by Jan Alexander Steffens (heftig)
Sunday, 07 August 2016, 13:56 GMT
Reason for closing: Fixed
Additional comments about closing: firefox 48.0-2 enforces signatures, as intended for branded release builds.
> Giving users the freedom to install unfinished addons if they want to test them is what Arch is all about.
That is also my opinion. Most Arch users should be familiar with security and many are developers who might work on their own add-ons. However, people decided in FS#45900 that Arch should follow the decisions of Mozilla.

Is `ac_add_options --enable-update-channel=release` necessary? In my understanding this would show update notifications inside of Firefox.
The update channel actually affects more things, like whether jemalloc assertions are fatal, whether shutdown check violations get recorded, whether "extensions.checkCompatibility.nightly" works.
Most other things are affected by the RELEASE_BUILD and NIGHTLY_BUILD defines, which get set depending on the version inside config/milestone.txt. This is static depending on the branch you build.
The configuration system is a goddamn mess.