Open magicgoose opened 2 months ago
What is the easiest way, that an (almost) non-technical user can also do, to install this add-on while guaranteeing that the build will correspond to the published source code?
There is nothing you need to do to ensure the build matches the published source code. Almost any build of the extension will work; the verification that happens is not tied to the specific extension build but to the build of the website, and that verification will be done by the extension for any build that we release.
The reason I say almost any is that we sometimes add additional verification checks that only work on versions of the extension where we add that support, or subsequent releases. The only thing you should be concerned about is keeping the extension up to date. We should handle the rest.
Hmm, I am not sure we are talking about the same thing. I was trying to ask about verifying the add-on itself - verifying the assumption that it is made out of the code at git@github.com:facebookincubator/meta-code-verify.git with no other concealed changes on top of it. Which is not obvious when installing it from https://addons.mozilla.org/nl/firefox/addon/code-verify. Like, for example, if the Mozilla account that uploads the add-on is hacked, there will be no way for the user to notice? Or is there some signature check in place that will prevent publishing altered code using stolen credentials of a Mozilla account?
The add-on is distributed via e.g. addons.mozilla.org, which is great. However, on their page, as an uneducated user, I see "This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing." and there is no clear path to "make sure I trust it".
Scoring the "recommended" status by Mozilla (like, for example, any of these) would be fantastic, but in the meantime:
What is the easiest way, that an (almost) non-technical user can also do, to install this add-on while guaranteeing that the build will correspond to the published source code?
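One way to answer the question above, as an added example that is not part of the thread or of the meta-code-verify project: compare the XPI downloaded from addons.mozilla.org against an XPI you built locally from the repository, file by file, ignoring only the `META-INF/` entries that AMO's signing step adds. The sample archives below are constructed in memory so the script runs offline; the file names inside them are invented and stand in for whatever the real build produces.

```python
import hashlib
import io
import zipfile

# addons.mozilla.org adds its signature files under META-INF/ when it signs an
# XPI; they are never part of the source tree, so they are left out of the diff.
AMO_SIGNATURE_PREFIX = "META-INF/"


def member_digests(xpi_bytes: bytes) -> dict[str, str]:
    """Map each file path inside an XPI (a zip archive) to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(AMO_SIGNATURE_PREFIX):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_xpis(published: bytes, local_build: bytes) -> dict[str, list[str]]:
    """Report paths only in the published XPI, only in the local build,
    or present in both with different contents. All three lists empty == match."""
    pub, loc = member_digests(published), member_digests(local_build)
    return {
        "only_in_published": sorted(set(pub) - set(loc)),
        "only_in_local": sorted(set(loc) - set(pub)),
        "modified": sorted(p for p in pub.keys() & loc.keys() if pub[p] != loc[p]),
    }


def make_xpi(files: dict[str, bytes]) -> bytes:
    """Build an in-memory XPI from a path -> contents mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample: a local build, and a "published" copy that carries the AMO
# signature plus one file that does not exist in the local build.
LOCAL = make_xpi({"manifest.json": b'{"name": "example"}', "background.js": b"init();"})
PUBLISHED = make_xpi({
    "manifest.json": b'{"name": "example"}',
    "background.js": b"init();",
    "META-INF/mozilla.rsa": b"<signature blob>",
    "extra.js": b"somethingElse();",
})

if __name__ == "__main__":
    print(compare_xpis(PUBLISHED, LOCAL))  # {'only_in_published': ['extra.js'], ...}
```

If the project's build is not fully reproducible (minifier versions, embedded timestamps), legitimate differences will also show up under `modified` and have to be inspected by hand.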