I know all you extension authors out there have been understandably miffed at the add-on update security bits landing before you could do anything about it, so I’ve pushed hard and we can now make an early version of McCoy available.
McCoy is the tool to use if you are hosting your own add-ons and for whatever reason cannot use SSL to secure the updates. If you haven’t yet heard about the new security restrictions that will be in Firefox 3 or you don’t quite understand them yet then why not skip on over to the vastly improved add-on updates documentation and take particular note of the security section.
So what are you waiting for? Grab your copy of McCoy and get to work securing your add-ons.
I should point out that this is an early version, there are a bunch of improvements that we’d like to make so keep an eye on the homepage and here for updated releases. Also massive thanks to Mark Finkle for getting through the code reviews so quickly.
If you happen to hit any issues using McCoy or just have some ideas for it’s future then please file a bug (searching for dupes first of course!). Given that this is an early release there’s a number of issues already on file.
Yes, finally after months of twiddling my thumbs waiting for approval to land the zipwriter component has gone into trunk, and is enabled for all applications (some apps might need to add the interface to their packages list). If you want to use check out the interface, it’s fairly well documented I think. That magic contract ID you need is “@mozilla.org/zipwriter;1”.
It’s been quite a long process both writing the code, getting reviewed and getting agreement for it to appear in Firefox so I hope all you extension authors and application developers are going to make good use out of it in your projects. Let me know what you come up with.
I have just checked in Bug 378216, and wanted to give a quick heads up on it.
What this means is that we are now enforcing a security restriction on all add-ons. To be specific, if an add-on does not provide a secure method of auto-updating then by default Firefox will refuse to install the add-on. If you have add-ons already installed that are insecure in this way then they will be automatically disabled.
The good news is that addons.mozilla.org already uses SSL for it’s updates, so any add-ons you have installed from there will be unaffected by this change. Equally any add-on authors who use SSL on their site, their add-ons will be unaffected. Personally I found 2 of my add-ons were disabled by it, that’s 2 out of nearly 20, so hopefully you won’t see a major impact.
For add-on authors there is an alternate way to provide secure updates without investing in an SSL key involving digital signatures, unfortunately we’ve had to hold off on providing the software to make that possible until the backend changes were complete and reviewed. I hope to have something usable available not too long after M8 is released. Keep an eye on this blog for an update on that.
If you want to see more of the specifics the best place to look is probably at the wiki page. This is all based around the discussions I started on various forums and newsgroups. Hopefully it’s not too much of a surprise to the add-on authors out there, if it is then I apologise, I tried to get the word out as best I could.