[SRU] xul-ext-mozvoikko isn't signed (cannot be loaded on Mozilla Firefox 41.0a2)

Bug #1482219 reported by Aminda Suomalainen
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
mozvoikko (Ubuntu) | Confirmed | High | Unassigned |
Nominated for Precise by Timo Jyrinki
Nominated for Trusty by Timo Jyrinki
Nominated for Vivid by Timo Jyrinki
Nominated for Wily by Timo Jyrinki

Bug Description

[ Impact ]

Breaks all Voikko based spell-checking (in Ubuntu by default just Finnish, but more and more languages use the same extension) when Firefox 41 is released.

[ Test Case ]

Install Firefox 41, or alternatively use the current Firefox and check the extension warnings.

When installing a fixed package, the warning disappears in current Firefox / extension works in future Firefox. Update: it seems the future Firefox (at least from https://launchpad.net/~mozillateam/+archive/ubuntu/firefox-next/+packages) does _warn_ about the updated extension, but it does work after update.

Fixed packages for Ubuntu 15.10, 15.04, 14.04 LTS and 12.04 LTS at https://launchpad.net/~timo-jyrinki/+archive/ubuntu/voikkotest2/

To test the extension actually still works, enable spell-checking for a text area, set language to Finnish and copy-paste "tämä on testitekstia" to it. Firefox should underline the last word and offer "testitekstiä" instead (ä instead of a).

[ Regression Potential ]

Low, the extension is a simple non-compiled extension.

---

I have installed Mozilla Firefox 41.0a2 out of repositories, but this extension gets loaded on it too. Today this Firefox Developer Edition started complaining about the addon not being signed which prevents loading it for security reasons.

Even if this Firefox is out of repositories, when 41 becomes stable, downstream Firefox is also going to suffer from this unless it has patches to disable this, which would again be insecure and allow random extensions to be installed from anywhere.

Firefox Developer Edition gives "more details", which is a link to <https://support.mozilla.org/fi/kb/add-on-signing-in-firefox?redirectlocale=en-US&as=u&redirectslug=add-ons-signing-firefox&utm_source=inproduct>.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: xul-ext-mozvoikko 2.0.1-1ubuntu1
ProcVersionSignature: Ubuntu 4.1.0-3.3-generic 4.1.3
Uname: Linux 4.1.0-3-generic x86_64
NonfreeKernelModules: fglrx
AddonCompatCheckDisabled: False
ApportVersion: 2.18-0ubuntu5
Architecture: amd64
AudioDevicesInUse:
 KÄYTTÄJÄ PID ACCESS KÄSKY
 /dev/snd/controlC0: mikaela 1673 F.... pulseaudio
BuildID: 20150620063927
Channel: Unavailable
CurrentDesktop:

Date: Thu Aug 6 16:02:29 2015
DefaultProfileExtensions: extensions.sqlite corrupt or missing
DefaultProfileIncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
DefaultProfileLocales: extensions.sqlite corrupt or missing
DefaultProfileThemes: extensions.sqlite corrupt or missing
ForcedLayersAccel: False
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
InstallationDate: Installed on 2015-07-31 (6 days ago)
InstallationMedia: Ubuntu-MATE 15.10 "Wily Werewolf" - Alpha amd64 (20150729)
IpRoute:
 default via 172.16.0.1 dev wlo1 proto static metric 400
 10.0.3.0/24 dev lxcbr0 proto kernel scope link src 10.0.3.1
 169.254.0.0/16 dev wlo1 scope link metric 1000
 172.16.0.0/16 dev wlo1 proto kernel scope link metric 400
PackageArchitecture: all
Profile1Extensions: extensions.sqlite corrupt or missing
Profile1IncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
Profile1Locales: extensions.sqlite corrupt or missing
Profile1PrefSources: prefs.js
Profile1Themes: extensions.sqlite corrupt or missing
Profiles:
 Profile0 (Default) - LastVersion=41.0a2/20150805004014 (Out of date)
 Profile1 - LastVersion=41.0a2/20150805004014 (Out of date)
RunningIncompatibleAddons: False
SourcePackage: mozvoikko
UpgradeStatus: No upgrade log present (probably fresh install)

Aminda Suomalainen (mikaela) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mozvoikko (Ubuntu):
status: New → Confirmed
Changed in mozvoikko (Ubuntu):
importance: Undecided → High
Timo Jyrinki (timo-jyrinki) wrote :

Upstream has now released a 2.2 release together with signed XPI:

http://voikko.puimula.org/sources.html

I tested that just building a new deb package out of the new sources (with unmodified upstream files) does not get rid of the warning, i.e. it does not seem to be enough that the contents match an extension that has been signed by Mozilla. What else should be done, or am I missing something?

Aminda Suomalainen (mikaela) wrote :

I think you need the signature file from Mozilla somehow.

summary: - xul-ext-mozvoikko isn't signed (cannot be loaded on Mozilla Firefox
- 41.0a2)
+ [SRU] xul-ext-mozvoikko isn't signed (cannot be loaded on Mozilla
+ Firefox 41.0a2)
description: updated
Timo Jyrinki (timo-jyrinki) wrote :

I've tested https://launchpad.net/~timo-jyrinki/+archive/ubuntu/voikkotest2/ on 15.10 and 14.04 LTS, both seem to work fine. The "2" PPA corresponds to the bzr branches commits "Use a more proper install method and only use the signatures from the upstream xpi".

The extension seems both verified in Firefox UI and continues to work.
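
The comments above turn on two points: a package rebuilt from identical sources carries no signature files, and signature files taken from the upstream XPI only help if the shipped files are byte-identical to what was signed. The following is an added example, not code from the mozvoikko packaging or from Mozilla. It assumes the JAR-style layout of Mozilla-signed XPIs (`META-INF/manifest.mf`, `mozilla.sf`, `mozilla.rsa`) with SHA1 digests in the manifest; `check_xpi` and `build_sample` are hypothetical names, and the sample archive is constructed.

```python
import base64, hashlib, io, zipfile

# Assumed layout: JAR-style signature files as found in Mozilla-signed XPIs.
SIG_FILES = ("META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa")

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def parse_manifest(text):
    """Return {entry name: base64 SHA1 digest} from a JAR-style manifest."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests

def check_xpi(data):
    """Structural check only: the PKCS#7 signature in mozilla.rsa is NOT verified."""
    report = {"missing": [], "mismatch": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        report["missing"] = [s for s in SIG_FILES if s not in names]
        if SIG_FILES[0] not in names:
            return report  # nothing to compare against
        digests = parse_manifest(z.read(SIG_FILES[0]).decode("utf-8"))
        for n in names:
            if n.startswith("META-INF/"):
                continue
            if n not in digests:
                report["unlisted"].append(n)      # shipped but never signed
            elif digests[n] != sha1_b64(z.read(n)):
                report["mismatch"].append(n)      # changed after signing
    return report

def build_sample(files, signed_files=None):
    """Constructed sample: XPI-like zip; signature blobs are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
        if signed_files is not None:
            entries = "".join("Name: %s\nDigest-Algorithms: SHA1\nSHA1-Digest: %s\n\n"
                              % (n, sha1_b64(b)) for n, b in signed_files.items())
            z.writestr(SIG_FILES[0], "Manifest-Version: 1.0\n\n" + entries)
            z.writestr(SIG_FILES[1], "placeholder")
            z.writestr(SIG_FILES[2], "placeholder")
    return buf.getvalue()
```

A clean report here means only that the archive is structurally consistent with its manifest; whether Firefox accepts the signature is a separate question.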

description: updated
Chris Coulson (chrisccoulson) wrote :

I tested this and it doesn't work (note that the requirement for extension signing has been pushed back another Firefox release. If you're testing with Firefox 41, then you need to enable xpinstall.signatures.required). I suspect the addon has only had a preliminary review, which is sufficient for addons that are installed via the addon manager UI (such as those hosted on addons.mozilla.org). "Side-loaded" addons (those dropped in to Firefox by external software) require a full review in order to pass the extension signing check.

Honestly, it would be better if this addon was just hosted on addons.mozilla.org like most other addons. The only reasons it remained in the archive when we removed every other Firefox addon were that it contained a binary component and that upstream didn't provide a downloadable version of the addon. Neither of these are applicable anymore (the addon is all JS, and there is a downloadable xpi that will run on every architecture and every Ubuntu release).

Timo Jyrinki (timo-jyrinki) wrote :

The spellchecker is part of the default Ubuntu installation. Losing it from the archives would mean that 90%+ of the users would probably simply not have spell-checking, since average users are not familiar with extensions or that a spell-checking would be available from there, especially as it's not shown in Firefox's "get more dictionaries" functionality.

I don't see how it'd be better for the extension to be on AMO only other than for not needing to maintain it in Ubuntu. Unlike other extensions that were removed, this one is in main and part of the default installation - similar to ubufox.

But if AMO only is wanted, then mozvoikko should be removed from the archives for all Ubuntu versions.
