Request for quick review of passbolt extension

Hello.

We have a major release of passbolt (open source password manager for teams) planned to go out today. It would be great if one reviewer could have a quick look at our extension and approve it if possible. With the release, some of our users might suffer from backward compatibility issues which we’d like to avoid. Even though it’s a major release, the changes on the extension are minor, so the review process should be pretty straightforward.

We know that you are all super busy, but maybe @erosman or @sylvaing, in case one of you guys would have 5 minutes to spare? We understand if it’s not possible.

Thank you very much for your work and continued support!

Kevin & passbolt team.


What is the AMO URL (not the developer link) of the addon?

This is the link: https://addons.mozilla.org/en-US/firefox/addon/passbolt/

Thanks.

The review will not be available to me for another 24 hours.

As a suggestion (maybe for next upgrade), it would be better to move the JSON Object for privateKey to a dedicated JSON file.

Please consider storing your objects/patterns in non-executable local JSON files and load and parse via XHR or similar API (if applicable).

The included data/vendors/jquery.min.js does not match our hash checksum either.

Hello @erosman,

Thank you very much for having a look on such short notice and for your suggestions. We will delay the release until tomorrow.

Concerning the jquery.min.js hash, for
openssl dgst -sha256 -binary jquery.min.js | openssl base64 -A
I’m getting
sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44=
which is the same hash advertised for version 2.2.4 on the jQuery website. What hash did you get? Maybe since there is no version mentioned your tool is expecting version 3?

I also wanted to reply to hear more about your suggestions. Our plan for the next release is to make the Firefox plugin compatible with webextension. It is my understanding that file system access is not a standard feature, so could you clarify how you envision storing the JSON files? Would you recommend using: https://wiki.mozilla.org/WebExtensions/Filesystem to store such files or did you have something else in mind?

Thanks a lot for your inputs,
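The check discussed in the post above, generalized to every vendored library in a package, as an added example that is not part of the original thread or of passbolt's code. The manifest format (one "relative-path expected-hash" pair per line) and the function names are assumptions made for illustration; the hash command is the one quoted in the post.

```shell
#!/bin/sh
# Added example: verify vendored libraries against pinned hashes before
# submitting an extension for review. Manifest format is an assumption:
#   <path relative to extension root> <sha256-BASE64DIGEST>
# Blank lines and lines starting with '#' are ignored.

# Print the hash of FILE in the "sha256-<base64>" form used in the thread.
sri_sha256() {
    printf 'sha256-%s\n' "$(openssl dgst -sha256 -binary "$1" | openssl base64 -A)"
}

# verify_vendored MANIFEST ROOT
# Prints one status line per entry and returns 1 if any file is missing
# or its hash differs from the pinned value.
verify_vendored() {
    manifest=$1
    root=$2
    rc=0
    while read -r path expected || [ -n "$path" ]; do
        case $path in
            ''|'#'*) continue ;;
        esac
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        actual=$(sri_sha256 "$root/$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Usage (hypothetical manifest name):
#   verify_vendored vendor-hashes.txt /path/to/extension
```

A mismatch only says the file differs from the pinned value; whether that value is still on a reviewer's accepted list is a separate question, as the rest of the thread shows.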

AMO has started to remove older libraries from the acceptable hashes. It is best to use the more recent ones (e.g. jQuery 3.*).

AFA JSON, the one I referred to was including the JSON in the addon so there is no need to save anything.

If you need to save/store data, the storage API is the only one available at the moment (it has a 5 MB JSON limit). There is an indexedDB planned.

Gotcha, you were talking about the objects we use like for the debug screen in profiles.js.
Noted, we’ll do that.

Hello @erosman.

Is there any chance that our extension will be approved today? Just to know if we should wait for it before we do our launch. If it’s not possible, no issues, we’ll organize accordingly and do the launch in 2 parts.

Many thanks!

I don't know. I had a quick look at the time and it is not a minor upgrade. There is a lot of extra code which would take time to review. You can try the IRC to see if anyone is free to do it today.