<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: tahoma,new york,times,serif; font-size: 10pt; color: #000000'>Hi Jason,<br>There has been some confusion regarding v1.0.1 (Shira) CF blockers. Per Andreas, only Shira+ bugs have to be closed by 2/15. Work will continue on TEF+ after 2/15. <br><br>Michael<br><br><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Jason Smith" <jsmith@mozilla.com><br><b>To: </b>b2g-release-drivers@mozilla.org<br><b>Cc: </b>"Packaged Apps" <packagedapps@mozilla.org><br><b>Sent: </b>Tuesday, February 12, 2013 6:04:44 PM<br><b>Subject: </b>Switching to marketplace's production cert on b2g devices (tef+ blocker) vs. Producing a MWC golden build by this Friday - Risk?<br><br>
Hi B2G Release Drivers,<br>
<br>
In talking in #packagedapps, a group of us have discovered a
potential conflict of objectives of meeting "zero" tef+ blockers by
Feb 15th and producing a MWC golden build for FF OS demos by this
Friday. The problem in summary is the following:<br>
<br>
QA has a requirement that we have to produce a golden build for MWC
demos by this Friday for FF OS. However, we also have a tef+ blocker
(bug 822944) and related marketplace bugs (bug 819053 & bug
840782) that when landed, will change what certificate we check
against when we install a privileged packaged app. As a result, when
all three of these bugs have landed, if I grabbed an older build of
FF OS without the prod certs, you won't be able to install a
privileged app.<br>
<br>
The big potential risk in the following:<br>
<br>
The golden build QA signs off for FF OS does not include production
certs. However, we then land the three bugs to switch over the prod
certs. As a result, the golden build can no longer be used to
install privileged packaged apps. We would then need to generate new
builds containing the production certs to be able to install those
apps. However, generating a new build injects the risk that the
build hasn't been vetted for in QA signoff, resulting in quality
risks to various FF OS MWC demos.<br>
<br>
I'd like some insight to address the following question:<br>
<br>
When should we switch over to the production certs taking into
account the problem and risk stated above?<br>
<br>
Thoughts?<br>
<br>
References:<br>
<ul>
<li><a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=822944" target="_blank">https://bugzilla.mozilla.org/show_bug.cgi?id=822944</a> - Replace
marketplace cert with final version (with production key) = tef+<br>
</li>
<li><a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=819053" target="_blank">https://bugzilla.mozilla.org/show_bug.cgi?id=819053</a> - Create
public certificate for signing apps on prod = marketplace
related bug</li>
<li><a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=840782" target="_blank">https://bugzilla.mozilla.org/show_bug.cgi?id=840782</a> - Re-sign
apps once official cert is in place = marketplace related bug<br>
</li>
</ul>
<pre class="moz-signature">--
Sincerely,
Jason Smith
Desktop QA Engineer
Mozilla Corporation
<a class="moz-txt-link-freetext" href="https://quality.mozilla.com" target="_blank">https://quality.mozilla.com</a></pre>
<br>_______________________________________________<br>B2g-release-drivers mailing list<br>B2g-release-drivers@mozilla.org<br>https://mail.mozilla.org/listinfo/b2g-release-drivers<br></div><br></div></body></html>