<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">One comment inline.<br>
<pre class="moz-signature" cols="72">Sincerely,
Jason Smith
Desktop QA Engineer
Mozilla Corporation
<a class="moz-txt-link-freetext" href="https://quality.mozilla.com">https://quality.mozilla.com</a></pre>
On 2/13/2013 10:47 AM, Caitlin Galimidi wrote:<br>
</div>
<blockquote
cite="mid:1400320584.1048140.1360781251054.JavaMail.root@mozilla.com"
type="cite">
<style type="text/css">p { margin: 0; }</style>
<div style="font-family: arial,helvetica,sans-serif; font-size:
10pt; color: #000000">Bsmith - like your approach here. I want
to make sure we're clear for both builds: Shira Feb 15th and
MWC.<br>
<br>
Here is my understanding. <br>
jsmith, bsmith, rtilder, robhudson: please blast me where I'm
wrong.<br>
<br>
<u><b>Apps on Current Builds: <br>
</b></u><br>
(Shira - Feb 15)<br>
- Nokia Maps needs production cert<br>
- Gaia Calculator needs production cert<br>
<br>
MWC<br>
- Nokia Maps will be demo'd in the Nokia booth, currently has
test cert<br>
- Gaia Calculator though not for demo, should work at MWC.
currently has test cert<br>
<br>
<br>
<u><b>Proposed Solution:</b></u><br>
<br>
(Shira - Feb 15)<br>
- replace test cert with production cert on Nokia Maps and Gaia
Calculator<br>
- remove test cert from device<br>
- Marketplace ensures production certs on Nokia Maps and Gaia
Calculator<br>
<br>
MWC:<br>
- add production cert to phone, Nokia Maps and Gaia Calculator,
do not remove test cert<br>
- Marketplace can complete work on packaged apps without impact
to apps on MWC<br>
</div>
</blockquote>
<br>
Not exactly. If marketplace moves forward and resigns the apps, that
opens up a new, untested path to installing of signed privileged
packaged apps. I'd rather stray away from even doing this.<br>
<br>
I want a "low to zero risk" situation preferably that does not mess
around with things close to a MWC demo, so that we don't get
surprised in case we need to:<br>
<ol>
<li>Install privileged packaged apps in Barcelona</li>
<li>Recover from a packaged app getting into a bad state -
uninstall and install it again</li>
<li>etc of other possible worst case situations</li>
</ol>
<p>I'd do the following:<br>
</p>
<ol>
<li>Move forward with putting both certs on the device (test &
prod) asap<br>
</li>
<li>Hold on resigning marketplace packaged apps to the prod cert
until after MWC<br>
</li>
<li>After MWC, resign marketplace packaged apps to prod cert - get
sanity testing checks by the QA guys</li>
<li>After #3, Yank the test cert off the devices - get more sanity
testing checks by the QA guys</li>
</ol>
<blockquote
cite="mid:1400320584.1048140.1360781251054.JavaMail.root@mozilla.com"
type="cite">
<div style="font-family: arial,helvetica,sans-serif; font-size:
10pt; color: #000000"><br>
<br>
<br>
Did I understand correctly?<br>
<br>
<br>
<div>~pmpcat<span name="x"></span><br>
</div>
<br>
<hr id="zwchr">
<blockquote style="border-left:2px solid
#1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;">Alex
Keybl wrote:<br>
> These are two separate goals. For MWC, we should be using
a<br>
> developer-built image so that last minute changes (like a
swap of<br>
> certs) can be made to the demo images.<br>
<br>
Keep in mind that the marketplace server must deliver packages
that have been signed with a certificate that the phone
trusts.<br>
<br>
Consider these scenerios:<br>
<br>
* We don't switch the certificate on the phone, Marketplace
doesn't re-sign all its apps with the new cert: Everything
works fine.<br>
<br>
* We DO switch the certificate on the phone, Marketplace does
re-sign all its apps with the new cert: Everything works fine.<br>
<br>
* We don't switch the certificate on the phone, Marketplace
does re-sign all the apps with the new cert: You won't be able
to install any packaged apps from the marketplace.<br>
<br>
* We DO switch the certificate on the phone, Marketplace
doesn't re-sign all the apps with the new cert: You won't be
able to install any packaged apps from the marketplace.<br>
<br>
Consider what happens if we don't switch the certificate
before the "Golden" MWC build. Then, if we want to demo
packaged app installation at MWC, we won't be able to have the
marketplace re-sign the apps in the marketplace until after
MWC. And, that would mean that we can't switch the certificate
on the phone until after MWC.<br>
<br>
The main risk is that we switch the certificate before the
Golden MWC build, but some problem comes up where the
marketplace cannot re-sign all its apps. Then we won't be able
to demo packaged app installation at MWC at all.<br>
<br>
I suggest that we solve this problem by installing the new
certificate on the phone TODAY, AND keep the old certificate
on the phone. Then the marketplace team will have maximum
flexibility in dealing with any issues that come up, because
the phone will trust apps signed with either certificate.
Then, once we are confident that the new cert is working and
all the apps have been re-signed, we can remove the old
certificate--perhaps even during MWC.<br>
<br>
Cheers,<br>
Brian<br>
_______________________________________________<br>
Packagedapps mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:Packagedapps@mozilla.org">Packagedapps@mozilla.org</a><br>
<a class="moz-txt-link-freetext" href="https://mail.mozilla.org/listinfo/packagedapps">https://mail.mozilla.org/listinfo/packagedapps</a><br>
</blockquote>
<br>
</div>
</blockquote>
<br>
</body>
</html>