<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Or Brian Smith just beat me to it.<br>
<pre class="moz-signature" cols="72">Sincerely,
Jason Smith
Desktop QA Engineer
Mozilla Corporation
<a class="moz-txt-link-freetext" href="https://quality.mozilla.com">https://quality.mozilla.com</a></pre>
On 2/13/2013 12:57 PM, Jason Smith wrote:<br>
</div>
<blockquote cite="mid:511BFE46.1010105@mozilla.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Sounds good. I'll get the bugs filed.<br>
<pre class="moz-signature" cols="72">Sincerely,
Jason Smith
Desktop QA Engineer
Mozilla Corporation
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://quality.mozilla.com">https://quality.mozilla.com</a></pre>
On 2/13/2013 12:17 PM, Alex Keybl wrote:<br>
</div>
<blockquote
cite="mid:E1674507-7493-4418-B98B-C5995725295A@mozilla.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
Andreas has already noted that
<div><br>
</div>
<div>
<blockquote type="cite">We can always switch certs later. We
don't need that by 2/15.</blockquote>
<br>
</div>
<div>So we need a tef+ bug (this impacts v1.0.0 as well) on file
for having 2 certs active at once, and a tef+ bug on file to
remove the pre-release cert.</div>
<div><br>
</div>
<div>-Alex</div>
<div><br>
<div>
<div>On Feb 13, 2013, at 12:14 PM, Ryan Tilder <<a
moz-do-not-send="true" href="mailto:rtilder@mozilla.com">rtilder@mozilla.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Does the build due for
Friday have requirements that it be a general
availability/gold release for use by every day
consumers? If so, having the test certificate
installed on the device is a possible attack vector
and hence subwonderful. If that is not a requirement
then I see no problem with multiple certs. I was
under the impression that the Shira build for the 15th
did have such a requirement.<br>
<br>
--Ryan<br>
<br>
<br>
On 2/13/13 11:54 AM, Jason Smith wrote:<br>
</div>
<blockquote cite="mid:511BEF5F.9000802@mozilla.com"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">One comment inline.<br>
<pre class="moz-signature" cols="72">Sincerely,
Jason Smith
Desktop QA Engineer
Mozilla Corporation
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://quality.mozilla.com/">https://quality.mozilla.com</a></pre>
On 2/13/2013 10:47 AM, Caitlin Galimidi wrote:<br>
</div>
<blockquote
cite="mid:1400320584.1048140.1360781251054.JavaMail.root@mozilla.com"
type="cite">
<style type="text/css">p { margin: 0; }</style>
<div style="font-family: arial, helvetica,
sans-serif; font-size: 10pt; ">Bsmith - like your
approach here. I want to make sure we're clear for
both builds: Shira Feb 15th and MWC.<br>
<br>
Here is my understanding. <br>
jsmith, bsmith, rtilder, robhudson: please blast
me where I'm wrong.<br>
<br>
<u><b>Apps on Current Builds: <br>
</b></u><br>
(Shira - Feb 15)<br>
- Nokia Maps needs production cert<br>
- Gaia Calculator needs production cert<br>
<br>
MWC<br>
- Nokia Maps will be demo'd in the Nokia booth,
currently has test cert<br>
- Gaia Calculator though not for demo, should work
at MWC. currently has test cert<br>
<br>
<br>
<u><b>Proposed Solution:</b></u><br>
<br>
(Shira - Feb 15)<br>
- replace test cert with production cert on Nokia
Maps and Gaia Calculator<br>
- remove test cert from device<br>
- Marketplace ensures production certs on Nokia
Maps and Gaia Calculator<br>
<br>
MWC:<br>
- add production cert to phone, Nokia Maps and
Gaia Calculator, do not remove test cert<br>
- Marketplace can complete work on packaged apps
without impact to apps on MWC<br>
</div>
</blockquote>
<br>
Not exactly. If marketplace moves forward and resigns
the apps, that opens up a new, untested path to
installing of signed privileged packaged apps. I'd
rather stray away from even doing this.<br>
<br>
I want a "low to zero risk" situation preferably that
does not mess around with things close to a MWC demo,
so that we don't get surprised in case we need to:<br>
<ol>
<li>Install privileged packaged apps in Barcelona</li>
<li>Recover from a packaged app getting into a bad
state - uninstall and install it again</li>
<li>etc of other possible worst case situations</li>
</ol>
<p>I'd do the following:<br>
</p>
<ol>
<li>Move forward with putting both certs on the
device (test & prod) asap<br>
</li>
<li>Hold on resigning marketplace packaged apps to
the prod cert until after MWC<br>
</li>
<li>After MWC, resign marketplace packaged apps to
prod cert - get sanity testing checks by the QA
guys</li>
<li>After #3, Yank the test cert off the devices -
get more sanity testing checks by the QA guys</li>
</ol>
<br>
</blockquote>
<br>
</div>
_______________________________________________<br>
Packagedapps mailing list<br>
<a moz-do-not-send="true"
href="mailto:Packagedapps@mozilla.org">Packagedapps@mozilla.org</a><br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://mail.mozilla.org/listinfo/packagedapps">https://mail.mozilla.org/listinfo/packagedapps</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Packagedapps mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Packagedapps@mozilla.org">Packagedapps@mozilla.org</a>
<a class="moz-txt-link-freetext" href="https://mail.mozilla.org/listinfo/packagedapps">https://mail.mozilla.org/listinfo/packagedapps</a>
</pre>
</blockquote>
<br>
</body>
</html>