<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Does the build due for Friday have
requirements that it be a general availability/gold release for
use by everyday consumers? If so, having the test certificate
installed on the device is a possible attack vector and hence
subwonderful. If that is not a requirement then I see no problem
with multiple certs. I was under the impression that the Shira
build for the 15th did have such a requirement.<br>
<br>
--Ryan<br>
<br>
<br>
On 2/13/13 11:54 AM, Jason Smith wrote:<br>
</div>
<blockquote cite="mid:511BEF5F.9000802@mozilla.com" type="cite">
<div class="moz-cite-prefix">One comment inline.<br>
<pre class="moz-signature" cols="72">Sincerely,
Jason Smith
Desktop QA Engineer
Mozilla Corporation
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://quality.mozilla.com">https://quality.mozilla.com</a></pre>
On 2/13/2013 10:47 AM, Caitlin Galimidi wrote:<br>
</div>
<blockquote
cite="mid:1400320584.1048140.1360781251054.JavaMail.root@mozilla.com"
type="cite">
<style type="text/css">p { margin: 0; }</style>
<div style="font-family: arial,helvetica,sans-serif; font-size:
10pt; color: #000000">Bsmith - like your approach here. I want
to make sure we're clear for both builds: Shira Feb 15th and
MWC.<br>
<br>
Here is my understanding. <br>
jsmith, bsmith, rtilder, robhudson: please blast me where I'm
wrong.<br>
<br>
<u><b>Apps on Current Builds: <br>
</b></u><br>
(Shira - Feb 15)<br>
- Nokia Maps needs production cert<br>
- Gaia Calculator needs production cert<br>
<br>
MWC<br>
- Nokia Maps will be demo'd in the Nokia booth, currently has
test cert<br>
- Gaia Calculator, though not for demo, should work at MWC;
currently has test cert<br>
<br>
<br>
<u><b>Proposed Solution:</b></u><br>
<br>
(Shira - Feb 15)<br>
- replace test cert with production cert on Nokia Maps and
Gaia Calculator<br>
- remove test cert from device<br>
- Marketplace ensures production certs on Nokia Maps and Gaia
Calculator<br>
<br>
MWC:<br>
- add production cert to phone, Nokia Maps and Gaia
Calculator, do not remove test cert<br>
- Marketplace can complete work on packaged apps without
impact to apps on MWC<br>
</div>
</blockquote>
<br>
Not exactly. If marketplace moves forward and re-signs the apps,
that opens up a new, untested path to installing signed
privileged packaged apps. I'd rather stray away from even doing
this.<br>
<br>
I want a "low to zero risk" situation preferably that does not
mess around with things close to a MWC demo, so that we don't get
surprised in case we need to:<br>
<ol>
<li>Install privileged packaged apps in Barcelona</li>
<li>Recover from a packaged app getting into a bad state -
uninstall and install it again</li>
<li>etc. of other possible worst-case situations</li>
</ol>
<p>I'd do the following:<br>
</p>
<ol>
<li>Move forward with putting both certs on the device (test
&amp; prod) asap<br>
</li>
<li>Hold on re-signing marketplace packaged apps to the prod cert
until after MWC<br>
</li>
<li>After MWC, re-sign marketplace packaged apps to prod cert -
get sanity testing checks by the QA guys</li>
<li>After #3, yank the test cert off the devices - get more
sanity testing checks by the QA guys</li>
</ol>
<br>
</blockquote>
<br>
</body>
</html>