Posted to infrastructure-dev@apache.org by Om <bi...@gmail.com> on 2012/07/17 06:26:07 UTC

Apache Flex: Digitally Signing Air Applications

Hi,

As the first release of Apache Flex is being worked on, we are planning to
put out an installer application written in Flex + AIR as a convenience
utility.  This page
http://people.apache.org/~bigosmallm/installapacheflex/ lets you
download a binary file which is the installer.

Should the installer be signed in the same way as the Apache Flex SDK
binary is signed?  The process for signing AIR apps is described here [1].
How do we do this in the Apache way?

[1]
http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html

Thanks,
Om
Apache Flex PPMC Member

Re: Apache Flex: Digitally Signing Air Applications

Posted by OmPrakash Muppirala <om...@gmail.com>.
On Jul 18, 2012 1:43 AM, "Tony Stevenson" <pc...@apache.org> wrote:
>
> Om wrote on Wed, Jul 18, 2012 at 01:39:10AM -0700:
> > On Wed, Jul 18, 2012 at 12:02 AM, Tony Stevenson <pc...@apache.org> wrote:
> >
> > > Daniel Shahaf wrote on Wed, Jul 18, 2012 at 01:25:38AM +0100:
> > > > PGP-sign it as well, then.  That's the standard way all artifacts are
> > > > signed (and centrally verified).
> > > >
> > > > For future reference infra-dev@ is a public list, why didn't you CC
> > > > flex-dev@?
> > > >
> > > > Om wrote on Mon, Jul 16, 2012 at 21:26:07 -0700:
> > > > > Hi,
> > > > >
> > > > > As the first release of Apache Flex is being worked on, we are planning to
> > > > > put out an installer application written in Flex + AIR as a convenience
> > > > > utility.  This page
> > > > > http://people.apache.org/~bigosmallm/installapacheflex/ lets you
> > > > > download a binary file which is the installer.
> > >
> > > Hi,
> > >
> > > You should NOT be using this machine to host installers.  This is not
> > > the correct location, to start with it is not intended for this purpose;
> > > it should be part of the installer/download process which uses the
> > > mirrors.
> > >
> > >
> > Tony,
> >
> > We are using this location for testing purposes only.  Please take a look
> > at this thread:
> > http://markmail.org/thread/eggrgs42a5idjyxc#query:+page:1+mid:s3srogtcgomskn3d+state:results.
> >
> >
> > I understand that when we promote it for the actual release, it should be
> > downloaded only from the mirrors.
> >
> > Please let me know if the
> > people.apache.org/~bigosmallm/installapacheflex/ page should not be
> > used for the purpose of testing of the installers by the
> > flex-dev developers, I will take it down right away.
>
> Testing for developers is fine, but for any live/production/release/etc
> it should never be pointed at people.a.o for anything, not even an html
> page with embedded swf file that points you away to elsewhere.
>

Got it!

Thanks,
Om

> Thanks.
>
> >
> > In that case, can you please suggest an appropriate place for us to host
> > and test the installers?
> >
> > Thanks,
> > Om
>
> --
> Cheers,
> Tony
>
> ---------------------------------------------------------------
> Tony Stevenson
>
> tony@pc-tony.com // pctony@apache.org // tony@caret.cam.ac.uk
> GPG: 1024D/51047D66
> http://www.pc-tony.com
> ---------------------------------------------------------------
>

Re: Apache Flex: Digitally Signing Air Applications

Posted by Tony Stevenson <pc...@apache.org>.
Om wrote on Wed, Jul 18, 2012 at 01:39:10AM -0700:
> On Wed, Jul 18, 2012 at 12:02 AM, Tony Stevenson <pc...@apache.org> wrote:
> 
> > Daniel Shahaf wrote on Wed, Jul 18, 2012 at 01:25:38AM +0100:
> > > PGP-sign it as well, then.  That's the standard way all artifacts are
> > > signed (and centrally verified).
> > >
> > > For future reference infra-dev@ is a public list, why didn't you CC
> > > flex-dev@?
> > >
> > > Om wrote on Mon, Jul 16, 2012 at 21:26:07 -0700:
> > > > Hi,
> > > >
> > > > As the first release of Apache Flex is being worked on, we are planning to
> > > > put out an installer application written in Flex + AIR as a convenience
> > > > utility.  This page
> > > > http://people.apache.org/~bigosmallm/installapacheflex/ lets you
> > > > download a binary file which is the installer.
> >
> > Hi,
> >
> > You should NOT be using this machine to host installers.  This is not
> > the correct location, to start with it is not intended for this purpose;
> > it should be part of the installer/download process which uses the
> > mirrors.
> >
> >
> Tony,
> 
> We are using this location for testing purposes only.  Please take a look
> at this thread:
> http://markmail.org/thread/eggrgs42a5idjyxc#query:+page:1+mid:s3srogtcgomskn3d+state:results.
> 
> 
> I understand that when we promote it for the actual release, it should be
> downloaded only from the mirrors.
> 
> Please let me know if the
> people.apache.org/~bigosmallm/installapacheflex/ page should not be
> used for the purpose of testing of the installers by the
> flex-dev developers, I will take it down right away.

Testing for developers is fine, but for any live/production/release/etc
it should never be pointed at people.a.o for anything, not even an html
page with embedded swf file that points you away to elsewhere.

Thanks.

> 
> In that case, can you please suggest an appropriate place for us to host
> and test the installers?
> 
> Thanks,
> Om

-- 
Cheers,
Tony

---------------------------------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org // tony@caret.cam.ac.uk
GPG: 1024D/51047D66
http://www.pc-tony.com
---------------------------------------------------------------


Re: Apache Flex: Digitally Signing Air Applications

Posted by Om <bi...@gmail.com>.
On Wed, Jul 18, 2012 at 12:02 AM, Tony Stevenson <pc...@apache.org> wrote:

> Daniel Shahaf wrote on Wed, Jul 18, 2012 at 01:25:38AM +0100:
> > PGP-sign it as well, then.  That's the standard way all artifacts are
> > signed (and centrally verified).
> >
> > For future reference infra-dev@ is a public list, why didn't you CC
> > flex-dev@?
> >
> > Om wrote on Mon, Jul 16, 2012 at 21:26:07 -0700:
> > > Hi,
> > >
> > > As the first release of Apache Flex is being worked on, we are planning to
> > > put out an installer application written in Flex + AIR as a convenience
> > > utility.  This page
> > > http://people.apache.org/~bigosmallm/installapacheflex/ lets you
> > > download a binary file which is the installer.
>
> Hi,
>
> You should NOT be using this machine to host installers.  This is not
> the correct location, to start with it is not intended for this purpose;
> it should be part of the installer/download process which uses the
> mirrors.
>
>
Tony,

We are using this location for testing purposes only.  Please take a look
at this thread:
http://markmail.org/thread/eggrgs42a5idjyxc#query:+page:1+mid:s3srogtcgomskn3d+state:results.


I understand that when we promote it for the actual release, it should be
downloaded only from the mirrors.

Please let me know if the
people.apache.org/~bigosmallm/installapacheflex/ page should not be
used for the purpose of testing of the installers by the
flex-dev developers, I will take it down right away.

In that case, can you please suggest an appropriate place for us to host
and test the installers?

Thanks,
Om

Re: Apache Flex: Digitally Signing Air Applications

Posted by Tony Stevenson <pc...@apache.org>.
Daniel Shahaf wrote on Wed, Jul 18, 2012 at 01:25:38AM +0100:
> PGP-sign it as well, then.  That's the standard way all artifacts are
> signed (and centrally verified).
> 
> For future reference infra-dev@ is a public list, why didn't you CC flex-dev@?
> 
> Om wrote on Mon, Jul 16, 2012 at 21:26:07 -0700:
> > Hi,
> > 
> > As the first release of Apache Flex is being worked on, we are planning to
> > put out an installer application written in Flex + AIR as a convenience
> > utility.  This page
> > http://people.apache.org/~bigosmallm/installapacheflex/ lets you
> > download a binary file which is the installer.

Hi, 

You should NOT be using this machine to host installers.  This is not
the correct location, to start with it is not intended for this purpose;
it should be part of the installer/download process which uses the
mirrors.  

-- 
Cheers,
Tony

---------------------------------------------------------------
Tony Stevenson

tony@pc-tony.com // pctony@apache.org // tony@caret.cam.ac.uk
GPG: 1024D/51047D66
http://www.pc-tony.com
---------------------------------------------------------------


Re: Apache Flex: Digitally Signing Air Applications

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
sebb wrote on Wed, Jul 18, 2012 at 02:00:05 +0100:
> On 18 July 2012 01:46, Om <bi...@gmail.com> wrote:
> > On Tue, Jul 17, 2012 at 5:25 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> >
> >> PGP-sign it as well, then.  That's the standard way all artifacts are
> >> signed (and centrally verified).
> >>
> >>
> > To be clear, are you suggesting that I sign it twice, once using the AIR
> > signing process and then sign that artifact using the PGP-sign process?
> > Can you please point me to some documentation for PGP-signing
> > artifacts?  Is this typically done by the Release Manager, or can any
> > committer do this for a release?
> >
> >
> >> For future reference infra-dev@ is a public list, why didn't you CC
> >> flex-dev@?
> >>
> >
> > Apologies for the confusion.  I was told by our PPMC mentor, Dave Fisher
> > (cc-ing him here) that infra-dev is a private list.
> 
> One way to check this in future is to look at the mailing lists available here:
> 
> http://mail-archives.apache.org/mod_mbox/
> 
> That URL is available to all so all the lists shown there are public.

And vice-versa, i.e., all public lists are on that page.  (provided they
have been posted to at least once)

Re: Apache Flex: Digitally Signing Air Applications

Posted by sebb <se...@gmail.com>.
On 18 July 2012 01:46, Om <bi...@gmail.com> wrote:
> On Tue, Jul 17, 2012 at 5:25 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>
>> PGP-sign it as well, then.  That's the standard way all artifacts are
>> signed (and centrally verified).
>>
>>
> To be clear, are you suggesting that I sign it twice, once using the AIR
> signing process and then sign that artifact using the PGP-sign process?
> Can you please point me to some documentation for PGP-signing
> artifacts?  Is this typically done by the Release Manager, or can any
> committer do this for a release?
>
>
>> For future reference infra-dev@ is a public list, why didn't you CC
>> flex-dev@?
>>
>
> Apologies for the confusion.  I was told by our PPMC mentor, Dave Fisher
> (cc-ing him here) that infra-dev is a private list.

One way to check this in future is to look at the mailing lists available here:

http://mail-archives.apache.org/mod_mbox/

That URL is available to all so all the lists shown there are public.

> Thanks,
> Om
>
>
>> Om wrote on Mon, Jul 16, 2012 at 21:26:07 -0700:
>> > Hi,
>> >
>> > As the first release of Apache Flex is being worked on, we are planning to
>> > put out an installer application written in Flex + AIR as a convenience
>> > utility.  This page
>> > http://people.apache.org/~bigosmallm/installapacheflex/ lets you
>> > download a binary file which is the installer.
>> >
>> > Should the installer be signed in the same way as the Apache Flex SDK
>> > binary is signed?  The process for signing AIR apps is described here [1].
>> > How do we do this in the Apache way?
>> >
>> > [1]
>> > http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
>> >
>> > Thanks,
>> > Om
>> > Apache Flex PPMC Member
>>

Re: Apache Flex: Digitally Signing Air Applications

Posted by Dave Fisher <da...@comcast.net>.
On Jul 17, 2012, at 5:46 PM, Om wrote:

> On Tue, Jul 17, 2012 at 5:25 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> PGP-sign it as well, then.  That's the standard way all artifacts are
> signed (and centrally verified).
> 
>  
> To be clear, are you suggesting that I sign it twice, once using the AIR signing process and then sign that artifact using the PGP-sign process?  Can you please point me to some documentation for PGP-signing artifacts?  Is this typically done by the Release Manager, or can any committer do this for a release?
>  
> For future reference infra-dev@ is a public list, why didn't you CC flex-dev@?
> 
> Apologies for the confusion.  I was told by our PPMC mentor, Dave Fisher (cc-ing him here) that infra-dev is a private list.  

And I gather I was confused. My apologies.

The PGP signature is detached from the artifact. We can restart this on flex-dev.

Regards,
Dave

> 
> Thanks,
> Om 
> 
> 
> Om wrote on Mon, Jul 16, 2012 at 21:26:07 -0700:
> > Hi,
> >
> > As the first release of Apache Flex is being worked on, we are planning to
> > put out an installer application written in Flex + AIR as a convenience
> > utility.  This page
> > http://people.apache.org/~bigosmallm/installapacheflex/ lets you
> > download a binary file which is the installer.
> >
> > Should the installer be signed in the same way as the Apache Flex SDK
> > binary is signed?  The process for signing AIR apps is described here [1].
> > How do we do this in the Apache way?
> >
> > [1]
> > http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
> >
> > Thanks,
> > Om
> > Apache Flex PPMC Member
> 
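
An added example, not part of the thread or of any Apache release tooling: a detached PGP signature is written to a separate `.asc` file and leaves the artifact byte-identical, so it can sit beside an installer that already carries an AIR signature, and verification fails once the artifact changes. It assumes GnuPG 2.1 or later; the file name `installer-demo.air`, the user ID and the throwaway key are constructed placeholders.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway keyring, throwaway key, and a stand-in file.
# "installer-demo.air" and the user ID are placeholders, not project values.

setup_demo() {
    WORK="$(mktemp -d)" || return 1
    export GNUPGHOME="$WORK/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1
    ARTIFACT="$WORK/installer-demo.air"
    printf 'stand-in for an installer already signed by the AIR tooling\n' > "$ARTIFACT"
    # Signing-only key with an empty passphrase so the demo runs unattended.
    gpg --batch --quiet --passphrase '' \
        --quick-generate-key 'Demo Release Manager <rm@example.invalid>' ed25519 sign never
}

sign_detached() {      # writes <file>.asc next to <file>; <file> itself is not modified
    gpg --batch --yes --armor --output "$1.asc" --detach-sign "$1"
}

verify_detached() {    # exit status 0 only if <file>.asc is a good signature over <file>
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

digest() { sha256sum "$1" | cut -d' ' -f1; }

teardown_demo() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$WORK"
}

run_demo() {
    setup_demo || return 1
    local before after rc=0
    before="$(digest "$ARTIFACT")"
    sign_detached "$ARTIFACT" || rc=1
    after="$(digest "$ARTIFACT")"
    [ "$before" = "$after" ] || rc=1                # artifact bytes unchanged by signing
    verify_detached "$ARTIFACT" || rc=1             # untouched artifact verifies
    printf 'x' >> "$ARTIFACT"                       # simulate corruption on a mirror
    if verify_detached "$ARTIFACT"; then rc=1; fi   # modified artifact must not verify
    teardown_demo
    return "$rc"
}

run_demo && echo "detached signature: artifact unchanged, tampering detected"
```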


Re: Apache Flex: Digitally Signing Air Applications

Posted by Om <bi...@gmail.com>.
On Tue, Jul 17, 2012 at 5:25 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:

> PGP-sign it as well, then.  That's the standard way all artifacts are
> signed (and centrally verified).
>
>
To be clear, are you suggesting that I sign it twice, once using the AIR
signing process and then sign that artifact using the PGP-sign process?
Can you please point me to some documentation for PGP-signing
artifacts?  Is this typically done by the Release Manager, or can any
committer do this for a release?


> For future reference infra-dev@ is a public list, why didn't you CC
> flex-dev@?
>

Apologies for the confusion.  I was told by our PPMC mentor, Dave Fisher
(cc-ing him here) that infra-dev is a private list.

Thanks,
Om


> Om wrote on Mon, Jul 16, 2012 at 21:26:07 -0700:
> > Hi,
> >
> > As the first release of Apache Flex is being worked on, we are planning to
> > put out an installer application written in Flex + AIR as a convenience
> > utility.  This page
> > http://people.apache.org/~bigosmallm/installapacheflex/ lets you
> > download a binary file which is the installer.
> >
> > Should the installer be signed in the same way as the Apache Flex SDK
> > binary is signed?  The process for signing AIR apps is described here [1].
> > How do we do this in the Apache way?
> >
> > [1]
> > http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
> >
> > Thanks,
> > Om
> > Apache Flex PPMC Member
>

Re: Apache Flex: Digitally Signing Air Applications

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
PGP-sign it as well, then.  That's the standard way all artifacts are
signed (and centrally verified).

For future reference infra-dev@ is a public list, why didn't you CC flex-dev@?

Om wrote on Mon, Jul 16, 2012 at 21:26:07 -0700:
> Hi,
> 
> As the first release of Apache Flex is being worked on, we are planning to
> put out an installer application written in Flex + AIR as a convenience
> utility.  This page
> http://people.apache.org/~bigosmallm/installapacheflex/ lets you
> download a binary file which is the installer.
> 
> Should the installer be signed in the same way as the Apache Flex SDK
> binary is signed?  The process for signing AIR apps is described here [1].
> How do we do this in the Apache way?
> 
> [1]
> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
> 
> Thanks,
> Om
> Apache Flex PPMC Member