flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Fisher <dave2w...@comcast.net>
Subject Re: [MENTOR] InstallApacheFlex AIR app related questions
Date Wed, 18 Jul 2012 03:07:55 GMT

On Jul 16, 2012, at 4:55 PM, Dave Fisher wrote:

> On Jul 16, 2012, at 4:19 PM, Om wrote:
>> (Carol/Alex, please free to jump in as well)
>> This page http://people.apache.org/~bigosmallm/installapacheflex/ lets you
>> download a binary file.
>> For this discussion, the InstallApacheFlex AIR app = 'Installer'
>> 1.  Should the installer be signed in the same way as the Apache Flex SDK
>> binary is signed?  The process for signing AIR apps is described here
>> [1<http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html>]
>> How do we do this in the Apache way?
> There is no established way to do this at this time. But that does not mean that these
needs are not being discussed. The proper way to proceed is to subscribe to infrastructure-dev@apache.org
(a private list)

Sorry not a private list. The apache public lists are archived here:


Sorry about my mistake. At least it was in the acceptable direction. This community does understand
how to avoid private discussions which should be avoided and limited to personnel / explicitly
private matters.

> and then send an email with the subject: "Apache Flex: Digitally Signing Air Applications"
and include this information. This path won't be quick, but Flex is not alone, other projects
like OpenOffice are asking a similar question. The likely process will involve a buildbot
under the control of Apache Infrastructure - this will involve an Apache.org certificate and
the keys will be very closely held. Project specific certs are one possibility.

The recommendation is to sign this binary convenience package in the same way as the binary
packages are signed - as pgp detached signature. You can follow the digital signing discussions
on infrastructure-dev in either the archives or by joining the list.

> Are there any dependencies to building this AIR app beyond those for Apache Flex?
> You could get a simpler answer from infra-dev than I think...
>> 2.  The installer downloads the binary distribution of the Apache Flex
>> sdk.  Should the installer programatically verify the downloaded binary
>> file's signature before uncompressing it?
> That is a good idea. If you retrieve a KEYS file (and I'm not sure if that is a good
idea) it must be from a different URL than the Binary.
>> 3.  I see that mirrors are preferred over downloading directly from Apache
>> servers.  Is there a standard list of mirror locations that I can access
>> from somewhere?  I think I will need to modify the installer to dynamically
>> select a mirror for downloading from, right?
> Yes. Take a look at http://incubator.apache.org/odftoolkit/downloads.html
> Note the use of closer.cgi - this helps select an appropriate mirror from the Apache
Mirror network.
> With the appropriate parameters you cause it return the url. This will hide the details
of the Apache Mirror network allowing the mirror operators to make whatever changes are needed
as operators are added and removed.
> Regards,
> Dave
>> [1]
>> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
>> Thanks,
>> Om

View raw message