flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Harbs <gavha...@gmail.com>
Subject Re: RSLs and signing
Date Sun, 10 Feb 2013 16:19:11 GMT

On Feb 10, 2013, at 6:13 PM, Alex Harui wrote:

> On 2/10/13 8:00 AM, "Harbs" <gavharbs@gmail.com> wrote:
>> This is degenerating into a discussion that should probably move to the user
>> list, but...
>> TLF is a must, but the whole TLF library shouldn't be more than 180-190 KB.
>> Nothing like Datagrid is being used. I have a bunch of RichEditableText
>> components that I will probably factor out. That might help... On an aside, it
>> seems to me that the text components (even the spark ones) are pretty bloated
>> and over-engineered. I'm thinking of making some lightweight components for my
>> own purposes. Does anyone else see a need for lightweight versions?
>> The only two mx components being used is ColorPicker and Alert. With the
>> newest release, I should be able to replace those two. I do have one Canvas
>> component in use because I couldn't get the behavior I needed with
>> BorderContainer. Maybe I'll revisit that. The odd thing was that switching to
>> "Spark only" did not bring up any errors for the Canvas component.
> And the first screen of your demo app doesn't seem to use multi-line text,
> so I would make sure Label is being used for all text which does not require
> TLF so you can load it later.

That's a no-go. TLF is required for rendering of the text on the page…

>> On Feb 10, 2013, at 5:47 PM, Nicholas Kwiatkowski wrote:
>>> The caching rules of RSLs and SWFs are for the most part, are the same.
>>> Depending on your IDE, you may be able to build a dependency tree, which
>>> should help you determine where your bulk is coming from.  I find that
>>> certain components (mx:DataGrid, for example), add in about 250k just for
>>> being there because of all the things it depends on.  Some of the Spark
>>> text components are equally as heavy because of their dependence on the TLF
>>> stuff.  If you could stop using all of the halo components, you will
>>> probably be much better off as well.
>>> -Nick
>>> On Sun, Feb 10, 2013 at 10:41 AM, Harbs <harbs.lists@gmail.com> wrote:
>>>> The numbers were for release.
>>>> The debug size using RSLs is about 1 MB.
>>>> I'm not really sure if modules can help. There are not many modular
>>>> components in the app. Maybe I can load the image browser as a module, but
>>>> I don't know how much of a difference that will make. There are a number
>>>> palettes that might be candidates. I'll see what I can do on that front,
>>>> but I don't have high hopes. My bigger concern is really the Flex libs
>>>> which have more bulk than the whole app... Is there a good way of figuring
>>>> out where the bulk is coming from?
>>>> If I'm reading you right, the caching of swfs is actually more persistent
>>>> than the caching of unsigned RSLs. Right?
>>>> On Feb 10, 2013, at 5:19 PM, Alex Harui wrote:
>>>>> The only advantage to un-signed RSLs is if you serve more than one SWF
>>>> that
>>>>> uses them from your domain.  SWFs end up on disk in a browser cache (if
>>>>> there is one and within the limitations of that cache) so then there
is a
>>>>> probability you won't have to download some code.
>>>>> Apache Flex will hopefully release often.  The Framework RSLs were
>>>>> version-specific, so releasing often further lowers your chances of any
>>>>> benefit even if we did have a way to serve cross-domain RSLs.
>>>>> I suppose we could try to host RSLs at some known place, but browser
>>>> cache
>>>>> limitations would still apply, and you'd want a custom domain name
>>>> otherwise
>>>>> you'd expose yourself to cross-domain scripting.
>>>>> Are your SWF size numbers for release mode or debug mode?  Using modules
>>>>> carefully can lower the size of the initial load.
>>>>> On 2/10/13 6:54 AM, "Harbs" <harbs.lists@gmail.com> wrote:
>>>>>> Okay. Like you said this sucks.
>>>>>> I'm looking to moving from Flex 4.5 to 4.9 in the next few weeks.
I just
>>>>>> changed my compile settings to merge instead of using RSLs and the
>>>> went
>>>>>> from a little over 600 KB to 1.4 MB. :-(
>>>>>> I clearly have a lot of work to do removing dependency on a lot of
>>>> classes and
>>>>>> getting rid of dependency on mx components (I have a very few in
>>>> but the
>>>>>> ones that I'm using will be hard to replace with Spark.)
>>>>>> I'm still not sure why Flash can't cache  third party signed RSLs,
>>>> there's
>>>>>> not much to be gained by kvetching about it. I doubt they'll add
>>>> as a
>>>>>> feature to FlashŠ
>>>>>> Harbs
>>>>>> On Feb 10, 2013, at 4:37 PM, Nicholas Kwiatkowski wrote:
>>>>>>> When I say signed, I'm meaning signed by Adobe.  There really
>>>>>>> little benefit to sign an RSL with our certificates, as they
are in
>>>> the web
>>>>>>> of trust of the Flash Player.
>>>>>>> From what I've been told, unless it is signed by Adobe, it is
not in
>>>>>>> the persistent cache, so it is not cached on disk, period.  This
>>>>>>> regardless of the domain that it is on.
>>>>>>> This came up VERY early on (maybe even at the Tech Summit --
I don't
>>>> know,
>>>>>>> I wasn't there), and Adobe was pretty straight forward that this
>>>> going
>>>>>>> to be the case.  Questions came up about having them sign it,
but they
>>>> did
>>>>>>> not want to dedicated the resources to do it. Looking back, it
>>>> have
>>>>>>> been a pain to have to submit our releases to Adobe for their
>>>>>>> review before we could do anything -- potentially holding back
>>>> releases
>>>>>>> weeks or months.
>>>>>>> It was seen as a majority of the Flex work was moving to mobile.
>>>> AIR
>>>>>>> with mobile, there is no concept of RSLs (everything is embedded
>>>> within the
>>>>>>> final executable), so it was seen as less of an issue.
>>>>>>> -Nick
>>>>>>> On Sun, Feb 10, 2013 at 9:27 AM, Harbs <harbs.lists@gmail.com>
>>>>>>>> Bah! So they're totally useless.
>>>>>>>> swfs are also cached by the browser for that session. Correct?
>>>>>>>> Is there any logic to not caching RSLs for the domain that
>>>> them?
>>>>>>>>> Only signed RSLs are cached on disk.
>>>>>>>> Signed meaning signed by Adobe. Right? There's no way to
sign a RSL
>>>> with
>>>>>>>> an SSL or code signing certificate. Is there?
>>>>>>>> On Feb 10, 2013, at 4:19 PM, Nicholas Kwiatkowski wrote:
>>>>>>>>> They are downloaded once per domain, per session.  If
you visit
>>>> domain
>>>>>>>>> x.comtwice in a session (as defined by your browser),
then it will
>>>>>>>>> stay in
>>>>>>>>> memory.  If you close your session (typically by closing
>>>> browser),
>>>>>>>>> then it will be cleared from memory.
>>>>>>>>> Only signed RSLs are cached on disk.
>>>>>>>>> -Nick
>>>>>>>>> On Sun, Feb 10, 2013 at 9:01 AM, Harbs <harbs.lists@gmail.com>
>>>> wrote:
>>>>>>>>>> I apparently missed this. Yes. It does suck. Are
RSLs reloaded every
>>>>>>>> time
>>>>>>>>>> for a specific domain, or is it just a cross-domain
>>>>>>>>>> If I use RSLs for Flex 4.9 and I update my main app,
do the RSLs get
>>>>>>>>>> downloaded every time, or will the RSLs from my domain
be reused? Is
>>>>>>>> there
>>>>>>>>>> any point in using RSLs at all?
>>>>>>>>>> On Feb 10, 2013, at 3:56 PM, Nicholas Kwiatkowski
>>>>>>>>>>> Adobe has (had?) a pretty good explanation on
their Flash
>>>> Whitepaper.
>>>>>>>> It
>>>>>>>>>>> boils down to this :
>>>>>>>>>>> - They are no longer in control of Flex
>>>>>>>>>>> - They are no longer doing security reviews of
the source code
>>>>>>>>>>> - They have to sign the Flex package with their
>>>> certificate in
>>>>>>>>>>> order for it to be stored in the Flash RSL Cache
>>>>>>>>>>> - They won't sign it anymore because they would
be responsible for
>>>> any
>>>>>>>>>>> security issues that may come out of it.
>>>>>>>>>>> Yes, it sucks, but unfortunately, we have to
live with it.
>>>>>>>>>>> -Nick
>>>>>>>>>>> On Sun, Feb 10, 2013 at 8:49 AM, christofer.dutz@c-ware.de
>>>>>>>>>>> christofer.dutz@c-ware.de> wrote:
>>>>>>>>>>>> I have to admit, that I don't quite understand
what the inability
>>>> to
>>>>>>>>>>>> create signed rsls has to do with the usage
of rsls themselves.
>>>>>>>>>>>> The problem is that the Flashplayer is able
to install rsls that
>>>> are
>>>>>>>>>>>> signed by Adobe. Usually the Adobe FDK rsls
were also available in
>>>>>>>>>> signed
>>>>>>>>>>>> versions (swz files). These were dynamically
loaded the first time
>>>>>>>> they
>>>>>>>>>>>> were needed and installed by the Flashplayer.
The second time the
>>>> libs
>>>>>>>>>> were
>>>>>>>>>>>> needed the installed versions were used reducing
the download time
>>>>>>>>>>>> dramatically. Now the problem is that Adobe
won't sign Apache
>>>> SWCs as
>>>>>>>>>> they
>>>>>>>>>>>> are no longer in charge of the libs code
(Understandable). Giving
>>>>>>>>>> Apache a
>>>>>>>>>>>> key to be able to also create signed RSLs
would eventually open
>>>>>>>> serious
>>>>>>>>>>>> security problems because a signed manipulated
swz would be used
>>>> by
>>>>>>>>>> every
>>>>>>>>>>>> other website using the same version of a
given lib.
>>>>>>>>>>>> Coming back to the RSLs ... The difference
between a signed and an
>>>>>>>>>>>> unsigned RSL is just, that the unsigned rsl
is loaded on every
>>>> visit
>>>>>>>> of
>>>>>>>>>> a
>>>>>>>>>>>> user. As far as I know there is no other
difference. So I don't
>>>> quite
>>>>>>>>>>>> understand why the lack of availability of
signed rsls should
>>>> have any
>>>>>>>>>>>> effect on built applications and the default
linking type.
>>>>>>>>>>>> Chris
>>>>>>>>>>>> -----Ursprüngliche Nachricht-----
>>>>>>>>>>>> Von: Harbs [mailto:harbs.lists@gmail.com]
>>>>>>>>>>>> Gesendet: Sonntag, 10. Februar 2013 14:19
>>>>>>>>>>>> An: dev@flex.apache.org
>>>>>>>>>>>> Betreff: RSLs and signing
>>>>>>>>>>>> I did not realize that Apache Flex does not
use RSLs by default.
>>>>>>>>>>>> What's the story with signing? Is that an
issue with cross-domain
>>>>>>>>>>>> security? Is there any way to get an Apache
signature approved for
>>>>>>>>>> Flash?
>>>>>>>>>>>> Either way, I'd imagine I'd want RSLs for
the simple reason that
>>>>>>>>>> updating
>>>>>>>>>>>> apps should result in a smaller download.
>>>>>>>>>>>> Harbs
>>>>>>>>>>>> On Feb 9, 2013, at 9:00 AM, Alex Harui wrote:
>>>>>>>>>>>>> The default setting for Apache Flex is
to not use RSLs because
>>>> Adobe
>>>>>>>>>>>>> cannot sign the Apache Flex RSLs.  That's
probably why your SWF
>>>> is
>>>>>>>>>>>> bigger.
>>>>>>>>>>>>> On 2/8/13 10:31 PM, "grimmwerks" <grimm@grimmwerks.com>
>>>>>>>>>>>>> Hey all - long time listener first time
>>>>>>>>>>>>> I've taken a project that was originally
4.6 and I flipped it to
>>>>>>>> 4.9;
>>>>>>>>>>>>> comparing the same code on two computers
- when I build with
>>>> the 4.6
>>>>>>>>>>>>> sdk I get a swf of 304k (with all the
other extraneous libraries
>>>>>>>> such
>>>>>>>>>>>>> as osmf, mx, sparkspins, etc) -- whereas
with 4.9 the main sf is
>>>>>>>>>>>>> 1.1mb -- that's a huge difference with
no other changes in code
>>>> no?
>>>>>>>>>>>>> Garry Schafer
>>>>>>>>>>>>> grimmwerks
>>>>>>>>>>>>> grimm@grimmwerks.com
>>>>>>>>>>>>> portfolio: www.grimmwerks.com/
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Alex Harui
>>>>>>>>>>>>> Flex SDK Team
>>>>>>>>>>>>> Adobe Systems, Inc.
>>>>>>>>>>>>> http://blogs.adobe.com/aharui
>>>>> --
>>>>> Alex Harui
>>>>> Flex SDK Team
>>>>> Adobe Systems, Inc.
>>>>> http://blogs.adobe.com/aharui
> -- 
> Alex Harui
> Flex SDK Team
> Adobe Systems, Inc.
> http://blogs.adobe.com/aharui

View raw message