Return-Path: X-Original-To: apmail-flex-dev-archive@www.apache.org Delivered-To: apmail-flex-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0BC34E88E for ; Mon, 11 Feb 2013 11:09:23 +0000 (UTC) Received: (qmail 37444 invoked by uid 500); 11 Feb 2013 11:09:22 -0000 Delivered-To: apmail-flex-dev-archive@flex.apache.org Received: (qmail 37411 invoked by uid 500); 11 Feb 2013 11:09:21 -0000 Mailing-List: contact dev-help@flex.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@flex.apache.org Delivered-To: mailing list dev@flex.apache.org Received: (qmail 37376 invoked by uid 99); 11 Feb 2013 11:09:20 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 11 Feb 2013 11:09:20 +0000 X-ASF-Spam-Status: No, hits=-2.3 required=5.0 tests=RCVD_IN_DNSWL_MED,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of mark.kessler.ctr@usmc.mil designates 138.162.128.21 as permitted sender) Received: from [138.162.128.21] (HELO usmcquanio03.nmci.usmc.mil) (138.162.128.21) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 11 Feb 2013 11:09:12 +0000 Received: from gate24-quantico.nmci.usmc.mil (HELO mcusquaneg01v.mcdsus.mcds.usmc.mil) ([138.162.128.54]) by usmcquanio03.nmci.usmc.mil with ESMTP; 11 Feb 2013 02:55:32 -0500 Received: from mcusquanez26v.mcdsus.mcds.usmc.mil ([138.156.149.182]) by mcusquaneg01v.mcdsus.mcds.usmc.mil with Microsoft SMTPSVC(6.0.3790.4675); Mon, 11 Feb 2013 06:08:45 -0500 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: RSLs and signing Date: Mon, 11 Feb 2013 06:08:44 -0500 Message-ID: <0E7CF6486AC44249B0B674C6760449B404A574D4@mcusquanez26v.mcdsus.mcds.usmc.mil> In-Reply-To: <239B167A-491C-4F1F-BDE3-AD552A3AA882@gmail.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: RSLs and signing Thread-Index: Ac4Hno00qh1fa5XeSuKf8XX0axdNcAAqX7lg References: <43BAB3D0-B0F5-4250-8042-BAAD06B12ABD@gmail.com> <66E38C42347D6446BF7FCB22C3D3878072EA2C71CA@ECCR06PUBLIC.exchange.local> <30220A6C-8671-47A1-8A77-03D0C6D1B489@gmail.com> <383FA12A-731D-402A-A74D-31071901B498@gmail.com> <239B167A-491C-4F1F-BDE3-AD552A3AA882@gmail.com> From: "Kessler CTR Mark J" To: X-OriginalArrivalTime: 11 Feb 2013 11:08:45.0785 (UTC) FILETIME=[28F0A490:01CE0848] X-Virus-Checked: Checked by ClamAV on apache.org Well you can still use RSLs if your user base will frequent your site = multiple times in a day. =20 -----Original Message----- From: Harbs [mailto:harbs.lists@gmail.com]=20 Sent: Sunday, February 10, 2013 9:54 AM To: dev@flex.apache.org Subject: Re: RSLs and signing Okay. Like you said this sucks. I'm looking to moving from Flex 4.5 to 4.9 in the next few weeks. I just = changed my compile settings to merge instead of using RSLs and the app = went from a little over 600 KB to 1.4 MB. :-( I clearly have a lot of work to do removing dependency on a lot of = classes and getting rid of dependency on mx components (I have a very = few in use, but the ones that I'm using will be hard to replace with = Spark.) I'm still not sure why Flash can't cache third party signed RSLs, but = there's not much to be gained by kvetching about it. I doubt they'll add = that as a feature to Flash... Harbs On Feb 10, 2013, at 4:37 PM, Nicholas Kwiatkowski wrote: > When I say signed, I'm meaning signed by Adobe. There really is > little benefit to sign an RSL with our certificates, as they are in = the web > of trust of the Flash Player. >=20 > From what I've been told, unless it is signed by Adobe, it is not in > the persistent cache, so it is not cached on disk, period. This is > regardless of the domain that it is on. >=20 > This came up VERY early on (maybe even at the Tech Summit -- I don't = know, > I wasn't there), and Adobe was pretty straight forward that this was = going > to be the case. Questions came up about having them sign it, but they = did > not want to dedicated the resources to do it. Looking back, it would = have > been a pain to have to submit our releases to Adobe for their complete > review before we could do anything -- potentially holding back our = releases > weeks or months. >=20 > It was seen as a majority of the Flex work was moving to mobile. On = AIR > with mobile, there is no concept of RSLs (everything is embedded = within the > final executable), so it was seen as less of an issue. >=20 > -Nick >=20 > On Sun, Feb 10, 2013 at 9:27 AM, Harbs wrote: >=20 >> Bah! So they're totally useless. >>=20 >> swfs are also cached by the browser for that session. Correct? >>=20 >> Is there any logic to not caching RSLs for the domain that loaded = them? >>=20 >>> Only signed RSLs are cached on disk. >>=20 >> Signed meaning signed by Adobe. Right? There's no way to sign a RSL = with >> an SSL or code signing certificate. Is there? >>=20 >> On Feb 10, 2013, at 4:19 PM, Nicholas Kwiatkowski wrote: >>=20 >>> They are downloaded once per domain, per session. If you visit = domain >>> x.comtwice in a session (as defined by your browser), then it will >>> stay in >>> memory. If you close your session (typically by closing your = browser), >>> then it will be cleared from memory. >>>=20 >>> Only signed RSLs are cached on disk. >>>=20 >>> -Nick >>>=20 >>> On Sun, Feb 10, 2013 at 9:01 AM, Harbs = wrote: >>>=20 >>>> I apparently missed this. Yes. It does suck. Are RSLs reloaded = every >> time >>>> for a specific domain, or is it just a cross-domain issue? >>>>=20 >>>> If I use RSLs for Flex 4.9 and I update my main app, do the RSLs = get >>>> downloaded every time, or will the RSLs from my domain be reused? = Is >> there >>>> any point in using RSLs at all? >>>>=20 >>>> On Feb 10, 2013, at 3:56 PM, Nicholas Kwiatkowski wrote: >>>>=20 >>>>> Adobe has (had?) a pretty good explanation on their Flash = Whitepaper. >> It >>>>> boils down to this : >>>>> - They are no longer in control of Flex >>>>> - They are no longer doing security reviews of the source code >>>>> - They have to sign the Flex package with their security = certificate in >>>>> order for it to be stored in the Flash RSL Cache >>>>> - They won't sign it anymore because they would be responsible for = any >>>>> security issues that may come out of it. >>>>>=20 >>>>> Yes, it sucks, but unfortunately, we have to live with it. >>>>>=20 >>>>> -Nick >>>>>=20 >>>>> On Sun, Feb 10, 2013 at 8:49 AM, christofer.dutz@c-ware.de < >>>>> christofer.dutz@c-ware.de> wrote: >>>>>=20 >>>>>> I have to admit, that I don't quite understand what the inability = to >>>>>> create signed rsls has to do with the usage of rsls themselves. >>>>>>=20 >>>>>> The problem is that the Flashplayer is able to install rsls that = are >>>>>> signed by Adobe. Usually the Adobe FDK rsls were also available = in >>>> signed >>>>>> versions (swz files). These were dynamically loaded the first = time >> they >>>>>> were needed and installed by the Flashplayer. The second time the = libs >>>> were >>>>>> needed the installed versions were used reducing the download = time >>>>>> dramatically. Now the problem is that Adobe won't sign Apache = SWCs as >>>> they >>>>>> are no longer in charge of the libs code (Understandable). Giving >>>> Apache a >>>>>> key to be able to also create signed RSLs would eventually open >> serious >>>>>> security problems because a signed manipulated swz would be used = by >>>> every >>>>>> other website using the same version of a given lib. >>>>>>=20 >>>>>> Coming back to the RSLs ... The difference between a signed and = an >>>>>> unsigned RSL is just, that the unsigned rsl is loaded on every = visit >> of >>>> a >>>>>> user. As far as I know there is no other difference. So I don't = quite >>>>>> understand why the lack of availability of signed rsls should = have any >>>>>> effect on built applications and the default linking type. >>>>>>=20 >>>>>> Chris >>>>>>=20 >>>>>>=20 >>>>>>=20 >>>>>> -----Urspr=FCngliche Nachricht----- >>>>>> Von: Harbs [mailto:harbs.lists@gmail.com] >>>>>> Gesendet: Sonntag, 10. Februar 2013 14:19 >>>>>> An: dev@flex.apache.org >>>>>> Betreff: RSLs and signing >>>>>>=20 >>>>>> I did not realize that Apache Flex does not use RSLs by default. >>>>>>=20 >>>>>> What's the story with signing? Is that an issue with cross-domain >>>>>> security? Is there any way to get an Apache signature approved = for >>>> Flash? >>>>>>=20 >>>>>> Either way, I'd imagine I'd want RSLs for the simple reason that >>>> updating >>>>>> apps should result in a smaller download. >>>>>>=20 >>>>>> Harbs >>>>>>=20 >>>>>> On Feb 9, 2013, at 9:00 AM, Alex Harui wrote: >>>>>>=20 >>>>>>> The default setting for Apache Flex is to not use RSLs because = Adobe >>>>>>> cannot sign the Apache Flex RSLs. That's probably why your SWF = is >>>>>> bigger. >>>>>>>=20 >>>>>>>=20 >>>>>>> On 2/8/13 10:31 PM, "grimmwerks" wrote: >>>>>>>=20 >>>>>>>> Hey all - long time listener first time caller. >>>>>>>>=20 >>>>>>>> I've taken a project that was originally 4.6 and I flipped it = to >> 4.9; >>>>>>>> comparing the same code on two computers - when I build with = the 4.6 >>>>>>>> sdk I get a swf of 304k (with all the other extraneous = libraries >> such >>>>>>>> as osmf, mx, sparkspins, etc) -- whereas with 4.9 the main sf = is >>>>>>>> 1.1mb -- that's a huge difference with no other changes in code = no? >>>>>>>>=20 >>>>>>>>=20 >>>>>>>>=20 >>>>>>>>=20 >>>>>>>> Garry Schafer >>>>>>>> grimmwerks >>>>>>>> grimm@grimmwerks.com >>>>>>>> portfolio: www.grimmwerks.com/ >>>>>>>>=20 >>>>>>>>=20 >>>>>>>>=20 >>>>>>>>=20 >>>>>>>=20 >>>>>>> -- >>>>>>> Alex Harui >>>>>>> Flex SDK Team >>>>>>> Adobe Systems, Inc. >>>>>>> http://blogs.adobe.com/aharui >>>>>>>=20 >>>>>>=20 >>>>>>=20 >>>>=20 >>>>=20 >>=20 >>=20