I've posted a question to the infra-dev mailing list on the best location for the jnlp file and jars (the only infra requirement is a MIME type mapping for jnlp files); we'll see what response we get.

The other half of the issue is for new releases of Chainsaw, we need a new code signing cert, preferably provided and managed by infra.

I filed INFRA-3991 ("Request for code signing certificate") about nine months ago, with no feedback. Today, Sam Ruby responded that we need to provide an actionable plan for how the code signing could take place.

After discussing with Tony on #asfinfra, infra would like to build binaries themselves and sign them, after being given a path and svn revision and proof of the vote. 

I also suggested we provide them with hashes so they can verify that what we reviewed matches what they are signing.

Infra would be responsible for retrieving the code from subversion and building and signing the artifacts using code signing keys that they managed securely.

How they manage their keys belongs under infra's domain, but we need to provide an actionable process that they could adopt otherwise.

Does what I describe above sound ok? Any suggestions, comments or changes to the above-described process?

Thanks

Scott


On Fri, Jun 22, 2012 at 9:12 AM, Christian Grobmeier <grobmeier@gmail.com> wrote:
On Fri, Jun 22, 2012 at 6:10 PM, Scott Deboy <scott.deboy@gmail.com> wrote:
> I actually used to track this from the downloads and JNLP was used quite
> extensively, haven't checked in a while, but I bet if we deployed the latest
> developer snapshot that would be the most frequently used path.  We pinged
> infra a while back on this but didn't get back a good response (Paul had to
> sign the jars himself, and somehow JNLP was served correctly from where it
> is now).
>
> I'll ping #infra on freenode, but I really don't want to drop JNLP support.

OK understood. If infra is fine with that, I am too and we can publish
the jnlp via the CMS.
Just the dmg/zip file - shouldn't we put these on the mirroring system?



> Scott
>
>
> On Fri, Jun 22, 2012 at 8:46 AM, Ivan Habunek <ivan.habunek@gmail.com>
> wrote:
>>
>> I'll take care of log4php next week. On holidays this week.
>>
>> Regards,
>> Ivan
>>
>> On 22 June 2012 17:05, Christian Grobmeier <grobmeier@gmail.com> wrote:
>> > On Fri, Jun 22, 2012 at 4:43 PM, Ralph Goers <rgoers@apache.org> wrote:
>> >> So where does this leave us in moving the site over?
>> >
>> > I think we could simply commit the chainsaw binary into the cms folders.
>> >
>> > But actually I believe infra will eat us if they ever find out we
>> > distribute binaries from the CMS folder. Therefore I would say we make
>> > up a regular download page and reference to the dmg and the zip only
>> > (dropping the jnlp) and use the mirroring system.
>> >
>> > Scott, it's your domain - what do you say to that?
>> >
>> > Cheers
>> > Christian
>> >
>> >>
>> >> Ralph
>> >>
>> >> On Jun 21, 2012, at 12:51 AM, Scott Deboy <scott.deboy@gmail.com>
>> >> wrote:
>> >>
>> >> I believe we bypass the mirror system because the mirror system doesn't
>> >> support the jnlp protocol (handling the mime type).
>> >>
>> >> Scott
>> >>
>> >> On Thu, Jun 21, 2012 at 12:49 AM, Scott Deboy <scott.deboy@gmail.com>
>> >> wrote:
>> >>>
>> >>> An icon is usually added to the user's start menu and/or desktop, which
>> >>> launches javaws and uses the jnlp protocol, so they don't need to go back to
>> >>> the link to get the benefit of autoupdates.
>> >>>
>> >>>
>> >>> On Wed, Jun 20, 2012 at 10:45 PM, Christian Grobmeier
>> >>> <grobmeier@gmail.com> wrote:
>> >>>>
>> >>>> On Thu, Jun 21, 2012 at 7:40 AM, Scott Deboy <scott.deboy@gmail.com>
>> >>>> wrote:
>> >>>> > The benefit of webstart is updates are automatically downloaded and
>> >>>> > installed.  The link actually tries to check jars each time you start the
>> >>>> > app and will update automatically if there are new ones.
>> >>>>
>> >>>> yes understood.
>> >>>>
>> >>>> Does the user (I am a webstart noob) always need to click on our
>> >>>> webpage to start the app?
>> >>>> And, do we actually bypass the mirror system here or am I wrong with
>> >>>> my assumption? Not sure if that is really relevant because I don't
>> >>>> know about the user base
>> >>>>
>> >>>> Cheers
>> >>>> Christian
>> >>>>
>> >>>>
>> >>>>
>> >>>> > Scott
>> >>>> >
>> >>>> >
>> >>>> > On Wed, Jun 20, 2012 at 10:36 PM, Christian Grobmeier
>> >>>> > <grobmeier@gmail.com>
>> >>>> > wrote:
>> >>>> >>
>> >>>> >> On Wed, Jun 20, 2012 at 4:31 PM, Scott Deboy
>> >>>> >> <scott.deboy@gmail.com>
>> >>>> >> wrote:
>> >>>> >> > I think the gotcha there had something to do with making sure the jnlp
>> >>>> >> > file mapping was correctly supported. It has been about eight years, but
>> >>>> >> > that is my recollection.
>> >>>> >> >
>> >>>> >> > That and the stupid maven template support would not allow us to use an
>> >>>> >> > image as the link (a 'launch' webstart graphical button as the link)
>> >>>> >>
>> >>>> >>
>> >>>> >> Is there something speaking against downloading an exe/dmg/zip via the
>> >>>> >> usual download system?
>> >>>> >> Or is webstart the killer feature for chainsaw? :-)
>> >>>> >>
>> >>>> >> Cheers
>> >>>> >>
>> >>>> >>
>> >>>> >>
>> >>>> >> >
>> >>>> >> > Scott
>> >>>> >> >
>> >>>> >> >
>> >>>> >> >
>> >>>> >> > On Jun 20, 2012, at 2:46 AM, Christian Grobmeier
>> >>>> >> > <grobmeier@gmail.com>
>> >>>> >> > wrote:
>> >>>> >> >
>> >>>> >> >> On Wed, Jun 20, 2012 at 7:07 AM, Ralph Goers
>> >>>> >> >> <ralph.goers@dslextreme.com> wrote:
>> >>>> >> >>> I believe all the hard work on the logging site is completed however
>> >>>> >> >>> some of the sub projects are yet to be published.  I would like to have
>> >>>> >> >>> infra convert loggingtest.apache.org to logging.apache.org but I don't want
>> >>>> >> >>> to get 404s on those sub projects.
>> >>>> >> >>>
>> >>>> >> >>> I looked at chainsaw and the download page will certainly break if I
>> >>>> >> >>> were to just copy the content.  I'm not sure about the others.
>> >>>> >> >>>
>> >>>> >> >>> Any ideas?
>> >>>> >> >>
>> >>>> >> >> Just added log4cxx to loggingtest.a.o. It's using the download script
>> >>>> >> >> which generates a list of mirrors so no problem here. In addition I
>> >>>> >> >> completed the branding requirements for log4cxx so we can leave that
>> >>>> >> >> untouched for a while now.
>> >>>> >> >>
>> >>>> >> >> I am not sure on the chainsaw one. It seems to bypass the mirroring
>> >>>> >> >> system which is kind of bad. Instead we should change the site to use
>> >>>> >> >> the download script imho. Maybe Scott can comment here.
>> >>>> >> >>
>> >>>> >> >> That being said, the chainsaw site needs an appropriate footer.
>> >>>> >> >> Basically the maven.vm template could be used in chainsaw too. So we
>> >>>> >> >> have 2 tasks here, update to branding and use the mirror system.
>> >>>> >> >>
>> >>>> >> >> cheers
>> >>>> >> >> Christian
>> >>>> >> >>
>> >>>> >> >>>
>> >>>> >> >>> Ralph
>> >>>> >> >>
>> >>>> >> >>
>> >>>> >> >>
>> >>>> >> >> --
>> >>>> >> >> http://www.grobmeier.de
>> >>>> >> >> https://www.timeandbill.de
>> >>>> >>
>> >>>> >>
>> >>>> >>
>> >>>> >> --
>> >>>> >> http://www.grobmeier.de
>> >>>> >> https://www.timeandbill.de
>> >>>> >
>> >>>> >
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> http://www.grobmeier.de
>> >>>> https://www.timeandbill.de
>> >>>
>> >>>
>> >>
>> >
>> >
>> >
>> > --
>> > http://www.grobmeier.de
>> > https://www.timeandbill.de
>
>



--
http://www.grobmeier.de
https://www.timeandbill.de
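
The hash check proposed at the top of this thread (the project supplies hashes of the reviewed artifacts, and infra compares its own build against them before signing), sketched as an added example that is not from the thread or from ASF infra. The manifest layout, function names and sample file names are assumptions, the sample files are constructed, and a byte-for-byte comparison assumes infra's build reproduces the reviewed artifacts exactly.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large jars are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(artifact_dir: Path) -> dict:
    """Hashes published with the vote (assumed layout): relative path -> SHA-256."""
    return {
        p.relative_to(artifact_dir).as_posix(): sha256_file(p)
        for p in sorted(artifact_dir.rglob("*")) if p.is_file()
    }


def verify_before_signing(build_dir: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means the build may be signed."""
    built = make_manifest(build_dir)
    problems = []
    for name, expected in manifest.items():
        if name not in built:
            problems.append(f"missing: {name}")
        elif built[name] != expected:
            problems.append(f"hash mismatch: {name}")
    # Anything infra built that the vote never covered must not get a signature.
    for name in built.keys() - manifest.keys():
        problems.append(f"not in voted manifest: {name}")
    return sorted(problems)


def demo() -> tuple:
    """Constructed sample: a reviewed tree, then a build tree that drifts from it."""
    with tempfile.TemporaryDirectory() as tmp:
        reviewed, built = Path(tmp, "reviewed"), Path(tmp, "built")
        for d in (reviewed, built):
            d.mkdir()
            (d / "chainsaw.jar").write_bytes(b"constructed jar bytes")
            (d / "chainsaw.jnlp").write_bytes(b"<jnlp/>")
        manifest = make_manifest(reviewed)
        clean = verify_before_signing(built, manifest)
        (built / "chainsaw.jar").write_bytes(b"constructed jar bytes, altered")
        (built / "extra.jar").write_bytes(b"unreviewed")
        return clean, verify_before_signing(built, manifest)
```

The signing step would run only when `verify_before_signing` returns an empty list for the build made from the voted path and svn revision.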