www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Fisher <dave2w...@comcast.net>
Subject Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Thu, 16 Aug 2012 17:38:45 GMT

On Aug 16, 2012, at 12:08 AM, Jürgen Schmidt wrote:

> On 8/16/12 1:38 AM, Dave Fisher wrote:
>> Hi Tony,
>> 
>> The bounds are very tight. I thought that Jürgen was pretty clear about how the
reality of the current build makes it difficult to create a bot to do this. His proposal is
essentially special buildbots under infra's control.
>> 
>> Perhaps if AOO had all the various requested buildbots we might figure out how to
make the proposed special buildbot that only infra can control because it has these special
certificates.
>> 
> it can be a duplicate image of the Windows build bot where the
> certificate is installed. The builds have to be triggered by someone who
> have access to this machine. But we can of course automate it probably
> to simply start a script and give a revision as input

Exactly.

> 
> 
>> I think that Flex will want both Windows and Mac buildbots as well.
> 
> AOO in the future as well

Andrew is waiting for the Mac buildbot - here is the buildbot master JIRA for AOO - INFRA-4197
More Buildbots for Apache OpenOffice

> 
>> 
>> INFRA-4902 Create Mac buildbot
>> 
>> (I just entered perl / cpan hell and going into time machine due to a missing prerequisite
in the AOO 3.4.1 RC that we are voting on. A working buildbot would have caught this issue.)
> 
> What exactly are your problems, which system do you use, Mountian Lion?
> Until today I am note aware that anybody has built AOO on Mountain Lion
> and even on Lion it requires some work. Apple/MacOS is not really
> developer friendly if you don't walk inside the "closed" Apple world ;-)

I've got past this issue. cpan had its permissions changed removing the a+x.

I had to upgrade LWP::UserAgent in cpan. cpan install only saw I had LWP::UserAgent and this
was missing the show_progress method.

I'm on MacOSX 10.6.8

> 
>> 
>> BTW - Mountain Lion is requiring Signing Certs from Apple and not others. (It's what
I hear on the street, am I wrong Dean and Richard?)
> 
> that's true, signing from Apple or from a developer with a official and
> register Apple developer ID. I haven't analyzed the signing process on
> Mountain Lion in detail so far but that is on the list.

My newer Mac is on Lion w/a free Mountain Lion upgrade, but I haven't had the free time to
move everything around as I need more backup disk space first.

And yes this is a detail.

> 
> Juergen
> 
>> 
>> Does it make sense to proceed with platforms that are needed for CI and where the
signing solution would possibly "live."
>> 
>> Regards,
>> Dave 
>> 
>> On Aug 15, 2012, at 3:20 PM, Tony Stevenson wrote:
>> 
>>> 
>>> 
>>> Sent from my iPad
>>> 
>>> On 15 Aug 2012, at 23:09, Om <bigosmallm@gmail.com> wrote:
>>> 
>>>> On Thu, Jul 19, 2012 at 3:12 PM, Dave Fisher <dave2wave@comcast.net>
wrote:
>>>> 
>>>>> 
>>>>> On Jul 19, 2012, at 11:16 AM, Om wrote:
>>>>> 
>>>>> On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall <Richard_Hall@symantec.com>wrote:
>>>>> 
>>>>>> Hi Dave,
>>>>>> 
>>>>>> Our hosted signing service does not currently provide the ability
to sign
>>>>>> Air applications, but we do offer Code Signing certs for Adobe Air
from our
>>>>>> website:
>>>>>> 
>>>>>> http://www.symantec.com/verisign/code-signing/adobe-air
>>>>>> 
>>>>>> Would this work for you?  Please let us know if you have any questions.
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Rich
>>>>>> 
>>>>>> 
>>>>> Rich,
>>>>> 
>>>>> This would work perfectly fine for us.
>>>>> 
>>>>> 
>>>>> Om,
>>>>> 
>>>>> And now the question is for the Apache Infrastructure team. Assuming
that
>>>>> an apache.org certificate for signing AIr applications is purchased The
>>>>> ASF how will it be handled? And that is the other thread.
>>>>> 
>>>>> Thanks,
>>>>> Dave
>>>>> 
>>>>> 
>>>> Do we know if there has been any work/discussion on this?  We are preparing
>>>> our installer app for release and valid certificate would be very good to
>>>> have.
>>>> 
>>>> What should I (or infra) do to get this certificate approved and purchased
>>>> for us by us?  How can I help speed up this process?
>>>> 
>>>> Thanks,
>>>> Om
>>> 
>>> 
>>> Om, 
>>> 
>>> We, infra, are still waiting for someone to come to us with a proposal on how
to deploy this within the bounds we have laid out several times both here and in Jira. We
won't just randomly set something up. 
>>> 
>>> Unto, we are receipt of such, and we have had a chance to review the same we
won't be purchasing any such certificate, and no project should be going direct to any supplier
to do the same. There are very real concerns we have and we want to see them fully addressed
before proceeding. 
>>> 
>>> To be clear, this needs to stop at this juncture until we ae happy to proceed.
If you require this for delivery of a binary installer, can I suggest that you and your project,
perhaps in conjunction with another projects come up with this plan we have asked for.
>> 
> 


Mime
View raw message