On Jul 16, 2012, at 4:19 PM, Om wrote: > (Carol/Alex, please free to jump in as well) > > This page http://people.apache.org/~bigosmallm/installapacheflex/ lets you > download a binary file. > For this discussion, the InstallApacheFlex AIR app = 'Installer' > > 1. Should the installer be signed in the same way as the Apache Flex SDK > binary is signed? The process for signing AIR apps is described here > [1<http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html>] > How do we do this in the Apache way?
There is no established way to do this at this time. But that does not mean that these needs are not being discussed. The proper way to proceed is to subscribe to infrastructure-...@apache.org (a private list) and then send an email with the subject: "Apache Flex: Digitally Signing Air Applications" and include this information. This path won't be quick, but Flex is not alone, other projects like OpenOffice are asking a similar question. The likely process will involve a buildbot under the control of Apache Infrastructure - this will involve an Apache.org certificate and the keys will be very closely held. Project specific certs are one possibility. Are there any dependencies to building this AIR app beyond those for Apache Flex? You could get a simpler answer from infra-dev than I think... > > 2. The installer downloads the binary distribution of the Apache Flex > sdk. Should the installer programatically verify the downloaded binary > file's signature before uncompressing it? That is a good idea. If you retrieve a KEYS file (and I'm not sure if that is a good idea) it must be from a different URL than the Binary. > > 3. I see that mirrors are preferred over downloading directly from Apache > servers. Is there a standard list of mirror locations that I can access > from somewhere? I think I will need to modify the installer to dynamically > select a mirror for downloading from, right? Yes. Take a look at http://incubator.apache.org/odftoolkit/downloads.html Note the use of closer.cgi - this helps select an appropriate mirror from the Apache Mirror network. With the appropriate parameters you cause it return the url. This will hide the details of the Apache Mirror network allowing the mirror operators to make whatever changes are needed as operators are added and removed. Regards, Dave > > [1] > http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html > > Thanks, > Om
