On Jul 16, 2012, at 4:55 PM, Dave Fisher wrote:

> 
> On Jul 16, 2012, at 4:19 PM, Om wrote:
> 
>> (Carol/Alex, please feel free to jump in as well)
>> 
>> This page http://people.apache.org/~bigosmallm/installapacheflex/ lets you
>> download a binary file.
>> For this discussion, the InstallApacheFlex AIR app = 'Installer'
>> 
>> 1.  Should the installer be signed in the same way as the Apache Flex SDK
>> binary is signed?  The process for signing AIR apps is described here
>> [1].
>> How do we do this in the Apache way?
> 
> There is no established way to do this at this time. But that does not mean 
> that these needs are not being discussed. The proper way to proceed is to 
> subscribe to infrastructure-...@apache.org (a private list)

Sorry, not a private list. The Apache public lists are archived here:

http://mail-archives.apache.org/mod_mbox/

Sorry about my mistake. At least it was in the acceptable direction. This 
community does understand how to avoid private discussions which should be 
avoided and limited to personnel / explicitly private matters.

> and then send an email with the subject: "Apache Flex: Digitally Signing Air 
> Applications" and include this information. This path won't be quick, but 
> Flex is not alone, other projects like OpenOffice are asking a similar 
> question. The likely process will involve a buildbot under the control of 
> Apache Infrastructure - this will involve an Apache.org certificate and the 
> keys will be very closely held. Project specific certs are one possibility.

The recommendation is to sign this binary convenience package in the same way 
as the binary packages are signed - as a PGP detached signature. You can follow 
the digital signing discussions on infrastructure-dev in either the archives or 
by joining the list.

Regards,
Dave
> 
> Are there any dependencies to building this AIR app beyond those for Apache 
> Flex?
> 
> You could get a simpler answer from infra-dev than I think...
> 
>> 
>> 2.  The installer downloads the binary distribution of the Apache Flex
>> sdk.  Should the installer programmatically verify the downloaded binary
>> file's signature before uncompressing it?
> 
> That is a good idea. If you retrieve a KEYS file (and I'm not sure if that is 
> a good idea) it must be from a different URL than the Binary.
> 
>> 
>> 3.  I see that mirrors are preferred over downloading directly from Apache
>> servers.  Is there a standard list of mirror locations that I can access
>> from somewhere?  I think I will need to modify the installer to dynamically
>> select a mirror for downloading from, right?
> 
> Yes. Take a look at http://incubator.apache.org/odftoolkit/downloads.html
> 
> Note the use of closer.cgi - this helps select an appropriate mirror from the 
> Apache Mirror network.
> 
> With the appropriate parameters you cause it to return the URL. This will hide 
> the details of the Apache Mirror network allowing the mirror operators to 
> make whatever changes are needed as operators are added and removed.
> 
> Regards,
> Dave
> 
>> 
>> [1]
>> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
>> 
>> Thanks,
>> Om
> 
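
Added example, not part of the original thread and not Apache Flex or installer code: one way to do the check discussed under question 2, where the binary comes from a mirror while the detached signature and KEYS file come from somewhere else. The host name, the function names and the stricter "different host" reading of "different URL" are assumptions; it shells out to a locally installed gpg.

```python
import shutil
import subprocess
import tempfile
from urllib.parse import urlsplit

# Assumption: hypothetical origin host; substitute the project's real one.
TRUSTED_ORIGIN = "origin.example.org"


def source_problems(binary_url, sig_url, keys_url, origin=TRUSTED_ORIGIN):
    """Return policy violations; an empty list means the sources are acceptable."""
    problems = []
    binary_host = urlsplit(binary_url).hostname
    for name, url in (("signature", sig_url), ("KEYS", keys_url)):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{name}: not fetched over https")
        if parts.hostname != origin:
            problems.append(f"{name}: not served by {origin}")
        if parts.hostname == binary_host:
            problems.append(f"{name}: same host as the binary")
    return problems


def valid_fingerprints(status_text):
    """Extract signer fingerprints from gpg --status-fd VALIDSIG lines."""
    found = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            found.add(fields[2])
    return found


def verify_detached(binary_path, sig_path, keys_path):
    """Verify binary_path against sig_path using only the keys in keys_path."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found")
    with tempfile.TemporaryDirectory() as home:  # throwaway keyring
        base = [gpg, "--homedir", home, "--batch", "--no-tty"]
        subprocess.run(base + ["--import", keys_path], check=True, capture_output=True)
        result = subprocess.run(base + ["--status-fd", "1", "--verify", sig_path, binary_path],
                                capture_output=True, text=True)
    # Exit code 0 plus a VALIDSIG line means a good signature from an imported key.
    return valid_fingerprints(result.stdout) if result.returncode == 0 else set()
```

An empty set from verify_detached means the download should be discarded before it is uncompressed.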
