On Fri, Jun 22, 2012 at 11:05 PM, Scott Deboy <[email protected]> wrote: > I've posted a question to the infra-dev mailing list on the best location > for the jnlp file and jars (the only infra requirement is a mime type > mapping for jnlp files), we'll see what response we get. > > The other half of the issue is for new releases of Chainsaw, we need a new > code signing cert, preferably provided and managed by infra. > > I filed (INFRA-3991) Request for code signing certificate about nine months > ago, with no feedback. Today, Sam Ruby responded that we need to provide an > actionable plan for how the code signing could take place. > > After discussing with Tony on #asfinfra, infra would like to build binaries > themselves and sign them, after being given a path and svn revision and > proof of the vote. > > I also suggested we provide them with hashes so they can verify that what we > reviewed matches what they are signing. > > Infra would be responsible for retrieving the code from subversion and > building and signing the artifacts using code signing keys that they managed > securely. > > How they manage their keys belongs under infra's domain, but we need to > provide an actionable process that they could adopt otherwise. > > Does what I describe above sound ok? Any suggestions, comments or changes to > the above-described process? >
Sounds great and fantastic Job. Thank you Scott for dealing that out. Basically what I read from above is: - we open a Jira issue with a link to a logging wiki page what needs to be done (instructions how to build and probably some notes how to sign), the svn repository tag and a reference to the vote. - we also let them know the hashes of the artifacts we voted on to confirm we speak of the same - infra builds the code, signs it and uploads it to a location which is to be named - Once uploaded, Chainsaw users get a nice suprise :-) So, the last thing we need to do is to create instructions how to build? Lets do it! I really thought it would be more difficult. Cheers Christian > Thanks > > Scott > > > > On Fri, Jun 22, 2012 at 9:12 AM, Christian Grobmeier <[email protected]> > wrote: >> >> On Fri, Jun 22, 2012 at 6:10 PM, Scott Deboy <[email protected]> >> wrote: >> > I actually used to track this from the downloads and JNLP was used quite >> > extensively, haven't checked in a while, but I bet if we deployed the >> > latest >> > developer snapshot that would be the most frequently used path. We >> > pinged >> > infra a while back on this but didn't get back a good response (Paul had >> > to >> > sign the jars himself, and somehow JNLP was served correctly from where >> > it >> > is now). >> > >> > I'll ping #infra on freenode, but I really don't want to drop JNLP >> > support. >> >> OK understood. If infra is fine with that, I am too and we can publish >> the jnlp via the CMS. >> Just the dmg/zip file - shouldn't we put these on the mirroring system? >> >> >> >> > Scott >> > >> > >> > On Fri, Jun 22, 2012 at 8:46 AM, Ivan Habunek <[email protected]> >> > wrote: >> >> >> >> I'll take care of log4php next week. On holidays this week. >> >> >> >> Regards, >> >> Ivan >> >> >> >> On 22 June 2012 17:05, Christian Grobmeier <[email protected]> wrote: >> >> > On Fri, Jun 22, 2012 at 4:43 PM, Ralph Goers <[email protected]> >> >> > wrote: >> >> >> So where does this leave us in moving the site over? >> >> > >> >> > I think we could simply commit the chainsaw binary into the cms >> >> > folders. >> >> > >> >> > But actually I believe infra will eat us if they ever find out we >> >> > distribute binaries from the CMS folder. Therefore I would say we >> >> > make >> >> > up a regular download page and reference to the dmg and the zip only >> >> > (dropping the jnlp) and use the mirroring system. >> >> > >> >> > Scott, its your domain- what do you say to that? >> >> > >> >> > Cheers >> >> > Christian >> >> > >> >> >> >> >> >> Ralph >> >> >> >> >> >> On Jun 21, 2012, at 12:51 AM, Scott Deboy <[email protected]> >> >> >> wrote: >> >> >> >> >> >> I believe we bypass the mirror system because the mirror system >> >> >> doesn't >> >> >> support the jnlp protocol (handling the mime type).. >> >> >> >> >> >> Scott >> >> >> >> >> >> On Thu, Jun 21, 2012 at 12:49 AM, Scott Deboy >> >> >> <[email protected]> >> >> >> wrote: >> >> >>> >> >> >>> An icon is usually added to the user's start menu and/or desktop, >> >> >>> which >> >> >>> launches javaws and uses the jnlp protocol, so they don't need to >> >> >>> go >> >> >>> back to >> >> >>> the link to get the benefit of autoupdates. >> >> >>> >> >> >>> >> >> >>> On Wed, Jun 20, 2012 at 10:45 PM, Christian Grobmeier >> >> >>> <[email protected]> wrote: >> >> >>>> >> >> >>>> On Thu, Jun 21, 2012 at 7:40 AM, Scott Deboy >> >> >>>> <[email protected]> >> >> >>>> wrote: >> >> >>>> > The benefit of webstart is updates are automatically downloaded >> >> >>>> > and >> >> >>>> > installed. The link actually tries to check jars each time you >> >> >>>> > start >> >> >>>> > the >> >> >>>> > app and will update automatically if there are new ones. >> >> >>>> >> >> >>>> yes understood. >> >> >>>> >> >> >>>> Does the user (i am a webstart noob) always need to click on our >> >> >>>> webpage to start the app? >> >> >>>> And, do we actually bypass the mirror system here or am I wrong >> >> >>>> with >> >> >>>> my assumption? Not sure if that is really relevant because I don't >> >> >>>> know about the user base >> >> >>>> >> >> >>>> Cheers >> >> >>>> Christian >> >> >>>> >> >> >>>> >> >> >>>> >> >> >>>> > Scott >> >> >>>> > >> >> >>>> > >> >> >>>> > On Wed, Jun 20, 2012 at 10:36 PM, Christian Grobmeier >> >> >>>> > <[email protected]> >> >> >>>> > wrote: >> >> >>>> >> >> >> >>>> >> On Wed, Jun 20, 2012 at 4:31 PM, Scott Deboy >> >> >>>> >> <[email protected]> >> >> >>>> >> wrote: >> >> >>>> >> > I think the gotcha there had something to do with making sure >> >> >>>> >> > the >> >> >>>> >> > jnlp >> >> >>>> >> > file mapping was correctly supported. It has been about eight >> >> >>>> >> > years, >> >> >>>> >> > but >> >> >>>> >> > that is my recollection. >> >> >>>> >> > >> >> >>>> >> > That and the stupid maven template support would not allow us >> >> >>>> >> > to >> >> >>>> >> > use >> >> >>>> >> > an >> >> >>>> >> > image as the link (a 'launch' webstart graphical button as >> >> >>>> >> > the >> >> >>>> >> > link) >> >> >>>> >> >> >> >>>> >> >> >> >>>> >> Is there something speaking against downloading an exe/dmg/zip >> >> >>>> >> via >> >> >>>> >> the >> >> >>>> >> usual download system? >> >> >>>> >> Or is webstart the killer feature for chainsaw? :-) >> >> >>>> >> >> >> >>>> >> Cheers >> >> >>>> >> >> >> >>>> >> >> >> >>>> >> >> >> >>>> >> > >> >> >>>> >> > Scott >> >> >>>> >> > >> >> >>>> >> > >> >> >>>> >> > >> >> >>>> >> > On Jun 20, 2012, at 2:46 AM, Christian Grobmeier >> >> >>>> >> > <[email protected]> >> >> >>>> >> > wrote: >> >> >>>> >> > >> >> >>>> >> >> On Wed, Jun 20, 2012 at 7:07 AM, Ralph Goers >> >> >>>> >> >> <[email protected]> wrote: >> >> >>>> >> >>> I believe all the hard work on the logging site is >> >> >>>> >> >>> completed >> >> >>>> >> >>> however >> >> >>>> >> >>> some of the sub projects are yet to be published. I would >> >> >>>> >> >>> like to >> >> >>>> >> >>> have >> >> >>>> >> >>> infra convert loggingtest.apache.org to logging.apache.org >> >> >>>> >> >>> but >> >> >>>> >> >>> I >> >> >>>> >> >>> don't want >> >> >>>> >> >>> to get 404s on those sub projects. >> >> >>>> >> >>> >> >> >>>> >> >>> I looked at chainsaw and the download page will certainly >> >> >>>> >> >>> break if >> >> >>>> >> >>> I >> >> >>>> >> >>> were to just copy the content. I'm not sure about the >> >> >>>> >> >>> others. >> >> >>>> >> >>> >> >> >>>> >> >>> Any ideas? >> >> >>>> >> >> >> >> >>>> >> >> Just added log4cxx to loggingtest.a.o. Its using the >> >> >>>> >> >> download >> >> >>>> >> >> script >> >> >>>> >> >> which generates a list of mirrors so no problem here. In >> >> >>>> >> >> addition I >> >> >>>> >> >> completed the branding requirements for log4cxx so we can >> >> >>>> >> >> leave >> >> >>>> >> >> that >> >> >>>> >> >> untouched for a while now. >> >> >>>> >> >> >> >> >>>> >> >> I am not sure on the chainsaw one. It seems to bypass the >> >> >>>> >> >> mirroring >> >> >>>> >> >> system which is kind a bad. Instead we should change the >> >> >>>> >> >> site >> >> >>>> >> >> to >> >> >>>> >> >> use >> >> >>>> >> >> the download script imho. Maybe Scott can comment here. >> >> >>>> >> >> >> >> >>>> >> >> That being said, the chainsaw site needs an appropriate >> >> >>>> >> >> footer. >> >> >>>> >> >> Basically the maven.vm template could be used in chainsaw >> >> >>>> >> >> too. >> >> >>>> >> >> So >> >> >>>> >> >> we >> >> >>>> >> >> have 2 tasks here, update to branding and use the mirror >> >> >>>> >> >> system. >> >> >>>> >> >> >> >> >>>> >> >> cheers >> >> >>>> >> >> Christian >> >> >>>> >> >> >> >> >>>> >> >>> >> >> >>>> >> >>> Ralph >> >> >>>> >> >> >> >> >>>> >> >> >> >> >>>> >> >> >> >> >>>> >> >> -- >> >> >>>> >> >> http://www.grobmeier.de >> >> >>>> >> >> https://www.timeandbill.de >> >> >>>> >> >> >> >>>> >> >> >> >>>> >> >> >> >>>> >> -- >> >> >>>> >> http://www.grobmeier.de >> >> >>>> >> https://www.timeandbill.de >> >> >>>> > >> >> >>>> > >> >> >>>> >> >> >>>> >> >> >>>> >> >> >>>> -- >> >> >>>> http://www.grobmeier.de >> >> >>>> https://www.timeandbill.de >> >> >>> >> >> >>> >> >> >> >> >> > >> >> > >> >> > >> >> > -- >> >> > http://www.grobmeier.de >> >> > https://www.timeandbill.de >> > >> > >> >> >> >> -- >> http://www.grobmeier.de >> https://www.timeandbill.de > > -- http://www.grobmeier.de https://www.timeandbill.de
