Mobile/Projects/APK Factory/Meeting 2013 12 5

From MozillaWiki
Jump to: navigation, search

12/5 Developer Meeting

Use unixtimestamp or date as the version number versions - non negative integrs version_code - integer version - string (manifest version) Fennec Aurora - dev server okay Fennec Beta - Mid march - Google Play store, must be production aurora, beta could append to package name or users could un-install an App 12/5 APK certificat

  • Trunion or HSM doesn't work out of the box
  • Evaluate Sec level of these certs
 * rforbes - Should be in existing Trunion web service or a seperate one?
  • read vs write access to HSM

It won’t work for you out of the box, you’ll need to build something or alter the existing product. I think its worth questioning that it may or may not be desirable from a security point of view for the APK signing service to be in the same repo or instance as Trunion. It might be good to say “all these things are really high security” or “these things are high security levels, but different security levels, so should be separated”. Raymond and other sec people might want to be able to help. You’ve mentioned here that the developer keys are stored in the HSM. Currently Trunion has read only access to the HSM. Having write access to the HSM from Trunion seems scary from any server to me. That certainly should factor into security choices. Personally from a developer point of view, having one server doing all signing using similar APIs seems appealing. Less moving parts and all that.


  • best user experience - integration with app manager in Firefox Desktop, push to device

conenct Fx dev tools to it simple, few clicks, GUI no new tools Unknowns on how tha twould get implmented Probably lots of work

  • Acceptable solution

Sufficient V1 experience few more steps CLI we provide Android SDK push to device Desktop Firefox dev tools Not many unknowns we can get there fast End of January - Deadline for APK Factory Service APK Factory CLI work to be done --- It's a better solution than having a debug APK Factory Service. This is a client side solution Reviewer Signing - we need a 2nd server

Command line tool - download and install - build an APK (CLI to the service) Fx 29 - 4/29 End of January - developer generation Feb 2nd or 3rd - merge from nightly to aurora Fx 29 Jan 31st Friday - drop dead date on client dev major stuff Jan 15th... realistically End to end testing - Early Feb dogfooding

no fennec hacking for pre-developer ...(?)

  • assumption - we can make app under development look like a hosted or packaged app
  • because - that is all we support

Pre-release app hosted app, not available on a public server url - good requirement

Newb... develpoers could install software - android SDK Easier androdi sdk - fancy version of wget - adb fancy wput, put apk on your web server to download and install Edit/Build/Run cycle is outside of apk geneation (one time) for hosted apps - packaged apps - edit/build/run is more complicated