Closed
Bug 1070227
Opened 10 years ago
Closed 10 years ago
Write a script to sign all existing add-ons
Categories
(addons.mozilla.org Graveyard :: Admin/Editor Tools, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
2015-01
People
(Reporter: clouserw, Unassigned)
References
Details
(Whiteboard: [qa-])
Once the signing infrastructure is in place we want to sign all of our existing add-ons. This should probably use celery since it will be long running.
This should be able to be re-run without breaking anything. Perhaps checking for a null serialnumber in the `files` table would be the best way to find add-ons which haven't been signed.
Note bug 1070191 which might have code this script can leverage or be combined with.
Updated•10 years ago
Assignee: nobody → olivier
Comment 2•10 years ago
PR: https://github.com/mozilla/olympia/pull/353
Fixed in https://github.com/mozilla/olympia/commit/6c72c7115419a1dd6d6fae099c436fa4d32a0e3f
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
Whiteboard: [qa-]
Target Milestone: --- → 2015-01
Reporter
Comment 3•10 years ago
I don't think the patch in comment 2 increments add-on versions. For this script we need to ensure that add-on versions get incremented so updates are recognized. Let me know if I missed that part and reclose this bug if I did. Thanks. From emails:
> Yes, we need to increment the version. Partly because of the CDN problems
> (but those can be worked around), but mostly because we're going to need
> to serve signed updates to prevent add-ons from being disabled when Firefox
> upgrades, and that won't happen if the version numbers aren't incremented.
>
> Essentially, Firefox has a very specific version number algorithm[1], and
> we need to make sure that we bump the version number in a way that it
> understands as a higher version number. Since it only recognizes
> 4-component version numbers, my suggestion is:
>
> 1) For version numbers with 3 or fewer components, add a 4th component of
> ".1". So, "3.1" becomes "3.1.0.1", and "3.5.2" becomes "3.5.2.1".
>
> 2) For version numbers with 4 components, bump the *number* portion of the
> 4th component. So, "3.1.0.1" becomes "3.1.0.2", "3.5.1.b" becomes
> "3.5.1.1b", and "3.5.1.2b" becomes "3.4.2.3b".
>
>
> [1] https://developer.mozilla.org/en-US/docs/Toolkit_version_format
Assignee: olivier → nobody
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
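The bump rules proposed in the email quoted in comment 3, as an added example that is not part of the bug or of the olympia code: `bump_version` applies the two rules as written, and `compare` is a simplified reading of the Toolkit version format (no `+`, `*` or signed numbers) used to check that each bumped version sorts as newer. All function names and the sample versions are made up for illustration.

```python
import re
from itertools import zip_longest

def _parts(version):
    parts = version.split(".")
    # "+", "*" and signed numbers have special Toolkit meanings not modelled here.
    if not all(parts) or re.search(r"[*+-]", version):
        raise ValueError("not modelled in this example: %r" % version)
    return parts

def bump_version(version):
    """Apply the two rules from the quoted email to a dotted version string."""
    parts = _parts(version)
    if len(parts) > 4:
        raise ValueError("the proposal covers at most 4 components: %r" % version)
    if len(parts) < 4:
        # Rule 1: zero-fill up to three components, then add a 4th component "1".
        return ".".join(parts + ["0"] * (3 - len(parts)) + ["1"])
    # Rule 2: bump only the leading number of the 4th component ("b" -> "1b").
    digits, rest = re.match(r"(\d*)(.*)", parts[3], re.S).groups()
    return ".".join(parts[:3] + [str(int(digits or 0) + 1) + rest])

def _key(part):
    # Each part is <number-a><string-b><number-c><string-d>; an absent string
    # sorts above a present one, so "1.0" is newer than "1.0b".
    a, b, c, d = re.match(r"(\d*)(\D*)(\d*)(.*)", part, re.S).groups()
    return (int(a or 0), (b == "", b), int(c or 0), (d == "", d))

def compare(v1, v2):
    """Simplified Toolkit comparison: 1 if v1 is newer, -1 if older, else 0."""
    for p1, p2 in zip_longest(_parts(v1), _parts(v2), fillvalue="0"):
        k1, k2 = _key(p1), _key(p2)
        if k1 != k2:
            return 1 if k1 > k2 else -1
    return 0

def unrecognized_bumps(versions):
    """Return the versions whose bumped form would not compare as newer."""
    return [v for v in versions if compare(bump_version(v), v) <= 0]

# Constructed sample versions, not taken from any real add-on.
SAMPLE = ["3.1", "3.5.2", "3.1.0.1", "3.5.1.b", "1.0.0.9", "2.0b1"]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v, "->", bump_version(v))
    print("not recognized as updates:", unrecognized_bumps(SAMPLE))
```

The `1.0.0.9` case is the one a plain string comparison gets wrong: the bumped `1.0.0.10` only sorts higher because the components are compared numerically.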
Reporter
Comment 4•10 years ago
Jorge would like this to email the add-on developers and let them know about the change. Jorge - do you want to email just owners or everyone? What should the email say?
Flags: needinfo?(jorge)
Comment 5•10 years ago
We will do some mass mailing before this is run so developers are aware of what's coming. We should also notify developers (owner roles only) once their add-ons are signed so they can give the signed versions a try and make sure everything's okay.
I've been holding up on this because I haven't had time to write the email text yet. I'll try to get to it this week.
Flags: needinfo?(jorge)
Comment 6•10 years ago
Here's a draft of what I think we should send developers when they have their add-ons auto-signed: https://etherpad.mozilla.org/auto-sign-email
Comment 7•10 years ago
:jorgev maybe it needs a few modifications:
1/ in fact it's often multiple versions of addons that are signed: any version that is
- reviewed (prelim or full)
- compatible with Firefox version 4 or more (if the addon is "default to compatible")
- compatible with Firefox version 37 or more (if the addon is not "default to compatible")
2/ the versions are "signed in place": the current files are signed (we sign the files themselves, so the original file is overwritten with the signed one), the versions have their version bumped (with an added .1-signed)
3/ there's thus no repackaging or approval
There's one thing we have to take into consideration also: if we send a mail for each and every version that is signed, some addon owners will have a real mail bomb (some addons have hundreds of versions, not sure how many do qualify for an auto-signing though).
So I think we should only send one mail per addon (not one per version), and thus simply tell them about the ".1-signed" addition, not give them all the new version numbers.
What do you think?
Flags: needinfo?(jorge)
Reporter
Comment 8•10 years ago
Definitely want one per add-on, not per-version. I think we should only send to the owners of the add-on, not anyone else on the list.
Comment 9•10 years ago
I agree with Wil. Let's just send a single email. I'm also okay with the modified wording on https://github.com/mozilla/olympia/pull/525, modulo removing the second paragraph.
Flags: needinfo?(jorge)
Comment 10•10 years ago
PR for the email: https://github.com/mozilla/olympia/pull/525
Comment 11•10 years ago
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Assignee
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard