AMO/SigningService/Meetings


Add On Signing Team Meeting Minutes Archive

For questions or more information, contact lshapiro@mozilla.com

June 5, 2015

WorkLife summary for meeting "Add-On Signing Weekly Check In"

View Full Details: https://app.worklife.com/meetings/5571aef27dcaa4128175c178

Time: Jun 5, 2015 9:30 AM - 10:00 AM

Larissa Shapiro's vidyo + MTV2 - 217 Star Trek, SFO7 - 740 7H Hotel Utah, TOR5

Attendees: Amy Tsay, Dave Townsend, Jorge Villalobos, Kev Needham, Kim Moir, Kris Maglione, Krupa Raj, Larissa Shapiro, Lisa Brewster, Marc Schifer, Mathieu Agopian, Mike Connor, Philipp Sackl, Rob Hudson, Ryan Tilder, Wil Clouser, Winston Bowden, dveditz

Agenda

 - We've signed all the AMO add-ons and flipped all the flags. \o/
     • are there outstanding issues anyone is seeing
     • how is the review queue
     • validator issues
     • volume of submissions
 - Fennec signing. When do we want to sign the Fennec add-ons? Which versions?
 - We're preparing to do an outreach push to non-AMO add-on developers. What do people in this meeting think we need to know?
 - 41 issues?
 - AOB

Action Items

 - dveditz/mossop think through process for unit test/shell script to validate signed addons, include wil c
 - jorge filing bugs against issues with add-on validation
 - Larissa set up a call for Monday to discuss validation failure issues (Larissa, Kev, Lisa, Jorge, Kris)

Notes

 - Are we checking the state of addons after signing? Is it worth having a validation (not review, but state of addon after signing) step added to the process?
     • it's not in the process now
     • we could add a unit test / xpc shell front end to test for this
     • needs to live in wil's team's process, but the tool to do the test needs support from dveditz/mossop
 - Validator issues: things on AMO vs the validation issues for non-AMO addons; some of the validator issues will block signing. The way we present the UX is not very clear now: we present a big list of issues that both block and do not block signing. We need to change it so it's very clear to devs what will allow their add-on to pass automatic signing.
 - We still aren't fully staffed for reviews and the queue is growing. Andreas comes on June 16th. Any ideas on how to manage the queue? Success rate going through the automated validator so far? Do we want to reduce the standard temporarily? Do we have numbers? 13 have passed automatically, 29 didn't pass, and we have 8 additional ones that requested full review because they want to be side-loaded. We would like to flag certain add-ons or certain validator issues as "ok". Things we can do now:
     • collect common issues and document them and tell the developers about them
     • do a first pass to see what the issues that we know will
 - Fennec: client code is landing in nightly soon, then wilc's team needs to sign the unsigned addons
 - 41 issues: Kim will be working on it early next week

May 29 2015

WorkLife summary for meeting "Add-On Signing Weekly Check In"

View Full Details: https://app.worklife.com/meetings/55685a288444a96c015c8572

Time: May 29, 2015 9:30 AM - 10:00 AM

Larissa Shapiro's vidyo + MTV2 - 217 Star Trek, SFO7 - 740 7H Hotel Utah, TOR5

Attendees: Dave Townsend, Jorge Villalobos, Kev Needham, Kim Moir, Kris Maglione, Krupa Raj, Larissa Shapiro, Lisa Brewster, Marc Schifer, Markus Jaritz, Mathieu Agopian, Mike Connor, Philipp Sackl, Rob Hudson, Ryan Tilder, Wil Clouser, Winston Bowden, dveditz

Agenda

 - bugzilla.mozilla.org/show_bug.cgi?id=1169537
 - open issues for June 1 launch of non-amo review queue
 - 41 issues?
 - AOB
 - krupa had failures when testing -- addons appeared corrupt

Action Items

 - kev: talk to benjamin about signing experiments. (from last week)  [Assigned: Kev Needham]
 - Kris determine how many add-ons have XPCOM binary components (AMO only?) (from last week)
 - Larissa will check in with UA
 - Kev to kick off initial roadmap for next phase for next Friday

Open Issues

 - bugzilla.mozilla.org/show_bug.cgi?id=1169463
 - bugzilla.mozilla.org/show_bug.cgi?id=1169537
 - bugzilla.mozilla.org/show_bug.cgi?id=1169574

Notes

 - 1169463 may not be a big deal (not compressing enough) - not a stop ship, but a good idea
 - 1169537 and 1169574 may be one bug or linked: case sensitivity issues on production boxes to do with MANIFEST files. Code is being tested on stage now to support the correct files. We also need to get rid of .sf and .rsa files (even if they're upper case).
 - If we have the list of faulty addons, we can either re-sign them on top or we could unsign and re-sign (probably 92 addons)
 - Below 40, they will only see an issue if they try to install an addon fresh (until we get it re-signed); in 40 and 41 it installs but counts as unsigned.
 - need to increase the version number somehow - bump version, we support infinite ...
 - Krupa had corruptions in addons for which we know no good reason. Worrying. Is there telemetry we could use to see if this is happening more? We have a bug to add signed state to FHR on file but it isn't done yet.
 - For June 1st, we are ready, though the validator needs QA so it will come up on the 3rd (as planned). Wil will cover the flags as Mathieu will be away.
 - On the list people are asking about a submission API for non-AMO developers. We don't have a plan for this now. Are we making a plan?
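
The notes above on 1169537 and 1169574 describe two packaging checks: finding signature-related files under META-INF regardless of case, and removing stale .sf and .rsa files before signing again. An added sketch of both checks (not Mozilla's signing code; the function names and the sample archive are constructed for illustration, and the case-collision check is an assumption about how a case-sensitivity problem can show up inside a zip):

```python
import io
import zipfile

# File kinds named in the notes: the manifest plus .sf and .rsa files.
SIGNATURE_SUFFIXES = (".sf", ".rsa")
MANIFEST_NAME = "manifest.mf"


def is_signature_entry(name):
    """True if a zip entry is a signature-related file directly under
    META-INF, compared case-insensitively."""
    folded = name.lower()
    if not folded.startswith("meta-inf/"):
        return False
    base = folded[len("meta-inf/"):]
    if not base or "/" in base:
        return False
    return base == MANIFEST_NAME or base.endswith(SIGNATURE_SUFFIXES)


def find_signature_entries(xpi_bytes):
    """List signature-related entries exactly as they are spelled in the archive."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return [n for n in zf.namelist() if is_signature_entry(n)]


def find_case_collisions(xpi_bytes):
    """Return groups of entry names that differ only by case. Such a pair
    is two files on a case-sensitive system and one file elsewhere."""
    groups = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for name in zf.namelist():
            groups.setdefault(name.lower(), []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def strip_signature_entries(xpi_bytes):
    """Return a copy of the archive without any signature-related entries,
    so a later signing pass starts from a clean package."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if is_signature_entry(info.filename):
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_xpi():
    """Constructed sample: mixed-case leftovers from an earlier signing pass."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/manifest.mf", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/OLDSIG.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/oldsig.rsa", b"\x00constructed")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xpi()
    print("signature entries:", find_signature_entries(sample))
    print("case collisions:  ", find_case_collisions(sample))
    print("after strip:      ", find_signature_entries(strip_signature_entries(sample)))
```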

May 22 2015

WorkLife summary for meeting "Add-On Signing Weekly Check In"

View Full Details: https://app.worklife.com/meetings/555e598903b5d40b67a814f4

Time: May 22, 2015 9:30 AM - 10:00 AM

Larissa Shapiro's vidyo + MTV2 - 217 Star Trek, SFO7 - 740 7H Hotel Utah, TOR5

Attendees: Amy Tsay, Chris AtLee, Dave Townsend, Jorge Villalobos, Kev Needham, Kim Moir, Kris Maglione, Krupa Raj, Larissa Shapiro, Lisa Brewster, Marc Schifer, Markus Jaritz, Mathieu Agopian, Mike Connor, Philipp Sackl, Rob Hudson, Ryan Tilder, Wil Clouser, Winston Bowden, dveditz

Agenda

 - docs.google.com/document/d/19Mf97JPXmU5PSMiw8or5Tbbd-m2fFL5MpabW61cKgoc/edit#heading=h.k5xmsi9kq5br
 - Impending update to developer agreement
 - review and close actions from last week (see action items section)
 - Status of releng work for 41? on track! Kim is on deck.
 - Any other 41 blockers? none mentioned.
 - Who owns deciding when to turn on signing requirements by default?
 - AOB? Add your topic!

Action Items

 - Larissa talk to SUMO (in progress, working with Joni S.)
 - Larissa check in with Mika about developer agreement update (in progress)
 - Amy to submit bug for note to AMO devs to go live Monday/Tuesday following review (done?)
 - kev: talk to benjamin about signing experiments.
 - Kris determine how many add-ons have XPCOM binary components (AMO only?)
 - Pick a date to flip the pref default to require signing (June 15 proposed).

Open Issues

 - Are we good archiving all of this meeting's notes to the public wiki? yes!
 - final icons for the UI changes are not back from shorlander yet. (Are they now?)
 - What needs uplift for 40 still? Dave provided this list: (and we are probably not uplifting the UX issues)  bugzilla.mozilla.org/buglist.cgi?f1=cf_status_firefox40&o1=equals&o2=equals&query_format=advanced&f2=blocked&v1=affected&v2=1149654&list_id=12271529

Notes

 - Schedule confirmation. Pulling from the DevComms doc, the following is our current plan: 
  • May 22: Golive date for updated developer policy (MDN)
  • May 26: dev agreement goes live (submission), submission UI goes live (hidden), sign rest of test add-ons
  • May 28: sign all AMO add-ons
  • June 1: All new AMO submissions get signed automatically
  • June 1: Submission opens for non-AMO addons (Without validator for 3 days, reviewers will run validator on local machine)
  • June 2: Firefox 38.0.5 \o/
  • June 4: validator online + AMO push
  • June 30: 40 Beta / 41 Aurora (signing enforced in 40 with pref to disable)
  • Aug 11: 40 Release / 41 Beta (signing enforced with no pref except for ESR)
  • Oct 6: 41 Release
  • ???: Enterprise plan opens

May 15, 2015

WorkLife summary for meeting "Add-On Signing Weekly Check In"

View Full Details: https://app.worklife.com/meetings/5555e4273c2b7c39e491531a

Time: May 15, 2015 9:30 AM - 10:00 AM

Larissa Shapiro's vidyo + MTV2 - 217 Star Trek, SFO7 - 740 7H Hotel Utah, TOR5

Attendees: Amy Tsay, Dave Townsend, Jorge Villalobos, Kev Needham, Kim Moir, Kris Maglione, Krupa Raj, Larissa Shapiro, Lisa Brewster, Marc Schifer, Markus Jaritz, Mathieu Agopian, Mike Connor, Philipp Sackl, Rob Hudson, Ryan Tilder, Wil Clouser, Winston Bowden

Agenda

 - 40 - any outstanding issues?
 - 41 - at risk for RelEng issues - what else?
 - Timing for opening the review queue for non-AMO add-ons and associated dev comms
 - AOB

Decisions

 - See schedule strawman in notes

Action Items

 - Larissa talk to SUMO (in progress, working with Joni S.)
 - Larissa check in with Mika about developer agreement update (in progress)
 - Larissa and Lisa to review Amy's note to AMO devs today/Monday
 - Amy to submit bug for note to AMO devs to go live Monday/Tuesday following review

Open Issues

 - Are we good archiving all of this meeting's notes to the public wiki?

Notes

 - 41 - releng issues - removing pref is red for now pending further plans
 - AMO release May 21st will have the UI pieces on AMO front end
 - Automatic validation is awaiting review
 - June 1st as a public go-live for the review queue would mean May 21st-22nd are a reasonable timeframe for testing internally or with a limited beta group. We could do a soft launch the 1st, send out a formal launch on the 3rd...
 - Developer comms for AMO developers need to get moving asap. We may need a strategy switch and just message them when it's happening.
 - Plan of attack:
     • Monday (18th) or Tuesday (depending on docs review and It) email to AMO-Developers warning them of impending signing
     • Thursday 21st - AMO release including all the UI for signing, may include Automated Validation if it is reviewed.
     • Friday 22nd/Monday the 25th - start internal testing for AMO signing with UI
     • Friday 22nd/Monday the 25th - send notice to known non-AMO add-on devs about signing process and timing for submitting for review
     • Monday (or Tuesday) 25th sign AMO add-ons (Larissa to confirm with RelMan that this is ok)
     • June 1 "soft launch" for opening the review queue for non-AMO addons to be signed. (Dependent on automated validation being online and tested, and the revised developer agreement being approved and live)

May 8, 2015

WorkLife summary for meeting "Add-On Signing Weekly Check In"

View Full Details: https://app.worklife.com/meetings/554ccc9f2da367f4b4123364

Time: May 8, 2015 9:30 AM - 10:00 AM

Larissa Shapiro's vidyo + MTV2 - 217 Star Trek, SFO7 - 740 7H Hotel Utah, TOR5

Attendees: Amy Tsay, Chris AtLee, Daniel Veditz, Dave Townsend, Jorge Villalobos, Kev Needham, Kim Moir, Kris Maglione, Krupa Raj, Larissa Shapiro, Lisa Brewster, Marc Schifer, Markus Jaritz, Mathieu Agopian, Mike Connor, Philipp Sackl, Rob Hudson, Ryan Tilder, Wil Clouser, Winston Bowden

Agenda

 - Review of status for 40: any open issues, any surprises PLEASE speak now
 - Plans for 41
     • release engineering issues
         • I'm concerned about doing bulk of our testing on builds that allow installation of unsigned addons - those aren't what we're shipping to most people. I'd like to re-visit signing the addons we use for testing.
     • separate build for testing
     • Developer Comms plans
         • what is already planned and where is it documented? WIP: https://docs.google.com/document/d/19Mf97JPXmU5PSMiw8or5Tbbd-m2fFL5MpabW61cKgoc/edit
 - Any other business

Decisions

 - We are holding on signing more AMO addons till at least the 18th to not conflict with the 38 release.
 - We can use the same cert for experiments as for add-ons.

Action Items

 - Larissa set up dev comms plan meeting for next week
 - kev: talk to benjamin about signing experiments.
 - Kris (?) determine how many add-ons have XPCOM binary components (AMO only?)
 - LS to set up mtg next week kev, dveditz, mconnor, larissa, catlee on releng issues and possibly turning on the alternate root
 - LS set up a meeting including Kev, Jorge, Amy, MConnor/Joanne, need to make sure it addresses the XPCOM issues for the AV companies in particular.

Open Issues

 - hotfix patch needs review by dveditz but he is on PTO. Options: 1. he could do it over the weekend? 2. Someone else could do it and then dveditz could review after the fact. Dan will review tonight
 - final icons for the UI changes are not back from shorlander yet.
 - Who is going to own the signing certificate and sign when needed? Will says we can do it on the AMO signing servers.  Needs confirmation that this will work.

Notes

 - plan for hotfixes - new signing cert from the AMO root - will sign with those. Once we turn on requiring signing from AMO, it will only accept the new hotfix cert. If we sign for old versions, we may end up needing to produce two XPIs.
 - Update service on AMO can distinguish firefox versions so if we mark things correctly on the hotfixes that should work. We'll need to update the release process accordingly.
 - Experiments need to be signed but are not distributed by AMO, should we put a separate cert in the same place, or could we use the same cert?
 - We are holding on signing more AMO addons till at least the 18th to not conflict with the 38 release.
 - Benjamin's post about XPCOM components - are we doing this for 40? It's a tight change. Is it Binary components only? (yes) In 40 we're not enforcing signing. Are people going to conflate the two issues? Understanding how many add-ons are impacted would be good. This should be in the comms plan. Intent is for XPCOM to be disabled for everyone but Mozilla.
 - Release engineering issues: plan was a parallel set of builds for 41, but this would mess up automation of release for builds we are shipping to users. Is the general consensus that rewriting the test suite for add-ons that aren't getting signed on the fly is not feasible? Discussion needed. Right now we have a test root defined that is not enabled for final builds. We could enable it for final builds and sign things.
 - Comms Plan: this is a skeleton of the message and the audiences. Will set up a meeting including Kev, Jorge, Amy, MConnor/Joanne, need to make sure it addresses the XPCOM issues for the AV companies in particular.

April 17, 2015

WorkLife summary for meeting "Add-On Signing Weekly Check In"

View Full Details: https://app.worklife.com/meetings/55311eda86c026b9ec595e87

Time: Apr 17, 2015 9:30 AM - 10:00 AM

Larissa Shapiro's vidyo + MTV2 - 217 Star Trek, SFO7 - 740 7H Hotel Utah, TOR5

Attendees: Chris AtLee, Dave Townsend, Jorge Villalobos, Kev Needham, Kris Maglione, Krupa Raj, Larissa Shapiro, Lisa Brewster, Marc Schifer, Markus Jaritz, Mathieu Agopian, Mike Connor, Philipp Sackl, Rob Hudson, Ryan Tilder, Wil Clouser, dveditz

Agenda

 - Tracking for Fx 40, review status worksheet: docs.google.com/spreadsheets/d/19uZqwiQbiZr6fnU6dLhvuj5cafjQ21a6if2W3h4S4JQ/edit#gid=0
 - Blog post up? Next steps in DevRel?
 - Review open decisions and actions from last week.
 - AOB
 - Review testplans for Desktop client which were sent out

Decisions

 - UX will move forward with decisions in bugs today and copy review Monday
 - RelEng can move forward for 40 with the override pref turned on
 - We are close to comfortable with go for 40 pending UX decisions, a marketing rep/comms plan
 - We need a go/no go plan and sufficient releng resources to be go for 41.

Action Items

 - From last week:
     • Larissa to make sure decision happens for bugzilla.mozilla.org/show_bug.cgi?id=1151537
     • Wil to coordinate signing existing AMO add-ons ahead of having submission UI ready
 - Kev to write up notes on go/no-go criteria
 - Wil Clouser - Hotfix addon bug will be fired for Thunderbird, duplicating that which exists for Firefox. (done?)
 - Need overview of signing process for all addons. What gets signed first, plan for remainder. (Wil)
 - Need policy for signing experiments. Extensions only currently, and themes are excluded from checking and verification.
 - (product) Need decision on term we use for what a signed addon is (vs. certified). Need product and copy involved to take discussion.

 - Text and location for information page needs to be finalized for initial warning that links to unsigned addons.
 - (justin) Need reactive answer for why addon signing will not be enabled on Android for PR.
 - Larissa to speak to Eric about marketing/comms rep on team

Open Issues

 - Need additional tests for what happens when the pref is on
 - devs are asking if there can be a bug for an upload API - not blocking but something we need to get onto a roadmap

Notes

 - Blog post went up on Wednesday, yay!  Reaction: not much volume, challenge to claim that there's nowhere on the machine that we can save signing info that malware can't get at.  Mac has per app storage that can't be seen from other apps.  Don't want to build custom solution for Mac because we're not that worried about Mac only malware.

April 13

WorkLife summary for meeting "Add-On Signing - open UX decisions"

View Full Details: https://app.worklife.com/meetings/552bb9a9f8827cfb6f914efc

Time: Apr 13, 2015 8:00 AM - 9:00 AM

Markus' Vidyo

Attendees: Dave Townsend, Kev Needham, Larissa Shapiro, Markus Jaritz, Mike Connor, dveditz

Agenda

 - Working Document
 - how to phrase what we do?
 - explanation text
 - unsigned addons information page as menu item in addon manager

Action Items

 - Kev and Larissa to work with copywriters
 - Kev to make and send flow chart of user process and associated actions

April 10

WorkLife summary for meeting "Add-On Signing Weekly Check In"

View Full Details: https://app.worklife.com/meetings/5526ed18da9eb457cec0d0b6

Time: Apr 10, 2015 9:30 AM - 10:00 AM

Larissa Shapiro's vidyo + MTV2 - 217 Star Trek, SFO7 - 740 7H Hotel Utah, TOR5

Attendees: Amy Tsay, Chris AtLee, Dave Townsend, Jorge Villalobos, Kev Needham, Kris Maglione, Krupa Raj, Larissa Shapiro, Lisa Brewster, Marc Schifer, Markus Jaritz, Mathieu Agopian, Mike Connor, Philipp Sackl, Rob Hudson, Ryan Tilder, Wil Clouser, dveditz

Agenda

 - Review Open Issues and actions from last meeting
 - Who's gating on what? Are you waiting on a decision from someone else to complete your work? (UX, policy, process, etc) Are there items that you know need to be resolved before Add-on Signing can ship? Speak up. Please. Ties directly into below.
 - Review Status of pieces at: docs.google.com/spreadsheets/d/19uZqwiQbiZr6fnU6dLhvuj5cafjQ21a6if2W3h4S4JQ/edit#gid=0 (tune of "will we be ready for 40") - is this complete and accurate?
 - Blog post? Other community issues?
 - AOB
 - New mana mana.mozilla.org/wiki/display/PM/Add-Ons+Overview
 - [UX] Installed add-on warning placement & text
 - [UX] Wording: certified or signed

Decisions

 - AMO will split the signing part from the UI part and ship signing ASAP. (from last week)

Action Items

 - From last week:
     • Larissa to make sure decision happens for bugzilla.mozilla.org/show_bug.cgi?id=1151537
     • Wil to coordinate signing existing AMO add-ons ahead of having submission UI ready
 - Kev to write up notes on go/no-go criteria
 - Jorge to add Dan to AMO blog
 - Wil Clouser - Hotfix addon bug will be fired for Thunderbird, duplicating that which exists for Firefox.
 - Need overview of signing process for all addons. What gets signed first, plan for remainder. (Wil)
 - Need policy for signing experiments. Extensions only currently, and themes are excluded from checking and verification. (Experiments are signed and validated - clients)
 - (product) Need decision on term we use for what a signed addon is (vs. certified). Need product and copy involved to take discussion.
 - Text and location for information page needs to be finalized for initial warning that links to unsigned addons.
 - (Justin) Need review from Marketing/PR on developer blog post.
 - (Kev) signing on Android - does anything need to be done? (mossop) will double-check Desktop changes will not impact Android.
 - (justin) Need reactive answer for why addon signing will not be enabled on Android for PR.
 - Follow up with mossop on Experiment signing - is anything required on the client side for Experiment validation support?
 - (mconnor, wil) - Review validator policy (gist.github.com/1100e14f74cdd05e6654)

Open Issues

 - Plan for ESR - default block with pref? Default no block? Something else?
 - What are the releng dependencies??
 - Open policy issues
 - Validator policies gist.github.com/1100e14f74cdd05e6654

Notes

 - Wil: Addon signing freezing today, waiting on Kris Maglione for ??? (need specifics). Zigbert addon being renamed because of multiple signing requirements. Sign all addons process to be finalized. Some addons being signed, need policy on addons - mozilla and reviewer-made addons first, follow-on for other addons policy needed - close to 1000 addons total.
 - List of bad addons on AMO being waited on from Yahoo - mconnor - need description of what constitutes bad and where list originates. Needs to be reconciled against Lisa's list.
 - Policy decision has been made in Jan (mconnor/jorge): Themes will not be signed (checked or enforced) as part of add-on signing. Really only Extension.
 - RelMgmt work - policy on what builds are going to be used for QA - if branded, need 6 weeks because of dependencies on generated and unsigned addons used as test harness. Policy on what builds are going to be used for testing - which builds will have addons that can be disabled?
 - Markus - Need decision on warning page, where it will be placed, how it will interact with all addons (themes/plugins/etc.) - Need decision on where warnings will be placed in addons section, what the specific text/language will be around how warnings are worded. Need a decision on whether we use certified or signed as the nomenclature. UI review in with Philipp Sackl, and iconography in flight with shorlander.
 - Display of Uncertified Addons section - should it be persistent or only displayed when a user follows a warning. Add to open issue.
 - Use cases for when a doorhanger for unsigned addons should be displayed needs to be defined.
 - Where is current draft of blog post, and who owns it?
 - Moving google doc to mana page, with intent to move to public wiki that links all components (Platform, Client, AMO, RelMgmt, Legal/Security review,  etc.)
 - QA team is waiting for UX mocks for Android - will there be mobile-specific mocks.

April 7

WorkLife summary for meeting "Add-On Signing Weekly Check In"

View Full Details: https://app.worklife.com/meetings/5523ece2142ea910fd5c4abd

Time: Apr 7, 2015 10:00 AM - 10:30 AM

Larissa Shapiro's vidyo + MTV2 - 217 Star Trek, SFO7 - 740 7H Hotel Utah, TOR5

Attendees: Amy Tsay, Chris AtLee, Daniel Veditz, Dave Townsend, Jorge Villalobos, Kev Needham, Kris Maglione, Krupa Raj, Larissa Shapiro, Lisa Brewster, Marc Schifer, Markus Jaritz, Mathieu Agopian, Mike Connor, Philipp Sackl, Rob Hudson, Ryan Tilder, Wil Clouser

Agenda

 - Results of go/no go meeting for 39 and potential changes to process/schedule
 - request for dependencies need for clarity on schedule (second page) at: docs.google.com/a/mozilla.com/document/d/1yZNz2Cz5kPvmqzCqD53lbezTzTjTDnxorSfpYe8yz2A/edit?userstoinvite=catlee@mozilla.com&actionButton=1
     • List of non-AMO addons that need signing in development at: docs.google.com/a/mozilla.com/spreadsheets/d/1xLnFtXLcIfIXFZodj1sFYzyDdFJ1vR3CKYNb_n-g30c/edit#gid=0
 - Is blog post ready? When do we want to post it?
 - AOB

Action Items

 - Larissa to make sure decision happens for bugzilla.mozilla.org/show_bug.cgi?id=1151537
 - Make sure your dependencies are documented: docs.google.com/a/mozilla.com/document/d/1yZNz2Cz5kPvmqzCqD53lbezTzTjTDnxorSfpYe8yz2A/edit

Notes

 - We decided yesterday we will not be ready to turn on phase one of the signing roll out for 39. We are establishing a full list of dependencies so we can make a better informed call for 40 and forward.