Rob Hudson wrote:
> Would the app ID and version be a part of the "mini-manifest"? Or
> would it be part of the app manifest that is contained within the
> package? I'm assuming inside the package since you've said,
> "given two JAR files, and no other information".

Your understanding is correct. It has to be inside the JAR, because that is the 
only thing that is signed.

Now, should it be in the app manifest or somewhere else inside the app? Now, I 
know almost nothing about how the appstore works, but I think it would be very 
good if the appstore *never* modified the manifest.webapp or other 
author-created entries within the JAR. Instead, if there is additional metadata 
that the appstore needs to supply itself, then that metadata should be in some 
other manifest within META-INF/. (We are reserving all of META-INF/ for our own 
internal use.)

Cheers,
Brian


> 
> Thanks,
> Rob
> 
> Brian Smith wrote:
> > Rob Hudson wrote:
> >> Brian Smith wrote:
> >>> #2 is important so that nobody can trick the web server into
> >>> asking the user to replace one app with another (unrelated) app
> >>> that the marketplace has signed.
> >> The way the "v1" blocklisting was spec'd, this is required to
> >> blocklist apps.
> >
> > Let's say the app is "Chess" and that the marketplace generates a
> > UUID for the app of 702e8e70-81a1-4eed-8d81-dc4c84ac2cfd. Then,
> > the first version of the app released in the marketplace would be:
> > (702e8e70-81a1-4eed-8d81-dc4c84ac2cfd, 1)
> >
> > Then, let's say we blocklist "Chess." Then we'd update the
> > mini-manifest to point to a new version of the app package that
> > contains the contents of the "this app is blocklisted" app, using
> > the same UUID and a higher version:
> > (702e8e70-81a1-4eed-8d81-dc4c84ac2cfd, 2).
> >
> > Then, let's say "Chess" is updated and we un-blacklist it. Then,
> > the new mini-manifest would point to the new version of the app
> > package that would have the same UUID and a higher version number:
> > (702e8e70-81a1-4eed-8d81-dc4c84ac2cfd, 3).
> >
> > Now, let's say that the maker of "Chess" renames it to "Chess with
> > Imaginary Friends". Then, the renamed app "Chess with Imaginary
> > Friends" would be:
> > (702e8e70-81a1-4eed-8d81-dc4c84ac2cfd, 4).
> >
> > Now, let's say that somebody else publishes an app called "Chess".
> > That app would be:
> > (325e56eb-f207-4c36-82d7-da17671baa07, 1).
> >
> > (NOTE: I use UUIDs here but the app ID wouldn't necessarily have to
> > be a UUID; just something unique per appstore.)
> >
> > Cheers,
> > Brian
> 
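
The "given two JAR files, and no other information" comparison discussed in this thread, as an added example that is not part of the original messages or of any Mozilla code. Assumptions: the entry name `META-INF/ids.json`, its JSON layout, the helper names, and the strict "higher version" comparison are hypothetical, and the package signature is taken as already verified.

```python
import io, json, zipfile

# Hypothetical entry name; the thread only says store-supplied metadata
# belongs somewhere under META-INF/, not what the file is called.
ID_ENTRY = "META-INF/ids.json"

def build_package(app_id, version, name):
    """Build a constructed, unsigned sample package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("manifest.webapp", json.dumps({"name": name}))
        jar.writestr(ID_ENTRY, json.dumps({"id": app_id, "version": version}))
    return buf.getvalue()

def read_identity(package_bytes):
    """Return (app_id, version) read from inside the package only.

    Assumes the caller has already verified the package signature; an
    unverified (id, version) pair proves nothing.
    """
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as jar:
        meta = json.loads(jar.read(ID_ENTRY))
    app_id, version = meta["id"], meta["version"]
    if not isinstance(app_id, str) or not app_id:
        raise ValueError("missing app id")
    # bool is an int subclass in Python, so exclude it explicitly.
    if isinstance(version, bool) or not isinstance(version, int) or version < 1:
        raise ValueError("version must be a positive integer")
    return app_id, version

def is_valid_update(installed, candidate):
    """True only if candidate has the same ID and a strictly higher version."""
    old_id, old_ver = read_identity(installed)
    new_id, new_ver = read_identity(candidate)
    return new_id == old_id and new_ver > old_ver

# Constructed sample packages following the "Chess" sequence in the thread.
CHESS = "702e8e70-81a1-4eed-8d81-dc4c84ac2cfd"
OTHER = "325e56eb-f207-4c36-82d7-da17671baa07"
v1 = build_package(CHESS, 1, "Chess")
v2 = build_package(CHESS, 2, "This app is blocklisted")
v4 = build_package(CHESS, 4, "Chess with Imaginary Friends")
other = build_package(OTHER, 1, "Chess")

if __name__ == "__main__":
    print(is_valid_update(v1, v2))     # blocklist replacement, same ID
    print(is_valid_update(v2, v4))     # rename keeps the ID
    print(is_valid_update(v4, other))  # same name, different ID
    print(is_valid_update(v4, v1))     # older version offered again
```

The display name in `manifest.webapp` plays no part in the decision, which is why the renamed app is accepted and the unrelated app that is also called "Chess" is not.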
_______________________________________________
dev-webapps mailing list
https://lists.mozilla.org/listinfo/dev-webapps