On 8/26/2011 10:32 PM, NoOp wrote:
On 08/26/2011 06:46 PM, Justin Wood (Callek) wrote:
On 8/26/2011 8:49 PM, NoOp wrote:
On 08/26/2011 01:33 PM, Robert Kaiser wrote:
David E. Ross wrote:
Is there an official, end-user release of SeaMonkey 2.3.1?  I've seen
some discussion about it, but there has been no announcement here.

The surroundings have already been pointed out by Callek et al., and
http://www.seamonkey-project.org/ has it listed.

This is a very small update to 2.3, but important to install as the only
change is to ensure that we can still send future updates even once the
current certificate of our update server expires.

Robert Kaiser



That's more than a little disconcerting: "we can still send future
updates even once the current certificate of our update server expires".

If your certificate has expired then you *shouldn't* be sending *updates
at all*. You should *fix* your certificate instead!

Are you stating that SeaMonkey doesn't adhere to these:
http://www.mozilla.org/projects/security/certs/policy/
<http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html>

<http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html>


A bit overdramatic (our release notes for 2.3.1 explicitly say what
change we made, with a link to the bug). But it was not in KaiRo's mail.
Let me briefly explain.

Actually *not* overdramatic at all given KaiRo's statement:

I would like to take this opportunity to apologize for my word choice/tone. I meant to describe that the interpretation you came up with, while perfectly acceptable of an interpretation given what Robert said, was incorrect.

But we have addressed the substance of these concerns/issues throughout this thread (I hope) and can move on.

Actually it's the 'Changes' page that points to the bug report *not* the
release notes:

I can see your distinction here, though I have always considered the Changes page as part of the Release Notes, just a separate page. And since this change has no bearing on most users of SeaMonkey, I felt it was not important enough to list on the main release notes page, even though it was important enough for us to do a .x release for it.

Listing it on the main page would likely confuse more users than it would help.


Our current certificate will expire soon.
We have a new certificate that we would have already switched to if not
for this issue.

The two (old and new) certificates have a different CA Root.
SeaMonkey currently only accepts the *old* CA Root (and thus the new
certificate would never give current "SeaMonkey 2.1+" an update offer).
We are unable to renew the old certificate with the same CA Root, as
they no longer issue new certs with that root.

The change is simply *adding* our new root (and another backup root) to
our "acceptable certificate" list for our updates, we are *not* simply
serving updates without a certificate.

Sounds like a planning issue:

In the end, yes it was a planning issue.

We did not realize that our cert expired this quickly. We did not catch a meaningful warning about only having one cert in our application when it was posted on our fixed bug that added this feature (to restrict updates based on cert) to SeaMonkey. We also did not catch this issue until Mozilla IT had renewed a cert and applied it to our update server.

And that finding out/application of the cert happened shortly after we released 2.3 (it would have been easier, less confusing if we could have included this as part of our 2.3 release).

--
~Justin Wood (Callek)
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
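
The update check discussed in this thread (the updater accepts the update server's certificate only if its CA root is on an "acceptable certificate" list), sketched as an added example that is not SeaMonkey's code and not part of the original message. All function names, issuer strings and dates are constructed for illustration.

```javascript
// Added illustration: hypothetical names, constructed issuers and dates.
// A pin is a set of attributes the update server's certificate must match.
const PINS_BEFORE = [{ issuerName: "CN=Old Example Root" }];
const PINS_AFTER = [
  { issuerName: "CN=Old Example Root" },
  { issuerName: "CN=New Example Root" },
  { issuerName: "CN=Backup Example Root" },
];

// Constructed server certificates (assumed already chain-validated by TLS).
const OLD_CERT = { issuerName: "CN=Old Example Root", notAfter: "2011-10-01T00:00:00Z" };
const NEW_CERT = { issuerName: "CN=New Example Root", notAfter: "2013-10-01T00:00:00Z" };

function matchesPin(cert, pin) {
  return Object.keys(pin).every((key) => cert[key] === pin[key]);
}

// Decide whether an update offer from a server presenting `cert` is accepted.
function checkUpdateCert(cert, pins, now) {
  if (new Date(cert.notAfter) <= now) return "rejected: certificate expired";
  if (!pins.some((pin) => matchesPin(cert, pin))) {
    return "rejected: issuer not in accepted list";
  }
  return "accepted";
}

// Release-time check: a list with a single issuer cannot survive a CA change.
function pinListWarnings(pins) {
  const issuers = new Set(pins.map((pin) => pin.issuerName));
  return issuers.size < 2
    ? ["only one accepted issuer: no way to rotate the server certificate"]
    : [];
}

// The four situations described in the thread.
function scenarios() {
  const beforeExpiry = new Date("2011-09-01T00:00:00Z");
  const afterExpiry = new Date("2011-11-01T00:00:00Z");
  return {
    oldClientOldCert: checkUpdateCert(OLD_CERT, PINS_BEFORE, beforeExpiry),
    oldClientNewCert: checkUpdateCert(NEW_CERT, PINS_BEFORE, beforeExpiry),
    oldClientExpiredCert: checkUpdateCert(OLD_CERT, PINS_BEFORE, afterExpiry),
    newClientNewCert: checkUpdateCert(NEW_CERT, PINS_AFTER, afterExpiry),
  };
}

console.log(scenarios(), pinListWarnings(PINS_BEFORE));
```

A client holding only the old root gets no update offer either way: the new certificate fails the issuer check, and the old one fails once it expires.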
