Scaffold Signing


Sebastian Karcher

Dec 8, 2015, 12:17:18 PM
to zoter...@googlegroups.com
Hi,

who is going to take care of Scaffold signing? The way I understand the
new signing process, this should be trivial, but someone needs to take
care of it. Dan -- are you guys on that?

Sebastian

Dan Stillman

Dec 8, 2015, 8:55:19 PM
to zoter...@googlegroups.com
I was hoping [1] to avoid signing Scaffold, on the grounds that anyone
running Scaffold can probably easily run Firefox Developer Edition or
the unbranded build. Do you have a sense for how widely Scaffold is used
these days, and who uses it?

Another possibility is to convert it into a restartless add-on [2],
which will likely allow it to be run in stable Firefox with user
permission each session [3]. I haven't looked at the Scaffold code
lately, so I don't know how feasible this is, but I would guess it would
be quite simple.

Note that signing involves not just the signing process itself but
vouching for the software from a given AMO account and responding to any
reviews (though those are, ahem, now decoupled from signing). The fact
that Scaffold has become more of a community project means that that
shouldn't really happen from Zotero's AMO account, so there would have
to be a separate AMO account for it. The id still has @zotero.org in it,
though, and I'm not sure if that matters as far as AMO is concerned —
that might need to change if it was going to be signed.


[1] https://github.com/zotero/scaffold/issues/24
[2] https://developer.mozilla.org/en-US/Add-ons/How_to_convert_an_overlay_extension_to_restartless
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1209338

Philipp Zumstein

Dec 9, 2015, 2:14:15 AM
to zoter...@googlegroups.com
> Do you have a sense for how widely Scaffold is used these days, and who uses it?

The download counts from GitHub are:
 * 724 for v3.2.1
 * 544 for v3.1.1

I would argue that it should be as easy as possible to install and run Scaffold. Each additional piece of software or configuration that one has to set up in order to run Scaffold may be an additional obstacle for a potential new contributor to the translators (which are IMO a key feature of Zotero).



> The fact that Scaffold has become more of a community project means that that shouldn't really happen from Zotero's AMO account, so there would have to be a separate AMO account for it.

Well, the source code is under https://github.com/zotero/scaffold and all documentation lies under https://www.zotero.org/support/dev/translators/scaffold . Thus, Zotero provides the spaces for all parts of Scaffold. Moreover, I am not sure if Scaffold is actually working properly without Zotero installed. But I understand that you don't want to spend much time with the signing/review process of Scaffold. Isn't there only a review of the addon if a new release is published? Scaffold is not really changing much and new releases might not happen often...






Dan Stillman

Dec 9, 2015, 2:41:30 AM
to zoter...@googlegroups.com
On 12/9/15 2:14 AM, Philipp Zumstein wrote:
> > The fact that Scaffold has become more of a community project means
> that that shouldn't really happen from Zotero's AMO account, so there
> would have to be a separate AMO account for it.
>
> Well, the source code is under https://github.com/zotero/scaffold and
> all documentation lies under
> https://www.zotero.org/support/dev/translators/scaffold . Thus, zotero
> provides the spaces for all parts of scaffold. Moreover, I am not sure
> if scaffold is actually working properly without Zotero installed.

Sure — I just mean that Zotero staff doesn't currently put out the
releases, and we obviously can't share access to the main Zotero AMO
account, and if there's going to be back-and-forth with Mozilla over the
code it wouldn't make sense for that to come to us.

> But I understand that you don't want to spend much time with the
> signing/review process of scaffold. Isn't there only a review of the
> addon if a new release is published? Scaffold is not really changing
> much and new releases might not happen often...

Releases have been ~1/year, which obviously isn't a big deal. If we
don't see that changing significantly, we can probably do these under
the Zotero account. The release process would need to be a bit
different: maintainers would need to tag a release and then open a
ticket and tag one of us, we'd run a script to build the XPI and submit
it to the Mozilla signing API, we'd upload the signed API to S3 and post
the download link to the ticket, and maintainers would update the
manifest with the download link and hash and then close the ticket. If
we were going to do these under our account, I'd want to make sure the
code always passed the validators [1] with no issues to reduce the
chance of having to deal with reviews.


[1] https://github.com/mozilla/amo-validator /
https://github.com/mozilla/addons-validator
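
An added example, not part of the original thread or of Zotero's release scripts: a check a maintainer could run in the last step of the release process described above, confirming that the signed XPI matches the hash about to go into the manifest. It assumes the hash is written as `algorithm:hexdigest`; the file name, sample bytes and algorithm allowlist are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Policy choice for this example: refuse weak digests even if a manifest lists one.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}


def parse_update_hash(value):
    """Split an 'algorithm:hexdigest' string into (algorithm, digest)."""
    algorithm, sep, digest = value.strip().partition(":")
    algorithm, digest = algorithm.lower(), digest.lower()
    if not sep or algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported or missing hash algorithm: %r" % value)
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed %s digest" % algorithm)
    return algorithm, digest


def file_digest(path, algorithm, chunk_size=65536):
    """Hash the file in chunks so large XPIs are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_signed_xpi(path, manifest_hash):
    """Return True only if the file's digest equals the one in the manifest."""
    algorithm, expected = parse_update_hash(manifest_hash)
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo():
    # Constructed stand-in bytes; a real run would point at the downloaded signed XPI.
    payload = b"PK\x03\x04 constructed sample, not a real XPI"
    manifest_hash = "sha256:" + hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "scaffold-signed.xpi")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(payload)
        intact = verify_signed_xpi(path, manifest_hash)
        with open(path, "ab") as fh:
            fh.write(b"tampered")  # simulate a modified or swapped download
        modified = verify_signed_xpi(path, manifest_hash)
    return intact, modified
```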

Sebastian Karcher

Dec 10, 2015, 1:24:21 AM
to zoter...@googlegroups.com
Thanks Dan, Philipp,

I agree with Philipp that I very much want to keep the hurdle for people
to use Scaffold low, so definitely want it signed, yes.
But I'm perfectly fine with having that be community run, that's why I
brought this up in the first place. I just wanted to make sure it wasn't
regarded as a Zotero (R) product. Given that it's not, Dan's concerns
make perfect sense and it'll probably be less work for the community
devs involved in Scaffold if we just run this ourselves. So my proposal:

Dan, could you add me to the Scaffold team on GitHub?

I'll then create a scaffold-specific AMO account. I'll share login with
Rintze to ensure sustainability and I'm happy to include other people
(like Philipp or Aurimas) who I know in person, too. I'll try to run the
initial validation and signing.

Does anyone have objections to this?

Sebastian

Dan Stillman

Dec 10, 2015, 1:56:19 AM
to zoter...@googlegroups.com
On 12/10/15 1:24 AM, Sebastian Karcher wrote:
> Thanks Dan, Philipp,
>
> I agree with Philipp that I very much want to keep the hurdle for people
> to use Scaffold low, so definitely want it signed, yes.
> But I'm perfectly fine with having that be community run, that's why I
> brought this up in the first place. I just wanted to make sure it wasn't
> regarded as a Zotero (R) product. Given that it's not, Dan's concerns
> make perfect sense and it'll probably be less work for the community
> devs involved in Scaffold if we just run this ourselves. So my proposal:
>
> Dan, could you add me to the Scaffold team on GitHub?
>
> I'll then create a scaffold-specific AMO account. I'll share login with
> Rintze to ensure sustainability and I'm happy to include other people
> (like Philipp or Aurimas) who I know in person, too. I'll try to run the
> initial validation and signing.
>
> Does anyone have objections to this?

Well, there's still the id issue, though — if this is going to keep the
id scaf...@zotero.org and stay under Zotero's GitHub account, it does
make sense for this to be signed through Zotero's AMO account. And it's
true that, as Philipp says, translator development is sort of
fundamental to Zotero, so keeping it semi-official probably makes sense.
I'm happy for us to do these releases, as long as the extension passes
the validator and we're avoiding discussions with Mozilla.

Dan Stillman

Dec 10, 2015, 2:22:25 AM
to zoter...@googlegroups.com
On 12/10/15 1:56 AM, Dan Stillman wrote:
> I'm happy for us to do these releases, as long as the extension
> passes the validator and we're avoiding discussions with Mozilla.

Sorry, I mean do the signing part of these releases. And "passing" the
validator now just means not having anything that might cause Mozilla to
come knocking later.

I just fixed minVersion/maxVersion, and it looks like now the only file
that flags anything is ACE, which should be fine as long as it's not
modified from the original. They'll probably also want it unminified, so
I'll open a ticket to swap in an unminified version.

Dan Stillman

Dec 11, 2015, 7:24:00 PM
to zoter...@googlegroups.com
I've updated Scaffold with some changes for signing and review,
including an updated (and unminified) ACE:

https://github.com/zotero/scaffold/compare/bf8fa8c...457b4d2

I'll submit this for signing this weekend if no one finds any issues.

- Dan

Sebastian Karcher

Dec 13, 2015, 12:32:42 PM
to zoter...@googlegroups.com
Thanks Dan, that's terrific.
Apart from the switch to black background (which I'm personally happy
with though I'm not sure how others feel about it)
this looks good on all my tests.