Last modified: 2014-11-07 16:25:10 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T62287, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 60287 - sign cortado applet so that it works for people with outdated java
sign cortado applet so that it works for people with outdated java
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
TimedMediaHandler (Other open bugs)
unspecified
All All
: Lowest normal (vote)
: ---
Assigned To: Michael Dale
: ops
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-01-21 16:16 UTC by Bawolff (Brian Wolff)
Modified: 2014-11-07 16:25 UTC (History)
7 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Bawolff (Brian Wolff) 2014-01-21 16:16:42 UTC 
So I was testing timedmediahandler on computers at my university (I figure they represent a fairly common config).

On MSIE:
*I hit play button on an audio file
*Goes to java cortado fallback as it should
*Prompt comes up saying my java is out-dated
*I click continue anyways
*Pop up says applet is blocked by your security settings (My security setting is "high" which is the default. Apparently this blocks all unsigned java applets when you need an upgrade.

There's probably a good portion of our user base using old java. Signing the applet should get around this. There's a signed version at http://theora.org/cortado.jar, in my experiments, the copy of IE I did the test on successfully loaded this version (After a are you sure prompt).

We could potentially just use this signed version, however it would probably be ideal if instead Wikimedia signed the applet we serve, as then the publisher would be listed as "Wikimedia", so people would be more likely to trust it vs a publisher as some random person.

See also: http://www.java.com/en/download/help/jcp_security.xml
Comment 1 Bawolff (Brian Wolff) 2014-06-15 23:38:05 UTC 
Finally got around to filing an RT ticket for this:

RT #7695
Comment 2 Bawolff (Brian Wolff) 2014-06-19 17:15:01 UTC 
>There's a signed version at http://theora.org/cortado.jar

In some security settings, the permissions attribute is also required, which that copy is missing.


(In reply to Bawolff (Brian Wolff) from comment #1)
> Finally got around to filing an RT ticket for this:
> 
> RT #7695

So to summarize what was said there.

I had assumed this was something that could easily be done with our existing SSL certs. That was an incorrect assumption, and we would need to buy a new cert. Its unclear if we want to do that since work is ongoing on Brion's js ogv player.

http://lists.wikimedia.org/pipermail/multimedia/2014-June/000664.html
Comment 3 Derk-Jan Hartman 2014-08-19 12:33:02 UTC 
Is this any closer now after that discussion ?
Comment 4 Andre Klapper 2014-11-07 14:04:13 UTC 
https://rt.wikimedia.org/Ticket/Display.html?id=7695 ("Digitally sign cortado video player java applet") is still open and not clear who to make a decision...
Comment 5 Bawolff (Brian Wolff) 2014-11-07 14:33:52 UTC 
At this point id reccomend just concentrating on brion's solution instead
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links