Read-only archive of the All About Symbian forum (2001–2013)

Strategic incentives of Symbian signed

24 replies · 0 views · Started 15 October 2005

Hello all !

To start off the forum, you specified "any questions about Symbian Signed"
as the scope. Surely, there are going to be many technical postings to come.
I hope it's alright to have a non-technical one at the very beginning 😊

I personally think "Symbian signed" is a courageous and great move of
Symbian. What are the strategic incentives of Symbian to go down that road?

A couple of things are trivial:

- Tighten security and make life much harder for malicious software. (Very
responsible, in my opinion)
- Improve software quality on devices - signed software will tend to be of
high quality.
- Address security yourself instead of letting companies like Symantec take
care of it (very good - maybe the most "unusual" aspect of the whole thing
😊 )

Some other things, however, include:

- Is the "Symbian Signed" unit meant to be very profitable / are the prices
for certificates too high? (I doubt it... if you could get rid of that
rumour - a lot of resistance would diminish)
- Doesn't "Symbian Signed" stifle application development on Symbian,
because it turns developers off? (I think it does - but Symbian could argue,
those who don't mean it serious anyway)

Well, feel free to join in 😊

Kind regards,

Arvind.

--
http://www.midpjni.com - MIDP JNI Bridge

Arvind Gupta wrote:
> Hello all !
>
> To start off the forum, you specified "any questions about Symbian Signed"
> as the scope. Surely, there are going to be many technical postings to come.
> I hope it's alright to have a non-technical one at the very beginning 😊

Surely!

> I personally think "Symbian signed" is a courageous and great move of
> Symbian. What are the strategic incentives of Symbian to go down that road?
>
> A couple of things are trivial:
>
> - Tighten security and make life much harder for malicious software. (Very
> responsible, in my opinion)

This is true for Symbian OS 9 onwards only. People tend to press the
infamous 'Yes' button to get things installed. After that the game is
over. I suggest reading '10 Immutable Laws of Security' from
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Law #1: If a bad guy can persuade you to run his program on your
computer, it's not your computer anymore.

Fortunately, after the new platform security, things get a bit more
complicated for malicious software as you said.

> - Improve software quality on devices - signed software will tend to be of
> high quality.

This is also true.

> - Address security yourself instead of letting companies like Symantec take
> care of it (very good - maybe the most "unusual" aspect of the whole thing
> 😊 )

There's always room for more security don't you think? It's good to be
secure in the platform level too but 3rd party solutions give the final
touch. I don't want to see Symbian to evolve something like Brew.

--
|||
(0-0)
+--------oOO--(_)--OOo----------------------------+
| Wellu Mäkinen www.wellu.0rg |
| |
| No tears please, it's a waste of good suffering |
+-------------------------------------------------+

"Arvind Gupta" <[email protected]> wrote in message
news:uXXeOZRmFHA.1016@extapps30...
> Hello all !
>
> To start off the forum, you specified "any questions about Symbian Signed"
> as the scope. Surely, there are going to be many technical postings to come.
> I hope it's alright to have a non-technical one at the very beginning 😊
>
> I personally think "Symbian signed" is a courageous and great move of
> Symbian. What are the strategic incentives of Symbian to go down that
> road?
>
> A couple of things are trivial:
>
> - Tighten security and make life much harder for malicious software. (Very
> responsible, in my opinion)
> - Improve software quality on devices - signed software will tend to be of
> high quality.
> - Address security yourself instead of letting companies like Symantec
> take care of it (very good - maybe the most "unusual" aspect of the whole
> thing 😊 )
>
> Some other things, however, include:
>
> - Is the "Symbian Signed" unit meant to be very profitable / are the
> prices for certificates too high? (I doubt it... if you could get rid of
> that rumour - a lot of resistance would diminish)

Do the maths. The person doing the testing could also do other work that
will earn his company at least EUR 100,-- per hour, in Western Europe. So
testing costs around EUR 100,--. That is about 5 hours of work for the price
a certain West European company asks.

I expect that companies in those parts of the world with lower per-hour
tariffs will take advantage of it.

> - Doesn't "Symbian Signed" stifle application development on Symbian,
> because it turns developers off? (I think it does - but Symbian could
> argue, those who don't mean it serious anyway)

It will turn some developers off, but not enough to stifle application
development. Besides, if the app is good, the money to make it a signed app
can be found.

--
Sander van der Wal
www.mBrainSoftware.com

Hi Sander !

Thanks for the great reply !

> Do the maths. The person doing the testing could also do other work that
> will earn his company at least EUR 100,-- per hour, in Western Europe. So
> testing costs around EUR 100,--. That is about 5 hours of work for the
> price a certain West European company asks.

I agree totally and would like to add an "intuitive feeling" that developers
in general are not totally aware of this. It is easily forgotten that the
"signing procedure" on Symbian's side is bespoke and not automated - and
therefore very expensive for Symbian in terms of labour. Thanks !

> It will turn some developers off, but not enough to stifle application
> development. Besides, if the app is good, the money to make it a signed
> app can be found.

I agree...

Cheers and regards, Arvind.

Hi Wellu !

Thanks just the same 😉

> There's always room for more security don't you think? It's good to be
> secure in the platform level too but 3rd party solutions give the final
> touch. I don't want to see Symbian to evolve something like Brew.

Yes, very good. Of course, we will see Symantec and friends additionally -
nice one 😊.

Kind regards, Arvind.

Arvind Gupta wrote:

> - Doesn't "Symbian Signed" stifle application development on Symbian

As it looks, non-signed applications will be crippled on the target device
due to inability to access certain APIs. What will happen during the
development stage to those programs that are based on such restricted APIs?
How will the developer test his program on the device? The development cycle
includes countless in-house test runs - all to be separately signed for
money and time? That's surely nonsense, but then how is the contradiction
resolved?

Hi Arvind,

>To start off the forum, you specified "any questions about Symbian Signed"
>as the scope. Surely, there are going to be many technical postings to come.
>I hope it's alright to have a non-technical one at the very beginning 😊

Indeed. It's an interesting thread to start!

>- Tighten security and make life much harder for malicious software. (Very
>responsible, in my opinion)
>- Improve software quality on devices - signed software will tend to be of
>high quality.
>- Address security yourself instead of letting companies like Symantec take
>care of it (very good - maybe the most "unusual" aspect of the whole thing
>😊 )

All of these are important aspects to Symbian Signed - it is a channel to
promote higher quality software in the market. You are also missing one very
important key driver behind Symbian Signed though - the market itself is
*demanding* it.

The forum is a good channel to kick off some of these discussions, and it gives
me a chance to repeat a couple of things I've said when I've given public
presentations on Symbian Signed itself in the past 😊

The major driver for its launch was that our customers (the licensees/handset
manufacturers) and their customers (the Network Operators) were demanding a
testing and certification program to ensure higher quality software was released
on their phones. Rather than letting several different programs spring up (e.g.
in the early days, we already had Nokia OK and Sony Ericsson were doing some
initial work too on their own program), Symbian took the initiative and created
one, single unified program instead. The program now has the backing of our
licensees as well as major network operators and perhaps most interestingly of
all, the GSM Association (GSMA) who have strongly endorsed the model/approach
used by Symbian Signed as a good example for other certification programs to
follow.

Symbian Signed has come a long way since it was first launched...

>- Is the "Symbian Signed" unit meant to be very profitable / are the prices
>for certificates too high? (I doubt it... if you could get rid of that
>rumour - a lot of resistance would diminish)
>- Doesn't "Symbian Signed" stifle application development on Symbian,
>because it turns developers off? (I think it does - but Symbian could argue,
>those who don't mean it serious anyway)

I can absolutely state that Symbian Signed is not run as a revenue or profit
generating program for Symbian! We take no cut or percentage of the test runs,
etc. and indeed it does cost us to host and run the program. Symbian is squarely
focused on making its money from phone revenues...the more great apps there are
to help sell phones, the more money we make - so pricing Symbian Signed out of
the market or stifling development is definitely NOT in our own interests!

When we launched Signed, there were (quite rightly) lots of complaints about the
costs being too high - they were. However, we asked people to bear with us as
the program matured from the early beta stages and we brought costs down...and I
think we've delivered here! If you look, the lowest test cost quote is now 180
Euro. This is over a 75% reduction in costs since launch which is a great
achievement in my opinion, mainly thanks to the increased competition between
the test houses. That said, there's still more work to do on reducing costs -
and we're looking at ways (like some automated testing) to continue to do this.
But if you check other similar programs within the industry, the pricing of
Symbian Signed compares extremely favourably.

Symbian Signed is meant to be as unobtrusive as possible - it is meant to be the
final stage of your standard development process, i.e. the route-to-market phase
where you can establish your application passes the industry backed and agreed
criteria and give both users and Networks confidence. This is something they are
happy with...and absolutely helps prevent them 'locking' phones to all
additional software, something which really would stifle the market.

We know that the program isn't perfect and doesn't suit everyone, but we're keen
to evolve it to minimize the problems and make it as easy and as accessible as
possible - and feedback from this group (or to [email protected]) is all
taken into account.

Thanks for your comments and kicking off the thread.

Regards,

Phil

PS One other thing, we are very aware that the current program does not cater
adequately for freeware/open source software...this is something we will also be
addressing in H2 2005, so expect some news later in the year 😊

Hi,

>As it looks, non-signed applications will be crippled on the target device
>due to inability to access certain APIs. What will happen during the
>development stage to those programs that are based on such restricted APIs?
>How will the developer test his program on the device? The development cycle
>includes countless in-house test runs - all to be separately signed for
>money and time? That's surely a nonsense, but then how the contradiction is
>resolved?

On Symbian OS v9, only some (as an estimate, around 40% of all the APIs in the
system) are 'protected' by one of several 'Capabilities'. These range from
fairly trivial ones which the user (or the developer in the case of testing) can
approve on the device itself at install-time (e.g. "LocalServices" which allows
you to turn on Bluetooth) to very restricted ones which virtually no product in
the world will need to use (e.g. "AllFiles" which gives very extensive access to
all parts of the file system, including protected areas, which only things like
AV Scanners will need). Let me say that in most cases, you probably won't need
capabilities for general code, etc. so don't panic.

SOME capabilities will be 'granted' through Symbian Signed as you
imply...HOWEVER, you will NOT need to sign your product every time you want to
test/debug it! For developers, we will be offering (for free) so-called
'Developer Certificates'. With these, you can sign your SIS file yourself and
test it on your phone(s) using the capabilities you need - the certificate will
be locked to your phone's IMEI so that only you can use it (there will be a
facility to have multiple IMEIs in one certificate to test on multiple phones).
This will cost you nothing extra in time/money, just as now. Once your
application has been tested and is ready to be Signed 'properly', you follow the
same process as now and submit it via the Symbian Signed portal, etc.

This is a very quick, simple explanation but I wanted to try and dispel some
myths and allay some (perfectly reasonable) fears 😊 As I said on another thread
in discussion.general the other week, a lot of information on Symbian OS v9,
Capabilities, Symbian Signed, etc. *will* be available soon...but without SDKs
and other supporting material for Symbian OS v9 and Series 60 v3/UIQ v3/etc. the
information itself is of limited use and nothing can be put in to practice. The
best way to explain the new changes is to see them in practice. However, please
let me say again - just as with Symbian Signed itself, we are trying to ensure
the important changes to the enhanced platform security model introduced in
Symbian OS v9 have as little impact as possible on developers. We are absolutely
NOT trying to stifle development or make it harder...there are some changes to
the general 'way' Symbian OS v9 works which will require extra checks and
balances if you like, but we're trying to ensure these are as easy for
developers to deal with as possible.

Regards,

Phil

Hi Phil !

Great stuff ! (and lots of it 😊 ) (Good to rule out some 'myths' as you
say).

I hope it's alright, if I only address the points most urgent for me:

> For developers, we will be offering (for free) so-called
> 'Developer Certificates'. With these, you can sign your SIS file yourself and
> test it on your phone(s) using the capabilities you need - the certificate will
> be locked to your phone's IMEI so that only you can use it (there will be a
> facility to have multiple IMEIs in one certificate to test on multiple phones).

Phil, that's fantastic. That's what I meant by "test certificate" ! I
would have been surprised, if there had been no such concept foreseen... A
big relief !

Is that going to be from v9 on? Or is it maybe even accessible right now?
It reads, as if it's not yet customary.

If the concept works well, no worries about "stifled development" are
justified anymore - in my opinion. Absolutely nothing to worry about - on
the contrary - the "best of both worlds" really.

> When we launched Signed, there were (quite rightly) lots of complaints about the
> costs being too high - they were. However, we asked people to bear with us as
> the program matured from the early beta stages and we brought costs down...and I
> think we've delivered here! If you look, the lowest test cost quote is now 180
> Euro. This is over a 75% reduction in costs since launch which is a great
> achievement in my opinion, mainly thanks to the increased competition between
> the test houses. That said, there's still more work to do on reducing costs -
> and we're looking at ways (like some automated testing) to continue to do this.
> But if you check other similar programs within the industry, the pricing of
> Symbian Signed compares extremely favourably.

Yeah, well done. Also known in short as the "economies of scale" paired
with a bit of a "chicken and egg" - challenge. The large scale launch of
Bluetooth faced the same challenge, I believe having read in the
"Economist". Initially, bluetooth units were too bulky and expensive. The
prices go down steeply with the amount of units shipped. We don't perceive
Bluetooth as expensive anymore, do we? Nor is the procedure of using it
still awkward, is it? However, Bluetooth adds lots of value to our everyday
lives - even if it may have had its funnies in the past (and may still have a
few).

Great stuff Phil, thanks again. Could you just provide a hint as to when
we'll be seeing the "Developer Certificate"?

Kind regards,

Arvind.


"Arvind Gupta" <[email protected]> wrote in message
news:Ut3gdAamFHA.2996@extapps30...
> Hi Sander !
>
> Thanks for the great reply !
>
> > Do the maths. The person doing the testing could also do other work that
> > will earn his company at least EUR 100,-- per hour, in Western Europe. So
> > testing costs around EUR 100,--. That is about 5 hours of work for the
> > price a certain West European company asks.
>
> I agree totally and would like to add an "intuitive feeling" that developers
> in general are not totally aware of this. It is easily forgotten that the
> "signing procedure" on Symbian's side is bespoke and not automated - and
> therefore very expensive for Symbian in terms of labour. Thanks !
>
> > It will turn some developers off, but not enough to stifle application
> > development. Besides, if the app is good, the money to make it a signed
> > app can be found.
>
> I agree...
>
> Cheers and regards, Arvind.

And to add my 2 pence worth; Symbian 9 is going to be based on a single
core/chip architecture. This means costs of design & manufacturing of the
devices are reduced, this in turn means mass market Symbian devices; finally
this means lots of customers to sell your applications to (and probably
never any need for J2ME 😊 )

AMK

"Arvind Gupta" <[email protected]> wrote in message
news:5g7wEYbmFHA.1872@extapps30...

> If the concepts works well, no worries about "stifled development" are
> justified anymore - in my opinion. Absolutely nothing to worry about

That's a little bit too optimistic IMHO. I agree that the test certificates
and distinguishing freeware are important and good incentives. However, what
about the necessity to re-sign all upgrades to existing, released software?
Won't that decrease the developer's motivation to improve and frequently
update the software? What about reducing recurring costs for re-signing
software upgrades?

Hi Arvind,

>I hope it's alright, if I only address the points most urgent for me:

Of course 😊

>Phil, that's fantastic. That's what I meant by "test certificate" ! I
>would have been surprised, if there had been no such concept foreseen... A
>big relief !
>
>Is that going to be from v9 on? Or is it maybe even accessible right now?
>It reads, as if it's not yet customary.

The Developer Certificates will be launched soon (as soon as SDKs and prototype
hardware begins appearing for the UI platforms based on Symbian OS v9), but will
only be used on Symbian OS v9 - for earlier releases, they are not needed.

On current phones, once your application is on the phone, you do not need extra
permissions/checks to call any APIs. On Symbian OS v9, this will change slightly
as I said - and some APIs will only be available to you if your application has
been granted the required capability. To get this capability, the SIS file is
signed. In development, this can be done using the free, temporary Developer
Certificates for just you and your phone(s)...for the shipping release build, it
can be done through Symbian Signed (but because of Developer Certificates, of
course, you can already test your product to make sure it meets the criteria,
just as you can now). As a result, Developer/test Certificates are of no use
pre-Symbian OS v9 because the only visible change from signing a pre-v9 SIS file
is the removal of installation prompts and warnings - you do not need them to
obtain access to any APIs during testing pre-v9.

Perhaps an analogy will help here too...this is taken from a draft chapter I am
currently writing for a book:

Symbian OS has always provided a strong "perimeter security model". What this
means in practice, is that users are presented with necessary warnings and
prompts when doing certain activities which may impact the security of their
device - for example, installing a new piece of software. In Symbian OS v9, the
enhanced platform security model offers even greater protection by actually
limiting (at a level users do not normally see and hence need to worry about),
what certain software can do. As an analogy, imagine giving your house key to a
stranger. With perimeter security, once you have trusted them with the key to
enter your house, they can look in any room they wish. With Symbian OS v9,
although you give the key to the front door away, each individual room is locked
inside too. The stranger can only access the rooms you then give them individual
keys to. In simple terms, it is the software installer which is the key-holder
in Symbian OS v9 - it allocates at install which capabilities any given program
can access once it is on the device, based on the SIS file's digital signature.

Regards,

Phil
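
Added example, not part of the thread and not Symbian code: a small Python model of the install-time decision described in Phil's two posts above (capabilities allocated from the SIS file's signature, user-approvable capabilities, and Developer Certificates locked to IMEIs). The class names, refusal reasons and IMEI strings are assumptions made for illustration; only the capability names "LocalServices" and "AllFiles" come from the thread.

```python
"""Toy model of the install-time capability granting described in the thread.
Not Symbian code: class names, fields and the refusal reasons are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Set

# The thread names only these two capabilities. "LocalServices" is described as
# approvable by the user at install time; anything else (e.g. "AllFiles") is
# modelled here as obtainable only through a signature.
USER_GRANTABLE: FrozenSet[str] = frozenset({"LocalServices"})


@dataclass(frozen=True)
class Signature:
    kind: str                              # "symbian_signed" or "developer_cert"
    capabilities: FrozenSet[str]           # capabilities the signer vouches for
    imeis: FrozenSet[str] = frozenset()    # developer certs: devices it is locked to


@dataclass(frozen=True)
class SisPackage:
    name: str
    requested: FrozenSet[str]              # capabilities the program asks for
    signature: Optional[Signature] = None  # None models an unsigned SIS file


@dataclass
class InstallResult:
    granted: Set[str] = field(default_factory=set)
    denied: Dict[str, str] = field(default_factory=dict)  # capability -> reason


def signature_valid_here(sig: Optional[Signature], device_imei: str) -> bool:
    """A developer certificate only counts on the IMEIs it was issued for."""
    if sig is None:
        return False
    if sig.kind == "developer_cert":
        return device_imei in sig.imeis
    return sig.kind == "symbian_signed"


def install(pkg: SisPackage, device_imei: str,
            user_approves: Callable[[str], bool]) -> InstallResult:
    """Decide, once at install time, which requested capabilities the program gets."""
    result = InstallResult()
    sig_ok = signature_valid_here(pkg.signature, device_imei)
    for cap in sorted(pkg.requested):
        if sig_ok and cap in pkg.signature.capabilities:
            result.granted.add(cap)            # the "room key" comes from the signature
        elif cap in USER_GRANTABLE:
            if user_approves(cap):
                result.granted.add(cap)        # user handed over this key at the prompt
            else:
                result.denied[cap] = "user declined at install prompt"
        elif pkg.signature is None:
            result.denied[cap] = "unsigned package"
        elif not sig_ok:
            result.denied[cap] = "certificate not valid for this device"
        else:
            result.denied[cap] = "signature does not cover this capability"
    return result


def api_allowed(granted: Set[str], required: Optional[str]) -> bool:
    """Runtime check: unprotected APIs (required=None) are open to every program;
    protected ones need the capability that was granted at install."""
    return required is None or required in granted


def demo():
    # Constructed sample data; the IMEI strings are placeholders.
    dev_cert = Signature("developer_cert",
                         frozenset({"AllFiles", "LocalServices"}),
                         frozenset({"IMEI-DEV-PHONE"}))
    scanner = SisPackage("scanner", frozenset({"AllFiles", "LocalServices"}), dev_cert)
    rows = []
    for imei in ("IMEI-DEV-PHONE", "IMEI-OTHER-PHONE"):
        r = install(scanner, imei, user_approves=lambda cap: True)
        rows.append((imei, sorted(r.granted), r.denied))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The same developer-signed package gets both capabilities on the phone its certificate names, and only the user-approvable one anywhere else, which is the property that makes a leaked Developer Certificate of limited use.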

ak wrote:
> "Arvind Gupta" <[email protected]> wrote in message
> news:Ut3gdAamFHA.2996@extapps30...
>
>> Hi Sander !
>>
>> Thanks for the great reply !
>>
>>> Do the maths. The person doing the testing could also do other work that
>>> will earn his company at least EUR 100,-- per hour, in Western Europe. So
>>> testing costs around EUR 100,--. That is about 5 hours of work for the
>>> price a certain West European company asks.
>>
>> I agree totally and would like to add an "intuitive feeling" that developers
>> in general are not totally aware of this. It is easily forgotten that the
>> "signing procedure" on Symbian's side is bespoke and not automated - and
>> therefore very expensive for Symbian in terms of labour. Thanks !
>>
>>> It will turn some developers off, but not enough to stifle application
>>> development. Besides, if the app is good, the money to make it a signed
>>> app can be found.
>>
>> I agree...
>>
>> Cheers and regards, Arvind.
>
> And to add my 2 pence worth; Symbian 9 is going to be based on a single
> core/chip architecture. This means costs of design & manufacturing of the
> devices are reduced, this in turn means mass market Symbian devices; finally
> this means lots of customers to sell your applications to (and probably
> never any need for J2ME 😊 )
>
> AMK

Symbian EKA1 and EKA2 may run on single or multi-core these days. Some
of the phones out there do that and companies have different phones that
do both 😊

The design of EKA2 also allows for many OS personalities to run on top of
the EKA2 Nano kernel infrastructure _alongside_ the Symbian OS kernel.

EKA2 has a rather elegant design and implementation 😊

/JP

Arvind Gupta wrote:
> Hello all !
>
> To start off the forum, you specified "any questions about Symbian Signed"
> as the scope. Surely, there are going to many technical postings to come.
> I hope it's alright to have a non-technical one at the very beginning 😊
>
> I personally think "Symbian signed" is a courageous and great move of
> Symbian. What are the strategic incentives of Symbian to go down that road?
>
> A couple of things are trivial:
>
> - Tighten security and make life much harder for malicious software. (Very
> responsible, in my opinion)
> - Improve software quality on devices - signed software will tend to be of
> high quality.
> - Address security yourself instead of letting companies like Symantec take
> care of it (very good - maybe the most "unusual" aspect of the whole thing
> 😊 )
>
> Some other things, however, include:
>
> - Is the "Symbian Signed" unit meant to be very profitable / are the prices
> for certificates too high? (I doubt it... if you could get rid of that
> rumour - a lot of resistance would diminish)
> - Doesn't "Symbian Signed" stifle application development on Symbian,
> because it turns developers off? (I think it does - but Symbian could argue,
> those who don't mean it serious anyway)
>
> Well, feel free to join in 😊
>
> Kind regards,
>
> Arvind.
>

hi there,
Although I don't deal with 'Symbian Signed' myself at all I'd like to
elaborate some common misconceptions, the following comments are of my
own and based on my opinions and my experience within the mobile phone
industry.

-----------------------------------------------------------------------
The 'Symbian Signed' team at Symbian as well as Symbian (UK) Ltd do not
make any money from 'Signed', nor do they intend or need to. This is a fact
that is overlooked in many discussions.
-----------------------------------------------------------------------

'Signed' as a concept (and implementations may need tweaking, but it is
just the start) is there to help developers get their software on to
phones. The more value adding (to anyone and everyone) software there is
for Symbian OS, the more device royalties Symbian will receive.

There is increasing pressure due to FUD or otherwise by operators,
corporations, media and even consumers to "do something" in order to
have _some_ guarantee and trust on the software loaded on these open
devices which are well connected and _full_ of personal data.

If we all work together, 'Signed' can only help in getting consumers to
trust and be willing to load software on their devices.

This newsgroup is one manifestation of the efforts that Symbian is doing
to solicit feedback and get this right, your mileage may vary but the
route is clear "more good software for Symbian OS in the hands of
users" 😊

Please do be vocal on your concerns, while at the same time do consider
the context and forces we're operating in this space.

Discussion is valuable and healthy, hence this newsgroup, challenge
'Symbian Signed' and help us make things better.

/JP

zol wrote:

> "Arvind Gupta" <[email protected]> wrote in message
> news:5g7wEYbmFHA.1872@extapps30...
>
>>If the concept works well, no worries about "stifled development" are
>>justified anymore - in my opinion. Absolutely nothing to worry about
>
> That's a little bit too optimistic IMHO. I agree that the test certificates
> and distinguishing freeware are important and good incentives. However, what
> about the necessity to re-sign all upgrades to existing, released software?
> Won't that decrease the developer's motivation to improve and frequently
> update the software? What about reducing recurring costs for re-signing
> software upgrades?
>

Why is that ? Maybe you are a bit unfair on this one.

Although I believe that the cost of signing can go down, it isn't really
any barrier to entry.

Be pragmatic here, if you sell an app that is worth paying let's say
20 Euros for, how many app copies do you need to sell in order to cover
the cost of a signing event ?......not many 😊

A solution for free software is also coming, watch this space

/JP


"JP" <[email protected]> wrote in message
news:dPrTdDcmFHA.1872@extapps30...
> ak wrote:
> > "Arvind Gupta" <[email protected]> wrote in message
> > news:Ut3gdAamFHA.2996@extapps30...
> >
> >>Hi Sander !
> >>
> >>Thanks for the great reply !
> >>
> >>>Do the maths. The person doing the testing could also do other work that
> >>>will earn his company at least EUR 100,-- per hour, in Western Europe. So
> >>>testing costs around EUR 100,--. That is about 5 hours of work for the
> >>>price a certain West European company asks.
> >>
> >>I agree totally and would like to add an "intuitive feeling" that developers
> >>in general are not totally aware of this. It is easily forgotten that the
> >>"signing procedure" on Symbian's side is bespoke and not automated - and
> >>therefore very expensive for Symbian in terms of labour. Thanks !
> >>
> >>>It will turn some developers off, but not enough to stifle application
> >>>development. Besides, if the app is good, the money to make it a signed
> >>>app can be found.
> >>
> >>I agree...
> >>
> >>Cheers and regards, Arvind.
> >
> >
> > And to add my 2 pence worth; Symbian 9 is going to be based on a single
> > core/chip architecture. This means costs of design & manufacturing of the
> > devices are reduced, this in turn means mass market Symbian devices; finally
> > this means lots of customers to sell your applications to (and probably
> > never any need for J2ME 😊 )
> >
> > AMK
> >
>
> Symbian EKA1 and EKA2 may run on single or multi-core these days. Some
> of the phones out there do that and companies have different phones that
> do both 😊
>
> The design of EKA2 also allows for many OS personalities to run on top of
> the EKA2 Nano kernel infrastructure _alongside_ the Symbian OS kernel.
>
> EKA2 has a rather elegant design and implementation 😊
>
> /JP

So does this mean that mass market phones (Nokia Series 40) are a real
possibility now? Does this provide significant advantage (lower costs and
quicker time to market timeframes) for manufacturers and OEMs?

AMK

ak wrote:
> "JP" <[email protected]> wrote in message
> news:dPrTdDcmFHA.1872@extapps30...
>
>>ak wrote:
>>
>>>"Arvind Gupta" <[email protected]> wrote in message
>>>news:Ut3gdAamFHA.2996@extapps30...
>>>
>>>>Hi Sander !
>>>>
>>>>Thanks for the great reply !
>>>>
>>>>>Do the maths. The person doing the testing could also do other work that
>>>>>will earn his company at least EUR 100,-- per hour, in Western Europe. So
>>>>>testing costs around EUR 100,--. That is about 5 hours of work for the
>>>>>price a certain West European company asks.
>>>>
>>>>I agree totally and would like to add an "intuitive feeling" that developers
>>>>in general are not totally aware of this. It is easily forgotten that the
>>>>"signing procedure" on Symbian's side is bespoke and not automated - and
>>>>therefore very expensive for Symbian in terms of labour. Thanks !
>>>>
>>>>>It will turn some developers off, but not enough to stifle application
>>>>>development. Besides, if the app is good, the money to make it a signed
>>>>>app can be found.
>>>>
>>>>I agree...
>>>>
>>>>Cheers and regards, Arvind.
>>>
>>>
>>>And to add my 2 pence worth; Symbian 9 is going to be based on a single
>>>core/chip architecture. This means costs of design & manufacturing of the
>>>devices are reduced, this in turn means mass market Symbian devices; finally
>>>this means lots of customers to sell your applications to (and probably
>>>never any need for J2ME 😊 )
>>>
>>>AMK
>>>
>>
>>Symbian EKA1 and EKA2 may run on single or multi-core these days. Some
>>of the phones out there do that and companies have different phones that
>>do both 😊
>>
>>The design of EKA2 also allows for many OS personalities to run on top of
>>the EKA2 Nano kernel infrastructure _alongside_ the Symbian OS kernel.
>>
>>EKA2 has a rather elegant design and implementation 😊
>>
>>/JP
>
>
> So does this mean that mass market phones (Nokia Series 40) are a real
> possibility now? Does this provide significant advantage (lower costs and
> quicker time to market timeframes) for manufacturers and OEMs?
>

I couldn't possibly comment on a manufacturer's business plans.

😊
/JP

> This newsgroup is one manifestation of the efforts that Symbian is doing
> to solicit feedback and get this right, your mileage may vary but the
> route is clear "more good software for Symbian OS in the hands of
> users" 😊
>
> Please do be vocal on your concerns, while at the same time do consider
> the context and forces we're operating in this space.
>
> Discussion is valuable and healthy, hence this newsgroup, challenge
> 'Symbian Signed' and help us make things better.

Here are some issues I've been concerned with in the past:

- Is it right to state that ACS ids are given only to companies? (At
least that was the only way in the past). For some small ISV, this cost
will also be considerable.

- Upgrades, optional packages cases: this one is an important issue at
least to me. How will an upgrade be considered? Will it cost the same as
signing the app for the first time? What about different versions (s60,
s80, s90, uiq). Will I need to pay x4?
Regarding optional components, from a software design point of view is
something nice to have, but will I need to pay for its signing separately?
Consider something as simple as a "language pack" sis addon, which is
updated with new translations quite regularly. Will we need to pay for
these too? Someone could say a language file needn't be signed, just the
main application only, but this misses the point. Consider someone
inserting a rogue autoexecutable program and distributing this sis
file.. Test houses might arrange some deal regarding this, but maybe
Symbian should state some basic rules.

- Freeware and opensource cases: I wait eagerly for your news 😊

Maybe also elaborating a "Myths and facts" document with all these
issues discussed would prove valuable.

Regards,
--
David Caabeiro
www.PushL.com

"JP" <[email protected]> wrote in message
news:$t%23H1KcmFHA.1872@extapps30...

> Be pragmatic here, if you sell an app that is worth paying let's say
> 20 Euros for, how many app copies do you need to sell in order to cover
> the cost of a signing event ?......not many 😊

Don't you think that signing will kill the current nice habit of releasing
multiple free upgrades? This may have a serious impact on end-customers,
including their attitude towards Symbian smartphones.

Hi David,

>- Is it right to state that ACS ids are given only to companies? (At
>least that was the only way in the past). For some small ISV, this cost
>will also be considerable.

Yes, currently it's fair to say ACS IDs are normally only issued to recognized
organisations. This is a VeriSign process issue and, unfortunately, is mostly up
to them. We do recognize there are plenty of small "one man" shareware authors
out in the community for whom setting up a company (which can be issued an ACS)
is perhaps not practical. In these instances, what we've done is partner with
companies such as Handango for them to become "Publisher Signers" - in this
case, they can (and do - contact them for more details) offer a service whereby
they sign your SIS file using *their* ACS ID after passing the relevant tests.
This allows you to pass through the normal Signed process, but without your own
ACS...it also allows companies such as Handango to boost their catalogs.

>- Upgrades, optional packages cases: this one is an important issue at
>least to me. How will an upgrade be considered? Will it cost the same as
>signing the app for the first time? What about different versions (s60,
>s80, s90, uiq). Will I need to pay x4?

Any different SIS package will have to be individually signed, I'm afraid. Since
SIS files and apps don't tend to be compatible between UI platforms, that does
mean one for each platform. As far as upgrades go, this is still one of the
major areas of focus as Signed continues to evolve - we do realise that even for
small changes, the whole SIS needs to be re-tested and re-Signed at the standard
cost. Some Test Houses may offer individual upgrade/re-test deals if you
discuss it with them...but there is no formal policy on this right now. What
we're trying to investigate is reliable ways to check for deltas and only test
new/changed areas, thus lowering costs. No news on this as yet though, I'm
afraid.

>Consider something as simple as a "language pack" sis addon, which is
>updated with new translations quite regularly. Will we need to pay for
>these too? Someone could say a language file needn't be signed, just the
>main application only, but this misses the point. Consider someone
>inserting a rogue autoexecutable program and distributing this sis
>file.. Test houses might arrange some deal regarding this, but maybe
>Symbian should state some basic rules.

All passive content files can be signed at much reduced cost. There are also
bulk discounts for multiple signings. In your case, language SIS files (other
common examples include themes/skins, game levels, ringtones, etc.) which
contain no binaries would be picked up as passive content on the server and
subject to a much lower price - mainly designed to cover the overheads of the
whole process (e.g. hosting, time and materials, the actual signing instance for
which VeriSign make a charge each time) - once again, this is not any kind of
revenue driver for Symbian!

I hope that clarifies a few things for you, even if I can't give any definitive
news on upgrade signing right now.

Kind regards,

Phil


"David Caabeiro" <[email protected]> wrote in message
news:SA5gQVdmFHA.828@extapps30...
>> This newsgroup is one manifestation of the efforts that Symbian is doing
>> to solicit feedback and get this right, your mileage may vary but the
>> route is clear "more good software for Symbian OS in the hands of users"
>> 😊
>>
>> Please do be vocal on your concerns, while at the same time do consider
>> the context and forces we're operating in this space.
>>
>> Discussion is valuable and healthy, hence this newsgroup, challenge
>> 'Symbian Signed' and help us make things better.
>
> Here are some issues I've been concerned with in the past:
>
> - Is it right to state that ACS ids are given only to companies? (At least
> that was the only way in the past). For some small ISV, this cost will
> also be considerable.
>
> - Upgrades, optional packages cases: this one is an important issue at
> least to me. How will an upgrade be considered? Will it cost the same as
> signing the app for the first time? What about different versions (s60,
> s80, s90, uiq). Will I need to pay x4?

Yes, of course. The amount of work is four times greater. The problem here
is of course that the Testing House is doing Black Box testing. They cannot
verify that the apps are mostly identical. And even then, you would still
need to verify that the differences do not introduce problems.

> Regarding optional components, from a software design point of view is
> something nice to have, but will I need to pay for its signing
> separately?

Probably yes. Again, it is extra work. But only if the components are
installable at the .sis level, because signing happens at the sis level.

> Consider something as simple as a "language pack" sis addon, which is
> updated with new translations quite regularly. Will we need to pay for
> these too? Someone could say a language file needn't be signed, just the
> main application only, but this misses the point. Consider someone
> inserting a rogue autoexecutable program and distributing this sis file..
> Test houses might arrange some deal regarding this, but maybe Symbian
> should state some basic rules.

There might be cheaper solutions here. The application can of course install
optional data files itself using its own format, instead of using a sis
file. The app might need a Capability for that, but it is still cheaper than
having a sis file signed (at least, when you do not count developing costs).

> - Freeware and opensource cases: I wait eagerly for your news 😊
>
> Maybe also elaborating a "Myths and facts" document with all these issues
> discussed would prove valuable.

--
Sander van der Wal
www.mBrainSoftware.com

zol wrote:
> "JP" <[email protected]> wrote in message
> news:$t%23H1KcmFHA.1872@extapps30...
>
>>Be pragmatic here, if you sell an app that is worth paying let's say
>>20 Euros for, how many app copies do you need to sell in order to cover
>>the cost of a signing event ?......not many 😊
>
> Don't you think that signing will kill the current nice habit of releasing
> multiple free upgrades? This may have a serious impact on end-customers,
> including their attitude towards Symbian smartphones.
>

Good question,

I think not, because regular free updates actually yield many more
_new_ sales of the app. This is because such regular "free to existing
users" updates are brought to the attention of new potential buyers 😊

There is going to be a relevant talk at the upcoming show in October
about this area btw.

/JP

> I hope that clarifies a few things for you, even if I can't give any definitive
> news on upgrade signing right now.

Thank you Phil, that was certainly a thorough explanation, and very much
appreciated.

Regards,
--
David Caabeiro
www.PushL.com

> There might be cheaper solutions here. The application can of course install
> optional data files itself using its own format, instead of using a sis
> file. The app might need a Capability for that, but it is still cheaper than
> having a sis file signed (at least, when you do not count developing costs).

Maybe this could end up becoming a common practice, and not only for
data files (if allowed by v9)

--
David Caabeiro
www.PushL.com

Hi all,

This is all very interesting discussion. We are hoping that strict signing
policy and higher entry bar will enable widespread use and sale of
Symbian apps in the States.

Currently, Symbian is very, very shy in the States, compared to Qualcomm's
BREW, for example. Carriers/operators in the States are scared of Symbian
because of the fact it's "open", therefore it's very difficult for us to
make any money on it. Carriers are the first to take user complaints and they
don't want that.

I cannot stress enough how welcome this Symbian Signed process is here among
developers I talk to.

To give an example of what we already have here, in CDMA world, for a while:

Users cannot install anything on their own phone without going to the carrier's
distribution system (BDS = BREW distribution system). There is no "free"
download (through cable or bluetooth or IR). Only certified apps end up on
the carrier distribution system (such as Midwest Wireless, Alltel, Verizon).

Qualcomm's BREW entry level is currently around 1900 USD: for one VeriSign
certificate 400 USD, 1500 for one ARM compiler license. Qualcomm didn't
endorse GNU for a long time, however newest ARM doesn't support C++
development for us that well, because it doesn't create relocatable
executable (BREW apps are stripped down binaries, not ELF files). To get
certified, for each app we have to pay for certification testing: 1000 USD
per handset (not per BREW version, because each OEM does their own RTOS and
BREW framework, but per handset). In case you can have exactly the same
binary and resource files, you may get second handset for 250 USD certified.
Certifications on this side are done only by NSTL, and in case of failure -
it's full price again.

We cannot "self modify" application nor download some sort of executable
through the app - that's prohibited, and if discovered during
certification - your app would fail certification. If Verizon discovers
something like that later on, they would remove your company off the deck
completely.

So far, because of Symbian being kind of "free", developers and publishers
were looking down at it on this side of the Pond. Carriers didn't seem to
endorse it (ATT Wireless before, Cingular, T-Mobile USA, etc...), and we
just couldn't make any serious money or place it on the carrier's stack.

I hope that signing process on Symbian will be strict enough so that our
carriers start looking and taking Symbian seriously. That will enable us to
finally start making revenue with customers in the States. Our customers are
not used to buying phones outside carrier's stores - that includes carrier
certified sellers of their devices and plans to stores like RadioShack
(percentage-wise, outside carriers sales are probably below 5%). They don't
download apps from Handango and install them on the phone themselves.

I've seen that carriers like Cingular did already make deals with MobileMate
for example, to place them on the phone, but signing process will encourage
them to take more apps (as it did to Verizon, Alltel, etc... in CDMA BREW
world).

Two things: Symbian Signed and Preminent should help us reach wider customer
base.

Just my 2c

"David Caabeiro" <[email protected]> wrote in message
news:4xuEZmDnFHA.504@extapps30...
> > There might be cheaper solutions here. The application can of course install
> > optional data files itself using its own format, instead of using a sis
> > file. The app might need a Capability for that, but it is still cheaper than
> > having a sis file signed (at least, when you do not count developing costs).
>
> Maybe this could end up becoming a common practice, and not only for
> data files (if allowed by v9)
>
> --
> David Caabeiro
> www.PushL.com