Author

Topic: "New Version" notifications in MultiBit (Read 1885 times)

legendary
Activity: 1708
Merit: 1066
March 20, 2013, 01:17:58 PM
#14
You could, if you wanted, manually provide the SSL cert at the Java level. But I'd be tempted to just lose the SSL entirely and rely on ECDSA signatures.

This is the better approach - I know XChange have the same cert problem with some of their users on Android and it is not that clean to fix (you have to get a new cert into the cert store).
legendary
Activity: 1526
Merit: 1134
March 20, 2013, 12:27:28 PM
#13
Probably Java just uses the operating systems certificate store. I guess StartSSL isn't a well accepted CA Sad You could get a cert from somewhere else (not free).

You could, if you wanted, manually provide the SSL cert at the Java level. But I'd be tempted to just lose the SSL entirely and rely on ECDSA signatures.
staff
Activity: 4270
Merit: 1209
I support freedom of choice
March 20, 2013, 12:03:48 PM
#12
Some older copies of Java (1.6) don't have the certificate authorities to deal with SSL very well.
If you type :

java -version
Code:
C:\Users\xxxxxxxxxxx>java -version
java version "1.7.0_17"
Java(TM) SE Runtime Environment (build 1.7.0_17-b02)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)
legendary
Activity: 1526
Merit: 1134
March 20, 2013, 09:19:16 AM
#11
Sounds good! I hope we can get bcj 0.8 out soon.
legendary
Activity: 1708
Merit: 1066
March 20, 2013, 05:14:59 AM
#10
Yes my preferred option is to add ECDSA signatures to the file as:
+ you can several/ threshold
+ safe to deliver by http and mirror

I wanted to get what I had out as it is a start.

The help in multiBit is over http because of the https problems with earlier JVMs.

I thought for the bundled JVM I would do the checkpoints and upgrade to SPVStore first (as then the download size would decrease significantly) and then bundle in a JRE (which would put it back up !).

Then the user would not have to bother installing Java.
legendary
Activity: 1526
Merit: 1134
March 20, 2013, 05:06:37 AM
#9
You could also just include a Bitcoin style signature. If you have a hard dependency on Java version it makes sense to ship the JVM with the app. The Java7 SDK has a tool that creates Windows/Mac installers that bundle the JRE with them.
legendary
Activity: 1708
Merit: 1066
March 20, 2013, 03:39:41 AM
#8
Some older copies of Java (1.6) don't have the certificate authorities to deal with SSL very well.
If you type :

java -version

In a terminal I suspect you will see something with a '1.6' in.
If you update your copy of Java it should disappear.

I have to get the file using HTTPS to stop a man in the middle attack.
staff
Activity: 4270
Merit: 1209
I support freedom of choice
March 19, 2013, 07:39:22 PM
#7
v0.4.23
Code:
Synchronising with network...
Unable to load "https://multibit.org/version.txt". The error was "javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
Synchronising with network, 28 block(s) to download. Block date : "Mar 19, 2013".
legendary
Activity: 1708
Merit: 1066
March 17, 2013, 09:52:43 AM
#6
As a balance between informing and annoying the user I show the 'new version' message a set number of times (currently twice).
To make sure the user can see the message if they need to, it is now always logged to the Messages tab, see below:

Code:
Opening wallet "/Users/jim/Library/Application Support/MultiBit/multibit.wallet"...
... done.
Opening wallet "/Users/jim/real money/pettyCash2.wallet"...
... done.
Opening wallet "/Users/jim/real money/unencrypted.wallet"...
... done.
Synchronised with network.
----------------------------------------------------------------
There is a new version "0.4.27" of MultiBit available.
Your current version is "0.4.23".
 
Lorem ipsum dolor sit amet, consectetur adipisicing elit,
sed do eiusmod tempor incididunt ut labore et dolore
magna aliqua. Ut enim ad minim veniam, quis nostrud
exercitation ullamco laboris nisi ut aliquip ex ea
commodo consequat. Duis aute irure dolor in reprehenderit
in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint occaecat cupidatat non proident, sunt in culpa
qui officia deserunt mollit anim id est laborum.
----------------------------------------------------------------
Synchronised with network.
legendary
Activity: 1708
Merit: 1066
March 17, 2013, 09:26:07 AM
#5
Updated version alert with bespoke lines from the server version.txt file:

legendary
Activity: 1708
Merit: 1066
March 17, 2013, 08:04:21 AM
#4
Good idea.
The dialog is localised so I'll keep the two lines shown for maximum comprehension.

I'll add in an extra few lines for explanatory text (which will just appear in English) that can come from the version.txt file on the server. This won't be signed yet but it is delivered by HTTPS and you need to be root on multibit.org to change it.

legendary
Activity: 1526
Merit: 1134
March 17, 2013, 07:47:51 AM
#3
Awesome! Could you make the message that appears customizable by you too? Otherwise if there are frequent updates people will "tune out" and you won't be able to urge them to upgrade when a security or other critical bug is found.
staff
Activity: 4270
Merit: 1209
I support freedom of choice
March 15, 2013, 07:41:29 PM
#2
Good! Cheesy
legendary
Activity: 1708
Merit: 1066
March 15, 2013, 04:42:31 PM
#1
I have added a little notification when you start up MultiBit for when there is a new version available on the multibit.org website.
Screenshot:



(the version numbers are ficticious - just testing it!)

You can click on the 'View release' button and it will open your browser to:
 https://multibit.org/releases.html

On that page you can see what's in the release and there are the usual download links.
It is just in test at the moment but I will put it in the live code for the next release.
Jump to: