16:16:25 <RRSAgent> RRSAgent has joined #sysapps
16:16:25 <RRSAgent> logging to http://www.w3.org/2014/04/08-sysapps-irc
16:16:33 <anssik> Claes, zolkis, the same, passcode invalid
16:17:32 <zqzhang_> zqzhang_ has joined #sysapps
16:17:40 <dsr_> dsr_ has joined #sysapps
16:18:14 <tobie__> tobie__ has joined #sysapps
16:18:45 <jungkees> jungkees has joined #sysapps
16:18:53 <lgombos> lgombos has joined #sysapps
16:18:55 <dsr> dsr has joined #sysapps
16:19:05 <wonsuk> Present+ Wonsuk_Lee
16:19:12 <anssik> wonsuk, ok, thanks!
16:19:22 <bhill2> bhill2 has joined #sysapps
16:19:31 <zolkis> not enough privileges to open the log at http://www.w3.org/2014/04/08-sysapps-irc
16:20:22 <jungkees> Present+ Jungkee_Song
16:20:50 <wonsuk> https://www.w3.org/wiki/System_Applications:_4th_F2F_Meeting_Agenda#Agenda
16:21:10 <jmajnert> jmajnert has joined #sysapps
16:21:42 <jinsong> jinsong has joined #sysapps
16:21:44 <marcosc_> marcosc_ has joined #sysapps
16:21:51 <Bin_Hu> Bin_Hu has joined #sysapps
16:21:51 <zolkis> Present+  Zoltan_Kis
16:22:17 <mounir> scribe: mounir
16:22:18 <Claes> Present+ Claes_Nilsson
16:22:20 <Bin_Hu> present+ Bin_Hu
16:22:27 <mounir> Present+ Mounir_Lamouri
16:22:36 <mounir> Topic: Web Application Manifest
16:22:42 <marcosc_> present +marcosc
16:22:54 <BaopingChneg> BaopingChneg has joined #sysapps
16:23:01 <opoto> present+ Olivier_Potonniee
16:23:08 <anssik> Present+ Anssi_Kostiainen
16:23:15 <dsr> rrsagent, set logs public
16:23:40 <mounir> marcosc_: since the last time I saw you, since the manifest spec left this group, I analyzed the UC
16:24:00 <mounir> ... looked at the conventional wisdom, things like authors, etc.
16:24:11 <mounir> ... even though Firefox OS had that kind of information, it was never used (same with Widgets)
16:24:41 <mounir> ... so we reduced the manifest spec to be only things actually used by runtimes instead of any metadata
16:24:44 <BaopingCheng> BaopingCheng has joined #sysapps
16:25:12 <Zakim> Zakim has joined #sysapps
16:25:17 <slightlyoff_> slightlyoff_ has joined #sysapps
16:25:51 <mounir> ... We want to make the manifest a tool to leverage webapps so they can be powerful, like installable
16:26:26 <mounir> ... (explains how permissions and signature would work with manifest and packaged apps)
16:27:03 <cdumez> http://manifest.sysapps.org/
16:30:15 <mounir> marcosc_ is explaining some behaviour of start_url based on the example in manifest.sysapps.org
16:32:40 <gmandyam> q+
16:33:26 <mounir> (discussion paused until we get the phone line connected)
16:33:28 <dsr> zakim, room for 5 for 480m?
16:33:29 <Zakim> ok, dsr; conference Team_(sysapps)16:33Z scheduled with code 26631 (CONF1) for 480 minutes until 0033Z
16:33:31 <mounir> ack gmandyam
16:33:52 <mounir> gmandyam: can you share the data of the runtime usage of metadata you mentioned?
16:34:02 <Zakim> Team_(sysapps)16:33Z has now started
16:34:09 <Zakim> +??P1
16:34:47 <zolkis> zolkis
16:35:01 <dsr> zakim, ??P1 is zolkis
16:35:01 <Zakim> +zolkis; got it
16:35:09 <Zakim> +??P6
16:35:16 <anssik> zakim, ??P6 is me
16:35:17 <Zakim> +anssik; got it
16:35:36 <Zakim> +[Paypal]
16:35:37 <anssik> dsr, thanks for fixing the conf :)
16:35:56 <Zakim> + +46.7.03.79.aaaa
16:36:15 <dsr> zakim, aaaa is Claes
16:36:15 <Zakim> +Claes; got it
16:36:34 <mounir> (phone is fixed)
16:37:13 <mounir> (marcosc_ summarized what he was saying)
16:38:31 <mounir> marcosc_: the big giant hole in that is obviously offline, appcache is there but not enough
16:38:38 <mounir> ... but hopefully we have serviceworker
16:38:43 <marcosc_> https://github.com/w3c/manifest/blob/gh-pages/README.md
16:39:04 <dsr> Present+ Dave, Anssi, Zoltan, Claes
16:39:14 <mounir> marcosc_: in the readme file, we have the v1 and v2 goals
16:40:07 <mounir> (marcosc_ is listing the v2 goals)
16:40:16 <mounir> (... from the link above)
16:40:48 <anssik> v1: https://github.com/w3c/manifest/issues?labels=V1&page=1&state=open
16:40:48 <anssik> v2: https://github.com/w3c/manifest/issues?labels=V2&page=1&state=open
16:43:35 <gmandyam> q+
16:43:53 <mounir> marcosc_: what happens if you load the manifest async regarding to csp policy? because you have already loaded scripts
16:44:47 <mounir> marcosc_: the manifest is an unblocking resource that you load after the load event so if there is a CSP policy, given that the manifest is not part of the critical path, it might create a different behaviour at the second load
16:44:56 <mounir> marcosc_: service worker would have a similar problem
16:45:10 <mounir> brad: so far the answer is that the meta tag has to be loaded ahead
16:45:21 <mounir> brad: we started with only headers to kind of avoid that kind of issues
16:46:05 <mounir> anssik: I think that CSP1.1 is <inaudible>
16:46:19 <mounir> ack gmandyam
16:46:36 <mounir> gmandyam: we had a pretty conservative default security policy
16:46:39 <Axel> Axel has joined #sysapps
16:46:43 <mounir> ... like no default inline
16:47:15 <anssik> s/is <inaudible>/not yet settled on the <meta> behavior/
16:47:38 <mounir> brad: the current spec says that if you have a policy in the header, any meta policy is ignored
16:47:43 <mounir> ... it might be an issue to work trough
16:47:55 <mounir> marcosc_: we are hoping to past this request feedback from the CSP folks soon on this
16:48:45 <mounir> marcosc_: updatable manifest, how to handle when the author update the manifest?
16:48:52 <mounir> mounir: isn't that in the spec?
16:48:57 <mounir> marcosc_: yes, but it's loose
16:49:02 <mounir> mounir: it should be in v1 then?
16:49:04 <mounir> marcosc_: yes
16:49:36 <mounir> marcosc_: HTTP Link Header, this may never happen because there is no much interest but Jonas and Hixie like it
16:49:45 <Axel_> Axel_ has joined #sysapps
16:50:00 <mounir> marcosc_: inline manifest, this could be a future thing if people start doing that
16:50:34 <anssik> Feature Requests:  https://github.com/w3c/manifest/issues?labels=Feature+Request&page=1&state=open
16:50:42 <mounir> marcosc_: splash screens are problematics
16:52:00 <mounir> mounir: we talked about that a few times and always realized it's not a good idea to do
16:52:11 <mounir> marcosc_: make installable apps sharable...
16:52:20 <mounir> opoto: what does sharable mean?
16:52:51 <mounir> marcosc_: <didn't hear the answer>
16:53:47 <opoto> q+
16:54:01 <mounir> marcosc_: there is then the question of how to do that with the standard track
16:54:07 <mounir> ... we could do a v1 then a v2 or a living document
16:54:15 <mounir> ... there is no decision yet and it's mostly process
16:54:18 <mounir> ack opoto
16:54:26 <mounir> opoto: there is no declarative permission requests
16:54:33 <mounir> marcosc_: no, there is no real need for that for the moment
16:54:39 <mounir> ... and we do not know what's the best approach for this
16:54:42 <mounir> ... we need to look into that
16:54:46 <Claes> q+
16:55:36 <jungkees> q+
16:56:22 <marcosc_> mounir: the permission model of Sockets is complicated... and it's not yet solved in a non-packaged app. But we still don't know how to bring this to the Web.
16:56:41 <marcosc_> dsr: do we have time to talk about security stuff later in the agenda
16:56:47 <marcosc_> ?
16:56:55 <mounir> scribe: marcosc_
16:58:10 <marcosc_> opoto: maybe the manifest is good way to addressing the permissioning problem by gathering things together.
16:58:10 <wonsuk> q?
16:59:24 <marcosc_> marcosc_: we could go and look at how the permissioning model works in FxOS and in Chrome apps
16:59:44 <marcosc_> mounir: I disagree that it's the same. Those things are not quite the Web - so it's a bit different.
17:00:52 <marcosc_> brad: there is also iOS and Android. Access control gadgets is work that microsoft did a few years ago that could be relevant for the discussion.
17:01:10 <marcosc_> brad: it's a different model to look at for contrast
17:01:40 <marcosc_> dsr: I've been asked to write a white paper about this
17:02:05 <bhill2> actually: Windows Phone and iOS work more like the Access Control Gadget model vs. Android's manifest model
17:02:13 <marcosc_> dsr: I have a few months to work on this
17:02:27 <marcosc_> marcosc: it would be great if you could work with WebMob IG
17:02:34 <anssik> Dom's work on permissions: https://github.com/dontcallmedom/web-permissions-req/
17:02:36 <bhill2> Link to ACG work:  http://research.microsoft.com/apps/pubs/?id=152495
17:02:39 <marcosc_> mounir: Dom has also done tome work on this
17:02:43 <wonsuk> q?
17:02:46 <marcosc_> s/tome/some/
17:03:40 <mounir> s/tome work/some work/
17:03:43 <mounir> ack Claes
17:04:18 <marcosc_> Claes: I don't have much to add right now. However, Marcos talked about making manifest CORS compatible. But I dont' see that there
17:04:19 <mounir> scribe: mounir
17:04:54 <mounir> marcosc_: you are right, anssik, keneth and I talked of creating a spearate spec for packaged apps to be CORS compatible
17:05:15 <mounir> ... you need an origin member in the manifest that doesn't specify http:// [the protocal] but just the domain
17:05:58 <mounir> (marcosc explains how the origin value would be checked on the server)
17:06:09 <mounir> marcosc_: we are using such mechanism in firefox os for packaged apps
17:06:16 <mounir> ... i'm not volunteering to do it but it's doable
17:06:24 <mounir> Claes: so it should be a separate spec?
17:06:43 <mounir> marcosc_: yes, I can actually link to the extension point part of the spec
17:06:54 <marcosc_> http://manifest.sysapps.org/#dfn-extension-point
17:07:15 <anssik> [any packaged app specific features are out of scope for the core spec, should use the extension point]
17:07:42 <mounir> marcosc_: any spec can use that extension point to hook in new features
17:07:54 <mounir> ... it should be little work and pretty trivial
17:08:02 <mounir> q?
17:08:17 <mounir> Claes: we can have a look at that and see how that goes based on the needs we have
17:08:25 <mounir> marcosc_: take a look at firefox os manifest
17:09:20 <marcosc_> https://developer.mozilla.org/en-US/Apps/Build/Manifest#origin
17:10:03 <mounir> marcosc_: it is tried and tested and used in the wild
17:10:26 <mounir> Claes: why have a separate specification?
17:10:33 <mounir> marcosc_: it doesn't make sense for web pages
17:10:43 <mounir> ... it is something that only packaged applications would use
17:11:17 <mounir> ack jungkees
17:11:21 <marcosc_> Claes: we will look at that
17:11:48 <marcosc_> https://github.com/w3c/manifest/issues/161https://github.com/w3c/manifest/issues/161
17:11:55 <mounir> marcosc_: bug related to servige worker ^
17:12:02 <cdumez> q+
17:12:14 <wonsuk> https://github.com/w3c/manifest/issues/161
17:12:30 <mounir> ack cdumez
17:12:38 <mounir> marcosc_: datastore defines its own model
17:12:54 <cdumez> q-
17:13:25 <mounir> Topic: Service Worker
17:13:27 <genelian_> genelian_ has joined #sysapps
17:13:57 <jungkees> https://github.com/slightlyoff/ServiceWorker/
17:14:01 <mounir> jungkees: we are working on service worker, it is now in the charter of the webapps wg
17:14:03 <genelian_> present+ Gene_Lian
17:14:11 <mounir> ... the actual work is made on GitHub
17:14:25 <mounir> ... Mozilla, Google and Samsung are working on this
17:14:32 <mounir> ... We are done with the v1 features
17:15:06 <dsr> meeting: System Applications Face to Face - 8 April 2014
17:15:11 <jungkees> http://slightlyoff.github.io/ServiceWorker/spec/service_worker/index.html
17:15:31 <mounir> jungkees: the spec is still being drafted
17:16:09 <mounir> jungkees: a servece worker can fetch the resources
17:17:09 <terri> terri has joined #sysapps
17:17:36 <mounir> jungkees is describing the service worker specification/features to the group
17:26:45 <Zakim> -Claes
17:28:50 <cdumez> q+
17:30:00 <wonsuk> ?
17:30:05 <wonsuk> q?
17:30:37 <mounir> genelian_: the goal of the task scheduler is to open the app when it is no longer running
17:30:45 <mounir> ... how would service worker do that?
17:31:23 <mounir> jungkees describes how task scheduler works
17:31:57 <mounir> jungkees: the idea is to launch a service worker and run the script
17:32:03 <mounir> ... we don't need to open any tab
17:32:24 <mounir> ... within the worker code, the developer can create a notification, for example
17:32:42 <mounir> cdumez: so every app using task scheduler will have to create a service worker?
17:32:45 <mounir> jungkees: yes
17:33:22 <cdumez> q-
17:34:17 <mounir> jungkees explains how a service worker gets woken up by an event after the developer registered for it
17:37:03 <opoto> q+
17:37:27 <dsr> q+ to ask which companies are implementing ServiceWorker and whether this includes mobile devices?
17:37:29 <mounir> jungkees shows example from the service worker GitHub repository
17:37:40 <wonsuk> Push integration example with ServiceWorker: https://github.com/slightlyoff/ServiceWorker/issues/177
17:38:44 <mounir> <discussions around service worker examples shown in the room>
17:38:47 <dsr> ack opoto
17:38:48 <mounir> ack opoto
17:39:10 <mounir> opoto: when a web page register a service worker, is there a spec explaining how this is hapenning?
17:39:18 <mounir> ... because this is a service and it is persistent
17:39:40 <mounir> jungkees: for the initial version, to install the service worker, we should do https only
17:39:53 <mounir> opoto: it's good to require https but we should inform the user about what's hapenning
17:40:11 <mounir> ... and about the registration, is there any requirement about the display?
17:40:20 <bhill2> bhill2 has joined #sysapps
17:40:26 <mounir> jungkees: no
17:41:30 <mounir> wonsuk: there would be a problem if the web application uses memory uses without the user knowledge
17:41:31 <dsr> ack dsr
17:41:31 <Zakim> dsr, you wanted to ask which companies are implementing ServiceWorker and whether this includes mobile devices?
17:41:32 <anssik> q+ to note Chrome Canary has an experimental UI for unregistering SWs meant for debugging purposes only: chrome://serviceworker-internals/
17:41:55 <mounir> dsr: what companies are implementing service worker? what about mobile device?
17:42:16 <mounir> jungkees: Mozilla and Google are implementing
17:42:25 <mounir> jungkees: it should be implemented in 2-3 for a beta version
17:43:29 <wonsuk> s/2-3/2-3 months/
17:44:35 <wonsuk> q?
17:45:03 <mounir> mounir: on Mobile, the problem is more complicated than desktop because waking up the service would take memory and cpu...
17:45:11 <mounir> ack anssik
17:45:11 <Zakim> anssik, you wanted to note Chrome Canary has an experimental UI for unregistering SWs meant for debugging purposes only: chrome://serviceworker-internals/
17:45:29 <mounir> anssik: there is a UI for Canary
17:45:39 <mounir> ... is Google working on a better UI?
17:45:42 <mounir> mounir: don't know
17:45:51 <mounir> anssik: developers might want to be in control of that UI
17:46:10 <mounir> jungkees: we might want to talk about service worker integration with manifest
17:46:52 <anssik> s/developers/developers as well as users/
17:47:34 <wonsuk> s/the user knowledge/the user permission/
17:48:02 <mounir> mounir: we should keep manifest/service worker integration to the webapps meeting so we don't repeat ourselves
17:49:59 <gmandyam> q+
17:51:14 <anssik> http://status.modern.ie/ says Service Workers is Under Consideration
17:51:57 <mounir> mounir: we might want to move task sceduler to webapps because it will reach a broader audience
17:52:00 <anssik> q+ to ask about the plan for extension points in the SW spec for future events, if not deemed out of scope for this session
17:52:20 <wonsuk> ack gma
17:52:38 <mounir> q?
17:53:16 <mounir> ack anssik
17:53:16 <Zakim> anssik, you wanted to ask about the plan for extension points in the SW spec for future events, if not deemed out of scope for this session
17:53:38 <mounir> anssik: i remember talking to alex about extensions point for the spec
17:53:51 <mounir> ... is there an issue I should follow to track the progress on this?
17:54:02 <mounir> jungkees: you are talking of application lifecycle events?
17:54:37 <mounir> anssik: no
17:54:58 <mounir> jungkees: let's talk about that offline
17:55:08 <mounir> anssik: it would be good for people that want to build on top of SW
17:55:20 <mounir> jungkees: yes
17:55:26 <mounir> q?
18:07:01 <Zakim> +Claes
18:08:08 <dsr> dsr has changed the topic to: zakim code is 26631
18:08:31 <dsr> .... coffee break for 15 minutes ....
18:08:38 <dsr> rrsagent, make minutes
18:08:38 <RRSAgent> I have made the request to generate http://www.w3.org/2014/04/08-sysapps-minutes.html dsr
18:11:30 <dsr> chair: Wonsuk, Mounir
18:11:33 <dsr> rrsagent, make minutes
18:11:33 <RRSAgent> I have made the request to generate http://www.w3.org/2014/04/08-sysapps-minutes.html dsr
18:11:43 <mounir> Topic: Brain storming and discussion about the direction of security and privacy model
18:12:16 <dsr> scribe: dsr
18:12:20 <dsr> scribenick: dsr
18:13:39 <dsr> Opoto: the web security model today is mostly based upon the document origin, but we now need to consider system applications.
18:14:39 <dsr> ... There could be access to sensitive data including credential stores.  We need some form of access control for sensitive APIs, and to identify that an application can be trusted. This is missing today.
18:14:47 <terri> dsr: is that really the zakim code?  I'm not able to join.
18:15:14 <Zakim> +terri
18:15:22 <dsr> Wonsuk: we need to use existing mechanisms or we need to look for new ways based upon the principles of the Web
18:16:01 <dsr> ... in my opinion package signing would not be good, as it doesn't work well with hyperlinking
18:16:35 <dsr> ... hosted apps gets you the latest version, but this isn't the case for packaged apps.
18:17:22 <dsr> ... we can have security mechanisms for packaged and hosted apps, but my focus is on hosted apps, and to cover packaged apps as corner cases.
18:18:13 <dsr> ... Vendors are using their own signed package schemes
18:18:39 <dsr> opoto: we should try to find a common security/trust model for packaged and hosted apps.
18:19:12 <dsr> Mounir: this has proven to be hard in practice, you can't trust websites much
18:19:27 <Zakim> -zolkis
18:20:08 <dsr> Marcos: I am not sure agree. It is a very challenging problem. The web security model is deeply embedded into the browser code, so we need to align with the origin model.
18:21:22 <dsr> ... I am optimistic that we will eventually be able to address, but it will take more than the people in this room.
18:21:58 <dsr> opoto: do we agree that there is a need for this?
18:22:08 <dsr> Marcos: absolutely, yes!
18:23:22 <dsr> ... The Node community are also interested in this.  However, there are huge UX challenges.
18:23:44 <dsr> ... normal users won't want to see technical permission dialogs
18:24:08 <dsr> ... people are using iOS and Android and the World hasn't collapsed.
18:24:16 <Zakim> +??P1
18:24:41 <dsr> Mournir: there is a difference due to the ease of following a link. There isn't the same curated app store model.
18:24:55 <dsr> opoto: do you see this being done in SysApps?
18:25:00 <zolkis> zakim, ??P1 is me
18:25:00 <Zakim> +zolkis; got it
18:26:00 <dsr> Marcos: we need to deal with this in a broader community. The HTML WG is still some way to go before addressing this.
18:26:51 <dsr> ... current focus is on extending the markup, HTML6 primarily about web components, and further work on expanding scope of CSS.
18:27:22 <gmandyam> q+
18:28:17 <mounir> ack gma
18:28:18 <wonsuk> ack gma
18:28:25 <dsr> ... we don't have all of the major players here in SysApps.  Previous efforts e.g. Bondi didn't work out as they didn't involve sufficient range of stakeholders.
18:29:23 <dsr> Giri: it is about how apps are distributed and it has proven hard to reconcile different approaches.
18:30:46 <dsr> Marcos: the packaged app approach hasn't worked out, so we should focus more on hosted apps and approach matters from the web security model perspective and try to embrace packaged apps as there is a clear demand for them.
18:31:02 <gmandyam> Slight modification:  I think BONDI didn't solve the security/permission/signing problem was because the platforms that existed at the time were so different i ntheir approaches that it was difficult to commonalize.
18:32:12 <dsr> Marcos talks about phonegap experience.
18:32:43 <dsr> Dave: automotive domain where web apps are starting to appear in cars, these folks are seeking guidance
18:33:31 <dsr> Marcos: suggest looking at best commercial experience  and experiment, but trying to experiment in a standards body isn't a recipe for success
18:33:51 <lgombos> q+
18:33:58 <dsr> ... there are lots of things you can look at e.g. widgets
18:34:43 <dsr> Wonsuk: I had a private meeting last week with Mozilla and Google, and they are also interested in moving this forward.
18:35:26 <dsr> ... What things can we progress within the existing web security model (same origin), and what things would break that e.g. raw sockets.
18:36:14 <dsr> ... We should clarify which APIs can fit within the existing model
18:36:48 <dsr> ... We need to go step by step
18:36:55 <jinsong> q+
18:37:04 <dsr> ack lgombas
18:37:10 <dsr> ack lgombos
18:37:41 <dsr> lgombos: it is likely that many of the SysApps APIs will break the same origin model
18:37:42 <bhill2> bhill2 has joined #sysapps
18:38:01 <dsr> Mounir: perhaps all of them except task scheduler
18:39:23 <Zakim> -anssik
18:39:38 <Zakim> -zolkis
18:39:44 <dsr> ServiceWorker is interesting in how it relates to the security model
18:39:51 <dsr> Jungkee: maybe we can try to come up with a solution for APIs that break the sandbox model
18:40:40 <dsr> Wonsuk: I attended the W3C TAG meeting last week, one idea that came up was to use the website's reputation
18:40:48 <Zakim> +??P1
18:40:52 <anssik> zakim, ??P1 is me
18:40:52 <Zakim> +anssik; got it
18:41:37 <dsr> Marcos: Alex has been throwing around the idea that if a site meets sufficient criteria, e.g. uses SSL, has been used so many times etc. then it is more likely to be trusted.
18:42:12 <dsr> Mounir: some APIs should be limited to https, e.g. geolocation
18:42:42 <dsr> ... for apps that include a manifest, that in its own merits some trust
18:42:53 <anssik> q+ to note https://developer.mozilla.org/en/docs/The_Places_frecency_algorithm et al.
18:43:22 <dsr> ... the push API is not about sensitive data
18:43:29 <mounir> ack jinsong
18:44:26 <dsr> jinsong: my understanding is that there is 2 levels of security for the web -- hosted and packaged
18:45:38 <dsr> ... I have been learning about work relating to this in China. They want to protect user's privacy/security. They didn't accept the use of pop-ups
18:45:52 <Zakim> +??P6
18:46:22 <zolkis> zakim, ??P6 is me
18:46:22 <Zakim> +zolkis; got it
18:46:37 <dsr> ... They have the notion of certified apps, and they require explicit user confirmation for sensitive APIs e.g, access to camera or microphone.
18:47:03 <dsr> ... They also need a means to allow users to switch on and off app permissions.
18:48:11 <dsr> Marcos: iOS allows you to alter privacy settings in an app specific way.
18:48:29 <wonsuk> q?
18:49:05 <dsr> opoto: this relies on users to control security which isn't very effective for everyone
18:50:31 <dsr> Marcos: on iOS this can be many levels deep in the settings
18:50:31 <dsr> opto: it is also unclear how changing the settings effect the application
18:51:56 <dsr> Dave: maybe there is a market for 3rd party tools for monitoring and managing your security as a way to get around individual users level of technical savvy
18:52:57 <wonsuk> ack anssi
18:52:57 <Zakim> anssik, you wanted to note https://developer.mozilla.org/en/docs/The_Places_frecency_algorithm et al.
18:53:04 <dsr> Jinsong: there are indeed tools for monitoring what apps are doing, but there is a need for such tools to update the security settings for apps.
18:53:46 <anssik> another interesting research-y area is http://en.wikipedia.org/wiki/Reputation_system
18:54:27 <dsr> Anssi: I've droped a link to work that looks at the frequency at which you've visited a site, and it would be interesting to combine with reputation. This still feels like a research areas for innovation before we start on standardization.
18:54:52 <wonsuk> q?
18:55:09 <anssik> s/frequency/frecency/
18:55:23 <anssik> The word "frecency" itself is a combination of the words "frequency" and "recency."
18:55:47 <dsr> Dave: is there any work on being able to sign hosted apps?
18:56:39 <dsr> Marcos: for FirefoxOS you can only sign packaged apps
18:57:02 <anssik> [ The frecency algorithm https://developer.mozilla.org/en/docs/The_Places_frecency_algorithm ]
18:57:05 <dsr> Wonsuk: hosted apps keep changing which creates challenges for signing
18:57:30 <dsr> Dave: you can make signing dynamic as a work around when needed
18:57:40 <dsr> Maros: Anders R. has some ideas
18:57:51 <lgombos> slightly related work - http://w3c.github.io/webappsec/specs/subresourceintegrity/
18:58:47 <dsr> Brad: scaling issues, e.g. with certificate expiry, competing approaches, but these generally haven't mapped well into the Web space.
18:59:41 <dsr> Marco talks about the experience during work on the widget spec
19:00:09 <jungkees> Packaging on the web discussed last week: http://oksoclap.com/p/packaging-on-the-web
19:00:09 <dsr> opoto: most of the sysapps APIs require a solution so we are faced with a real challenge!
19:01:09 <dsr> Marcos: yes, Adam B. insisted we work on the security model for SysApps, but we have not lived up to that
19:02:45 <dsr> ... we break for lunch and will resume at 1pm PST ...
19:02:54 <dsr> rrsagent, make minutes
19:02:54 <RRSAgent> I have made the request to generate http://www.w3.org/2014/04/08-sysapps-minutes.html dsr
19:03:26 <Zakim> -terri
19:03:29 <Zakim> -zolkis
19:03:31 <Zakim> -anssik
19:03:35 <Zakim> -Claes
19:24:22 <jmajnert> jmajnert has left #sysapps
19:30:42 <jmajnert> jmajnert has joined #sysapps
19:42:56 <Github> Github has joined #sysapps
19:42:56 <Github> [13tcp-udp-sockets] 15ClaesNilsson pushed 3 new commits to 06gh-pages: 02http://git.io/QS_55g
19:42:56 <Github> 13tcp-udp-sockets/06gh-pages 14d1d6956 15Claes Nilsson: interface UDPSocket rewritten to be based on Streams API
19:42:56 <Github> 13tcp-udp-sockets/06gh-pages 140600e85 15Claes Nilsson: Updates according to comments bt Domenic.
19:42:56 <Github> 13tcp-udp-sockets/06gh-pages 14690a29c 15Claes Nilsson: Merge pull request #64 from ClaesNilsson/gh-pages...
19:42:56 <Github> Github has left #sysapps
19:46:57 <Github> Github has joined #sysapps
19:46:57 <Github> [13tcp-udp-sockets] 15ClaesNilsson opened pull request #65: Corrections (06gh-pages...06gh-pages) 02http://git.io/Bk2ykQ
19:46:57 <Github> Github has left #sysapps
19:47:05 <Github> Github has joined #sysapps
19:47:05 <Github> [13tcp-udp-sockets] 15ClaesNilsson closed pull request #65: Corrections (06gh-pages...06gh-pages) 02http://git.io/Bk2ykQ
19:47:05 <Github> Github has left #sysapps
19:47:06 <Github> Github has joined #sysapps
19:47:06 <Github> [13tcp-udp-sockets] 15ClaesNilsson pushed 2 new commits to 06gh-pages: 02http://git.io/_8Dd2w
19:47:06 <Github> 13tcp-udp-sockets/06gh-pages 14834186c 15Claes Nilsson: Corrections
19:47:06 <Github> 13tcp-udp-sockets/06gh-pages 14afcbf90 15Claes Nilsson: Merge pull request #65 from ClaesNilsson/gh-pages...
19:47:06 <Github> Github has left #sysapps
19:56:48 <zqzhang_> zqzhang_ has joined #sysapps
19:59:03 <Zakim> +Claes
20:06:29 <mounir> Topic: Raw Socket API
20:07:06 <Claes> http://lists.w3.org/Archives/Public/public-sysapps/2014Apr/att-0035/TCP_UDP_Socket_API_based_on_Streams_-_San_Jose_April_2014.pdf
20:07:43 <marcosc> marcosc has joined #sysapps
20:07:48 <bhill2> bhill2 has joined #sysapps
20:07:54 <lgombos> lgombos has joined #sysapps
20:07:59 <marcosc> Claes: I sent the presentation to the list
20:08:45 <marcosc> [Claes will walk through his presentations ... slide link forthcoming ]
20:09:26 <mounir> scribe: mounir
20:09:28 <mounir> scribenick: mounir
20:09:31 <mounir> http://lists.w3.org/Archives/Public/public-sysapps/2014Apr/att-0035/TCP_UDP_Socket_API_based_on_Streams_-_San_Jose_April_2014.pdf
20:09:35 <Zakim> +terri
20:10:35 <mounir> Claes is going trough the slides
20:11:00 <mounir> Claes: the api name is "TCP and UDP Socket API" because "Raw Sockets" wasn't very clear
20:11:06 <opoto> opoto has joined #sysapps
20:11:26 <mounir> Claes: the API is being re-written to be based on Streams API
20:11:43 <mounir> ... the motivation is to handle the complexity of sending, receiving, buffering the backpressure
20:12:28 <mounir> Claes: there are two Streams API being aligned
20:12:53 <mounir> ... the rebasing work is done on top of WHATWG API instead of W3C Streams API
20:13:12 <mounir> marcosc: the WHATWG Streams is going to be the primitive Streams API for the platform
20:13:18 <mounir> which is going to be moved te ECMAScript
20:13:28 <mounir> s/which is/... which is/
20:13:34 <mounir> ... the W3C spec is going to be on top of that
20:13:52 <mounir> ... this is a great primitive for a ton of API using Streams
20:13:58 <mounir> Claes: what's the Streams API?
20:14:11 <mounir> ... it provides an interface for creating, composing and consuming streams of data
20:14:26 <mounir> Claes read the slides
20:14:37 <mounir> s/Cleas read /Claes reads /
20:16:48 <terri> I can hear Claes on the bridge fine, so it might be on your end
20:17:06 <Zakim> -Claes
20:17:45 <Zakim> +Claes
20:17:59 <marcosc> Claes, I think it might be us
20:18:08 <Zakim> -[Paypal]
20:18:14 <marcosc> Claes: we are dialing in again
20:18:20 <Claes> ok
20:18:47 <Zakim> +[Paypal]
20:19:25 <mounir> Claes continues reading the slides after some phone connectivity issues
20:21:29 <mounir> Claes: slide 11 is the previous version that is not Stream based
20:22:06 <mounir> ... if we look at the next slide, we have two attributes, one is ReadableStream and the other one is WritableStream
20:22:46 <mounir> http://lists.w3.org/Archives/Public/public-sysapps/2014Apr/att-0035/TCP_UDP_Socket_API_based_on_Streams_-_San_Jose_April_2014.pdf
20:23:17 <mounir> Claes continues reading the slides
20:24:49 <Zakim> +??P5
20:24:54 <anssik> zakim, ??P5 is me
20:24:54 <Zakim> +anssik; got it
20:26:34 <mounir> Claes: the example in slides 16 is using the new TCP interface based on Streams
20:26:55 <mounir> ... input is the writable Stream
20:27:24 <mounir> ... so you are write a text and then if the promise return resolve, you wait for the readable side (output.wait())
20:27:28 <mounir> ... then you receive data
20:27:32 <mounir> ... and read out the data
20:28:29 <mounir> cdumez: why are we calling the method socketClose() and socketHalfClose()?
20:29:07 <mounir> Claes: I have actually changed that
20:29:09 <mounir> ... 10 mins ago
20:29:41 <mounir> opoto: so halfClose() is for closing the input?
20:29:50 <mounir> Claes: it's for closing the writable side indeed
20:30:03 <mounir> opoto: shouldn't the close() be on the writable stream interface?
20:30:27 <mounir> Claes: input.close() is a possibility
20:30:27 <gmandyam> q+
20:30:42 <mounir> Claes: ppl familiar with TCP Socket are familiar with halfClose() term
20:31:03 <mounir> ack gmandyam
20:31:25 <mounir> gmandyam: is server socket stable or do you plan similar changes on that?
20:31:37 <mounir> Claes: yes
20:31:52 <mounir> marcosc: what are your plans from here wrt this?
20:32:17 <mounir> Claes: finish the specification and have a prototype implementation
20:32:45 <mounir> Claes: I can't promise that I will have time to do the implementation
20:32:52 <mounir> ... but I hope that it could be done by someone else
20:33:01 <mounir> ... any voluntary resource would be appreciated
20:33:30 <anssik> q+ to ask whether one could wrap the previous iteration of the API?
20:33:57 <mounir> marcosc: as a reference it might be possible to wrap the Firefox OS API as a reference
20:34:29 <mounir> s/Firefox OS API as a reference/Firefox OS API/
20:35:45 <mounir> anssik: we have some persons interested in this and could write a reference API
20:36:10 <mounir> marcosc: you go to the whatwg streams repo, you can find a reference implementation there
20:36:29 <mounir> marcosc is looking for a link
20:36:42 <marcosc> https://github.com/whatwg/streams/tree/master/reference-implementation
20:36:46 <anssik> s/a reference API/an experimental implementation/
20:37:06 <mounir> ack anssik
20:37:06 <Zakim> anssik, you wanted to ask whether one could wrap the previous iteration of the API?
20:37:59 <mounir> Claes: we should see if it could be implemented on top of Firefox OS TCP API
20:38:05 <mounir> ... I will check some alternatives and come back on that
20:39:17 <mounir> mounir: implementation status?
20:39:25 <mounir> anssik: we are interested but we implement the previous one
20:39:31 <mounir> marcosc: we are watching and seeing
20:39:59 <mounir> lgombos: what's the story regarding permission for TCP/UDP?
20:40:20 <mounir> Claes: this relates to the discussion we had before lunch
20:40:38 <mounir> ... it has to be a store security model, we can't do a simple security model
20:40:43 <mounir> ... it opens up too much stuff
20:41:02 <mounir> Claes: we have to relate to the discussion for security/privacy
20:41:28 <mounir> lgombos: are you saying that it belongs to the spec but we can't spec it out?
20:41:35 <mounir> ... or do you mean that it's outside of the specification?
20:42:04 <mounir> Claes: it's a sensitive api like other apis
20:44:52 <mounir> mounir: to answer lgombos' question, I think this is bigger than the spec
20:45:17 <mounir> jungkees: I think lgombos' question was more that we currently have a specification but no permission model for it, so what should we do with it?
20:45:32 <genelian_> genelian_ has joined #sysapps
20:46:10 <mounir> Topic: Application Management API
20:48:08 <anssik> http://lists.w3.org/Archives/Public/public-sysapps/2014Apr/att-0041/AppManagementAPI.pdf
20:48:17 <wonsuk> slide: https://mail-attachment.googleusercontent.com/attachment/u/0/?ui=2&ik=53293ca563&view=att&th=1454160492b8137f&attid=0.1&disp=inline&safe=1&zw&saduie=AG9B_P_9ZyqSId_uZvO2K-Bes8iX&sadet=1396990101753&sads=g8k7O62q8uIis8Xvs13F4IwtVHo
20:49:50 <mounir> Claes reads the slides
20:52:20 <mounir> Claes: so that's the proposal, any comment?
20:52:23 <mounir> q?
20:52:57 <mounir> mounir: I don't think we should work on that
20:53:09 <mounir> marcosc: I will send my comments to the list and give my rational on that
20:53:21 <mounir> ... on firefox os there is an alternative screen homescreen
20:55:04 <mounir> scribe: marcosc
20:55:09 <mounir> scribenick: marcosc
20:56:30 <marcosc> mounir: I also wanted to point out that this API is very closly tied to the permission and security model. So moving it forward might complicate things further with regards security. The APIs are very very different and they have very limited interop. It might be too optimistic/early to try to standardize this.
20:56:32 <lgombos> q+
20:57:42 <mounir> ack lgombos
20:58:33 <marcosc> lgombos: is the entire set of use cases related to security - or can there be a subset that is more limited that we all have agreement on?
20:58:51 <marcosc> Claes: maybe that would be good
20:59:10 <marcosc> mounir: I don't know if we can find such a baseline
20:59:11 <marcosc> +q
20:59:57 <anssik> we had an API in the Manifest to "install" an app, but dropped it based on feedback
21:00:00 <marcosc> mounir: there is complexity with regards to the kinds of apps your can launch (priveliged vs hosted, etc.)
21:01:38 <Claes> Claes has joined #sysapps
21:02:35 <marcosc> lgombos: the thing that we hate on the web is getting a bunch of install buttons for native apps
21:03:20 <marcosc> mounir: as anssik said, we had an API, but now we dropped it because it's better to let the browser handle it.
21:03:42 <marcosc> mounir: I'm not saying this is the final thing, but we should experiment in the browsers first
21:04:19 <marcosc> lgombos: the initial intent of this API was to allow people to create a store, but I agree that that is very ambitious
21:04:41 <mounir> scribe: marcosc
21:04:45 <mounir> scribenick: marcosc
21:04:49 <mounir> scribe: mounir
21:04:54 <mounir> scribenick: mounir
21:05:04 <mounir> marcosc: I personally wouldn't want to have us work on this
21:05:22 <mounir> ... like Mounir said earlier, it goes back to the manifest
21:05:34 <mounir> ... that could be used as a start, using that metadata
21:05:48 <mounir> ... to build a store site and share half the metadata with
21:05:54 <mounir> ... the store and the application itself
21:07:30 <mounir> mounir and marcosc chats about things and how the web could be better
21:07:45 <mounir> marcosc: it's complicated
21:07:54 <mounir> ... that's my perspective
21:08:11 <mounir> marcosc: I'm not in favour in working on this or bringing this to the group
21:10:18 <mounir> RESOLUTION: the group believes it is not ready to start working on that deliverable
21:10:40 <mounir> break - 10 mins - 14:20
21:11:03 <Zakim> -Claes
21:23:53 <cdumez> http://www.w3.org/2012/sysapps/web-alarms/
21:24:10 <mounir> Topic: Task Scheduler
21:24:22 <wonsuk> http://www.w3.org/2012/sysapps/web-alarms/
21:25:05 <mounir> cdumez: let's review the requirements section
21:25:20 <mounir> ... an application can only access its own scheduled tasks
21:25:46 <mounir> ... a task id must be unique within its origin
21:25:55 <mounir> ... a scheduled task must be restorted at restart
21:26:36 <mounir> ... a scheduled task must make the system
21:27:03 <mounir> s/make the system/wake the system/
21:28:02 <mounir> ... a scheduled task that was supposed to run when the system was shutdown must run at startup
21:28:15 <mounir> mounir: I think we sholud say that if you miss a task you should run it ASAP
21:28:51 <zolkis> i.e. instead of "must" use "should"?
21:30:45 <mounir> cdumez continues reading the list of requirements
21:30:54 <mounir> cdumez: but there is uninstalled mentions here
21:31:01 <mounir> ... which doesn't really exist anymore
21:31:15 <zolkis> say if you leave the phone off for two weeks, then you switch on, and get all missed daily alarms?
21:31:29 <anssik> q+ to ask about plans to expose TaskScheduler in ServiceWorkerGlobalScope
21:31:39 <mounir> marcosc: what owns the tasks? what is an application? should that be the service worker? the origin? the document?
21:33:36 <mounir> jungkees: we might want to use the service worker scope
21:33:50 <mounir> marcosc: we could go further and make this only apply in the context of service worker
21:34:02 <mounir> cdumez: but we should be able to register from the page
21:35:41 <mounir> marcosc: but then you need to pass a service worker when you register the task
21:35:47 <mounir> cdumez: I didn't understand that was needed
21:36:38 <mounir> genelian: so the timezone issue is covered by item #6, right?
21:36:41 <anssik> q?
21:36:46 <mounir> cdumez: timezone change is indeed
21:36:54 <mounir> ack marcosc
21:37:02 <mounir> ack anssik
21:37:02 <Zakim> anssik, you wanted to ask about plans to expose TaskScheduler in ServiceWorkerGlobalScope
21:37:29 <mounir> anssik: it seems that we reach a consensus here
21:38:19 <mounir> marcosc: we need to ask the service worker people
21:39:19 <mounir> ACTION: cdumez will change the requirements to specify that a missing task must be restored (regardless of why it was missed)
21:39:50 <mounir> ACTION: cdumez will investigate how to correctly plug the API to Service Worker - probably using the Thursday session
21:44:40 <mounir> discussions about service worker and how it works
21:45:29 <mounir> ACTION: make the task scheduler task not aware of application install/uninstall - use SW unregistration instead of uninstall
21:47:23 <mounir> mounir: is Mozilla implementing the spec?
21:47:32 <mounir> genelian: no, we are still using our old version
21:47:47 <mounir> cdumez: there is an open bug about adding a privacy and security issue section
21:48:19 <mounir> marcosc: I believe Jonas sent an email about that a year ago
21:48:25 <mounir> cdumez: okay
21:48:51 <mounir> ACTION: cdumez should write a privacy and security issues
21:49:06 <mounir> q?
21:49:26 <mounir> Topic: App-URI
21:49:47 <mounir> marcosc makes odd sounds
21:50:01 <mounir> marcosc: after not looking at this for a couple of months, I read it again
21:50:06 <mounir> ... and layered it on top of fetch
21:50:17 <wonsuk> http://www.w3.org/2012/sysapps/app-uri/
21:50:20 <mounir> ... the result of doing that is that the spec reduced quite a lot
21:50:22 <mounir> ... as hoped
21:50:35 <mounir> marcosc: there is like no spec now, it's like five sentences
21:50:47 <mounir> ... all I need to do is to handle the scheme
21:50:54 <mounir> ... the URL spec handles all the parsing
21:50:59 <mounir> ... and the fetch spec all the parsing
21:52:08 <mounir> marcosc: I sent a pull request to Anne to plug 'app' in the fetch spec
21:52:39 <mounir> marcosc: anne might tell me to take a hike
21:52:52 <mounir> genelian: aren't you guys in the same team?
21:52:55 <mounir> marcosc: literally, yes
21:54:31 <mounir> opoto: regarding the instance identifier, you said that it could be provided by the developer, do you have any more information?
21:54:51 <mounir> marcosc: in the manifest, we spake about the 'origin' thing, in that case we would use that component
21:57:56 <mounir> brad: does that mean that I can access an app's resources if I set 'origin'?
21:58:15 <mounir> mounir: no because you will be http vs app, so the domain/sub-domain would be the same but not the protocal wrt origin
21:58:33 <mounir> brad: it would be interesting to discuss that in the context of subresourceintegrity from webappssec
21:58:54 <mounir> marcosc: that's the current status, still waiting for anne's answer
21:58:58 <mounir> q?
21:59:07 <mounir> gmandyam: what would be the handle?
21:59:18 <mounir> ... would the entire spec move in fetch?
21:59:33 <mounir> marcosc: no, just a part of it
21:59:36 <dsr> http://w3c.github.io/webappsec/specs/subresourceintegrity/
22:00:03 <mounir> mounir: implementation status?
22:00:09 <mounir> marcosc: firefox os implements it
22:00:28 <mounir> ... not exactly the same but could be changed to match
22:00:32 <mounir> ... if there is interest
22:00:36 <mounir> lgombos: and crosswalk too
22:00:45 <anssik> I can confirm Crosswalk implements the spec
22:00:45 <mounir> marcosc: it would be interested to see how it's done in crosswalk
22:01:27 <anssik> q+ to ask whether there is a test suite (planned) for the Fetch spec?
22:01:39 <mounir> ack anssik
22:01:39 <Zakim> anssik, you wanted to ask whether there is a test suite (planned) for the Fetch spec?
22:02:12 <mounir> anssik: is there a test suite for the fetch spec?
22:02:39 <mounir> marcosc: I imagine that there will be but fetch just captures what the web currently does
22:02:54 <mounir> ... in term of test suite, there will be an actual api for fetch
22:03:10 <mounir> ... Look at fetch as a meta spec that describes the behaviour of the web
22:03:33 <mounir> q+ to ask what's the added value of that spec
22:03:57 <mounir> marcosc: however, there is a test suite for the app uri that Marta has build - she did a very nice job there
22:04:08 <anssik> we can look at that if there's something to improve
22:04:26 <mounir> marcosc: that spec is sitting on the w3c web platform test repo waiting review
22:04:33 <mounir> ... and I've been too lazy to review it
22:04:34 <anssik> pointer?
22:05:29 <marcosc> https://github.com/w3c/web-platform-tests/pull/325
22:05:52 <anssik> ok, we're already looking at that then :)
22:06:20 <mounir> ack
22:06:21 <mounir> ack me
22:06:21 <Zakim> mounir, you wanted to ask what's the added value of that spec
22:06:32 <mounir> mounir: what's the added value of that spec?
22:06:53 <mounir> marcosc: given that the platform does not define how to deal with local resources
22:07:08 <mounir> ... given the security and privacy issues of using the file://
22:07:18 <mounir> ... (like iOS will show the username)
22:07:22 <mounir> ... we avoid some of those issues
22:07:36 <mounir> marcosc: we also get the added benefit of using the web platform technology
22:07:42 <mounir> ... without that you can't use xhr
22:07:45 <mounir> ... localstorage
22:08:01 <mounir> ... (because of missing origin)
22:08:25 <mounir> mounir: this is the value of having a scheme, but not an interoperable one
22:10:46 <mounir> marcosc: the hole purpose is having the same behaviour, not the name
22:11:08 <mounir> q?
22:11:49 <mounir> Topci: Task Scheduler API
22:12:06 <mounir> genelian: I just recall why we kept the respect-timezone part of the api
22:12:15 <dsr> s/Topci/Topic/
22:12:28 <mounir> genelian: it seems that your api only need the absolute change
22:12:45 <mounir> ... how can you get the new timezone?
22:14:25 <Zakim> -anssik
22:29:13 <mounir> ACTION: cdumez will look at how native platforms handle the alarms wrt timezone
22:29:40 <mounir> ACTION: mounir will look at how Android handle the alarm clock features like week-ends and week days and what API is used for alarms
22:29:55 <dsr> Android's alarm clock distinguishes weekends from weekdays, what do they rely on to achieve that?
22:31:50 <marcosc> marcosc has joined #sysapps
22:41:37 <mounir> we are done for today
22:41:40 <mounir> thank you all
22:41:44 <jmajnert> jmajnert has left #sysapps
22:42:08 <Zakim> -terri
22:44:14 <dsr> rrsagent, make minutes
22:44:14 <RRSAgent> I have made the request to generate http://www.w3.org/2014/04/08-sysapps-minutes.html dsr
22:47:18 <Zakim> -[Paypal]
22:47:19 <Zakim> Team_(sysapps)16:33Z has ended
22:47:19 <Zakim> Attendees were zolkis, anssik, [Paypal], +46.7.03.79.aaaa, Claes, terri
23:45:09 <dsr> dsr has joined #sysapps
23:56:52 <dsr> zakim, room for 5 tomorrow at 12:00 for 480m?
23:56:54 <Zakim> ok, dsr; conference Team_(sysapps)16:00Z scheduled with code 26632 (CONF2) tomorrow at 12:00 for 480 minutes until 0000Z; however, please note that capacity is now overbooked
23:57:11 <dsr> dsr has changed the topic to: zakim code 26632
23:59:59 <dsr> dsr has changed the topic to: zakim code 26632 for San Jose F2F day 2