Symbian Signed Followup

Bruce Carney from Symbian was nice enough to comment on my earlier “Why Symbian Signed must die” post.

There is no intent to prevent long term access. The Symbian Signed infrastructure hit a step change in demand. In periods of overload we have a policy to prioritize the service to ensure professional users can continue their work.

— The problem is shown in this link (i.e. a massive spike)
— The underlying reason was posted in our developers forums here
— Free Developer Certificates *already* downloaded over the past years are valid for 3 years, There are millions and millions of developers who *are* not being impacted by this outage.
— We have been trying to contact the developer of RotateMe to get the app signed (for free) and awaiting response?

If anything, this underscores
(1) How Symbian OS is around an order of magnitude more popular than iPhone or any other mobile OS.
(2) As the smartphone OS market leader, Symbian OS is solving real world mobile developer problems every day, not preaching to the faithful on podiums with powerpoint.

We just ask our developer community to be a little patient

Bruce Carney
Director, Developer Programs & Services

Thanks for posting, Bruce.

I’m sorry I missed your call and I hope you are able to call back.

It’s great news that Symbian intends to restore the ability of people to get devcerts. And I understand and have read all the reasons and reported causes for the Open Signed outages.

I also agree that the volume of certs does suggest the popularity of the platform.

However, all that misses the point. The Symbian Signed server being down is just a symptom, as is the load on that server caused by the volume of developer cert requests. People are requesting so many certs because the signing restrictions are broken. The problem isn’t that the Symbian Signed site is down – the problem is that people have to use it in the first place. The problem is that apps need to be signed to be installed and the mechansm for freeware developers, or even small-time corporate or in-house developers, to get certs and manage getting apps signed (and tested and “approved” by Symbian) is defective. It’s untenable.

This is how we end up in the situation where developers release the apps “unsigned” and have the users themselves sign them (and thus, the high volume of “developer” certs). The arguments in favor of the signing requirement are about making phones “safe” and ensuring users can “trust” the apps. However that trust model is antiquated 20th century thinking. Look what they have to go through now to try to get freeware installed (getting a “devcert” and signing the freeware apps themselves). If they are willing to sign it themselves, it suggests that they “trust” the app, even though it has not been “blessed” by Nokia or Symbian. Why? The reason people trust these apps is not because some authority in the sky, like Symbian Signed, gives it a “thumbs up” but because the community provides a powerful degree of trust. Applications that jack around with people would be immediately discredited by the Symbian freeware community – everyone would know about it, and people would avoid the app like the plague. This works with things like Linux and Firefox and it would also work with Symbian freeware.

The current Symbian Signed process creates the opposite effect of its stated objectives. I’d suggest that Symbian Signed apps are actually less trustworthy, in the true sense of the term – it’s more likely for “official” apps that have been “approved and tested” to have bugs than the freeware ones because it takes months to get an app tested and approved (and it cost $$$) so bugs never get fixed; whereas problems with freeware get reported all over the place and they tend to get fixed quickly.

The solution is to release a version of S60 3rd edition that lets those users that are willing to take the risks install unsignd apps and grant the features, privledges, capabilities they wish to the apps, even if this is a “unsupported” “hacker” version of Symbian with “forfeit all rights to support” restrictions or some such – that would still be vastly better than the situation those people have today, where the only officially supported options are to not install the apps at all, ever or switch platforms/phones – and the “unofficial” solution is to overload the Symbian Signed site with “developer” cert requests.

So save yourself some money on upgrading the Symbian Signed server crypto hardware and instead release a simple version of S60 3rd edition. You’ll be happy, I’ll be happy, and users will be happy. And your phone manufacturer customers like Nokia will be happy too, happy that they don’t lose their customers to Windows Mobile, the iPhone, or other alternative platforms.

5 comments for “Symbian Signed Followup

Comments are closed.