couchdb-marketing mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Re: Code-signing binary releases?
Date Tue, 07 Oct 2014 07:56:49 GMT

On 07 Oct 2014, at 01:00 , Joan Touzet <joant@lrtw.org> wrote:

> Presented with no bias on my part, but it showed up in my inbox:
> 
> https://blogs.apache.org/infra/entry/code_signing_service_now_available
> 
> Do we care to use something like this for our Windows binary builds?
> Or are we happy enough to just publish a Windows binary with a checksum?
> I can see the advantage in signing Windows binaries here.

I have no experience with what that would mean for us and for the end user,
but I assume it is streamlining a user experience and giving a bit of a sense
of security?

> If we add Java or Android components in the future, this could extend to
> signing those binaries as well. I am sufficiently naive about those
> environments to not know whether there exist better, freer, more open
> alternatives that would suffice.
> 
> What is the process for signing things that end up in the OSX App Store?

Getting CouchDB into the Mac OS X App Store would require us to statically
link all of Erlang and SpiderMonkey into the Mac OS X bundle, as the
guidelines do not allow fork(). It is certainly possible, but at this
point probably not something we want to spend too much time on right away.

> Would we want to try and get CouchDB in there, or just stick with brew?

One thing I’ve been meaning to do is sign the release on our website anyway,
as it will make installing CouchDB easier, even when not pushed through the
App Store. Currently people have to go through a bit of a security dance
before they can “double click and run”. We can make this smooth, but I haven’t
had the time to set this up. I also have done no research as to how it would
work for the ASF to have this set up, as the private key would have to be
shared with anyone who makes builds. For the time being my plan was to use
my own Apple Developer Account and identity to do the signing. If someone
is inclined to figure out how to do this ASF-wide, I’d welcome that, though :)

Best
Jan
-- 




> 
> -Joan

