incubator-flex-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: [MENTOR] InstallApacheFlex AIR app related questions
Date Wed, 18 Jul 2012 04:03:17 GMT

On Jul 17, 2012, at 8:18 PM, Justin Mclean wrote:

> Hi,
> 
>> The recommendation is to sign this binary convenience package in the same way as
>> the binary packages are signed - as a PGP detached signature. You can follow the digital signing
>> discussions on infrastructure-dev in either the archives or by joining the list.
> 
> As AIR apps include their own signing process, wouldn't it be simpler to just sign the
> application once rather than twice? If we only sign the package as above we may want to consider
> the warning message (basically states that the application is from an unknown and untrusted
> source) that is shown when an AIR app is installed for the first time - the normal Apache
> signing process won't change this warning.

Totally correct. The trouble is that The ASF is just determining whether and how it will provide
signing services with apache.org credentials to projects. This is happening slowly on infrastructure-dev.

This project will need to instruct users on how to check a PGP signature for the source and
binary release artifacts on the download page so it is not too much more to also ask that
they check this artifact if they use it.

(Is someone working on the download page?)

(Totally agree that a digital signing certificate is a technically better solution.)

You could ask general@i.a.o about third party signing of this artifact and what that should
mean for where it should be hosted.

Regards,
Dave

> 
> Thanks,
> Justin

