incubator-general mailing list archives

From Curt Arnold <carn...@apache.org>
Subject Re: Signing Java Jars, versus Apache Signing of distributed artifacts
Date Tue, 21 Aug 2007 23:41:59 GMT
I'm looking for a resolution to this also.  Chainsaw (a log file  
viewer from the Logging Services project) has been available via  
WebStart from the Logging Services web site for several years but is  
signed by one of the developer's personal certificates.  It doesn't  
seem to fit within the release guidelines (not mirrored, not  
archived, not reproducible) and it seems hard to make it fit.  See  
http://marc.info/?l=log4j-dev&m=118772583611470&w=2 for today's  
discussion.  Using Chainsaw using WebStart would require signing as  
access to local files and the network is pretty much essential to  
operation.

Had a similar situation with log4net which had a .NET strong name key  
that had been used to prepare earlier versions of log4net which had  
been in the exclusive control of one developer which would prevent  
the project from releasing compatible builds if he had been hit by  
the fabled bus.  The strong name key file was encrypted so that it  
could be decrypted by using the signing keys of several of the  
developers and placed in the SVN repo.


