incubator-general mailing list archives
From Niclas Hedhman <nic...@hedhman.org>
Subject Re: apache binary distributions
Date Sat, 22 Aug 2015 03:37:30 GMT
Cool.
I can't find info on "how much" it costs ASF, any pointers before embarking
on 100+ artifact signing spree... ;-)

On Fri, Aug 21, 2015 at 12:35 AM, William A Rowe Jr <wrowe@rowe-clan.net>
wrote:

> On Thu, Aug 20, 2015 at 8:09 AM, Niclas Hedhman <niclas@hedhman.org>
> wrote:
>
> > On Thu, Aug 20, 2015 at 1:06 AM, William A Rowe Jr <wrowe@rowe-clan.net>
> > wrote:
> >
> > > There are some special things here we do have absolute control over.
> If a
> > > project wants to provide the 'official' build, why not start signing
> > the .jar?
> >
> > Good idea, but to be practical to users, the certificate for the signing
> > needs to be part of the certificate chain of the JVM (otherwise those
> would
> > be needed to be installed on every host). I don't know how willing infra
> > would be to support PKI at ASF for this, otherwise many projects will be
> > limited due to cost (I could be wrong by now and that there are totally
> > free CAs)
> >
>
> That infrastructure now exists through code signing service by Symantec.
> One PMC member (or more) gets their own unique log in, pushes the artifact
> (.jar, in this example) to the service and is returned a signed artifact
> reflecting the ASF providence.
>
> The interesting thing is the actual cert is unique to the object, so if it
> is discovered that it was compromised, the signature can be revoked (good
> luck having sig revocations active at boot time, but otherwise this is
> quite useful.) And because there is a history, we know who precisely
> requested each object signing.
>
-- 
Niclas Hedhman, Software Developer
http://zest.apache.org - New Energy for Java
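As an added example (not from this thread, and not ASF or Symantec code), the following Java program checks the property William and Niclas are discussing: that every entry in a JAR is signed, and that each signer's certificate chains to a trust anchor the JVM already ships with, so nothing has to be installed on every host. It uses only the standard `java.util.jar` and `java.security.cert` APIs; the `--revocation` flag, the `JarSignatureCheck` class name and the `verify`/`validateSigner` helper names are this example's own choices, and enabling revocation performs OCSP/CRL lookups that need network access, which is the "revocation at boot time" cost the thread mentions.

```java
// JarSignatureCheck.java -- added example; not code from the thread or any ASF project.
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Timestamp;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class JarSignatureCheck {

    // id-kp-codeSigning extended key usage OID (RFC 5280).
    private static final String EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java JarSignatureCheck <file.jar> [--revocation]");
            System.exit(2);
        }
        boolean revocation = args.length > 1 && "--revocation".equals(args[1]);
        List<String> problems = verify(args[0], defaultTrustAnchors(), revocation);
        if (problems.isEmpty()) {
            System.out.println("OK: every entry is signed and chains to the JVM trust store");
        } else {
            problems.forEach(p -> System.out.println("FAIL: " + p));
            System.exit(1);
        }
    }

    /** The trust anchors the JVM itself ships with (lib/security/cacerts). */
    static Set<TrustAnchor> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore => the JVM default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate root : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(root, null));
                }
            }
        }
        return anchors;
    }

    /** Returns the list of problems found; empty means fully signed with trusted signers. */
    static List<String> verify(String path, Set<TrustAnchor> anchors, boolean checkRevocation) throws Exception {
        List<String> problems = new ArrayList<>();
        try (JarFile jar = new JarFile(path, true)) { // verify=true: digests checked as entries are read
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String name = entry.getName();
                if (entry.isDirectory() || name.startsWith("META-INF/")) continue;
                // Code signers are only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain; a tampered entry throws here */ }
                } catch (SecurityException e) {
                    problems.add(name + ": digest mismatch (" + e.getMessage() + ")");
                    continue;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) { problems.add(name + ": not signed"); continue; }
                for (CodeSigner signer : signers) {
                    try {
                        validateSigner(signer, anchors, checkRevocation);
                    } catch (GeneralSecurityException e) {
                        problems.add(name + ": signer chain rejected: " + e.getMessage());
                    }
                }
            }
        }
        return problems;
    }

    /** PKIX-validates one signer's chain against the anchors, requiring a code-signing EKU. */
    static void validateSigner(CodeSigner signer, Set<TrustAnchor> anchors, boolean checkRevocation)
            throws Exception {
        List<Certificate> path = new ArrayList<>(signer.getSignerCertPath().getCertificates());
        // Signature blocks often embed the root itself; PKIX wants the path to stop just below the anchor.
        X509Certificate last = (X509Certificate) path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);

        PKIXParameters params = new PKIXParameters(anchors);
        X509CertSelector endEntity = new X509CertSelector();
        endEntity.setExtendedKeyUsage(Collections.singleton(EKU_CODE_SIGNING));
        params.setTargetCertConstraints(endEntity);
        // A trusted timestamp lets a signature stay valid after the certificate expires.
        Timestamp ts = signer.getTimestamp();
        if (ts != null) params.setDate(ts.getTimestamp());

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        if (checkRevocation) {
            params.addCertPathChecker((PKIXRevocationChecker) validator.getRevocationChecker());
        } else {
            params.setRevocationEnabled(false);
        }
        validator.validate(certPath, params); // throws CertPathValidatorException on failure
    }
}
```

Run it as `java JarSignatureCheck some-release.jar`; a JAR whose signer certificate is only trusted by a keystore the author installed locally will fail here with a chain-rejected message, which is exactly the situation Niclas describes when a project signs with a certificate outside the JVM's own trust store.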