incubator-ooo-dev mailing list archives

From Andre Fischer <awf....@gmail.com>
Subject Re: [VOTE] Apache OpenOffice Community Graduation Vote
Date Tue, 28 Aug 2012 07:43:48 GMT
On 27.08.2012 20:02, Jim Jagielski wrote:
> And so I get back to my question... How is this new "requirement" substantially
> different from the kind of signing we do today?

My mother could do one but not the other.

-Andre

>
> And please notice the word "substantially".
>
> On Aug 27, 2012, at 1:52 PM, Dennis E. Hamilton <orcmid@apache.org> wrote:
>
>> There is a missing distinction here.
>>
>> The discussion about signed binaries is not about external signatures of the kind
>> used by release managers and others, nor about the external digests and signatures that might
>> be obtained in conjunction with a download.
>>
>> The signing of code that I am talking about, and that others are talking about (at
>> least in part), has to do with embedded signatures that consumer operating systems notice
>> and check and that are part of the artifact.  These signatures are used (and typically required
>> for application certification) by Microsoft, Apple, Adobe, and others.  The requirement for
>> them is not decreasing.
>>
>> The discussion with regard to trust and the presumed reputation of the signer has
>> merit, but it is not satisfied by external signatures in the case of download distributions
>> to modern consumer platforms.
>>
>> - Dennis
>>
>> PS: I love it that when recognized authorities ask that a discussion be moved off
>> of a particular list and then everyone piles on that list with a vengeance.  This message
>> is *not* being copied to general@ i.a.o.
>>
>> -----Original Message-----
>> From: Joe Schaefer [mailto:joe_schaefer@yahoo.com]
>> Sent: Monday, August 27, 2012 10:07
>> To: general@incubator.apache.org
>> Cc: ooo-dev@incubator.apache.org
>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>
>> Which better agrees with written policy anyway- the sigs
>> are part of the release package to be voted on and voted on
>> by the PMC, so even tho it constitutes individual sigs
>> those sigs (well at least the RM's sig) are PMC-approved.
>>
>>
>>
>>
>> ----- Original Message -----
>>> From: Greg Stein <gstein@gmail.com>
>>> To: general@incubator.apache.org
>>> Cc: "ooo-dev@incubator.apache.org" <ooo-dev@incubator.apache.org>
>>> Sent: Monday, August 27, 2012 1:03 PM
>>> Subject: Re: [VOTE] Apache OpenOffice Community Graduation Vote
>>>
>>> On Aug 27, 2012 9:57 AM, "Jim Jagielski" <jim@jagunet.com>
>>> wrote:
>>>> ...
>>>> But recall in all this that even when the PMC releases code, it is
>>>> signed by the individual RM, and not by the PMC itself.
>>>
>>> Apache Subversion releases tend to have a half-dozen signatures. Thus, I'd
>>> say they are signed by the PMC. For example:
>>>
>>> https://dist.apache.org/repos/dist/release/subversion/subversion-1.7.6.tar.bz2.asc
>>>
>>> Cheers,
>>> -g
>>>
>>
>

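Dennis's distinction above, as an added example that is neither his code nor the project's: an embedded signature is part of the artifact itself, so a consumer OS finds it by walking the file's own headers rather than looking for a detached .asc beside the download. The Python below locates the Authenticode certificate table in a PE image, and builds a constructed PE32+ header (with placeholder bytes standing in for real PKCS#7 SignedData) to contrast a signed and an unsigned file; it reports where the embedded signature lives and does not verify it.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the Attribute Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds PKCS#7 SignedData (Authenticode)


def embedded_signature(pe: bytes):
    """Locate the embedded Authenticode table of a PE image; None if there is none.
    A detached .asc beside the download is never consulted: the signature the OS
    checks is stored inside the file, at the offset recorded in this directory."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header (20 bytes)
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)         # PE32 vs PE32+ directory offset
    if dir_base is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", pe, opt + dir_base - 4)[0]
    entry = opt + dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if IMAGE_DIRECTORY_ENTRY_SECURITY >= num_dirs or entry + 8 > opt + size_opt:
        return None
    offset, size = struct.unpack_from("<II", pe, entry)   # a raw file offset, not an RVA
    if size == 0:
        return None
    if size < 8 or offset + size > len(pe):               # malformed table: refuse, don't trust
        raise ValueError("security directory points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)  # WIN_CERTIFICATE
    return {"offset": offset, "size": size, "revision": revision, "type": cert_type,
            "pkcs7": pe[offset + 8:offset + min(length, size)]}


def build_sample_pe(pkcs7=None) -> bytes:
    """Constructed PE32+ headers (not a runnable binary), optionally with a WIN_CERTIFICATE
    that wraps the constructed `pkcs7` bytes where real SignedData would sit."""
    opt_size = 240                                        # PE32+ header, 16 data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew at 0x3C -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    cert = b""
    if pkcs7 is not None:
        cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert += b"\0" * (-len(cert) % 8)                  # table entries are 8-byte aligned
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(dos) + len(coff) + opt_size, len(cert))
    return dos + coff + bytes(opt) + cert
```

Note that a table whose offset or size points past the end of the file is rejected rather than trusted; a real verifier then goes on to check the PKCS#7 blob against the image hash, which this example leaves to the OS.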