logging-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bode...@apache.org
Subject svn commit: r1167050 - /logging/log4net/trunk/log4net.snk.readme
Date Fri, 09 Sep 2011 08:57:27 GMT
Author: bodewig
Date: Fri Sep  9 08:57:27 2011
New Revision: 1167050

URL: http://svn.apache.org/viewvc?rev=1167050&view=rev
Log:
Add some verbiage on old vs new strong name key

Modified:
    logging/log4net/trunk/log4net.snk.readme

Modified: logging/log4net/trunk/log4net.snk.readme
URL: http://svn.apache.org/viewvc/logging/log4net/trunk/log4net.snk.readme?rev=1167050&r1=1167049&r2=1167050&view=diff
==============================================================================
--- logging/log4net/trunk/log4net.snk.readme (original)
+++ logging/log4net/trunk/log4net.snk.readme Fri Sep  9 08:57:27 2011
@@ -3,7 +3,26 @@ Apache log4net Strong Name Key Readme
 
 The log4net release builds are strongly named using the log4net.snk key 
 file.  This key is different from the key used to sign log4net 1.2.10
-and earlier releases.  The key used to sign those older releases is
-not and has never been distributed as part of the log4net source or 
-binary downloads.
+and earlier releases.
 
+Starting with log4net 1.2.11 we've decided to use a key that we don't
+keep secret so you can build a drop-in replacement for an official
+release yourself.  This means that the strong name of a log4net
+assembly no longer provides any means of checking its authenticity.
+The only way to ensure you are using an official release by the Apache
+Software Foundation is by downloading the distribution from the Apache
+log4net download page and verifying the PGP signature of the ZIP
+archive.
+
+The key used to sign those older releases is not and has never been
+distributed as part of the log4net source or binary downloads.
+
+In order to make it easier to migrate from log4net 1.2.10 to newer
+releases log4net 1.2.11 we also provide builds using the key used to
+sign 1.2.10.  We may stop distributing these alternative builds in the
+future.
+
+You should use the binary builds signed with log4net.snk for new
+projects and only use the ones signed with "the old key" if switching
+to the newer builds is not possible because other parts of your
+project depend on the old strong name.



Mime
View raw message