logging-log4j-dev mailing list archives

From Paul Smith <psm...@aconex.com>
Subject Re: Chainsaw dependencies on log4j 1.3
Date Wed, 18 Apr 2007 03:58:32 GMT
> The WebStart model appears to use X.509 certificates which route  
> back to a Certificate Authority, hence dealing with Thawte  
> signatories.  Doesn't seem to be any bridge between the GPG model  
> and the X.509 model which would allow us to use our existing GPG  
> code signing keys.  The keys are tied to personal identities, so  
> sharing signing keys as required by the log4net is inappropriate.   
> It should not matter however if Paul signs one release and I sign  
> the next (though my Thawte key is just the freemail variety).

Yep, it would not matter who signed the release.  ALL jars in the  
Webstart package must be signed with the same key though I think.   
Your freemail Thawte certificate is the same type as mine, the only  
difference is that I have had my "full name" verified by 2 other  
Thawte notaries.  For a while there, Chainsaw was signed just with  
'psmith < at > apache.org', but now it shows my full name.  That  
extra detail is probably irrelevant.  If there was an email address  
that could be 'controlled' by the Logging PMC, then perhaps we could  
sign it with a freemail certificate that had that email address in  
it.  Should a member get booted out or something else, the  
certificate could be revoked, and a new one generated by the PMC.   
One wouldn't be able to get a 'Full name' verified by a notary in  
this case though, since there isn't a real person to validate! :)   
The tricky thing is that Thawte freemail is all done online, so not  
sure how to control access to that online account by the PMC if/when  
a rogue member decided to get creative...

> I'm getting dizzy and maybe can find some way to reconcile all  
> this.  I think we have to have our primary distribution means a  
> classic .tar.gz and .zip going through the standard release  
> process.  Whether or how we make a WebStart version available after  
> that is a separate issue.

I definitely think continuing to support the Webstart version is  
worthwhile; it makes upgrades for everyone really easy.  I'm  
obviously not tied to having it signed with my certificate, I just  
happened to be the first one to get one arranged and fight through  
all the stupid keysigning rubbish that Sun has placed on us.
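The constraint discussed above (every JAR in the Webstart package signed with the same key, and the signer identity surviving a change of who cuts the release) is easy to state and easy to get wrong across a multi-JAR distribution. The script below is an added example, not code from the Chainsaw or log4j projects: it opens each JAR, locates the PKCS#7 signature blocks under META-INF (`.RSA`/`.DSA`/`.EC`), pulls the certificates out of the SignedData structure with a minimal DER walker, and reports JARs that are unsigned, carry more than one signer, or are signed by a different certificate than the others. It does not validate the signatures themselves (that is `jarsigner -verify`'s job); it only answers "do these JARs all claim the same signing identity". The sample JARs, certificates and signature bytes are constructed placeholders built in memory so the example runs offline.

```python
import hashlib
import io
import zipfile

# --- minimal DER helpers (used both to parse real signature blocks and to build the sample) ---
def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """Wrap body in a DER TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode one TLV at pos; returns (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1

def certificates_from_pkcs7(blob):
    """Return the DER bytes of every certificate carried in a PKCS#7 SignedData block."""
    tag, content_info, _ = read_tlv(blob, 0)            # ContentInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, oid, pos = read_tlv(content_info, 0)           # contentType OID
    if tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a signedData block")
    tag, wrapper, _ = read_tlv(content_info, pos)       # [0] EXPLICIT SignedData
    _, signed_data, _ = read_tlv(wrapper, 0)
    pos = 0
    for _ in range(3):                                   # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = read_tlv(signed_data, pos)
    tag, cert_set, _ = read_tlv(signed_data, pos)       # certificates [0] IMPLICIT SET OF Certificate
    if tag != 0xA0:
        raise ValueError("signature block carries no certificates")
    certs, pos = [], 0
    while pos < len(cert_set):
        _, _, end = read_tlv(cert_set, pos)
        certs.append(cert_set[pos:end])                  # keep the whole Certificate TLV
        pos = end
    return certs

SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")

def signer_identities(jar_bytes):
    """One frozenset of SHA-256 certificate fingerprints per signature block in the JAR."""
    identities = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(SIG_BLOCK_SUFFIXES):
                certs = certificates_from_pkcs7(z.read(name))
                identities.add(frozenset(hashlib.sha256(c).hexdigest() for c in certs))
    return identities

def check_same_signer(jars):
    """jars: {filename: jar bytes}. Returns a list of problems; empty means all JARs share one signer."""
    problems, signer_of = [], {}
    for name, data in sorted(jars.items()):
        ids = signer_identities(data)
        if not ids:
            problems.append(f"{name}: unsigned")
        elif len(ids) > 1:
            problems.append(f"{name}: signed by more than one certificate")
        else:
            signer_of[name] = next(iter(ids))
    if len(set(signer_of.values())) > 1:
        problems.append("JARs signed by different certificates: " + ", ".join(signer_of))
    return problems

# --- constructed sample input (placeholder certificates and signature bytes, not real X.509/RSA) ---
def fake_pkcs7(cert_der, signature):
    signed_data = der(0x30,
        der(0x02, b"\x01")                                  # version
        + der(0x31, b"")                                    # digestAlgorithms (empty in this sample)
        + der(0x30, der(0x06, OID_DATA))                    # encapContentInfo
        + der(0xA0, cert_der)                               # certificates [0]
        + der(0x31, der(0x30, der(0x04, signature))))       # signerInfos (placeholder)
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))

def fake_jar(cert_der=None, signature=b"", alias="RELEASE"):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/example/Dummy.class", b"\xca\xfe\xba\xbe")
        if cert_der is not None:
            z.writestr(f"META-INF/{alias}.SF", "Signature-Version: 1.0\n")
            z.writestr(f"META-INF/{alias}.RSA", fake_pkcs7(cert_der, signature))
    return buf.getvalue()

CERT_A = der(0x30, b"constructed placeholder certificate A")
CERT_B = der(0x30, b"constructed placeholder certificate B")

def demo():
    """Three bundles: consistent, mixed signers, and one unsigned JAR."""
    consistent = {"chainsaw.jar": fake_jar(CERT_A, b"sig1"), "log4j.jar": fake_jar(CERT_A, b"sig2")}
    mixed = {"chainsaw.jar": fake_jar(CERT_A, b"sig1"), "log4j.jar": fake_jar(CERT_B, b"sig3")}
    partial = {"chainsaw.jar": fake_jar(CERT_A, b"sig1"), "log4j.jar": fake_jar()}
    return check_same_signer(consistent), check_same_signer(mixed), check_same_signer(partial)

if __name__ == "__main__":
    for result in demo():
        print(result or "OK: all JARs share one signing certificate")
```

Fingerprinting the whole certificate set rather than the raw `.RSA` file is deliberate: the signature bytes differ per JAR even under one key, while the certificate (or chain) embedded in the block is what actually identifies the signer. Because the comparison is by certificate, the check also flags the moment a release is re-signed with a renewed or revoked-and-replaced certificate, which is exactly the event the PMC-controlled identity discussed above would need to manage.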

