logging-log4net-user mailing list archives

From Stefan Bodewig <bode...@apache.org>
Subject Re: Compiling log4net with strong name and 3rd party dependencies
Date Fri, 12 Aug 2011 07:34:27 GMT
On 2011-08-12, Curt Arnold wrote:

> On Aug 11, 2011, at 12:16 AM, Stefan Bodewig wrote:

>> Right now I'd lean towards making breaking changes for a 1.3.x line of
>> releases and using the new key there, I'm not sure whether signing those
>> with the old key would be useful at all.

> The following email describes a situation where a new log4net signed
> with the existing key would be very handy.

Yes, I know.

Getting out a new release containing those bug fixes using the existing
key should be a top priority.  Questions like "what platforms do we want
to support" can come later.

> We'd need to nuance the message so that most people who don't have a
> need for the drop in compatible old-key signed assemblies link against
> the new key signed binaries.

Or one that doesn't have a strong name at all.

> If we are disclosing a common unsecret key, then the need to
> address every platform nuance is much reduced and we can just direct
> someone who needs a build for a specific variant of .NET or Mono to
> build it themselves.

Right, that's why I proposed to not keep the new key secret - secret
keys and open source simply don't match.

I do understand that some existing users may have some (false, TBH)
ideas about security attached to the old key and thus you don't want to
disclose that as well - even though it would simplify the migration a
lot (there wouldn't be any sort of migration at all).

Stefan
