logging-log4net-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Bodewig <bode...@apache.org>
Subject Re: Compiling log4net with strong name and 3rd party dependencies
Date Thu, 18 Aug 2011 05:45:17 GMT
On 2011-08-17, Piers Williams wrote:

> On 10 August 2011 23:38, Stefan Bodewig <bodewig@apache.org> wrote:

>> This seems to be consensus by now by pretty much all Open Source
>> projects in the .NET space.  Just hand out your signing key so people
>> can create their own patch builds - as they can do for any other
>> platform as well.  There is absolutely zero security attached to that
>> key if used that way, but that doesn't matter since our releases are
>> signed using OpenPGP and we provide hashes of everything.

>> I'd propose to not keep the signing key of future releases secret but
>> simply keep the full keypair inside the source tree.

> I'm unconvinced that handing out the key like that is a good idea, though I
> quite understand why people have started to do it.

> Either way, in the case that a project *doesn't*, an app.config /
> machine.config binding redirect to your forked version (mapping the
> different different hash, version etc...) works just fine for keeping the
> 3rd party dependencies happy.

At the danger of embarrassing myself: it's been my understanding that
binding redirects can be used to redirect from one version of an
assembly with a given publicKeyToken to another but not from one token
to another.

What does a binding redirect look like if I want to redirect from
publicKeyToken"hash1" to publicKeyToken"hash2"?


View raw message