maven-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benson Margulies <bimargul...@gmail.com>
Subject Re: Eclipse plugins and X.509 signatures
Date Wed, 31 Aug 2011 17:32:42 GMT
On Wed, Aug 31, 2011 at 10:52 AM, Igor Fedorenko <igor@ifedorenko.com> wrote:
> Beware that Eclipse P2 does not like self-signed certificates all that much.

Gah. That's a pretty good reason to punt and just do the detached PGP
sigs to make the release police happy.

Unless someone wants to help me convince the board to pay for a
commercial cert and come up with a way to deploy it as they do at the
Eclipse foundation.



>
> [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=340345
>
> --
> Regards,
> Igor
>
> On 11-08-31 10:42 AM, Benson Margulies wrote:
>>
>> I've been helping Vincent&  Hervé push Vincent's Eclipse plugins for
>> Doxia file formats towards a release. I've got a tentative plan for
>> code-signing and I felt that it should be exposed on the dev list.
>>
>> Eclipse uses standard Java X.509 JAR signing. The Apache Directory
>> project also distributes Eclipse plugins, and handles this as follows:
>>
>> 1) They use a self-signed X.509 signature. In my view, the way to do
>> this consistent with Apache process is to have each person serving as
>> RM on this stuff generate their own and check the public key into the
>> tree.
>>
>> 2) They also attach the usual sort of PGP detached signature files to
>> all the files that they distribute. We can't do this with Maven in
>> this case, at least not very well.
>>
>> I'm going to proceed down this line unless someone objects. Note that
>> the ASF infrastructure site has some web pages that suggest the
>> existence of an X.509 CA, but I can't find any evidence so far that it
>> is alive.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
>> For additional commands, e-mail: dev-help@maven.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> For additional commands, e-mail: dev-help@maven.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


Mime
View raw message