pivot-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Brown <gkbr...@mac.com>
Subject Re: ASF code signing certificate
Date Mon, 07 Dec 2009 13:56:04 GMT
The problem with waiting until after we graduate is that we'll launch with an invalid cert
signed by Todd, rather than a valid cert signed by the ASF. This won't leave a good first
impression on anyone seeing Pivot for the first time.

You are probably right that general@incubator is probably not the right place for this discussion,
but I think it is at least worth posting the question to the infra list. I'm guessing that
most of the previous discussion around PKI focused on SSL, etc. - maybe it won't be as difficult
to push a code signing cert. through.

How are purchase decisions generally handled? Would someone on the infra list be able to approve
something like this, or is there another list I should also post to?


On Dec 6, 2009, at 11:45 PM, Niclas Hedhman wrote:

> On Sun, Dec 6, 2009 at 9:33 PM, Greg Brown <gkbrown@mac.com> wrote:
>> Hello mentors,
>> Back when Pivot first entered the Incubator, I had asked about the availability of
an official Apache code signing certificate. Some of our demo and tutorial JARs are signed,
but they currently use an unofficial (and expired) certificate Todd had created locally for
testing purposes. This doesn't inspire quite as much confidence in the authenticity of the
code as we would like.  :-)
>> The response at the time was that no such certificate currently exists. Once we graduate,
do you know if it might be possible to request one? I believe these cost around $500 (US)
- is the ASF likely to cover something like this, or do you think we would need to fund it
>> FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate
a few months back, and I didn't get a reply from either one...maybe I will try again after
we graduate. Anyone have any contacts at either place?
> PKI is not something to toss around lightly (I am sure you are aware
> of that), and the security conscious individuals at ASF have for long
> ponder over how a PKI at ASF could/should look like. One thing that
> was excluded was an ASF-wide cert available to "many". It has been
> discussed to setup a system where infra "owned" a master cert, from
> which they signed certs of "verified individual committers/officers".
> The problem is/was that this has not been high on the agenda, since
> for "releases" the PGP approach of "web of trust" has been considered
> both sufficient and superior of centralized PKIs.
> My advice is to wait until after graduation and then approach
> infra/board to bring up the usecase/need to see if this can be managed
> to a level of satisfaction "within our lifetime" ;-)  Bringing this to
> general@incubator.a.o now will just be "messy" and lead to no
> resolution.
> Cheers
> -- 
> Niclas Hedhman, Software Developer
> http://www.qi4j.org - New Energy for Java
> I  live here; http://tinyurl.com/2qq9er
> I  work here; http://tinyurl.com/2ymelc
> I relax here; http://tinyurl.com/2cgsug

View raw message