www-infrastructure-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Signing jars
Date Thu, 08 Sep 2011 18:01:35 GMT
On 9/8/2011 9:45 AM, sebb wrote:
> So why are we trying to be more careful with the embedded sigs?
> What is it about such sigs that makes it important not to sign the
> release candidates?

Really, the only issue is that the gpg signature, which we verify
(as should /all/ downloaders, internal or external ;-) attests to
the individual creating the package.

The code signing signature is ASF-wide and not tied to a committer.

I publish httpd 2.2.8, and it isn't accepted; I go back and publish
httpd 2.2.9, it is accepted, and that is then published by the ASF.
To sign the package implies publication/endorsement by the ASF,
which wouldn't be true of 2.2.8 in this example.
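The downloader-side check the message refers to, as an added example that is not code from this thread or from the ASF: verify a release's detached gpg signature against the project's published KEYS file in a throwaway keyring, so that only a key the project actually lists can vouch for the artifact. Everything here is constructed (a throwaway release manager key, a second key deliberately left out of KEYS, a fake foo-1.0.tar.gz); the function names verify_release and demo are my own, and the script assumes gpg 2.2 or later is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ASF. Assumes gpg 2.2+.
# All keys, files and names below are constructed for the demonstration.

# verify_release KEYS ARTIFACT SIGNATURE
# Returns 0 only if SIGNATURE is a good signature over ARTIFACT made by a
# key listed in KEYS. The isolated keyring means nothing on the user's own
# keyring (or a stray key from a keyserver) can vouch for the file by accident.
verify_release() {
    keys=$1; artifact=$2; sig=$3
    ring=$(mktemp -d) || return 1
    chmod 700 "$ring"
    GNUPGHOME=$ring gpg --batch --quiet --import "$keys" 2>/dev/null || { rm -rf "$ring"; return 1; }
    GNUPGHOME=$ring gpg --batch --verify "$sig" "$artifact"
    rc=$?
    GNUPGHOME=$ring gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$ring"
    return $rc
}

# demo: create a constructed release manager key, sign a constructed artifact,
# export the public key as KEYS, then run the three cases a downloader cares about.
# Returns 0 when all three behave as expected, 3 when gpg is not installed.
demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 3; }
    work=$(mktemp -d) || return 1
    rm_home=$work/rm;       mkdir -m 700 "$rm_home"
    other_home=$work/other; mkdir -m 700 "$other_home"

    # The release manager's key: the individual the gpg signature attests to.
    GNUPGHOME=$rm_home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Manager (constructed) <rm@example.invalid>' default default never
    # A second key that is deliberately NOT published in KEYS.
    GNUPGHOME=$other_home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Someone Else (constructed) <other@example.invalid>' default default never

    printf 'constructed release artifact\n' > "$work/foo-1.0.tar.gz"
    GNUPGHOME=$rm_home gpg --batch --quiet --yes --armor --detach-sign \
        --output "$work/foo-1.0.tar.gz.asc" "$work/foo-1.0.tar.gz"
    GNUPGHOME=$other_home gpg --batch --quiet --yes --armor --detach-sign \
        --output "$work/foo-1.0.tar.gz.other.asc" "$work/foo-1.0.tar.gz"
    # What the project publishes alongside releases: the release managers' public keys.
    GNUPGHOME=$rm_home gpg --batch --quiet --armor --export > "$work/KEYS"

    ok=0
    # 1. Genuine artifact, signed by a key in KEYS: must verify.
    if verify_release "$work/KEYS" "$work/foo-1.0.tar.gz" "$work/foo-1.0.tar.gz.asc"; then ok=$((ok + 1)); fi
    # 2. Artifact altered after signing: must fail (BAD signature).
    cp "$work/foo-1.0.tar.gz" "$work/tampered.tar.gz"; printf 'x' >> "$work/tampered.tar.gz"
    if ! verify_release "$work/KEYS" "$work/tampered.tar.gz" "$work/foo-1.0.tar.gz.asc"; then ok=$((ok + 1)); fi
    # 3. Signature by a key the project never published: must fail (no public key).
    if ! verify_release "$work/KEYS" "$work/foo-1.0.tar.gz" "$work/foo-1.0.tar.gz.other.asc"; then ok=$((ok + 1)); fi

    GNUPGHOME=$rm_home gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME=$other_home gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "cases behaving as expected: $ok of 3"
    [ "$ok" -eq 3 ]
}
```

Case 3 is the one that matters for the point made in the message: a signature only says something when the key that made it is bound to a named release manager through the project's KEYS file, which is exactly why a signature made by some other key, or by a key only found on a keyserver, should not be accepted.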
