www-infrastructure-dev mailing list archives

From Benson Margulies <bimargul...@gmail.com>
Subject Re: Signing jars
Date Mon, 05 Sep 2011 12:11:12 GMT
Sander's email raises the fundamental policy question: "What does an
ASF-wide signature mean?"

There are two possibilities.

1: A signature means that the thing signed is a piece of a fully-voted release.

2: A signature means that the thing signed was produced by an Apache
committer as part of a release process.

If you take option 1, then you have the dilemma between 'voting on the
final bits' and 'not signing until it's voted.'

I think that Bill Rowe's thoughts included, however, what I could call option 3:

3:  A signature means that the thing signed was produced by an Apache
committer as part of a release process. However, at *this url*, you
will find a permanent list of all the signed artifacts that eventually
became part of fully-voted Apache releases.

I am not clear if the Verisign service that Bill described offers some
utility here.

On the other hand, when I started thinking about this last week, I
expected that a global ASF certificate would be rejected for this very
reason. I expected more enthusiasm for a scheme to extend the
'individual responsibility' theory to X.509.

This is what I claim you get if you set up a CA and issue code signing
certificates to individual RMs. In this case, the X.509 certificates
point to a person (whose certificate is issued under the aegis of the
ASF), and we're back to where we are with the PGP signatures.

My concern here was that an intermediate certificate that could
sign new signing certificates would be either (a) prohibitively
expensive, or (b) self-signed, in which case we haven't accomplished
much in the Eclipse ecosystem unless Eclipse.org adds that cert to
their roots.
