From: "William A. Rowe Jr."
Date: Thu, 08 Sep 2011 13:01:35 -0500
To: infrastructure-dev@apache.org
Subject: Re: Signing jars
Message-ID: <4E6902FF.5020709@rowe-clan.net>
References: <4E6035F0.8000104@rowe-clan.net> <4E60C3B5.1020406@rowe-clan.net> <4E60C873.2050001@rowe-clan.net> <4E60CEA5.8030101@rowe-clan.net> <47ADA69D-8564-495C-8BC1-522A6446DF56@apache.org>
Mailing-List: contact infrastructure-dev-help@apache.org; run by ezmlm
Reply-To: infrastructure-dev@apache.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0

On 9/8/2011 9:45 AM, sebb wrote:
>
> So why are we trying to be more careful with the embedded sigs?
> What is it about such sigs that makes it important not to sign the
> release candidates?

Really, the only issue is that the gpg signature, which we verify (as should /all/ downloaders, internal or external ;-), attests to the individual creating the package. The code signing signature is ASF-wide and not tied to a committer.

I publish httpd 2.2.8 and it isn't accepted; I go back and publish httpd 2.2.9, it is accepted, and that is then published by the ASF. To sign the package implies publication/endorsement by the ASF, which wouldn't be true of 2.2.8 in this example.
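The check Rowe says every downloader should perform, as an added example (this is not code from the thread, from ASF infrastructure, or from httpd): a gpg signature only "attests to the individual creating the package" if the verifier confirms which key made it. `gpg --verify` exiting 0 means only that some key in the local keyring produced a valid signature, so the example imports the project's KEYS file into a throwaway keyring and then compares the signing key's primary fingerprint (from gpg's `--status-fd` VALIDSIG line) against the fingerprints declared in KEYS. The KEYS excerpt, fingerprints and status lines below are constructed samples, not real keys or signatures; `verify_release` is a hypothetical wrapper that needs gpg on PATH and is not exercised by the offline sample data.

```python
"""Tie a release signature to a key listed in the project's KEYS file.

Added example, not from the thread or from ASF infrastructure.  All key
material, fingerprints and gpg status lines here are constructed samples.
"""
import os
import re
import subprocess
import tempfile
from typing import Optional, Set

# Constructed excerpt in the shape of an ASF KEYS file (fingerprint is made up).
# In a real file each "pub" block is followed by the armored public key.
KEYS_FILE = """\
pub   4096R/9999AAAA 2011-09-01
      Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
uid                  Example Release Manager <rm@example.org>
sub   4096R/BBBBBBBB 2011-09-01
"""

# Constructed `gpg --status-fd 1 --verify` output: good signature by the key above.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 777788889999AAAA Example Release Manager <rm@example.org>
[GNUPG:] VALIDSIG 111122223333444455556666777788889999AAAA 2011-09-08 1315500000 0 4 0 1 10 00 111122223333444455556666777788889999AAAA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: cryptographically valid, but made by a key NOT in KEYS.
STATUS_UNLISTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Some Other Person <other@example.net>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-09-08 1315500000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: signature does not verify at all.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 777788889999AAAA Example Release Manager <rm@example.org>
"""

FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)")


def keys_file_fingerprints(text: str) -> Set[str]:
    """Return the 40-hex-digit fingerprints declared in a KEYS file."""
    found = set()
    for match in FPR_RE.finditer(text):
        fpr = match.group(1).replace(" ", "").upper()
        if len(fpr) == 40:
            found.add(fpr)
    return found


def signing_fingerprint(status: str) -> Optional[str]:
    """Return the primary-key fingerprint from a VALIDSIG line, or None.

    gpg emits VALIDSIG only for a cryptographically valid signature.  Its last
    field is the primary key's fingerprint (what KEYS files list), which is
    what we want when the release was actually signed with a subkey.
    """
    primary = None
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "BADSIG":
            return None
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            primary = (parts[11] if len(parts) > 11 else parts[2]).upper()
    return primary


def signer_is_listed(status: str, keys_text: str) -> bool:
    """True only if the signature is valid AND its key is declared in KEYS."""
    fpr = signing_fingerprint(status)
    return fpr is not None and fpr in keys_file_fingerprints(keys_text)


def verify_release(artifact: str, signature: str, keys_path: str) -> bool:
    """Hypothetical wrapper: verify using ONLY the keys from keys_path.

    A throwaway --homedir keeps whatever is in ~/.gnupg out of the decision;
    the fingerprint check then ties the signature to a listed release manager.
    Requires gpg on PATH; not run by the offline sample data above.
    """
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)
        subprocess.run(["gpg", "--batch", "--homedir", home, "--import", keys_path],
                       check=True, capture_output=True)
        proc = subprocess.run(["gpg", "--batch", "--homedir", home, "--status-fd", "1",
                               "--verify", signature, artifact],
                              capture_output=True, text=True)
        with open(keys_path, encoding="utf-8", errors="replace") as fh:
            keys_text = fh.read()
        return proc.returncode == 0 and signer_is_listed(proc.stdout, keys_text)


if __name__ == "__main__":
    print("good, listed signer:", signer_is_listed(STATUS_GOOD, KEYS_FILE))
    print("good, unlisted signer:", signer_is_listed(STATUS_UNLISTED, KEYS_FILE))
    print("bad signature:", signer_is_listed(STATUS_BAD, KEYS_FILE))
```

The second sample is the case that a bare exit-status check misses: the signature is valid, gpg says GOODSIG, yet the key is not one the project published, so the artifact is not attributable to a release manager. That is the distinction the thread draws between a committer's gpg signature and an organisation-wide code-signing key.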