www-infrastructure-dev mailing list archives

From Richard Hall <Richard_H...@symantec.com>
Subject RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Thu, 19 Jan 2012 21:28:26 GMT
Hi -

We often allow multiple choices during the signing process.  Test signings are typically either
issued off of a different Root (untrusted) or issued off the same Root with a small window
of validity (such as 3 days).  Test signings do not usually require any testing (they are
signed immediately), whereas Production signings *could* require testing which would need
approval/rejection before the signing occurs.

The .jar signing service is committed in our next release and will be available on Feb. 13th.

I hope that helps.



-----Original Message-----
From: William A. Rowe Jr. [mailto:wrowe@apache.org] 
Sent: Thursday, January 19, 2012 2:50 PM
To: infrastructure-dev@apache.org; Richard Hall; Dean Coclin; Sam Ruby
Subject: RE: Proposed: Code (.jar/.msi/binaries) Signing Service Offer

Taking a closer look at pg 3...

We will need to consider how this differs from our traditional method of signing.  The flowchart
is fairly clear.  It appears that at any given time authorized users can upload an object
for signing, and obtain back either a dev, test or release signed package.

The question is, for our purposes, will we simply jump straight to the release signed package
for voting?  Or do we want to take advantage of that test flavor?

Perhaps we'll have to put it in motion, either as a beta experiment or simply adopt it.  Because
the ASF is very close to releasing

Any updates on the new .jar signing service features now that we are in 2012?