www-infrastructure-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Official code signing certificate
Date Wed, 13 Jun 2012 21:41:21 GMT

That would certainly simplify matters.

Unfortunately, it does not appear to make sense in the case of Apache OpenOffice where authentic
binaries for use by end users are pretty much an essential quality of the brand.

And the podling is indeed shipping binaries (with 4 *million* downloads of Apache OpenOffice
3.4.0 reached earlier today) whether they qualify as a release in ASF terms or not.  They
are seen as the important part by end-users and the Apache OpenOffice project (and actually,
the ASF) is looked to as their authentic source.

There are authentication mechanisms on the downloadable artifacts of course - sha1 hashes,
external signatures, etc.  This is already happening to ensure the integrity and authenticity
of the downloads.  It just doesn't do anything for the authentication that is performed by
the Windows operating system in the handling of embedded code signatures in the installer
and the installed artifacts.  This authentication and the confidence it inspires is ordinary
and expected in the Microsoft Windows ecosystem.

But still, it could be concluded that the Apache OpenOffice project should get out of the
provision of binaries, especially for Windows, and allow third parties to establish themselves
as reliable providers of such support.  It won't do much for Apache OpenOffice as a brand,
of course.
Is that a desirable outcome?

 - Dennis

-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com] 
Sent: Wednesday, June 13, 2012 13:21
To: infrastructure-dev@apache.org
Subject: Re: Official code signing certificate

Apache does not release binaries.  We release source code that
other people can distribute as binaries, based on their own
secure build environments, their own signatures, and their
own liability for doing so.

