www-infrastructure-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: Official code signing certificate
Date Wed, 13 Jun 2012 20:27:42 GMT
On Jun 13, 2012, at 1:21 PM, Roy T. Fielding wrote:

> Apache does not release binaries.  We release source code that
> other people can distribute as binaries, based on their own
> secure build environments, their own signatures, and their
> own liability for doing so.

I meant to add that if anyone wants to change that policy,
the first thing they will have to do is create a secure
build environment by which a person under contract with the
ASF can produce a binary artifact, and then a process by
which a distributed group of volunteers can adequately verify
the binaries that were built.

I don't see a reason to pay for certificate authority
before that happens.

