www-infrastructure-dev mailing list archives

From Sam Ruby <ru...@intertwingly.net>
Subject Re: Official code signing certificate
Date Sat, 23 Jun 2012 14:12:19 GMT
On Sat, Jun 23, 2012 at 9:48 AM, Rob Weir <robweir@apache.org> wrote:
>
> This could be done, e.g., with a signing web service or command line
> service available via ssh.   Access controls are limited to
> PMC-designated Release Managers.  (Web service would be easier to
> integrate into a build).  Log everything, send signing actions to
> appropriate Infra or project commit lists, etc.

And that will inevitably lead to somebody someday signing something
that has a trojan or a virus or something else undesirable, and
thereby retroactively make worthless our signature on all artifacts.

Just so we don't simply rehash over and over again this material, I'll
close with a few pointers:

http://mail-archives.apache.org/mod_mbox/www-infrastructure-dev/201206.mbox/%3C4FD9A77F.4020309%40googlemail.com%3E

http://mail-archives.apache.org/mod_mbox/www-infrastructure-dev/201206.mbox/%3C015201cd49b0%24ab078180%2401168480%24%40acm.org%3E

https://issues.apache.org/jira/browse/INFRA-3991?focusedCommentId=13399531&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13399531

- Sam Ruby
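The service Rob sketches above (a signing endpoint restricted to PMC-designated release managers, with every signing action logged) can be reduced to a few dozen lines, which also makes Sam's objection concrete: the service signs whatever bytes an authorised requester hands it and never inspects them. The following is an added example written for this archive page, not code from Apache Infrastructure or any ASF project; the type and function names, the `rm-alice` requester and the sample artifact bytes are all constructed for illustration, and an Ed25519 key generated at start-up stands in for the foundation's real signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one record of a signing request, allowed or refused.
type AuditEntry struct {
	When      time.Time
	Requester string
	Artifact  string
	SHA256    string
	Allowed   bool
}

// SigningService is a hypothetical minimal signing service (added example,
// not ASF infrastructure code): an allowlist of release managers, one signing
// key, and an append-only audit log.
type SigningService struct {
	priv     ed25519.PrivateKey
	pub      ed25519.PublicKey
	managers map[string]bool // PMC-designated release managers allowed to sign
	Audit    []AuditEntry    // every signing action, recorded before any key use
}

// NewSigningService generates a fresh Ed25519 key (a stand-in for the real
// foundation key) and loads the release-manager allowlist.
func NewSigningService(managers []string) (*SigningService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	m := make(map[string]bool, len(managers))
	for _, who := range managers {
		m[who] = true
	}
	return &SigningService{priv: priv, pub: pub, managers: m}, nil
}

// Sign returns a detached signature over the artifact bytes, or an error if
// the requester is not an allowlisted release manager. The request is logged
// either way, with the artifact's SHA-256 so the log can be matched against
// what was actually released. Nothing here examines the content: a trojaned
// artifact submitted by an authorised manager is signed exactly like a clean one.
func (s *SigningService) Sign(requester, artifact string, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	allowed := s.managers[requester]
	s.Audit = append(s.Audit, AuditEntry{
		When:      time.Now().UTC(),
		Requester: requester,
		Artifact:  artifact,
		SHA256:    hex.EncodeToString(digest[:]),
		Allowed:   allowed,
	})
	if !allowed {
		return nil, errors.New("signing refused: " + requester + " is not a release manager")
	}
	return ed25519.Sign(s.priv, data), nil
}

// Verify checks a detached signature against the service's public key.
func (s *SigningService) Verify(data, sig []byte) bool {
	return ed25519.Verify(s.pub, data, sig)
}

func main() {
	svc, err := NewSigningService([]string{"rm-alice"})
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample artifact bytes") // constructed input
	sig, err := svc.Sign("rm-alice", "example-1.0.tar.gz", artifact)
	fmt.Println("release manager signed:", err == nil, "verifies:", svc.Verify(artifact, sig))
	_, err = svc.Sign("outsider", "example-1.0.tar.gz", artifact)
	fmt.Println("outsider refused:", err != nil)
	for _, e := range svc.Audit {
		fmt.Printf("%s %s %s sha256=%s allowed=%v\n", e.When.Format(time.RFC3339), e.Requester, e.Artifact, e.SHA256[:16], e.Allowed)
	}
}
```

The audit entry is appended before the key is touched, so a refused or crashed request still leaves a record, and the logged digest is what a project list would receive per signing action. The access control and logging answer "who signed what, when"; they say nothing about whether the bytes deserved a signature, which is the gap Sam points at.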
