www-infrastructure-dev mailing list archives

From Sam Ruby <ru...@intertwingly.net>
Subject Re: Official code signing certificate
Date Sat, 23 Jun 2012 14:12:19 GMT
On Sat, Jun 23, 2012 at 9:48 AM, Rob Weir <robweir@apache.org> wrote:
> This could be done, e.g., with a signing web service or command line
> service available via ssh.   Access controls are limited to
> PMC-designated Release Managers.  (Web service would be easier to
> integrate into a build).  Log everything, send signing actions to
> appropriate Infra or project commit lists, etc.

And that will inevitably lead to somebody someday signing something
that has a trojan or a virus or something else undesirable, and
thereby retroactively make worthless our signature on all artifacts.

Just so we don't simply rehash over and over again this material, I'll
close with a few pointers:




- Sam Ruby
