www-infrastructure-dev mailing list archives

From Sam Ruby <ru...@intertwingly.net>
Subject Re: Official code signing certificate
Date Sat, 23 Jun 2012 19:26:17 GMT
On Sat, Jun 23, 2012 at 2:39 PM, Rob Weir <robweir@apache.org> wrote:
> On Sat, Jun 23, 2012 at 12:33 PM, Sam Ruby <rubys@intertwingly.net> wrote:
>> On Sat, Jun 23, 2012 at 11:34 AM, Rob Weir <robweir@apache.org> wrote:
>>>
>>> OK.  I agree that this would be much harder for Infra to do code
>>> signing than it would be for the PMCs to do this.
>>
>> I'll note that I said nothing of the sort.
>>
>> To recap: any and all requests for the ASF infrastructure team to
>> provide a web service to sign an arbitrary binary on behalf of the ASF
>> will be rejected.  Instead, projects are encouraged to design a
>> process by which [P]PMCs can request a build of a specified tag from
>> source with the expectation that the outcome will be a signed binary
>> that the project can evaluate and choose to release.
>>
>
> Great.  Thanks for being so definitive on that.
>
> As we all know the PMCs are the ones that already build releases,
> review releases, vote on releases, sign releases, support users with
> the releases and maintain the releases.  So there is some synergy to
> having what amounts merely to a different signing technology devolve
> to the project level as well, where the release diligence already
> occurs.  But out of an abundance of caution I thought it was
> important that we checked with Infra first.  That being done, no
> further questions from me.
>
> Thanks again for your time.

Jürgen, Dennis, despite the fact that Rob feels that he thought it was
important to check with infrastructure after both of you demonstrably
did so, I encourage both of you to continue with your efforts.

> -Rob

- Sam Ruby
