www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benson Margulies <bimargul...@gmail.com>
Subject Re: Official code signing certificate
Date Wed, 13 Jun 2012 20:43:12 GMT
If you look back in the archives, you will find a considerable thread
in which we explored the exact territory of setting up a signature
mechanism for signing Eclipse plugins at Apache. This fed off of an
even older conversation about Windows binaries. This included some
discussion with Eclipse about the potential to add a cert of ours to
their default trust list. We never got as far as Roy's points.

I don't think I'll do the discussion justice by trying to remember and
summarize it. I'm not at all sure that the ideas discussed there would
meet some of the criteria on these threads.


On Wed, Jun 13, 2012 at 4:37 PM, Jesse McConnell <jmcconnell@apache.org> wrote:
> On Wed, Jun 13, 2012 at 3:27 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> On Jun 13, 2012, at 1:21 PM, Roy T. Fielding wrote:
>>
>>> Apache does not release binaries.  We release source code that
>>> other people can distribute as binaries, based on their own
>>> secure build environments, their own signatures, and their
>>> own liability for doing so.
>>
>> I meant to add that if anyone wants to change that policy,
>> the first thing they will have to do is create a secure
>> build environment by which a person under contract with the
>> ASF can produce a binary artifact, and then a process by
>> which a distributed group of volunteers can adequately verify
>> the binaries that were built.
>
> The eclipse foundation has such a setup and it is a bit of a palaver
> to deal with.  It is not technically part of a formal build process
> but something that can be pointed at their funky p2 repository setup
> and that churns out signed goop...which makes it something that can be
> wedged into build processes.  They restrict execution of the signer
> script to their hudson instance and certain committers on a case by
> case basis.
>
> I only mention this to show that another open source foundation _is_
> doing this and you could always talk to their webmaster Denis Roy
> about their setup if you wanted to see a working example.  Not that
> its particularly hard for the ASF to get something like that in place.
>
> Personally I rather like Roy's response about Apache strictly focusing
> on releasing 'source'.  Eclipse has some funky hybrid approach and its
> often not clear what 'release' means over there.
>
> cheers,
> jesse
>
> --
> jesse mcconnell
> jesse.mcconnell@gmail.com

Mime
View raw message