www-infrastructure-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: Official code signing certificate
Date Sat, 23 Jun 2012 18:39:20 GMT
On Sat, Jun 23, 2012 at 12:33 PM, Sam Ruby <rubys@intertwingly.net> wrote:
> On Sat, Jun 23, 2012 at 11:34 AM, Rob Weir <robweir@apache.org> wrote:
>> OK.  I agree that this would be much harder for Infra to do code
>> signing than it would be for the PMCs to do this.
> I'll note that I said nothing of the sort.
> To recap: any and all requests for the ASF infrastructure team to
> provide a web service to sign an arbitrary binary on behalf of the ASF
> will be rejected.  Instead, projects are encouraged to design a
> process by which [P]PMCs can request a build of a specified tag from
> source with the expectation that the outcome will be a signed binary
> that the project can evaluate and choose to release.

Great.  Thanks for being so definitive on that.

As we all know, the PMCs are the ones that already build releases,
review releases, vote on releases, sign releases, support users with
the releases and maintain the releases.  So there is some synergy to
having what amounts merely to a different signing technology devolve
to the project level as well, where the release diligence already
occurs.  But out of an abundance of caution I thought it was
important that we checked with Infra first.  That being done, no
further questions from me.

Thanks again for your time.


> - Sam Ruby
