www-infrastructure-dev mailing list archives

From Jesse McConnell <jmcconn...@apache.org>
Subject Re: Official code signing certificate
Date Wed, 13 Jun 2012 20:37:23 GMT
On Wed, Jun 13, 2012 at 3:27 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> On Jun 13, 2012, at 1:21 PM, Roy T. Fielding wrote:
>> Apache does not release binaries.  We release source code that
>> other people can distribute as binaries, based on their own
>> secure build environments, their own signatures, and their
>> own liability for doing so.
> I meant to add that if anyone wants to change that policy,
> the first thing they will have to do is create a secure
> build environment by which a person under contract with the
> ASF can produce a binary artifact, and then a process by
> which a distributed group of volunteers can adequately verify
> the binaries that were built.

The Eclipse Foundation has such a setup and it is a bit of a palaver
to deal with.  It is not technically part of a formal build process
but something that can be pointed at their funky p2 repository setup
and that churns out signed goop... which makes it something that can be
wedged into build processes.  They restrict execution of the signer
script to their Hudson instance and certain committers on a case-by-case
basis.

I only mention this to show that another open source foundation _is_
doing this and you could always talk to their webmaster Denis Roy
about their setup if you wanted to see a working example.  Not that
it's particularly hard for the ASF to get something like that in place.

Personally I rather like Roy's response about Apache strictly focusing
on releasing 'source'.  Eclipse has some funky hybrid approach and it's
often not clear what 'release' means over there.

jesse mcconnell