www-infrastructure-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Thu, 16 Aug 2012 12:52:20 GMT
On 16/08/2012 06:38, William A. Rowe Jr. wrote:
> On 8/15/2012 5:20 PM, Tony Stevenson wrote:
>> We, infra, are still waiting for someone to come to us with a proposal on how to
>> deploy this within the bounds we have laid out several times both here and in Jira. We won't
>> just randomly set something up.
> I don't know how it's possible for infra to remain so deaf and ignorant
> to the offers on the table.
> In the Symantec proposal, each artifact is individually audited and
> revocable.  Admin rights remain entirely in infra root's hands (given
> some basic trust to the agency which issues most every code signing
> certificate, every trust model has some issues like this).  Committers
> continue to generate artifacts as they always have and are accountable
> for the bits they sign with ASF credentials, without ever possessing
> the keys to sign arbitrary objects outside of the auditable schema.
> The most sensical proposal is in front of your face, so your statement
> is completely crap.


I suggest you read the entire thread and then consider offering the
Infra team generally and Tony specifically an apology.

Om & Dave Fisher asked about signing Adobe Air applications.

Richard Hall stated that the Symantec signing service *does not* support
Adobe Air but that a code signing cert could be made available.

Om asked if there has been any progress.

Tony replied (again) that a concrete proposal needs to be made for an
ASF hosted signing service for infrastructure to consider. Some ideas
have been floated but there has not yet been a proposal in sufficient
level of detail for infrastructure to evaluate.

The Symantec service may solve some problems but it is not a panacea.

