www-infrastructure-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Thu, 16 Aug 2012 15:47:12 GMT

On 8/16/2012 7:52 AM, Mark Thomas wrote:
> I suggest you read the entire thread and then consider offering the
> Infra team generally and Tony specifically an apology.

I have, there is a pdf whitepaper in the archives that Tony can refer
back to, if he were interested.  We have iterated the logic on any
number of occasions in the past year, and I spelled out exactly my
logic on dropping an offer of building an incomplete code signing
service on ASF hardware.  We simply cannot provide the same detail
and control that the Symantec plan offers.

There are two further interactions with Symantec on this subject, one
is for Sam in a position of authority or another to approach Symantec
for the precise details of their offer.  The other is to gather the
implementation details and I suspect that beta access to this service
is going to be required to determine how all the bits can be married
together across various build systems, including Maven.

I'm going to attribute his claim that nobody has provided any detailed
proposal to email overload and a request for collecting that data on
some wiki.

Sorry Tony.  Please point me to the wiki you wish me to use to gather
the relevant email-archived details?

> Om & Dave Fisher asked about signing Adobe Air applications
> Richard Hall stated that the Symantec signing service *does not* support
> Adobe Air but that a code signing cert could be made available.
> Om asked if there has been any progress.
> Tony replied (again) that a concrete proposal needs to be made for an
> ASF hosted signing service for infrastructure to consider. Some ideas
> have been floated but there has not yet been a proposal in sufficient
> level of detail for infrastructure to evaluate.
> The Symantec service may solve some problems but it is not a panacea.

Agreed in part (Apple being a huge enigma).  But if Apple certs are per
Apple ADC developer, we have far fewer issues than dealing with org sigs.
This becomes the equivalent of GPG keys.
