www-infrastructure-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
Date Thu, 16 Aug 2012 20:38:12 GMT

On Aug 16, 2012, at 11:50 AM, Daniel Shahaf wrote:

> Jürgen Schmidt wrote on Thu, Aug 16, 2012 at 08:57:12 +0200:
>> Maybe infrastructure can give me feedback what doesn't work with these
>> proposals. And as typical at Apache if you have concerns (-1) come up
>> with another proposal that fulfills better the needs of infrastructure
> 
> Infra do have veto power over PMCs with respect to solutions that
> involve obtaining and maintaining any sort of central secret (e.g.,
> certificate private key).
> 
> Now, would you quit citing policies of this org to people who had been
> Members thereof before you heard of it?

One of Jürgen's proposals was in essence to have Infrastructure-controlled
buildbots with project-provided setups which would be run by the
Infrastructure team that would include certificates that were under
Infrastructure's control. These buildbots would be based on the project's
CI buildbots. Infrastructure would be given the release tag and would be
able to fully build each of the binary artifacts on the appropriate OS.

Perhaps that would meet Infrastructure's approval?

So far these proposals have been met with lazy -1's. Please tell us what
is wrong with these ideas? This really is a good faith attempt to be
compliant with what we all agree are important policies. Specifically
assuring that the ASF's credibility is not in any way damaged by the
misuse of an apache.org digital signing certificate.

Regards,
Dave


