www-infrastructure-dev mailing list archives

From jan i <j...@apache.org>
Subject Re: Discussion on enabling users to specify own machines as dynamic hosts
Date Thu, 17 Apr 2014 17:36:19 GMT
On 17 April 2014 18:55, Alex Harui <aharui@adobe.com> wrote:

> On 4/17/14 9:38 AM, "jan i" <jani@apache.org> wrote:
> >On 17 April 2014 18:29, Alex Harui <aharui@adobe.com> wrote:
> >
> >>
> >> I'm not sure Flex will be able to use it since our users really want our
> >> binaries to bundle proprietary build tools and I'm not sure Apache will
> >> ever allow that.
> >>
> >
> >I am very sure that Apache will not sign tools that are not built from
> >our own sources.
> Well, you're not signing the tools, but rather, signing the entire binary
> package right?  What if an Apache project has a binary that bundles a JAR
> that is under Apache License but is not built/hosted at Apache?  Will the
> ASF sign that?

That depends on the project. For AOO I expect we will use double signing
(needed for Windows 8), so we first sign the tools and then the total binary.

I can only give you a personal opinion; in the end legal@ and board@ will
have a lot to say in this matter. We need to allow some jar/dll/so files to
be included, that's for sure, but I do have a problem with how we make sure
they are not infected with a virus.

The purpose of digital signing is that the signer guarantees the content.
How can we guarantee content from a third party? Do we want to take the
risk? I don't know.

> >
> >I assume the Flex project only releases sources, and third party makes the
> >bundling. With/without signing I don't believe ASF allows a project to
> >include category-x tools in a binary that is sent to the public.
> I assume that even with signing, even AOO will still "only release
> sources".

AOO (OpenOffice) releases source, but the majority of people download
binaries and don't care about the sources.

>  Right now there is no third-party for Flex, but one might be
> created.  Right now the Flex convenience binaries have a build script that
> still needs to run that downloads optional stuff.  And we have created an
> Installer application that downloads the category x tools and the
> convenience binary and automates the management of all of those pieces.

> The complaint we got from our users was that because of Apache "rules"
> folks had to separately download the tools, then download the binary, then
> run a script to download other optional dependencies, whereas in the
> pre-Apache days they simply downloaded and uncompressed a package.  The
> installer automates that (it is written in Flex and interprets an Apache
> Ant script).  I suppose we may want to have the installer signed by the
> ASF, but we eventually might rely on some third-party entity to provide a
> complete package as that will be simplest for our users.
I don't see a problem signing the installer, and I personally would prefer
a third party to add their stuff and reship.

But I can also see a way where our parts are digitally signed, and
"add-ons" (meaning non-ASF items) are in an extra package.
That way we do not put the foundation at risk.

Please understand, I am not trying to scare anyone or just be negative; I am
honestly concerned about where we can end up, but I also would like to find a
solution that makes our users (and the projects) happy.

jan I.

> Thanks,
> -Alex
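An added illustration (not code from this thread, nor from AOO or Flex) of the split Jan describes: parts built from the foundation's own sources go under the foundation signature, reviewed non-ASF items go into a separate add-on package, and anything the signer cannot vouch for is never signed. The build tree, the pinned digests, and the HMAC stand-in for the real code-signing tool are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample build tree (path -> bytes); not a real AOO or Flex layout.
BUILD_TREE = {
    "bin/soffice": b"first-party binary built from ASF sources",
    "lib/libhelper.so": b"first-party shared object built from ASF sources",
    "addons/vendor-tool.jar": b"Apache-licensed jar built and hosted elsewhere",
    "addons/mystery.dll": b"third-party dll nobody has reviewed",
}

# Constructed: paths built from our own sources, the only ones the foundation vouches for.
FIRST_PARTY = {"bin/soffice", "lib/libhelper.so"}

# Constructed: SHA-256 digests of third-party items the project reviewed and pinned.
PINNED_THIRD_PARTY = {
    "addons/vendor-tool.jar": hashlib.sha256(
        b"Apache-licensed jar built and hosted elsewhere").hexdigest(),
}


def split_manifests(tree, first_party, pinned):
    """Sort a build tree into three buckets.
    foundation: built from our own sources -> goes under the foundation signature.
    addon: third-party file whose digest matches a reviewed pin -> separate add-on package.
    rejected: unknown file or digest mismatch -> never signed, never shipped.
    """
    foundation, addon, rejected = {}, {}, []
    for path, data in tree.items():
        digest = hashlib.sha256(data).hexdigest()
        if path in first_party:
            foundation[path] = digest
        elif path in pinned and hmac.compare_digest(pinned[path], digest):
            addon[path] = digest
        else:
            rejected.append(path)
    return foundation, addon, rejected


def canonical(manifest):
    """Stable text form of a manifest so the signature covers exactly these files."""
    return "\n".join(f"{p} {d}" for p, d in sorted(manifest.items())).encode()


def sign_manifest(manifest, key):
    """Stand-in for the release signing tool: HMAC-SHA256 over the canonical manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest, key, signature):
    """True only if the manifest is byte-for-byte what was signed."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)
```

The foundation signature then covers only the first-party manifest; a reviewer can see at a glance which bytes the ASF is vouching for and which ship as add-ons.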
