www-infrastructure-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christian Grobmeier (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-3991) Request for code signing certificate
Date Mon, 21 Oct 2013 21:29:43 GMT

    [ https://issues.apache.org/jira/browse/INFRA-3991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13801106#comment-13801106

Christian Grobmeier commented on INFRA-3991:

Ulrich: please be aware that Chainsaw doesn't necessary address "expert users". There are
plenty of people to whom I spoke which were not Java expert but need Chainsaw for their daily
work. For these people we would like to provide a great user experience. We currently work
hard to move Apache Logging into a better light these days and of course a certificate would
help here. As I understood Apache OpenOffice is also in need of such a certificate and their
product is not aiming at expert users too.

Upayavira: if there is anything we can do to help with this issue, we gladly do it. From this
issue I could not understand what I can do to help. Sometimes we just need some help from
the Infra team as they can tell us if it can work, how it works and if we can help with anything.
This is one of these cases.

> Request for code signing certificate
> ------------------------------------
>                 Key: INFRA-3991
>                 URL: https://issues.apache.org/jira/browse/INFRA-3991
>             Project: Infrastructure
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>            Reporter: Scott Deboy
>            Assignee: Tony Stevenson
> The Logging Services project provides a WebStart-deployed Swing application, Chainsaw.
 To deploy Chainsaw via WebStart and take advantage of all of its features, the jars that
are downloaded must be signed by a code signing certificate which has been signed by a trusted
root CA.
> It would seem to me it would make sense to have this code signing certificate and associated
keys managed by the ASF and not be a project-specific certificate, so other projects could
take advantage of the same resources.  If you feel it makes more sense to get Logging Services
its own code signing certificate that is managed by the PMC, I'm fine with that as well -
I would just like the issue to be resolved.
> I assume if this resource were an ASF-wide resource, the keys and certificate would be
managed by infra.  If so, I'm not sure what workflow infra would like to use - maybe a jira
issue with release candidate jars and pgp info, and signed jars could be added back to the
same jira?  We don't release often, so just let us know what you would like.
> Our needs are relatively simple, and I understand others may have more complex needs.
 PMC members or the RM could manage self-signed certificates and 'get by', but I would rather
have an official code signing cert provided by ASF itself.

This message was sent by Atlassian JIRA

View raw message