www-legal-discuss mailing list archives

From Greg Stein <gst...@gmail.com>
Subject Re: [jira] [Commented] (LEGAL-174) Creating an Apple Developer Account for distribution of iOS applications in the App Store
Date Mon, 29 Jul 2013 05:22:54 GMT
On Sun, Jul 28, 2013 at 10:31 PM, Yonik Seeley <yonik@lucidworks.com> wrote:
> On Sun, Jul 28, 2013 at 8:19 PM, Greg Stein (JIRA) <jira@apache.org> wrote:
>> Infrastructure would have to hold the certificate, and do the signing.
>> I imagine they would also want to perform the actual build from raw source, to ensure
>> they aren't signing a trojan provided by one of our committers.
>
> Infra building from source seems unnecessary - a PMC voted release
> should be enough.

Nobody can verify a binary. Not PMC Members, nor Infrastructure.

To sign something, in the name of the Apache Software Foundation,
there should be a clear, auditable path (think, "chain of custody")
from the PMC-blessed source to the signed binary.

> Infrastructure should be able to trust that the official releases do

Official releases are only source.

Binaries are provided for convenience.

Cheers,
-g
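As an added illustration of the chain-of-custody requirement in the mail above (example code, not part of the message or of any ASF tooling): a small checker over a constructed provenance record that refuses a signing request unless the offered artifact's hash traces back, through an Infrastructure-performed build, to the PMC-voted source release. Every hash, file name and vote reference in it is constructed sample data.

```python
import copy
import hashlib

# Constructed chain-of-custody record modelled on the path the mail describes:
# PMC-voted source release -> Infrastructure build from that source -> signing.
# Every value below is constructed sample data, not a real Apache release.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

SOURCE_TARBALL = b"constructed contents of example-1.0-src.tar.gz"
BUILT_BINARY = b"constructed contents of example-1.0.ipa"

RECORD = {
    "source_release": {
        "sha256": sha256_hex(SOURCE_TARBALL),
        "vote_thread": "[VOTE] Release example-1.0 (constructed reference)",
    },
    "build": {
        "builder": "infrastructure",          # who ran the build
        "input_sha256": sha256_hex(SOURCE_TARBALL),
        "output_sha256": sha256_hex(BUILT_BINARY),
    },
    "signing_request": {"artifact_sha256": sha256_hex(BUILT_BINARY)},
}

def custody_findings(record: dict, trusted_builders=("infrastructure",)) -> list:
    """Return the reasons the artifact must NOT be signed; an empty list means
    every link from voted source to offered binary is present and consistent."""
    src, build, req = record["source_release"], record["build"], record["signing_request"]
    findings = []
    if not src.get("vote_thread"):
        findings.append("no PMC vote recorded for the source release")
    if build.get("builder") not in trusted_builders:
        findings.append("build not performed by a trusted builder: %r" % build.get("builder"))
    if build.get("input_sha256") != src["sha256"]:
        findings.append("build input is not the voted source release")
    if req["artifact_sha256"] != build.get("output_sha256"):
        findings.append("artifact offered for signing is not the recorded build output")
    return findings

def with_change(record: dict, section: str, key: str, value) -> dict:
    """Deep-copy the record with one field altered (used to model a broken link)."""
    altered = copy.deepcopy(record)
    altered[section][key] = value
    return altered

if __name__ == "__main__":
    print("clean record:", custody_findings(RECORD) or "OK to sign")
```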

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

