xml-general mailing list archives

From: GOMEZ Henri <hgo...@slib.fr>
Subject: RE: Signing Apache XML Projects' code
Date: Tue, 10 Apr 2001 21:36:43 GMT
There was a similar question on the jakarta list.
One possible way is to have the packager sign the binary/source package using their personal PGP key, and make a page with the list of committers'/maintainers'/packagers' PGP public keys you could use for verification.

Note: it's the way the Apache httpd team uses.

Henri Gomez                 ___[_]____
EMAIL : hgomez@slib.fr        (. .)                     
PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
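The same idea carried over to JAR files, as an added example that is not code from this thread or from any Apache project: before shipping an applet, audit every JAR it loads (the applet's own jar plus the xerces and xalan jars from Kevin's message quoted below) and check that each entry is signed and that each signer's certificate fingerprint appears on a published list of trusted packager certificates, the JAR equivalent of the PGP public-key page suggested above. The `JarSignatureAudit` class, the `TRUSTED_FINGERPRINTS` list and its placeholder value are assumptions made for this example; `JarFile`, `JarEntry.getCodeSigners()` and `CodeSigner` are the standard `java.util.jar` / `java.security` APIs (Java 9 or later for `Set.of`).

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: audits JARs against a list of trusted packager certificates.
public class JarSignatureAudit {

    // Hypothetical trusted list, the JAR equivalent of a published page of packager keys:
    // SHA-256 fingerprints (upper-case hex, no separators) of signer certificates.
    // The entry below is a placeholder, not a real fingerprint.
    static final Set<String> TRUSTED_FINGERPRINTS = Set.of(
            "PLACEHOLDER_SHA256_OF_PACKAGER_CERTIFICATE");

    public static final class Report {
        public final String jarPath;
        public final List<String> unsignedEntries = new ArrayList<>();
        public final Set<String> trustedSigners = new LinkedHashSet<>();
        public final Set<String> untrustedSigners = new LinkedHashSet<>();

        Report(String jarPath) { this.jarPath = jarPath; }

        // Ship only when every entry is signed and every signer is on the trusted list.
        public boolean isAcceptable() {
            return unsignedEntries.isEmpty() && untrustedSigners.isEmpty() && !trustedSigners.isEmpty();
        }
    }

    public static Report audit(String jarPath) throws Exception {
        Report report = new Report(jarPath);
        // verify=true: JarFile checks each entry's digest against the signed manifest as it is read;
        // a tampered entry makes the read throw SecurityException instead of passing quietly.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String name = entry.getName();
                // Directories and the manifest/signature files are never themselves signed.
                if (entry.isDirectory() || isSignatureRelated(name)) continue;
                // Signer information is populated only after the entry has been read to the end.
                drain(jar.getInputStream(entry));
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    report.unsignedEntries.add(name);
                    continue;
                }
                for (CodeSigner signer : signers) {
                    // The first certificate in the signer's path is the signing certificate itself.
                    Certificate cert = signer.getSignerCertPath().getCertificates().get(0);
                    String fingerprint = sha256Hex(cert.getEncoded());
                    String subject = (cert instanceof X509Certificate)
                            ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "non-X.509";
                    String label = subject + " [SHA-256 " + fingerprint + "]";
                    if (TRUSTED_FINGERPRINTS.contains(fingerprint)) report.trustedSigners.add(label);
                    else report.untrustedSigners.add(label);
                }
            }
        }
        return report;
    }

    static boolean isSignatureRelated(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF") || upper.endsWith(".SF")
                || upper.endsWith(".RSA") || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    static void drain(InputStream in) throws IOException {
        byte[] buf = new byte[8192];
        try (InputStream s = in) {
            while (s.read(buf) != -1) { /* reading is what triggers digest verification */ }
        }
    }

    static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Usage: java JarSignatureAudit applet.jar xerces.jar xalan.jar
    public static void main(String[] args) throws Exception {
        boolean allOk = true;
        for (String path : args) {
            Report r = audit(path);
            System.out.println(r.jarPath + (r.isAcceptable() ? ": OK" : ": REJECT"));
            r.unsignedEntries.forEach(e -> System.out.println("  unsigned entry: " + e));
            r.untrustedSigners.forEach(s -> System.out.println("  untrusted signer: " + s));
            r.trustedSigners.forEach(s -> System.out.println("  trusted signer: " + s));
            allOk &= r.isAcceptable();
        }
        System.exit(allOk ? 0 : 1);
    }
}
```

Reading each entry to its end is what makes a `JarFile` opened with verify=true compare the entry's digest with the signed manifest, so a modified entry surfaces as a SecurityException rather than being counted as merely unsigned. An unsigned library jar such as the xerces/xalan case shows up as a list of unsigned entries, which is exactly the condition that later produces permission-denied exceptions once the code steps outside the Plug-In's sandbox; an entry signed by a key that is not on the published list is reported separately so the list itself, not just the presence of a signature, is what grants trust.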

>-----Original Message-----
>From: Jake Repp [mailto:JakeR@Ingeniux.com]
>Sent: Tuesday, April 10, 2001 8:59 PM
>To: 'general@xml.apache.org'
>Cc: kjalbert@software.rockwell.com
>Subject: RE: Signing Apache XML Projects' code
>
>Would it be possible to extract all of your jar files into a common directory (your signed applet, xerces and xalan), after which you can jar them all into a single archive which you would then sign with your company's certificate? This way you are saying, "I am representing the validity of this applet and the libraries being used by it". There shouldn't be any legal issues with this, and it might take a while before apache can supply signed jar files.
>
>-Jake Repp
>-----Original Message-----
>From: Shane_Curcuru@lotus.com [mailto:Shane_Curcuru@lotus.com]
>Sent: Tuesday, April 10, 2001 8:59 AM
>To: general@xml.apache.org
>Cc: kjalbert@software.rockwell.com
>Subject: Re: Signing Apache XML Projects' code
>
>Hmmm - interesting question.  While many apache projects sign their distribution, there are a number of other technical and legal issues about signing the jars.  Perhaps someone could refresh me on what the technical things were? (or were those just with the sealed jars, that some people like and some can't use?)
>
>Legally, I'm not sure how we'd get a Thawte RSA certificate.
>
>Basically, the Apache Software Foundation http://www.apache.org/foundation/ is a U.S. corporation (now non-profit by the IRS, too!) that exists to provide a legal base and shield for the code that we all donate to Apache.  The board of directors (made up of Apache 'members' http://www.apache.org/foundation/members.html ) are probably the only people who can either make legal agreements on behalf of Apache, or can actually spend money on behalf of Apache.
>
>So in some ways, it's really a members' decision to think about buying official 'Apache' certificates.  I know there are a bunch of people in the webserver realm who are thinking about a more standardized way to sign code at Apache, but I'm not sure of the status.  One issue would obviously be language-based: signing .jar files is different than signing whole distribution units or C/C++ binary files, etc.
>
>The other option might be for a specific PMC or Apache subproject to get someone to donate the cash to buy a license for that particular group, but I haven't heard of anyone trying that yet.  Again, if there's any sort of legal responsibility that holding the certificate means, I'm not sure how that'd work vis-a-vis all us volunteers and the ASF itself.
>
>Sorry this doesn't sound like much of an answer, but like licensing issues, there are a bunch of little details that make a difference.  One thing that could help is if you could briefly describe your organization's experience at actually getting and using one of these certificates, and other common usage cases of them - that way you can help educate this xml.apache.org community on the issue, so we can start to think about code signing in a more concrete way.
>
>Thanks for the note!
>
>- Shane
>---- you "Albert, Kevin" <kjalbert@software.rockwell.com> wrote ----
>> I have developed an applet using JDK 2 version 1.3, and have signed its jar using an RSA certificate from Thawte that was purchased by my employer.
>>
>> When this signed applet is loaded by the JDK 2 Plug-In, the user is given the option of granting permissions to the applet by the Plug-In's security dialog.  This allows me to distribute the applet without requiring end-users to configure a policy file for the applet.
>>
>> This is all great, except that I am also using the Apache Xerces and Xalan jar files from the applet.  These jars are loaded via the HTML object tag's archive parameter.  When Xerces or Xalan has to go outside of the Plug-In's "sandbox", permission denied exceptions occur because these jars are not signed.
>>
>> I am wondering if the Apache XML Project has an RSA certificate that can be used to sign the Xerces and Xalan jar files.  I would REALLY prefer not to require that all of my end-users configure a policy file so the Xerces and Xalan jars can be trusted.
>>
>> Thanks in advance,
>> Kevin Albert

In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
