Am Freitag, 24. Mai 2013 um 19:50 schrieb janI:
> Hi. > > we are not alone in ASF wishing code signing, but we might get run over (as > I did today on IRC) if we do not formulate our requirements very clearly. > > decisions are made on mailing lists, correct? That is what I learned at Apache, what not happened on a mailing list, is not relevant ;-) Well it seems that infra is always special. I tried several times to discuss it on the infra mailing list and I believe I have described very clearly what we need and how it works today for OpenOffice if we would have a cert. I also proposed a solution that can work from my point of view and I started to collect the info on a wiki page as suggested. There might be other solutions to do it but I have no in place and nobody convinced me that my proposed approach can not work. I agree that it's not easy and I simply have no energy to discuss further at the moment. I have enough other things to do. Juergen > > rgds > jan I. > > ---------- Forwarded message ---------- > From: Scott Deboy <scott.de...@gmail.com> > Date: 24 May 2013 18:59 > Subject: Re: Official code signing certificate > To: infrastructure-...@apache.org > > > Logging Services has a simple requirement: > > Have the Chainsaw build artifacts signed by a Java code signing cert > that is signed by a trusted/root CA so the jars can be downloaded via > WebStart without the user receiving a warning that the signed jars > aren't trusted. > > The Chainsaw maven script supports signing jars - infra just needs to > point it to the cert. > > I don't know whether or not an ASF-wide Java code signing cert makes > sense or a Logging Services-specific Java code signing cert makes > sense. I don't even know if it is possible to have TLP-specific Java > code signing certs. I defer to infra on that decision. > > I believe the code signing service WRowe described will meet our > requirements. Hopefully infra can spend some time looking at the > service and see how it can meet their requirements. > > Logging Services would like to be a guinea pig for the Java code > signing service WRowe described above. If there are additional > details needed by infra, we are happy to provide them. > > Thanks, > > Scott > > On 4/12/13, sebb <seb...@gmail.com> wrote: > > You are now in http://wiki.apache.org/general/ContributorsGroup > > > > > > On 12 April 2013 17:32, William A. Rowe Jr. <wr...@rowe-clan.net> wrote: > > > > > On Fri, 12 Apr 2013 10:47:29 -0500 > > > "William A. Rowe Jr." <wr...@rowe-clan.net> wrote: > > > > > > > On Tue, 26 Mar 2013 00:56:06 +0200 > > > > Daniel Shahaf <d...@daniel.shahaf.name> wrote: > > > > > > > > > Can you write this all down somewhere? A wiki page maybe > > > > > > > > http://wiki.apache.org/general/ASFCodeSigning > > > > > > Could one of the page editors please grant WilliamARoweJr some > > > karma? I'll document the first-draft approach and the Symantec > > > service-based approach. > > > > > > > > > >
