Note taken :)

Frank
On 8/30/07, Martijn Dashorst <[EMAIL PROTECTED]> wrote:
>
> An interesting response to a question asked on the incubator list
> (general@) regarding signing releases. If you are a prospective release
> manager, take note!
>
> Martijn
>
> ---------- Forwarded message ----------
> From: William A. Rowe, Jr. <[EMAIL PROTECTED]>
> Date: Aug 30, 2007 8:47 AM
> Subject: [board feedback] Signing Java Jars
> To: [EMAIL PROTECTED]
>
> The board took up this subject briefly at our Aug 29th meeting. Below is
> the board's feedback:
>
> Marshall Schor wrote:
> >
> > Apache signing, to my knowledge, doesn't require use of a certificate
> > authority.
>
> Apache projects post trusted signatories in a KEYS or equivalent file within
> the http://www.apache.org/dist/{project}/ distribution location. You may
> also advertise any key within the http://people.apache.org/ committers view
> by following the instructions on that site for maintaining your .foaf entry.
>
> PGP keys should also be registered at the pgp.mit.edu keyserver, and we ask
> you to countersign one another's keys at an appropriate event, such as the
> ApacheCon key signing events.
>
> However, the board considers any personal signing mechanism to be equivalent
> and appropriate. So signing a tarball with your PGP key, or a jar with your
> Java Code Signing Certificate, or a .NET assembly with a Code Signing Cert
> would all be equivalent. Simply document the trusted certificates in the
> appropriate distribution/download directories, and preferably include some
> short comments or instructions for users to obtain/validate the signatures
> of packages they download.
>
> > I'd be interested to learn if others have gone down the Java JAR signing
> > path, and if so,
> > - is it considered an OK alternative to Apache signing,
>
> Source tarballs should still be signed with your pgp key. Binaries can
> be signed (as appropriate) with your code signing certificate as
> necessary.
>
> > - how did you get a certificate authority to verify ownership of your
> > signing key
>
> If this becomes a frequently used approach and proves to be an issue, the
> board will take up the issue of considering obtaining a signing authority
> certificate and signing individual certificates at some point in the future,
> once a specific proposal is brought to us.
>
> Bill
>
> --
> Buy Wicket in Action: http://manning.com/dashorst
> Apache Wicket 1.3.0-beta3 is released
> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.0-beta3/
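The workflow Bill's reply describes (sign the source tarball with the release manager's PGP key, publish the public key in a KEYS file next to the distribution, and let downloaders validate the detached signature against that file) as an added shell example; it is not part of the original thread or of any Apache project's tooling. The throwaway key, the `example-1.0` tarball, the `rm@example.invalid` identity and the `verify_release` helper are all constructed for the demonstration; only `gpg` and `tar` are required.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sign a release tarball with a
# PGP key, publish the public key in a KEYS file, and verify it as a downloader.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two separate keyrings: the release manager's (holds the private key) and the
# downloader's, which starts empty and learns keys only from the KEYS file.
RM_HOME="$WORK/rm-gnupg"; mkdir -p "$RM_HOME"; chmod 700 "$RM_HOME"
DL_HOME="$WORK/dl-gnupg"; mkdir -p "$DL_HOME"; chmod 700 "$DL_HOME"

# 1. Release manager: generate a throwaway signing key (constructed identity,
#    no passphrase; a real release key would be passphrase-protected).
gpg --homedir "$RM_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Example Release Manager <rm@example.invalid>" default default never

# 2. Build a constructed source tarball standing in for the release artifact.
mkdir -p "$WORK/src/example-1.0"
printf 'hello\n' > "$WORK/src/example-1.0/README"
tar -C "$WORK/src" -czf "$WORK/example-1.0.tar.gz" example-1.0

# 3. Sign it: a detached, ASCII-armoured signature in example-1.0.tar.gz.asc,
#    the form Apache places beside each source tarball.
gpg --homedir "$RM_HOME" --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign "$WORK/example-1.0.tar.gz"

# 4. Publish the public key in KEYS: human-readable key listing followed by the
#    armoured export, which is what gpg --import consumes from the file.
{
    gpg --homedir "$RM_HOME" --list-keys
    gpg --homedir "$RM_HOME" --armor --export
} > "$WORK/KEYS"

# verify_release <tarball> <signature.asc> <KEYS>
# Downloader side: import the project's KEYS file into the empty keyring and
# check the detached signature. Returns 0 only for a good signature made by a
# key that came from KEYS; any tampering with the tarball makes it fail.
verify_release() {
    tarball=$1; sig=$2; keys=$3
    gpg --homedir "$DL_HOME" --batch --quiet --import "$keys" 2>/dev/null
    gpg --homedir "$DL_HOME" --batch --verify "$sig" "$tarball" 2>/dev/null
}

# Show the fingerprint the downloader should compare against KEYS, the
# committer's published key and any countersignatures before trusting it.
gpg --homedir "$DL_HOME" --batch --quiet --import "$WORK/KEYS" 2>/dev/null
gpg --homedir "$DL_HOME" --with-colons --fingerprint 2>/dev/null | awk -F: '$1=="fpr"{print "signing key fingerprint:", $10; exit}'

if verify_release "$WORK/example-1.0.tar.gz" "$WORK/example-1.0.tar.gz.asc" "$WORK/KEYS"; then
    echo "GOOD signature: example-1.0.tar.gz matches its .asc and a key listed in KEYS"
fi
```

Note that `gpg --verify` exits 0 for any cryptographically good signature, even from a key it does not yet trust (it only prints a warning), so the fingerprint comparison against KEYS and the web of trust that Bill describes is a separate step the downloader still has to perform; the KEYS file tells you which keys the project vouches for, the signature only tells you the bytes were signed by one of them.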