there may be some issues about signing ASF jars.
AFAIK the sun standard relies on centralized certification rather than a decentralized web of trust. this causes problems for the ASF.
there are no central keys held by apache and used for signing releases. when you download a log4j jar from the mirrors, you (should) check that the signature has been created by my key but when you download regexp, you check that the signature has been created by vadim's key. these keys should be used only for signing downloadable ASF releases and the ASF does not ask you to trust them for any other purpose.
this is a source of strength. if any key is known to be compromised, the ASF can simply replace the signatures and the KEYS file on minotaur. conversely, even if minotaur is compromised then since the private keys used to sign releases are retained by the release managers they can still be trusted.
issuing certificated jars would require a centralized release infrastructure. the ASF would have to issue a single authoritative certificate and could be held responsible for all jars certificated by it.
it's quite possible that all releases would need to be cut centrally by a dedicated team of volunteers and a dedicated, secure machine used to store the private keys.
the ASF infrastructure folks are (rightly) concerned about the security implications of centralized certification. certificates are expensive to obtain and require management. there are also legal questions about who would be entitled to sign releases.
so, though it'd be cool to be able to release signed jars, certificates make things difficult for the ASF.
- robert
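The check robert describes above (verify the download against the release manager's key from the project's KEYS file, and trust that key for nothing else), written out as an added example. This is not code from the thread or from any ASF tooling; it assumes the usual layout of a detached signature file next to each download and a KEYS file fetched from apache.org itself rather than from a mirror. The gpg options are standard GnuPG; the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify an ASF-style release download
# using only the keys published in the project's KEYS file.
#
# Usage:  verify_release log4j.jar log4j.jar.asc KEYS && echo "signature ok"
#         signing_fingerprint log4j.jar log4j.jar.asc KEYS
# (log4j.jar, log4j.jar.asc and KEYS are placeholder names.)

# Import KEYS into a fresh, throwaway GnuPG home directory. Using a separate
# home means nothing from the user's own keyring can make the check pass:
# only a release manager's key listed in KEYS can produce a good signature.
import_keys_into() {
    home=$1
    keys=$2
    gpg --batch --quiet --homedir "$home" --import "$keys" >/dev/null 2>&1
}

# Return 0 when $sig is a good signature over $artifact made by a key in
# $keys, 1 otherwise. GnuPG will print a warning that the key is not
# certified with a trusted signature; that is expected here, because the
# trust comes from having fetched KEYS from the ASF, not from a web of trust.
verify_release() {
    artifact=$1
    sig=$2
    keys=$3
    home=$(mktemp -d) || return 1
    rc=1
    if import_keys_into "$home" "$keys" \
       && gpg --batch --quiet --homedir "$home" --verify "$sig" "$artifact" >/dev/null 2>&1; then
        rc=0
    fi
    rm -rf "$home"
    return $rc
}

# Print the 40-hex-digit fingerprint of the key that actually made the
# signature (from GnuPG's machine-readable VALIDSIG status line), so it can
# be compared by eye with the fingerprint published for that release manager
# in KEYS. Prints nothing if the signature does not verify.
signing_fingerprint() {
    artifact=$1
    sig=$2
    keys=$3
    home=$(mktemp -d) || return 1
    import_keys_into "$home" "$keys"
    gpg --batch --homedir "$home" --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null \
        | awk '$2 == "VALIDSIG" { print $3 }'
    rm -rf "$home"
}
```

Because the throwaway home directory holds nothing but KEYS, a signature made by any other key, including one the downloader happens to trust for e-mail, fails the check; and because KEYS comes from apache.org rather than a mirror, a mirror that swaps both the jar and its .asc still cannot pass it.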
On Friday, September 5, 2003, at 02:03 AM, Paul Smith wrote:
Hi,
On Fri, 2003-09-05 at 10:32, WJCarpenter wrote:
Is there any kind of ASF policy about signing JAR files that are made available for download? For most downloads, there is a companion file with some overall signature to prove the authenticity of the download, but in the particular case of Java JAR files, that leaves a piece of the pie undone.
</snip>
There is definitely every intention of signing the Jars. One of the Log4j companion utilities, Chainsaw, will be delivered using Java Web Start, and that will pretty much require Jar signing much the same way you describe applets and how they complain.
Hopefully we will be able to organise the bits and pieces before the 1.3 release, but maybe not in time.
Thanks for prodding me about this, I need to get started on organising this again.
cheers,
Paul Smith
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
