> Assumption: only the "official owner" of log4net should be
> able to sign the log4net.dll assembly with the "official"
> public/private key pair.
That is the key point we need to decide. Does this assumption hold for open source projects? Or should _everything_ required to build an identical copy of the assembly be released? Is the private key part of the source? It is a given that if the private key were to be opened then the identity guarantees of the strong name would be lost. However I believe that this is the same for all Apache projects regardless of which language they are written in.

> Now, as a local user of the log4net assembly I may uncover a
> bug or need to change the code. I have these options:
>
> 1. Report the bug and wait for a fix.
> 2. Fix the bug myself.
> 3. Request the new feature and wait for it to be rolled into
>    the official distribution.
> 4. Add the feature myself (and like someone already
>    mentioned, be a good open source citizen and send that code
>    to the log4net team for consideration).
>
> In the case of (1) and (3) the "signed assembly problem" isn't.
> Eventually I'll get an assembly with the official key pair
> and off I go.
>
> In the case of (2) and (4) I'd have to create my own key pair
> to build my own (hopefully temporary) version of log4net.dll.

This assumes that you have control over the application that uses the library. If you need to rebuild the library, but you cannot rebuild the application that binds to it, then there is nothing you can do. You have to either get a new version of the library signed by the publisher, or get the application vendor to rebuild the library with your changes (and they sign the library with a new key).

At this point I should reiterate that the end user cannot change the binding on their machine - the only local binding redirects allowed are between versions, not between strong names. So in effect the user gets whatever the application developer decides is best for them and they have no option to replace libraries on their machine.
From the application developer's point of view this is a good thing, but from the user's point of view this is curtailing their freedom. This is a form of DRM for application dependencies. Is this in the spirit of open source?

It is the unofficial position of The Apache Software Foundation that the Apache license is compatible with the GPL [1]. The GPL (with its anti-DRM stance) would not see a privately held strong name key as producing a 'free software' product.

[1] http://www.apache.org/foundation/licence-FAQ.html#GPL

Having said all that, I also think that a typical .NET application developer would expect the private key for the strong name of libraries that they are using to be held securely private. After all, that is what they themselves are doing with their private keys, and that is what Microsoft have told them to do. So we need to ensure that we are not going to do anything that will adversely affect the suitability of the log4net library to be used in 3rd party applications.

Cheers,
Nicko
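The point about binding redirects above is easiest to see in an actual app.config. The fragment below is an added illustration, not part of Nicko's message or of the log4net project: a bindingRedirect can move a reference from one version to another, but the assemblyIdentity it sits under names the assembly by name, culture and publicKeyToken, and that token is derived from the public half of the key pair that signed the official build. There is no element that substitutes a different token. The version numbers, the public key token and the file path are placeholders chosen for the example; they are not log4net's real values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <!-- Placeholder values: "log4net" is the real assembly name, but the
           versions, the public key token and the path below are invented
           for this example. -->
      <dependentAssembly>
        <!-- The identity is name + culture + publicKeyToken. The token is a
             hash of the signer's public key, so it is fixed by whoever holds
             the private key that signed the official build. Nothing in this
             file can change it. -->
        <assemblyIdentity name="log4net"
                          publicKeyToken="0123456789abcdef"
                          culture="neutral" />

        <!-- Allowed: every reference to 1.2.0.0 through 1.2.10.0 is
             satisfied by 1.2.11.0 instead. Version is the only part of the
             identity a redirect may change. -->
        <bindingRedirect oldVersion="1.2.0.0-1.2.10.0"
                         newVersion="1.2.11.0" />

        <!-- Optional: tell the runtime where that version lives. The file
             found there must still be signed with the key behind the token
             above; a log4net.dll rebuilt and signed with a new key pair has
             a different token, so the load fails with
             FileLoadException ("The located assembly's manifest definition
             does not match the assembly reference", HRESULT 0x80131040). -->
        <codeBase version="1.2.11.0"
                  href="file:///C:/libs/log4net/1.2.11.0/log4net.dll" />
      </dependentAssembly>

      <!-- Not expressible: "accept log4net signed with my key instead of
           the official one". The only way to bind the application to a
           locally rebuilt, re-keyed log4net.dll is to rebuild the
           application against the new identity, which is exactly the
           situation described in the message above. -->
    </assemblyBinding>
  </runtime>
</configuration>
```

The same rule holds for machine.config and for publisher policy assemblies: each can only remap versions under a fixed identity. A publisher policy assembly must itself be signed with the publisher's key, so even the "official" mechanism for retargeting an application's references stays in the hands of whoever holds the private key.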
