On Thu, Oct 23, 2014 at 1:19 PM, Gary Buhrmaster <gary.buhrmas...@gmail.com>
wrote:

> On Thu, Oct 23, 2014 at 4:02 PM, Andrew Deason <adea...@sinenomine.net>
> wrote:
> ....
> > For all of these situations where the Foundation would provide the
> > ability to sign binaries, there are those legal considerations, then,
> > but also other things. The Foundation needs to have a point of contact
> > for any of these, and needs to go through the process of signing up for
> > the relevant service and buying the relevant certificates/keys, etc. We
> > also need to have a place or person(s) to store the secret keys; if
> > they're not stored securely, they obviously do no good. It also needs to
> > be clear how they will get used to sign the binary releases (who gets
> > access to the keys for signing).
>
> And this is one place things can get "interesting".  Let us imagine
> someone is evil, and their intent is to crack into a major corporation
> that uses OpenAFS.  One might target obtaining that kext signing
> certificate.  Because that key can be used to bypass all of the
> protections that Mac OS X provides.  It is a "key to the kingdom".
>
>
Yes. That's why the kext certificate process is more involved, IMO anyway.

[]


> And that is why a foundation is likely to need (at least)
> Professional Liability Insurance, Directors and Officers
> Insurance, and Product Liability Insurance (as I believe
> Jeff mentioned).
>
> And the costs for those are going to depend on what liabilities
> one is accepting, and what processes one can show are used
> to limit disclosure of any such certificate.  It might even require
> the foundation to run their own signing infrastructure (as
> many large organizations do).  All of which likely requires
> legal and auditor review. Welcome to some of the true costs of
> operating a non-profit in a litigious society.
>
>

> Sure, that scenario might not happen.  One might even
> argue that it is unlikely (and it probably is).  But then again,
> would you want to be the board member individually sued
> if it does, and the foundation does not provide adequate
> D&O insurance?
>

Or the developer, if the builder and/or signer are not otherwise
contractually tied to the foundation's insurance.

Again, seek actual legal advice.


Yup. And that's the summary I'd give about the understanding
Stephen was looking for after Jeff's earlier comments. Jeff
explained what things looked like, legally, for him. It's not FUD. It's
what Jeff is willing to do based on Jeff's lawyer. What someone
else is willing to do should, though, be entered into by that person
only with an understanding of what their liability is, or with the
explicit knowledge that they plan to ignore it and hope for the best.


-- 
D
