AFAIK infra has enough karma to purchase small hardware, domains and certificates. If they don't have enough they can escalate it to the board to make sure it happens.
Martijn On Mon, Dec 7, 2009 at 2:56 PM, Greg Brown <[email protected]> wrote: > The problem with waiting until after we graduate is that we'll launch with an > invalid cert signed by Todd, rather than a valid cert signed by the ASF. This > won't leave a good first impression on anyone seeing Pivot for the first time. > > You are probably right that gene...@incubator is probably not the right place > for this discussion, but I think it is at least worth posting the question to > the infra list. I'm guessing that most of the previous discussion around PKI > focused on SSL, etc. - maybe it won't be as difficult to push a code signing > cert. through. > > How are purchase decisions generally handled? Would someone on the infra list > be able to approve something like this, or is there another list I should > also post to? > > Thanks, > Greg > > On Dec 6, 2009, at 11:45 PM, Niclas Hedhman wrote: > >> On Sun, Dec 6, 2009 at 9:33 PM, Greg Brown <[email protected]> wrote: >>> Hello mentors, >>> >>> Back when Pivot first entered the Incubator, I had asked about the >>> availability of an official Apache code signing certificate. Some of our >>> demo and tutorial JARs are signed, but they currently use an unofficial >>> (and expired) certificate Todd had created locally for testing purposes. >>> This doesn't inspire quite as much confidence in the authenticity of the >>> code as we would like. :-) >>> >>> The response at the time was that no such certificate currently exists. >>> Once we graduate, do you know if it might be possible to request one? I >>> believe these cost around $500 (US) - is the ASF likely to cover something >>> like this, or do you think we would need to fund it ourselves? >>> >>> FWIW, I actually tried to get both Verisign and Thawte to contribute a >>> certificate a few months back, and I didn't get a reply from either >>> one...maybe I will try again after we graduate. Anyone have any contacts at >>> either place? >> >> PKI is not something to toss around lightly (I am sure you are aware >> of that), and the security conscious individuals at ASF have for long >> ponder over how a PKI at ASF could/should look like. One thing that >> was excluded was an ASF-wide cert available to "many". It has been >> discussed to setup a system where infra "owned" a master cert, from >> which they signed certs of "verified individual committers/officers". >> The problem is/was that this has not been high on the agenda, since >> for "releases" the PGP approach of "web of trust" has been considered >> both sufficient and superior of centralized PKIs. >> >> My advice is to wait until after graduation and then approach >> infra/board to bring up the usecase/need to see if this can be managed >> to a level of satisfaction "within our lifetime" ;-) Bringing this to >> [email protected] now will just be "messy" and lead to no >> resolution. >> >> >> Cheers >> -- >> Niclas Hedhman, Software Developer >> http://www.qi4j.org - New Energy for Java >> >> I live here; http://tinyurl.com/2qq9er >> I work here; http://tinyurl.com/2ymelc >> I relax here; http://tinyurl.com/2cgsug > > -- Become a Wicket expert, learn from the best: http://wicketinaction.com Apache Wicket 1.4 increases type safety for web applications Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.0
