On Fri, May 24, 2013 at 5:01 PM, janI <[email protected]> wrote: > On 24 May 2013 22:30, Juergen Schmidt <[email protected]> wrote: > >> >> >> Am Freitag, 24. Mai 2013 um 19:50 schrieb janI: >> >> > Hi. >> > >> > we are not alone in ASF wishing code signing, but we might get run over >> (as >> > I did today on IRC) if we do not formulate our requirements very clearly. >> > >> > >> >> decisions are made on mailing lists, correct? That is what I learned at >> Apache, what not happened on a mailing list, is not relevant ;-) >> Well it seems that infra is always special. >> I tried several times to discuss it on the infra mailing list and I >> believe I have described very clearly what we need and how it works today >> for OpenOffice if we would have a cert. I also proposed a solution that can >> work from my point of view and I started to collect the info on a wiki page >> as suggested. >> There might be other solutions to do it but I have no in place and nobody >> convinced me that my proposed approach can not work. >> I agree that it's not easy and I simply have no energy to discuss further >> at the moment. I have enough other things to do. >> >> Juergen >> > >> > rgds >> > jan I. >> > >> > ---------- Forwarded message ---------- >> > From: Scott Deboy <[email protected]> >> > Date: 24 May 2013 18:59 >> > Subject: Re: Official code signing certificate >> > To: [email protected] >> > >> > >> > Logging Services has a simple requirement: >> > >> > Have the Chainsaw build artifacts signed by a Java code signing cert >> > that is signed by a trusted/root CA so the jars can be downloaded via >> > WebStart without the user receiving a warning that the signed jars >> > aren't trusted. >> > >> > The Chainsaw maven script supports signing jars - infra just needs to >> > point it to the cert. >> > >> > I don't know whether or not an ASF-wide Java code signing cert makes >> > sense or a Logging Services-specific Java code signing cert makes >> > sense. I don't even know if it is possible to have TLP-specific Java >> > code signing certs. I defer to infra on that decision. >> > >> > I believe the code signing service WRowe described will meet our >> > requirements. Hopefully infra can spend some time looking at the >> > service and see how it can meet their requirements. >> > >> > Logging Services would like to be a guinea pig for the Java code >> > signing service WRowe described above. If there are additional >> > details needed by infra, we are happy to provide them. >> > >> > Thanks, >> > >> > Scott >> > >> > On 4/12/13, sebb <[email protected]> wrote: >> > > You are now in http://wiki.apache.org/general/ContributorsGroup >> > > >> > > >> > > On 12 April 2013 17:32, William A. Rowe Jr. <[email protected]> >> wrote: >> > > >> > > > On Fri, 12 Apr 2013 10:47:29 -0500 >> > > > "William A. Rowe Jr." <[email protected]> wrote: >> > > > >> > > > > On Tue, 26 Mar 2013 00:56:06 +0200 >> > > > > Daniel Shahaf <[email protected]> wrote: >> > > > > >> > > > > > Can you write this all down somewhere? A wiki page maybe >> > > > > >> > > > > http://wiki.apache.org/general/ASFCodeSigning >> > > > >> > > > Could one of the page editors please grant WilliamARoweJr some >> > > > karma? I'll document the first-draft approach and the Symantec >> > > > service-based approach. >> > > > >> > > >> > > >> > >> > I am truly sorry that I tried to help....with those 2 replies, I only > forwarded a mail for your information, I will for sure forget all about > code signing, and leave it to the experts. > > During the discussion on IRC, a blog from adobe was thrown in, showing just > how complicated it can be for full time security profs. to ensure the > certificate is not misused. > > I am sorry I defended our viewpoint, and made this list aware that there > are other projects with similar needs. You just managed to kill the > messenger, next time this issue is discussed on IRC, I will refer to this > thread and keep silent. >
Jan, I'm sure we all appreciate your attempt to "defend our viewpoint", but you might not be aware that this has been discussed repeatedly with Infra, since before you were even involved in the project. If there is any frustration expressed it is not with you. The fact that security is hard or that other projects would benefit from code signing -- none of this is news. That doesn't mean that you were wrong to discuss it. It just means that you did not have the information and background that Juergen and I have from trying to push this forward over a much longer period of time. There is a thread with 93 posts on infra-dev on this topic dating back a year. It probably makes sense to read up on what has been discussed previously before as background information. -Rob > rgds > jan I. > >> >> > >> >> >> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
