Dave Fisher wrote:
> The main concern that the ASF has with digitally signing with a
> singular apache.org certificate for the whole foundation is keeping
> it in strict control. For some this means physical machines. This is
> a high bar.
> I wonder if the ASF would allow AOO to experiment with an
> OpenOffice.org codesigning certificate?
If there is willingness to experiment on this, for sure the OpenOffice
project would benefit from it. It is clear what the goal is: it would be
beneficial to our users if the Windows and Mac binaries were signed, to
avoid potentially confusing security warnings. And it would be very good
to have it by version 4.0. And the problem is much more with policy (or,
in general, with security/infra concerns) than technology.
> We never thought we would get the wildcard certificate, but hey who
> knows?
I thought it was hard, but not impossible. But honestly, it also raised
fewer concerns than a code-signing certificate.
On May 24, 2013, at 2:43 PM, Rob Weir wrote:
> And I should mention that pushing the code signing side is
> probably premature until we have the build side more solidly
> automated.
This has been Infra's approach in the current discussion. For those not
following that list: see
http://mail-archives.apache.org/mod_mbox/www-infrastructure-dev/ (you
will see the "code signing" thread appearing in most of the recent
months' archives).
On Fri, May 24, 2013 at 5:01 PM, janI wrote:
> I am sorry I defended our viewpoint, and made this list aware
> that there are other projects with similar needs. You just
> managed to kill the messenger, next time this issue is
> discussed on IRC, I will refer to this thread and keep silent.
No, no need for this. Of course you should discuss options that would be
beneficial to the OpenOffice project, and it's well-known that you do
get things done, a lot of them. In this case, the ongoing frustration
that you see reflected in some messages is due to the fact that the long
discussion on infra-dev made it clear, so far, that there are
infrastructure requirements that must be satisfied as a prerequisite for
code signing.
So, while code-signing is the ultimate goal, with the current approach
we would have to get other infrastructure work done before it (namely,
improve buildbots). Unless we have, or find, a way to work around it to
properly sign the 4.0 release.
Regards,
Andrea.