Or, maybe we could submit the artifacts to the web portal and the portal would allow us to log in and vote on whether we deem it worthy of publishing? We could maybe require a minimum number of votes. Once it reaches a certain status (minimum number of +1s or something), the infrastructure team is notified (via email) or it shows up on their screen as something they need to address. Then, they can take the artifacts, give the ASF stamp of approval (sign them) and publish them to the appropriate place. Basically, it'd be a workflow system.

-----Original Message-----
From: James Carman [mailto:[EMAIL PROTECTED]
Sent: Friday, March 03, 2006 8:17 AM
To: 'Jakarta Commons Developers List'; [EMAIL PROTECTED]
Subject: RE: [all] jar signing with jarsigner

I would say that having the infrastructure team, or some other team, do the signing might be a good idea. Maybe there could be a mechanism for us to log in through some web portal and request that certain files be signed and "published" rather than doing it ourselves. Having a jar signed by The Apache Software Foundation (and publishing the ASF certificate) would definitely make it easier for users to make up security policies which allow them to "trust" the code that comes from us (like giving HiveMind the ability to create classes on the fly using Javassist in application servers).

-----Original Message-----
From: Paul Libbrecht [mailto:[EMAIL PROTECTED]
Sent: Friday, March 03, 2006 3:56 AM
To: Jakarta Commons Developers List
Subject: Re: [all] jar signing with jarsigner

As far as I could see such a thing... jar signing would need to happen on Apache server... using some Apache private key... right? Maybe this is a first issue? How would you go to ensure that such a private key is not hacked or copied? Let infrastructure team do the signing?

I suppose that, with Java Web Start, the jar-signing mechanism may request at least one authorization for each signing key...

paul

Sandy McArthur wrote:
> The discussion on signing releases with PGP led me to wonder why jars
> aren't signed with the jarsigner tool? As Java centric as Jakarta is,
> now that I think about it, it seems kind of strange that the "java
> way" of signing code isn't used. I'm not suggesting replacing the PGP
> sigs on releases, jarsigner doesn't do much with tarballs.
>
> Eg: having HttpClient signed would let an admin express with the Java
> security model that a web app cannot open sockets unless it's being
> made by an official version of HttpClient. Or that a webapp cannot
> create temp files except by a signed FileUpload lib.
>
> http://java.sun.com/docs/books/tutorial/security1.2/toolsign/
> http://java.sun.com/j2se/1.3/docs/tooldocs/solaris/jarsigner.html
> --
> Sandy McArthur
>
> "He who dares not offend cannot be honest."
> - Thomas Paine
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
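
The kind of rule described in Sandy McArthur's message, written out as a Java policy file. This is an added example, not part of the original thread; the keystore path, the alias `asf-release`, the host name and the `shop` web application paths are constructed placeholders.

```policy
// Constructed example: keystore path, alias, host and codeBase values are placeholders.

// Keystore holding the certificate that the signedBy alias below refers to.
keystore "file:${user.home}/trust/asf-release.jks", "JKS";

// Outbound connections are granted only to the HttpClient jar, and only
// when that jar carries a valid signature from the "asf-release" key.
grant signedBy "asf-release",
      codeBase "file:${catalina.base}/webapps/shop/WEB-INF/lib/commons-httpclient.jar" {
    permission java.net.SocketPermission "api.example.org:443", "connect,resolve";
};

// Temp-file access is granted only to a signed FileUpload jar.
grant signedBy "asf-release",
      codeBase "file:${catalina.base}/webapps/shop/WEB-INF/lib/commons-fileupload.jar" {
    permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
};

// The web application's own classes get no SocketPermission and no
// FilePermission on the temp directory.
grant codeBase "file:${catalina.base}/webapps/shop/WEB-INF/classes/-" {
    permission java.util.PropertyPermission "file.encoding", "read";
};
```

The access check covers every protection domain on the call stack, so a request that starts in the unsigned web application classes is still denied unless the signed library performs the operation inside `AccessController.doPrivileged`. The Security Manager that enforces policy files like this one has been deprecated for removal since Java 17 (JEP 411).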
