Re: [cross-project-issues-dev] signing question

[Denis Roy]

On 01/04/2013 04:35 AM, Glyn Normington wrote: Scott Lewis <sle...@composent.com> wrote: Hi Folks, Until recently, (ECF) has been signing our plugins by 'pushing' our  plugins to eclipse.org (built on our own builder machine...which is  *not* running at eclipse.org).   Apparently this is not the appropriate  way now...rather what Denis indicated was appropriate was to have an  eclipse.org machine 'pull' our unsigned plugins, sign them, and then put  the signed versions somewhere.  I assume that other projects do some/all of their build on non-eclipse  systems...and need to do this as well.  Are there ant scripts and/or  documentation on this 'pull' approach for signing? I'm puzzled by the idea of a machine at eclipse.org pulling from a build machine running, for example, behind a corporate firewall. Maybe someone could clarify what Denis might have been meaning. If the remote build machine is behind a corporate firewall, it is not accessible anonymously by everyone on the planet and is being actively maintained by IT staff, then that gets my two thumbs up.  By all means, put your committer ID's private key there and push all you want. On the other hand, if your remote build machine is running a publicly web-accessible CI system with an open-to-the-world SSH port, I don't feel that the private key to your shell-enabled eclipse.org account is in a safe location.  This is consistent with my position regarding committer private keys on our own publicly web-accessible Hudson instance. If committers really feel that the our CI system should have the ability to push commits to Git and push builds to the downloads area via a committer's account (and I agree, this would be immensely convenient), then we could perhaps consider closing hudson.eclipse.org to the anonymous users, thus requiring a committer account and authentication to access Hudson? Denis Thanksinadvance, Scott fyi Virgo milestones and releases are built on non-eclipse systems. Virgo's signing scripts, which are using the "push" model, were added recently in this commit: http://git.eclipse.org/c/virgo/org.eclipse.virgo.packaging.git/commit/?id=7f149be0b1c6ac54122c5f197876d711e42933d8 _______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev -- Denis Roy Director, IT Services Eclipse Foundation, Inc. -- http://www.eclipse.org/ Office: 613.224.9461 x224 (Eastern time) denis....@eclipse.org

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev