Hey all,

I’m planning a change to the Mac downloads for CouchDB with the 3.0 release.

Since Apple will require their variant of code signing called Notarization
for all software that is supposed to run on the next version of macOS, and
since I assume we want to continue to run on those systems, we need to go
about this.

I’m happy to offer my company (Neighbourhoodie) to be the arbiter for signing
the Mac binaries, since that is infrastructure that we already have in place
and we don’t have to try and figure out how to do this within the ASF.

To make sure folks aren’t weirded out by getting binaries signed by an org
that is not the ASF, I propose to move the actual binary downloads to our
company website and link to that from c.a.o for folks who want to download.
That page can then explain the circumstances and we can make sure nobody is
spooked by the experience.

Joan tells me that similar shenanigans are on the horizon for Windows, so
I suggest we’ll just do this in one go now. That, plus NH is effectively
funding the development and maintenance of the binary downloads, so we may
as well embrace them properly.

The binaries will be hosted on a highly available object store on the public
internet and we’ll cover all uptime and bandwidth usage considerations. And
the repos that lead to the creation of the binaries will remain open source
for anyone to validate our work independently.

I don’t think this warrants a vote, but I’m happy to hear about any thoughts
you might have on this.

Best
Jan
—
