Just an FYI, I've raised a ticket with infra expressing interest in code signing.
Not that these would be any better or worse than the other great third party builds out there. And we still have some license clarifications if we include compiled lgpl or especially gpl bindings.

This is also predicated on working up a wix or other .msi schema that is upgradable, this time around. It might be worth baking in available upgrade notification into ApacheMonitor, as well.

But VC14 seems to have started to address my aversion to MS's disdain toward long term msvcrt support (now the universal crt --- shipping in Windows 10 and deployable to older versions) and posix type declarations (they actually have a rational ssize_t for the first time) so this arch finally looks to be worth supporting again.

---------- Forwarded message ----------
Date: Jan 25, 2016 08:28
Subject: [jira] [Apache Infrastructure] Participation in Code Signing by HTTP Server project

> New comment for the request "Participation in Code Signing by HTTP Server project" with key INFRA-11118 has been added...
> Apache Infrastructure - Something else...
> Reference: INFRA-11118
> Participation in Code Signing by HTTP Server project Waiting for Infra
> Mark Thomas
> Today 08:27
> We are still in discussions with Symantec about renewal.
>
> Knowing that httpd is interested in using the service is helpful since that helps us judge whether or not the pricing framework offered by Symantec for the renewal is cost effective for the ASF.
> You can view the full request
> Details
> Description
> Raising a ticket to express interest...
>
> For some time, the value of an ASF shipping Windows httpd binary has been negligible, as various lgpl and gpl components could be combined by other parties and assembled as a more complete version of httpd. It has been a few years since the httpd project has shipped Windows binaries.
>
> With the introduction of code signing, this becomes interesting once again for httpd to ship what are the official sources built for Windows, particularly with the introduction of a persistent runtime in Visual C 14. I'm willing to take this on if the Code signing service agreement can be extended.
>
> Note that an httpd 2.4 package consists of about 48 programs and dynamic libraries, and some 108 modules. Internal to the installer there is a script rewriting binary and the install package itself, for a total of soon to be 160 signed objects per release. Releases of 2.4 occur about 4 times a year with releases of the legacy package (2.2 at present) which occur 2 times a year.
>
> Given the number of components, some batch submission mechanism is required to consider this effort.
>
> Please provide feedback about the commitment to renewing the Symantec service, and I would like to participate in this offering, going forwards, if the commitment is there.
> Component/s
> Codesigning
>
> This message is automatically generated by JIRA Service Desk.
> If you think it was sent incorrectly, please contact your JIRA administrators.
> For more information on JIRA Service Desk, see: http://www.atlassian.com/software/jira/service-desk
