After thinking about Igor's observations here and on the bz referenced below, I want to offer an alternative proposal.
At Apache, we want to encourage people to actually validate what they download from us. Given the current state of the X.509 ecosystem and Eclipse, no actual validation will take place if we self-sign, and some might argue that we're in fact assisting spoofers. My alternative proposal is to have no P2 site at all. Instead, simple put a .zip archive of the P2 site onto our regular release site, with the regular PGP signatures. The eclipse installation UI is perfectly happy to consume an archive of a P2 site instead of a URL. It's slightly less convenient for the end-user, but it's potentially a lot more secure. Thoughts? On Wed, Aug 31, 2011 at 10:52 AM, Igor Fedorenko <[email protected]> wrote: > Beware that Eclipse P2 does not like self-signed certificates all that much. > > [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=340345 > > -- > Regards, > Igor > > On 11-08-31 10:42 AM, Benson Margulies wrote: >> >> I've been helping Vincent& Hervé push Vincent's Eclipse plugins for >> Doxia file formats towards a release. I've got a tentative plan for >> code-signing and I felt that it should be exposed on the dev list. >> >> Eclipse uses standard Java X.509 JAR signing. The Apache Directory >> project also distributes Eclipse plugins, and handles this as follows: >> >> 1) They use a self-signed X.509 signature. In my view, the way to do >> this consistent with Apache process is to have each person serving as >> RM on this stuff generate their own and check the public key into the >> tree. >> >> 2) They also attach the usual sort of PGP detached signature files to >> all the files that they distribute. We can't do this with Maven in >> this case, at least not very well. >> >> I'm going to proceed down this line unless someone objects. Note that >> the ASF infrastructure site has some web pages that suggest the >> existence of an X.509 CA, but I can't find any evidence so far that it >> is alive. >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
