Agree. On Mon, Oct 28, 2019 at 12:39 PM <reema.tan...@oracle.com> wrote:
> Hi, > > This came up during last release, I had raised an infra ticket for > notarization - INFRA-18790 > <https://issues.apache.org/jira/browse/INFRA-18790>, but it failed with > a long list of errors. > > This needs investigation, I haven't been able to get to it yet. > > So, I agree with Geertjan's suggestion to add note that installer works > for 10.13.x and 10.14.x macOS releases and is pending notarization that > is required for 10.15.x release. > > Thanks, > > Reema > > On 28/10/19 5:43 PM, Geertjan Wielenga wrote: > > We could add on the Download page that the installer for Mac OSX has been > > signed but not notarized ( > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__developer.apple.com_documentation_security_notarizing-5Fyour-5Fapp-5Fbefore-5Fdistribution&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=I_-Y15BecdUmuYLJbvbi0hFUs7JgHZnV_jPFSP8DQF0&m=AU5axCXNKWDQypYO5D1OcvSHUynS_-Wl1_0S-laIHDc&s=e05RMNxX87RB32yCeA9JWFLooi2yfatEqICXh-ffoTw&e= > > ). > > > > Unless Reema has a plan or someone has a plan relating to notarization. > > Since we have it signed and it seems a lengthy Apple-driven process to > > notarize it, I'd argue that so long as we state that clearly, this should > > not be a blocker for releasing the installer. > > > > Gj > > > > On Mon, Oct 28, 2019 at 11:36 AM Carl Mosca <carljmo...@gmail.com> > wrote: > > > >> -1 > >> "Can't be opened because Apple cannot check for malicious software" > >> > >> On Mon, Oct 28, 2019 at 6:26 AM Neil C Smith <neilcsm...@apache.org> > >> wrote: > >> > >>> On Mon, 28 Oct 2019 at 09:54, Eric Barboni <sk...@apache.org> wrote: > >>>> Sha512 and key from Reema is ok it means this can be released on dist. > >>>> Not functional is another point. But Reema can cancel if tester on > >> MacOS > >>> found issue. > >>> > >>> Distribution on dist requires more than that, and we also discussed > >>> requiring more ourselves. The wording that was discussed, that I > >>> thought you said you agreed with, said that all voters must verify all > >>> checksums and keys (including the additional keys in the installers!), > >>> check they function, and verify that they only install artefacts built > >>> from the released sources. I don't see any point in voting on > >>> binaries if we're not requiring checks on all those things that the > >>> PMC must check. > >>> > >>> Anyway, let's not hijack the vote thread further on this. > >>> > >>> I'd like to hear Reema's opinion on pulling and re-voting on macOS > >>> installers because of the notarization issue though. > >>> > >>> Thanks and best wishes, > >>> > >>> Neil > >>> > >>> --------------------------------------------------------------------- > >>> To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org > >>> For additional commands, e-mail: dev-h...@netbeans.apache.org > >>> > >>> For further information about the NetBeans mailing lists, visit: > >>> > https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_NETBEANS_Mailing-2Blists&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=I_-Y15BecdUmuYLJbvbi0hFUs7JgHZnV_jPFSP8DQF0&m=AU5axCXNKWDQypYO5D1OcvSHUynS_-Wl1_0S-laIHDc&s=XYqudrqPACu1wB_McTbfOCSjE5P-TWycb2BM7SRC_8Y&e= > >>> > >>> > >>> > >>> > >> -- > >> Carl J. Mosca > >> > -- Sent from a mobile device. Please excuse any typos.
