Hello, what about an organisation assurance by Cacert.
At FOSDEM 2013 there are some discussions with people from cacert. If you need more informations and contacts I will act as an agent. Let me know Kind regards Mechtilde Am 25.05.2013 15:22, schrieb janI: > On 25 May 2013 12:04, Andrea Pescetti <[email protected]> wrote: > >> Dave Fisher wrote: >> >>> The main concern that the ASF has with digitally signing with a >>> singular apache.org certificate for the whole foundation is keeping >>> it in strict control. For some this means physical machines. This is >>> a high bar. >>> I wonder if the ASF would allow AOO to experiment with an >>> OpenOffice.org codesigning certificate? >>> >> >> If there is willingness to experiment on this, for sure the OpenOffice >> project would benefit from it. It is clear what the goal is: it would be >> beneficial to our users if the Windows and Mac binaries were signed, to >> avoid potentially confusing security warnings. And it would be very good to >> have it by version 4.0. And the problem is much more with policy (or, in >> general, with security/infra concerns) than technology. >> > > Seen with infra eyes the major problem is to find a working procedure that > are secure, meaning only few people have access to signing, the discussions > there have been very little on politics > >> >> We never thought we would get the wildcard certificate, but hey who >>> knows? >>> >> >> I thought it was hard, but not impossible. But honestly, it also raised >> fewer concerns than a code-signing certificate. >> >> On May 24, 2013, at 2:43 PM, Rob Weir wrote: >>> >>>> And I should mention that pushing the code signing side is >>>> probably premature until we have the build side more solidly >>>> automated. >>>> >>> >> This has been Infra's approach in the current discussion. For those not >> following that list: see http://mail-archives.apache.**org/mod_mbox/www-** >> infrastructure-dev/<http://mail-archives.apache.org/mod_mbox/www-infrastructure-dev/>(you >> will see the "code signing" thread appearing in most of the recent >> months' archives). >> >> On Fri, May 24, 2013 at 5:01 PM, janI wrote: >>>>> >>>>>> I am sorry I defended our viewpoint, and made this list aware >>>>>> that there are other projects with similar needs. You just >>>>>> managed to kill the messenger, next time this issue is >>>>>> discussed on IRC, I will refer to this thread and keep silent. >>>>>> >>>>> >> No, no need for this. Of course you should discuss options that would be >> beneficial to the OpenOffice project, and it's well-known that you do get >> things done, a lot of them. In this case, the ongoing frustration that you >> see reflected in some messages is due to the fact that the long discussion >> on infra-dev made it clear, so far, that there are infrastructure >> requirements that must be satisfied as a prerequisite for code signing. >> >> So, while code-signing is the ultimate goal, with the current approach we >> would have to get other infrastructure work done before it (namely, improve >> buildbots). Unless we have, or find, a way to work around it to properly >> sign the 4.0 release. >> > > Thx for the kind words. Actually buildbots is only one way of doing this, > and not the way you find in many big companies. In many companies (see > adobe as the example) the built binaries are delivered to a central > signing server, where only very few people have access. The project > guarantees for the quality of the binary being delivered, please remember > using the buildbot it still no guarantee against malicous code, a committer > could easily insert that over time. Connecting buildbot and signing would > mean allowing many people having access to the certificate, which is a risk > in itself. > > A central signing server has many advantages, but one big disadvantage it > puts more load in infra, something they are very nervours about. > > rgds > jan I. > > Regards, >> Andrea. >> >> ------------------------------**------------------------------**--------- >> To unsubscribe, e-mail: >> dev-unsubscribe@openoffice.**apache.org<[email protected]> >> For additional commands, e-mail: [email protected] >> >> >
signature.asc
Description: OpenPGP digital signature
