Do we have a need for signed jars, and are we interested in participating to make this happen?
Uli

-------- Original Message --------
Subject: [jira] [Commented] (INFRA-3991) Request for code signing certificate
Date: Thu, 24 Oct 2013 15:34:02 +0000 (UTC)
From: Mark Thomas (JIRA) <[email protected]>
To: [email protected]

[ https://issues.apache.org/jira/browse/INFRA-3991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13804324#comment-13804324 ]

Mark Thomas commented on INFRA-3991:
------------------------------------

As an infrastructure volunteer the tasks I choose to work on are selected based on how much time I have, how interested I am in the topic and whether it involves cleaning up a mess I am somehow responsible for. Code signing falls under the category of something I am interested in but it is not a high priority for me so it gets progressed as and when I have the time.

Back in June I provided an explicit example of how folks could help - reaching out to Bill Rowe and reconnecting with Verisign (now Symantec). No one did. Hence progress stalled again.

Back in August I reached out to Bill and got the necessary details. Still no-one volunteered to make contact with Symantec.

This week I have found some time and have been in touch with Symantec. I've had a good conversation with them and we have an outline of a way forward. There are still a lot of details to iron out but at this stage I am hopeful we'll come up with a solution that works for at least 80% of our use cases.

In terms of helping (to address Christian's question) there is nothing to do immediately. However, I am likely to be asking for a few interested PMCs (Tomcat, AOO, Logging) to review some materials in the next few weeks. Constructive feedback on those materials and possibly joining a conference call are areas where help will be appreciated.

If I think of anything else that could help progress this, I'll mention it here.
> Request for code signing certificate
> ------------------------------------
>
> Key: INFRA-3991
> URL: https://issues.apache.org/jira/browse/INFRA-3991
> Project: Infrastructure
> Issue Type: New Feature
> Security Level: public(Regular issues)
> Reporter: Scott Deboy
> Assignee: Tony Stevenson
>
> The Logging Services project provides a WebStart-deployed Swing application,
> Chainsaw. To deploy Chainsaw via WebStart and take advantage of all of its
> features, the jars that are downloaded must be signed by a code signing
> certificate which has been signed by a trusted root CA.
> It would seem to me it would make sense to have this code signing certificate
> and associated keys managed by the ASF and not be a project-specific
> certificate, so other projects could take advantage of the same resources.
> If you feel it makes more sense to get Logging Services its own code signing
> certificate that is managed by the PMC, I'm fine with that as well - I would
> just like the issue to be resolved.
> I assume if this resource were an ASF-wide resource, the keys and certificate
> would be managed by infra. If so, I'm not sure what workflow infra would
> like to use - maybe a jira issue with release candidate jars and pgp info,
> and signed jars could be added back to the same jira? We don't release
> often, so just let us know what you would like.
> Our needs are relatively simple, and I understand others may have more
> complex needs. PMC members or the RM could manage self-signed certificates
> and 'get by', but I would rather have an official code signing cert provided
> by ASF itself.
