Hi,

Before you ask whether you should sign the jars - ask what you would gain
from it. Many less respectable peeps encourage people to sign files because
it is so easy to subvert.

Without signing, security conscious people often download the source and
rebuild from that. Signing gives them a sense of confidence in the binary
builds which may not be warranted. Worse, signing will sometimes force a few
tools to require a keystore, which often irritates people enough that they
will disable security by default.

If you were to implement this for all projects I would suggest that the key
is contained on another host. When a committer needs to sign something they
jump on daedalus and execute a suid file that sends the jar across the wire,
signs it and brings it back. This key is regenerated at a fixed interval
(every couple of months???), with the old private key being destroyed at the
end of each period.

The reason for this is that if the key is kept on daedalus (even if owned by
root), then once daedalus is compromised so could be all the files (or at
least all the files signed in the current period).

In other words I would suggest that security conscious people download src
drops and compile themselves and not rely on the "safety" of signed binaries.
YMMV of course ;)


Cheers,

Pete

*-----------------------------------------------------*
| "Faced with the choice between changing one's mind, |
| and proving that there is no need to do so - almost |
| everyone gets busy on the proof."                   |
|              - John Kenneth Galbraith               |
*-----------------------------------------------------*
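A sketch of the two-host design from the message above (private key on a separate signing host, one key per period, old key destroyed at rotation) in Go. This is an added example, not code from the post or from any Apache project; it assumes Ed25519 over a SHA-256 digest as a stand-in for jarsigner's X.509/RSA signatures, integer period ids, and a constructed byte string in place of a real jar. The point it demonstrates is the blast radius: revoking a compromised period's key invalidates only what was signed in that period.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Signature records which period's key signed the jar's SHA-256 digest.
type Signature struct {
	Period int
	Sig    []byte
}

// SigningHost models the separate machine holding the private key; only the current period's key exists.
type SigningHost struct {
	period int
	priv   ed25519.PrivateKey
	Pubs   map[int]ed25519.PublicKey // per-period public keys handed to verifiers
}

// Rotate starts a new period: fresh key pair, previous private key discarded.
func (h *SigningHost) Rotate() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if h.Pubs == nil {
		h.Pubs = map[int]ed25519.PublicKey{}
	}
	h.period++
	h.priv, h.Pubs[h.period] = priv, pub
}

// Sign is the remote-signing step: only the jar bytes travel, the private key stays on this host.
func (h *SigningHost) Sign(jar []byte) Signature {
	d := sha256.Sum256(jar)
	return Signature{Period: h.period, Sig: ed25519.Sign(h.priv, d[:])}
}

// Verify is the consumer side: it holds only public keys plus the periods whose key is
// known compromised, and rejects tampered jars and anything signed under a revoked period.
func Verify(pubs map[int]ed25519.PublicKey, revoked map[int]bool, jar []byte, s Signature) bool {
	pub, ok := pubs[s.Period]
	if !ok || revoked[s.Period] {
		return false
	}
	d := sha256.Sum256(jar)
	return ed25519.Verify(pub, d[:], s.Sig)
}
```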

