https://issues.apache.org/ooo/show_bug.cgi?id=125360
--- Comment #3 from Rob Weir <[email protected]> ---

We've had a lot of discussion on this. The issue is not money. Companies generally are happy to donate things like this to Apache. The issue is more of security. We need a way to ensure that only officially approved and reviewed code is signed. But we also need to ensure that the signing key is protected. There is also a big distaste for having a single Apache-wide key that, if compromised, would make a mess of many projects. And we need to do this in a decentralized way. And considering the prominence of this application (over 125 million downloads of Apache OpenOffice) we assume that any automated system we set up for this purpose would be a prestige target for hackers.

This is a question for Windows as well as Mac users, since code signing is used on both platforms.

We think we have a way of doing this now for Windows at least, as described in this blog post from the Apache Infrastructure team:

https://blogs.apache.org/infra/entry/code_signing_service_now_available

Of course, integrating this into the build system will require some work. Extending it to future Mac signing will require more investigation as well as build work.

So, although progress is slow, we're making progress.

We should probably close this issue as RESOLVED/NOTABUG. Follow-up discussion, please, to the mailing list [email protected].
