Is there any kind of ASF policy about signing JAR files that are made available for download? For most downloads, there is a companion file with some overall signature to prove the authenticity of the download, but in the particular case of Java JAR files, that leaves a piece of the pie undone.
If the classes in the JAR files themselves were signed, whoever provided the download wouldn't be saying anything more than the overall signature says right now. The advantages of signed classes in JAR files are pretty obvious. Signatures are embedded, so you don't have to keep track of a separate signature file. Applet use is simplified since you can avoid pop-ups notifying you about unsigned JAR files; in fact, in some environments, unsigned JARs are forbidden as a matter of policy. Because of the applet situation, we sign some 3rd party JARs with our own key. Needless to say, that's a little dicey since we can't inspect every line of code in the sources for those JARs, but our signature can have the connotation for some people that we have done a rigorous vetting. Really, what we intend to say is merely "we trust ASF, and these are the files we downloaded from ASF". JAR files that are already signed when we download them would cure my anxiety. BTW, we recently noticed that Sun has started signing some of its generally useful JAR files (e.g., mailapi.jar and activation.jar). Until they started doing that, we were in the same boat with their JAR files. -- [EMAIL PROTECTED] (WJCarpenter) PGP 0x91865119 38 95 1B 69 C9 C6 3D 25 73 46 32 04 69 D6 ED F3 --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
