The WebStart model appears to use X.509 certificates which route back to a Certificate Authority, hence dealing with Thawte signatories. There doesn't seem to be any bridge between the GPG model and the X.509 model which would allow us to use our existing GPG code signing keys. The keys are tied to personal identities, so sharing signing keys as required by log4net is inappropriate. It should not matter, however, if Paul signs one release and I sign the next (though my Thawte key is just the freemail variety).


Yep, it would not matter who signed the release. ALL jars in the Webstart package must be signed with the same key though, I think. Your freemail Thawte certificate is the same type as mine; the only difference is that I have had my "full name" verified by 2 other Thawte notaries. For a while there, Chainsaw was signed just with 'psmith < at > apache.org', but now it shows my full name. That extra detail is probably irrelevant. If there was an email address that could be 'controlled' by the Logging PMC, then perhaps we could sign it with a freemail certificate that had that email address in it. Should a member get booted out or something else, the certificate could be revoked, and a new one generated by the PMC. One wouldn't be able to get a 'Full name' verified by a notary in this case though, since there isn't a real person to validate! :) The tricky thing is that Thawte freemail is all done online, so I'm not sure how to control access to that online account by the PMC if/when a rogue member decided to get creative...

I'm getting dizzy and maybe can find some way to reconcile all this. I think our primary distribution means has to be a classic .tar.gz and .zip going through the standard release process. Whether or how we make a WebStart version available after that is a separate issue.

I definitely think continuing to support the Webstart version is worthwhile; it makes upgrades for everyone really easy. I'm obviously not tied to having it signed with my certificate; I just happened to be the first one to get one arranged and fight through all the stupid keysigning rubbish that Sun has placed on us.

Paul
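The "all jars must be signed with the same key" requirement and the "unsigned entry slipped in after signing" risk discussed above can be checked mechanically before the JNLP is published. The following is an added example, not code from this thread or from the log4j/Chainsaw project; it assumes the JARs referenced by the JNLP are on local disk and are passed as command-line arguments, and the class name and file names are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class WebStartSignerCheck {
    // Leaf X.509 certificates of every signer of the JAR's non-META-INF entries.
    // Throws if any entry is unsigned or fails signature verification.
    static Set<X509Certificate> signersOf(String jarPath) throws IOException {
        Set<X509Certificate> certs = new HashSet<>();
        // verify=true makes JarFile check digests and signatures as entries are read
        try (JarFile jf = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* read to EOF; required before getCodeSigners() */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    throw new SecurityException(jarPath + ": unsigned entry " + e.getName());
                }
                for (CodeSigner s : signers) {
                    // first certificate in the path is the signer's own (leaf) certificate
                    certs.add((X509Certificate) s.getSignerCertPath().getCertificates().get(0));
                }
            }
        }
        return certs;
    }

    // Usage (placeholder file names): java WebStartSignerCheck chainsaw.jar log4j.jar ...
    public static void main(String[] args) throws IOException {
        Set<X509Certificate> expected = signersOf(args[0]);
        for (int i = 1; i < args.length; i++) {
            if (!expected.equals(signersOf(args[i]))) {
                throw new SecurityException(args[i] + " is not signed by the same certificate(s) as " + args[0]);
            }
        }
        System.out.println("OK: all " + args.length + " JARs share the same signer set");
    }
}
```

This verifies signature integrity and signer identity only; certificate chain validity, expiry and revocation are not checked by JarFile and are left to the Web Start client at launch time.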

