What is it with this old/new key?

http://logging.apache.org/log4net/download_log4net.cgi


I can share some thoughts about this new key philosophy, that anyone
should be able to patch it, but I think it is wrong. How can I
validate a package from untrusted sources if they have access to the
'official' private key?

If anyone needs strong named assemblies then that is for a reason. If they
want to have a patchable log4net then they should compile their own version
with their own key.


For example, somebody has created a log4net nuget:
http://nuget.org/packages/log4net

How can I validate if this is an official binary? It could do all sorts of
stuff if everybody can just recompile it and put it on such a big site as
nuget.org.


This is just bad, and my guess is that if the "official release" is not the
old key, you have just killed log4net, as nobody wants to recompile all their
dependencies.

And still, if you want to move to a new 'public' key pair (which as I
mentioned is a bad bad bad thing) then don't create an official 'old' key
binary.

-- 
Ramon
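
The question above, how a consumer can tell which key a downloaded assembly was signed with, comes down to reading the strong-name public key token out of the assembly metadata and comparing it with the token of the key you trust. The following is an added example, not code from this mail or from the log4net project; `ExpectedTokenHex` is a placeholder and must be replaced with the token of the key you actually trust.

```csharp
using System;
using System.Reflection;

// Added example (not from the mail or from log4net): compare the strong-name
// public key token of an assembly on disk with the token of a trusted key.
class StrongNameCheck
{
    // Placeholder, NOT the real log4net token: fill in the token of the key you trust.
    const string ExpectedTokenHex = "0000000000000000";

    static string ToHex(byte[] bytes) =>
        BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();

    // Returns the public key token (16 hex chars) of the assembly at 'path',
    // or null when the assembly is not strong-named at all.
    public static string GetPublicKeyToken(string path)
    {
        byte[] token = AssemblyName.GetAssemblyName(path).GetPublicKeyToken();
        return (token == null || token.Length == 0) ? null : ToHex(token);
    }

    // True only when the assembly carries exactly the expected token.
    public static bool MatchesExpected(string path) =>
        string.Equals(GetPublicKeyToken(path), ExpectedTokenHex,
                      StringComparison.OrdinalIgnoreCase);

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: StrongNameCheck <assembly.dll>");
            return 2;
        }

        string token = GetPublicKeyToken(args[0]);
        if (token == null)
        {
            Console.WriteLine("not strong-named: no public key token");
            return 1;
        }

        Console.WriteLine($"public key token: {token}");
        if (!MatchesExpected(args[0]))
        {
            Console.WriteLine("MISMATCH: assembly was built with a different key");
            return 1;
        }

        Console.WriteLine("token matches the expected key");
        return 0;
    }
}
```

A matching token tells you which key pair signed the assembly; it only tells you who signed it if that key pair's private half is secret. In the situation the mail describes, where the private key is published so that anyone can patch and re-sign, every rebuild by anyone carries the same token, so this check degrades to an identity check and you still need an out-of-band proof of origin, such as the checksums and signatures the project publishes alongside its releases, before trusting a package from a third-party feed.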
