On 2011-08-12, Curt Arnold wrote:

> On Aug 11, 2011, at 12:16 AM, Stefan Bodewig wrote:

>> Right now I'd lean towards making breaking changes for a 1.3.x line of
>> releases and using the new key there, I'm not sure whether signing those
>> with the old key would be useful at all.

> The following email describes a situation where a new log4net signed
> with the existing key would be very handy.

Yes, I know. Getting out a new release containing those bug fixes using
the existing key should be a top priority. Questions like "what
platforms do we want to support" can come later.

> We'd need to nuance the message so that most people who don't have a
> need for the drop in compatible old-key signed assemblies link against
> the new key signed binaries.

Or one that doesn't have a strong name at all.

> If we are disclosing a common unsecret key, then the need to
> address every platform nuance is much reduced and we can just direct
> someone who needs a build for a specific variant of .NET or Mono to
> build it themselves.

Right, that's why I proposed to not keep the new key secret - secret
keys and open source simply don't match.

I do understand that some existing users may have some (false, TBH)
ideas about security attached to the old key and thus you don't want to
disclose that as well - even though it would simplify the migration a
lot (there wouldn't be any sort of migration at all).

Stefan