On 10 August 2011 23:38, Stefan Bodewig <bode...@apache.org> wrote:
>
> This seems to be consensus by now by pretty much all Open Source
> projects in the .NET space. Just hand out your signing key so people
> can create their own patch builds - as they can do for any other
> platform as well. There is absolutely zero security attached to that
> key if used that way, but that doesn't matter since our releases are
> signed using OpenPGP and we provide hashes of everything.
>
> I'd propose to not keep the signing key of future releases secret but
> simply keep the full keypair inside the source tree.
>
> Stefan
>
I'm unconvinced that handing out the key like that is a good idea,
though I quite understand why people have started to do it. Either way,
in the case that a project *doesn't*, an app.config / machine.config
binding redirect to your forked version (mapping the different hash,
version etc...) works just fine for keeping the 3rd party dependencies
happy.

-- 
piers
more pedantry at http://piers7.blogspot.com/
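For readers unfamiliar with the mechanism piers refers to, here is what such an app.config / machine.config redirect looks like. This is an added illustration, not configuration from the thread or from any Apache project; the assembly name `Example.Library`, the public key token, the version numbers and the file path are all made up for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <!-- Fusion binding configuration for the .NET Framework loader. -->
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <!-- Hypothetical assembly identity: name, public key token and
             culture are assumed values for this example. They must match
             exactly what the dependent assemblies were compiled against. -->
        <assemblyIdentity name="Example.Library"
                          publicKeyToken="0123456789abcdef"
                          culture="neutral" />
        <!-- Any request for a 1.x build up to 1.2.0.0 is satisfied by the
             patched 1.2.0.1 build instead. -->
        <bindingRedirect oldVersion="1.0.0.0-1.2.0.0" newVersion="1.2.0.1" />
        <!-- Optional: point the loader at the patched build explicitly
             rather than relying on the GAC or probing path (assumed path). -->
        <codeBase version="1.2.0.1"
                  href="file:///C:/patched/Example.Library.dll" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
```

One practical check before relying on this: the loader treats `name`, `publicKeyToken` and `culture` as the assembly's identity and the `bindingRedirect` element only rewrites the version, so the patched build has to carry the public key token the dependents were compiled against for the redirect to take effect. You can read the token of any signed assembly with `sn.exe -T Example.Library.dll` from the Windows SDK and compare it against the value in `assemblyIdentity`.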