On 2011-08-17, Piers Williams wrote:

> On 10 August 2011 23:38, Stefan Bodewig <bode...@apache.org> wrote:
>> This seems to be consensus by now by pretty much all Open Source
>> projects in the .NET space. Just hand out your signing key so people
>> can create their own patch builds - as they can do for any other
>> platform as well. There is absolutely zero security attached to that
>> key if used that way, but that doesn't matter since our releases are
>> signed using OpenPGP and we provide hashes of everything.

>> I'd propose to not keep the signing key of future releases secret but
>> simply keep the full keypair inside the source tree.

> I'm unconvinced that handing out the key like that is a good idea, though I
> quite understand why people have started to do it.

> Either way, in the case that a project *doesn't*, an app.config /
> machine.config binding redirect to your forked version (mapping the
> different hash, version etc...) works just fine for keeping the
> 3rd party dependencies happy.

At the danger of embarrassing myself: it's been my understanding that
binding redirects can be used to redirect from one version of an
assembly with a given publicKeyToken to another but not from one token
to another.

What does a binding redirect look like if I want to redirect from
publicKeyToken="hash1" to publicKeyToken="hash2"?

Stefan
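
For reference, the shape of the app.config binding redirect discussed in this thread, as an added example that is not part of either message. The assembly name, token and version numbers are constructed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <!-- Identifies the assembly the redirect applies to. The
             publicKeyToken is part of this identity, so it is stated
             once and covers both the old and the new version.
             "Some.Library" and the token are placeholders. -->
        <assemblyIdentity name="Some.Library"
                          publicKeyToken="0123456789abcdef"
                          culture="neutral" />
        <!-- bindingRedirect takes only oldVersion (a single version or
             a range) and newVersion. It has no attribute for naming a
             second publicKeyToken. -->
        <bindingRedirect oldVersion="1.0.0.0-1.2.9.0"
                         newVersion="1.2.10.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
```

Because the token appears only in assemblyIdentity, a redirect written this way maps version to version for one strong-name identity.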