On 07 Oct 2014, at 01:00 , Joan Touzet <[email protected]> wrote:

> Presented with no bias on my part, but it showed up in my inbox:
>
> https://blogs.apache.org/infra/entry/code_signing_service_now_available
>
> Do we care to use something like this for our Windows binary builds?
> Or are we happy enough to just publish a Windows binary with a checksum?

I can see the advantage in signing Windows binaries here.

I have no experience with what that would mean for us and for the end user, but I assume it is streamlining a user experience and gives a bit of a sense of security?

> If we add Java or Android components in the future, this could extend to
> signing those binaries as well. I am sufficiently naive about those
> environments to not know whether there exist better, freer, more open
> alternatives that would suffice.
>
> What is the process for signing things that end up in the OSX App Store?

Getting CouchDB into the Mac OS X App Store would require us to statically link all of Erlang and Spidermonkey into the Mac OS X bundle, as the guidelines do not allow fork(). It is certainly possible, but at this point probably not something we want to spend too much time on right away.

> Would we want to try and get CouchDB in there, or just stick with brew?

One thing I’ve been meaning to do is sign the release on our website anyway, as it will make installing CouchDB easier, even when not pushed through the App Store. Currently people have to go through a bit of a security dance before they can “double click and run”. We can make this smooth, but I haven’t had the time to set this up.

I also have done no research as to how it would work for the ASF to have this set up, as the private key would have to be shared with anyone who makes builds. For the time being my plan was to use my own Apple Developer Account and identity to do the signing. If someone is inclined to figure out how to do this ASF-wide, I’d welcome that, though :)

Best
Jan
--

>
> -Joan
