On Thu, 23 Oct 2014 18:27:27 -0400 Stephen Joyce <step...@email.unc.edu> wrote:
> The openafs.org website (is that now owned by the Foundation?) provides
> binaries now. One could argue that it's the same risk[1], but that signing
> binaries creates more awareness (but I'm not sure I have the energy to
> think that critically with my current head cold).

I don't think signing of the binaries is the primary risk assumed, since OpenAFS is essentially provided without warranty and the consumer agrees to this as part of their usage. If OpenAFS screws up and eats all your data, well you agreed that you wouldn't sue us (as modified by applicable laws).

The primary risk seems to be protection and usage of the signing certificates. If stolen or abused, it seems reasonable that you should be held liable for any damages incurred by their usage assuming that you didn't take reasonable precautions to prevent theft (and this is where the liability insurance comes into play since you would need to prove/defend this).

Or let's say OpenAFS decides to start signing some other projects as well. Apple would potentially have a case for misuse of the certificate. But, we might disagree. For instance, let's say that there is an OpenAFS fuse-based distribution and the Foundation decides it should sign the OSXFUSE module and distribute this as part of OpenAFS. This is where the lawyers would be involved. Would OSXFUSE be part of OpenAFS? Would we be entitled to distribute it? If Apple wins, who pays for the damages (and legal costs) incurred by Apple?

None of the above has anything to do with whether or not OpenAFS correctly handles data but they are issues involved with being able to sign binaries.

Naturally, IANAL but I stayed at a Holiday Inn Express last night.