Do we have a need for signed jars, and are we interested in participating to
make this happen?
Uli
Original Message
Subject: [jira] [Commented] (INFRA-3991) Request for code signing certificate
Date: Thu, 24 Oct 2013 15:34:02 + (UTC)
From: Mark Thomas (JIRA)
To: u...@spielviel.de
[ https://issues.apache.org/jira/browse/INFRA-3991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13804324#comment-13804324 ]
Mark Thomas commented on INFRA-3991:
As an infrastructure volunteer the tasks I choose to work on are selected
based on how much time I have, how interested I am in the topic and whether
it involves cleaning up a mess I am somehow responsible for. Code signing
falls under the category of something I am interested in but it is not a high
priority for me so it gets progressed as and when I have the time.

Back in June I provided an explicit example of how folks could help - reaching
out to Bill Rowe and reconnecting with Verisign (now Symantec). No one did.
Hence progress stalled again.

Back in August I reached out to Bill and got the necessary details. Still
no-one volunteered to make contact with Symantec.

This week I have found some time and have been in touch with Symantec. I've
had a good conversation with them and we have an outline of a way forward.
There are still a lot of details to iron out but at this stage I am hopeful
we'll come up with a solution that works for at least 80% of our use cases.

In terms of helping (to address Christian's question) there is nothing to do
immediately. However, I am likely to be asking for a few interested PMCs
(Tomcat, AOO, Logging) to review some materials in the next few weeks.
Constructive feedback on those materials and possibly joining a conference
call are areas where help will be appreciated. If I think of anything else
that could help progress this, I'll mention it here.

> Request for code signing certificate
>
>
> Key: INFRA-3991
> URL: https://issues.apache.org/jira/browse/INFRA-3991
> Project: Infrastructure
> Issue Type: New Feature
> Security Level: public (Regular issues)
> Reporter: Scott Deboy
> Assignee: Tony Stevenson
>
> The Logging Services project provides a WebStart-deployed Swing application,
> Chainsaw. To deploy Chainsaw via WebStart and take advantage of all of its
> features, the jars that are downloaded must be signed by a code signing
> certificate which has been signed by a trusted root CA.
> It would seem to me it would make sense to have this code signing certificate
> and associated keys managed by the ASF and not be a project-specific
> certificate, so other projects could take advantage of the same resources.
> If you feel it makes more sense to get Logging Services its own code signing
> certificate that is managed by the PMC, I'm fine with that as well - I would
> just like the issue to be resolved.
> I assume if this resource were an ASF-wide resource, the keys and certificate
> would be managed by infra. If so, I'm not sure what workflow infra would
> like to use - maybe a jira issue with release candidate jars and pgp info,
> and signed jars could be added back to the same jira? We don't release
> often, so just let us know what you would like.
> Our needs are relatively simple, and I understand others may have more
> complex needs. PMC members or the RM could manage self-signed certificates
> and 'get by', but I would rather have an official code signing cert provided
> by ASF itself.