I'm a little stumped on this one.  It appears that, as of January 2014, 
Oracle's JRE (and maybe others) will simply stop allowing self-signed 
JARs to be run as applets or JWS apps.  I'm not sure why they want to 
make life difficult for open source developers, but it definitely seems 
like they did not have us in mind when they dreamed this up, and I'm not 
sure of a good way around it.  The CA model just does not really fit 
well with open source.  Open source binaries are supposed to be 
reproducible by anyone, not tied to a particular developer, and I 
consider it a point of pride that anyone can check out my build scripts 
from SVN and, assuming they are using the same type of build machine, 
produce identical binaries to the ones I release.  We are a project, not 
a company, and the JARs we produce are intended to be re-signed by a 
company before being deployed in any official capacity.  But for testing 
purposes, there is nothing wrong with a self-signed certificate.  This 
seems like a sweetheart deal for the certificate authorities, at the 
expense of allowing open source code to be easily tested.

There is a certificate authority (Certum) that is offering free code 
signing certificates for use by open source developers, but those are 
unfortunately generated based on individual credentials.  Thus, if I 
signed TurboVNC with one of those certificates, it would pop up my full 
name and address and other vital information every time someone ran the 
TurboVNC Viewer.  Not acceptable.  For starters, it's an invasion of my 
privacy, but it also goes against the principles of open source code 
being a community effort.  What if someone else wanted to generate 
binaries for the project instead of me?  What if anyone who didn't have 
a CSC wanted to build TurboVNC binaries for their own internal testing? 
Further, an individual certificate like that would imply that I was 
legally responsible for the behavior of the app, which is in fact not 
true (the open source licenses explicitly disclaim any warranty.)  It 
just seems like lawsuit bait to sign an app with one's personal name, 
particularly if the app is not yet released and is being provided solely 
for testing.

Any advice?

DRC

_______________________________________________
VirtualGL-Devel mailing list
VirtualGL-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/virtualgl-devel
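As an added example (not from the original post, nor code from the TurboVNC or VirtualGL projects), here is a checker for the reproducibility claim made in the message above: it compares two JARs entry by entry by content hash, ignoring zip timestamps, entry order and the pieces that jarsigner adds or rewrites (META-INF/*.SF, *.RSA/*.DSA/*.EC, and the per-entry sections of MANIFEST.MF), so that an unsigned upstream build and a company's re-signed copy of it compare equal while a JAR whose class bytes were changed is flagged. The sample JARs, package/class names and placeholder "class" bytes are constructed for the example and stand in for real build output.

```python
import hashlib
import io
import zipfile

# Entries a signer adds; everything else in the jar should be untouched by re-signing.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES)


def manifest_main_section(data):
    """jarsigner appends per-entry digest sections to MANIFEST.MF but leaves the
    main attributes (Manifest-Version, Main-Class, ...) alone, so only the main
    section is meaningful when comparing an unsigned jar with a signed one."""
    normalized = data.replace(b"\r\n", b"\n")
    return normalized.split(b"\n\n", 1)[0]


def entry_digests(jar_bytes, ignore_signature=True):
    """Map each file entry to the SHA-256 of its uncompressed content.
    Zip metadata (timestamps, entry order, compression level) is never part of
    the comparison; with ignore_signature the signer's files are skipped and the
    manifest is reduced to its main section."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(info)
            if ignore_signature:
                if is_signature_entry(name):
                    continue
                if name.upper() == "META-INF/MANIFEST.MF":
                    data = manifest_main_section(data)
            digests[name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_jars(a_bytes, b_bytes, ignore_signature=True):
    """Return (identical, differences); differences lists entries missing on one
    side or whose content hash differs, sorted by entry name."""
    a = entry_digests(a_bytes, ignore_signature)
    b = entry_digests(b_bytes, ignore_signature)
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            diffs.append(("only in second", name))
        elif name not in b:
            diffs.append(("only in first", name))
        elif a[name] != b[name]:
            diffs.append(("content differs", name))
    return (not diffs, diffs)


def signers(jar_bytes):
    """Names of signature blocks present (e.g. ['COMPANY'] for META-INF/COMPANY.RSA)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n for n in zf.namelist()
                 if is_signature_entry(n) and not n.upper().endswith(".SF")]
    return sorted({n.split("/", 1)[1].rsplit(".", 1)[0] for n in names})


def build_jar(entries, date_time):
    """Write an in-memory jar with a fixed entry timestamp (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample content; the "class" bytes are placeholders, not real bytecode.
MAIN_MANIFEST = b"Manifest-Version: 1.0\r\nMain-Class: com.turbovnc.vncviewer.VncViewer\r\n\r\n"
CLASS_A = b"\xca\xfe\xba\xbe" + b"A" * 64
CLASS_B = b"\xca\xfe\xba\xbe" + b"B" * 64


def sample_jars():
    """Upstream unsigned build, the same build re-signed elsewhere a week later
    (different timestamps, entry order, extended manifest, signature files), and
    a copy with one class modified."""
    upstream = build_jar([
        ("META-INF/MANIFEST.MF", MAIN_MANIFEST),
        ("com/turbovnc/vncviewer/VncViewer.class", CLASS_A),
        ("com/turbovnc/vncviewer/Viewport.class", CLASS_B),
    ], (2013, 10, 1, 9, 0, 0))
    resigned_manifest = MAIN_MANIFEST + (
        b"Name: com/turbovnc/vncviewer/VncViewer.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
    resigned = build_jar([
        ("META-INF/MANIFEST.MF", resigned_manifest),
        ("META-INF/COMPANY.SF", b"Signature-Version: 1.0\r\n\r\n"),
        ("META-INF/COMPANY.RSA", b"\x30\x82\x00\x00"),
        ("com/turbovnc/vncviewer/Viewport.class", CLASS_B),
        ("com/turbovnc/vncviewer/VncViewer.class", CLASS_A),
    ], (2013, 10, 8, 17, 30, 0))
    tampered = build_jar([
        ("META-INF/MANIFEST.MF", MAIN_MANIFEST),
        ("com/turbovnc/vncviewer/VncViewer.class", CLASS_A),
        ("com/turbovnc/vncviewer/Viewport.class", CLASS_B + b"X"),
    ], (2013, 10, 1, 9, 0, 0))
    return upstream, resigned, tampered


if __name__ == "__main__":
    upstream, resigned, tampered = sample_jars()
    print("upstream vs re-signed:", compare_jars(upstream, resigned))
    print("upstream vs tampered:", compare_jars(upstream, tampered))
    print("signers of re-signed jar:", signers(resigned))
```

Run against real files, read each jar with `open(path, "rb").read()` and pass the bytes to compare_jars; with ignore_signature=False the signed jar is reported as different purely because of the signer's files, which is the expected behaviour when checking whether a re-signed artifact still matches the build anyone can reproduce from the build scripts.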