Posted to dev@commons.apache.org by Mark Thomas <ma...@apache.org> on 2014/07/01 21:53:28 UTC

Code signing

All,

You may be aware that the ASF is currently evaluating an external code
signing service. So far, things are looking good. Assuming it moves
forward, Apache Tomcat is going to be used as a guinea pig for the live
service. Some of the components Tomcat wants to sign are the procrun
binaries from Commons Daemon.

There is a cost associated with each signing of a group of files so it
makes sense to sign the procrun binaries once and distribute the signed
versions from Commons.

The current plan is that code will be signed by a certificate associated
with a PMC, with individual RMs being granted the ability to request
signing on behalf of the PMC as necessary.

With this in mind, I'd like to propose the following process for signing
Commons Daemon 1.0.15. (I'll do most of the leg work.)

1. Set up the Commons PMC signing org.
2. Add me to that org.
3. Download the procrun binaries, validate them, and get them signed.
4. Propose the signed binaries for release.
5. We VOTE (hopefully a simple process).
6. Add them alongside the unsigned binaries at:
http://www.apache.org/dist/commons/daemon/binaries/windows-signed/

Hopefully, future releases will be signed at build time but that will
require some integration work (I'm currently working on a PoC with the
Tomcat build process).

If you have any concerns about the above, please speak up now.

Cheers,

Mark
