Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2013/12/18 01:24:30 UTC

Code signing trial - volunteers wanted

The infrastructure team is about to start a trial of a code signing
service provided by Symantec. Tomcat is going to be the guinea pig for
this trial. As part of the trial we want to test the mapping of the
roles in the service to the roles at the ASF. We are therefore looking
for two volunteers. Both volunteers need to be Tomcat committers. At
least one of the volunteers needs to be a PMC member.

My outline plan at the moment is something like:
- Set up the test signing service
- Figure out how to sign our Windows installer
- Script the process
- Get volunteer one (who will have RM permissions) to do a test release
- Get volunteer two (who will have PMC permissions) to approve the test
release for signing

The idea is that any committer can be a release manager and upload a
release for signing but only a PMC member can approve the upload for
signing. Figuring out if that process is workable is part of the trial.

Thanks in advance,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Code signing trial - volunteers wanted

Posted by Mark Thomas <ma...@apache.org>.

On 20/12/2013 03:20, Christopher Schultz wrote:
> Mark,
> 
> On 12/17/13, 7:24 PM, Mark Thomas wrote:
>> The infrastructure team is about to start a trial of a code 
>> signing service provided by Symantec. Tomcat is going to be the 
>> guinea pig for this trial. As part of the trial we want to test 
>> the mapping of the roles in the service to the roles at the ASF. 
>> We are therefore looking for two volunteers. Both volunteers
>> need to be Tomcat committers. At least one of the volunteers
>> needs to be a PMC member.
>> 
>> My outline plan at the moment is something like:
>> - Set up the test signing service
>> - Figure out how to sign our Windows installer
>> - Script the process
>> - Get volunteer one (who will have RM permissions) to do a test release
>> - Get volunteer two (who will have PMC permissions) to approve the test
>> release for signing
>> 
>> The idea is that any committer can be a release manager and 
>> upload a release for signing but only a PMC member can approve 
>> the upload for signing. Figuring out if that process is workable 
>> is part of the trial.
> 
> In theory, I'm willing to be a guinea pig's guinea pig. I've never
> rolled a release before. I do have Crossover (i.e. Wine)
> available on my Mac and some Windows VMs but I don't have any
> Windows-build capabilities -- at least not right now.
> 
> Can I still be helpful?

Short answer: don't know.

Longer answer: I don't yet know if the signing step will have to be
part of the build process or will be something that happens once the
.exe has been created. This is one of the things we need to explore in
the trial. If it is the latter then we can use an existing release to
test in which case there would be no need to build locally.

Thanks for the offer and I'll get back to you when I know more - which
should be early in the new year.

Mark



Re: Code signing trial - volunteers wanted

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 12/17/13, 7:24 PM, Mark Thomas wrote:
> The infrastructure team is about to start a trial of a code signing
> service provided by Symantec. Tomcat is going to be the guinea pig for
> this trial. As part of the trial we want to test the mapping of the
> roles in the service to the roles at the ASF. We are therefore looking
> for two volunteers. Both volunteers need to be Tomcat committers. At
> least one of the volunteers needs to be a PMC member.
> 
> My outline plan at the moment is something like:
> - Set up the test signing service
> - Figure out how to sign our Windows installer
> - Script the process
> - Get volunteer one (who will have RM permissions) to do a test release
> - Get volunteer two (who will have PMC permissions) to approve the test
> release for signing
> 
> The idea is that any committer can be a release manager and upload a
> release for signing but only a PMC member can approve the upload for
> signing. Figuring out if that process is workable is part of the trial.

In theory, I'm willing to be a guinea pig's guinea pig. I've never
rolled a release before. I do have Crossover (i.e. Wine) available on my
Mac and some Windows VMs but I don't have any Windows-build capabilities
-- at least not right now.

Can I still be helpful?

-chris


Re: Code signing trial - volunteers wanted

Posted by Mark Thomas <ma...@apache.org>.
On 18/12/2013 13:05, Rainer Jung wrote:
> On 18.12.2013 01:24, Mark Thomas wrote:
>> The infrastructure team is about to start a trial of a code signing
>> service provided by Symantec. Tomcat is going to be the guinea pig for
>> this trial. As part of the trial we want to test the mapping of the
>> roles in the service to the roles at the ASF. We are therefore looking
>> for two volunteers. Both volunteers need to be Tomcat committers. At
>> least one of the volunteers needs to be a PMC member.
>>
>> My outline plan at the moment is something like:
>> - Set up the test signing service
>> - Figure out how to sign our Windows installer
>> - Script the process
>> - Get volunteer one (who will have RM permissions) to do a test release
>> - Get volunteer two (who will have PMC permissions) to approve the test
>> release for signing
>>
>> The idea is that any committer can be a release manager and upload a
>> release for signing but only a PMC member can approve the upload for
>> signing. Figuring out if that process is workable is part of the trial.
> 
> If you like, I can try the approval step. It depends a bit on the
> infrastructure needed and during the next 2 weeks I might not always be
> available.

Thanks. I suspect things won't progress that fast anyway. This is more
likely to be a task for January. There is a web based GUI and an API.
Part of the test is to figure out which works best for us but either way
the local infrastructure requirements should be minimal.

Cheers,

Mark




Re: Code signing trial - volunteers wanted

Posted by Rainer Jung <ra...@kippdata.de>.
On 18.12.2013 01:24, Mark Thomas wrote:
> The infrastructure team is about to start a trial of a code signing
> service provided by Symantec. Tomcat is going to be the guinea pig for
> this trial. As part of the trial we want to test the mapping of the
> roles in the service to the roles at the ASF. We are therefore looking
> for two volunteers. Both volunteers need to be Tomcat committers. At
> least one of the volunteers needs to be a PMC member.
> 
> My outline plan at the moment is something like:
> - Set up the test signing service
> - Figure out how to sign our Windows installer
> - Script the process
> - Get volunteer one (who will have RM permissions) to do a test release
> - Get volunteer two (who will have PMC permissions) to approve the test
> release for signing
> 
> The idea is that any committer can be a release manager and upload a
> release for signing but only a PMC member can approve the upload for
> signing. Figuring out if that process is workable is part of the trial.

If you like, I can try the approval step. It depends a bit on the
infrastructure needed and during the next 2 weeks I might not always be
available.

Regards,

Rainer

