Posted to dev@reef.apache.org by "Brian Cho (JIRA)" <ji...@apache.org> on 2015/08/11 10:11:46 UTC

[jira] [Commented] (REEF-465) Figure out how to produce safely signed NuGets

    [ https://issues.apache.org/jira/browse/REEF-465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14681402#comment-14681402 ] 

Brian Cho commented on REEF-465:
--------------------------------

I'm late to the party on how and why to sign NuGets. Sorry if this is a re-hash.

I ran into an [msdn article|https://msdn.microsoft.com/en-us/library/wd40t7ad.aspx] that has some interesting advice:

# Do not rely on strong names for security. They provide a unique identity only.
# If you are an open-source developer and you want the identity benefits of a strong-named assembly, consider checking in the private key associated with an assembly into your source control system.

What is our goal for providing signed NuGets? If it's only to prevent assembly conflicts, is the old way of keeping both public and private key in git the right way?

> Figure out how to produce safely signed NuGets
> ----------------------------------------------
>
>                 Key: REEF-465
>                 URL: https://issues.apache.org/jira/browse/REEF-465
>             Project: REEF
>          Issue Type: Improvement
>          Components: NuGet, REEF.NET
>            Reporter: Markus Weimer
>
> We currently have the private / public key pair we use for our builds *in the repository*. This means that the signature on our NuGets and DLLs is not trustworthy. We should find a way to produce properly signed NuGets.
> *Note:* None of this affects the official source release, nor the signature on the Java Maven artifacts. Both are signed with GnuPG, using a key we keep private.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
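Editor's note, added after the thread and not part of it or of the REEF code base: the MSDN advice quoted above ("a unique identity only") is easiest to see by deriving the identity itself. The strong-name identity of an assembly is its PublicKeyToken, the byte-reversed last 8 bytes of SHA-1 over the .NET public key blob, and that blob is built solely from the public half (modulus and exponent) of the RSA key. The script below parses a CAPI RSA key blob in the layout sn.exe writes to an .snk file (PUBLICKEYSTRUC, RSAPUBKEY, then the key material), rebuilds the public key blob that `sn -p` extracts, and computes the token. The sample .snk it builds is a constructed placeholder with filler bytes, not a real key; `token_from_snk` is the same routine pointed at a real file. Nothing here is REEF's own tooling.

```python
"""Derive a .NET strong-name public key blob and PublicKeyToken from a
CAPI RSA key blob (the contents of an .snk file). The token depends on
the public key only, so anyone holding a checked-in .snk can sign
assemblies that carry exactly the same identity as the original owner."""
import hashlib
import struct

CALG_RSA_SIGN = 0x00002400   # aiKeyAlg field of PUBLICKEYSTRUC
CALG_SHA1 = 0x00008004       # hash algorithm recorded in the .NET blob header
PUBLICKEYBLOB = 0x06         # bType for the public layout (RSAPUBKEY magic "RSA1")
PRIVATEKEYBLOB = 0x07        # bType for the private layout (magic "RSA2"), what .snk holds


def parse_capi_rsa_blob(blob: bytes):
    """Parse PUBLICKEYSTRUC + RSAPUBKEY + modulus from either layout.
    Returns (bit length, public exponent, little-endian modulus)."""
    if len(blob) < 20:
        raise ValueError("blob too short for a CAPI RSA header")
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype not in (PUBLICKEYBLOB, PRIVATEKEYBLOB) or bversion != 2:
        raise ValueError("not a version-2 CAPI key blob")
    if alg != CALG_RSA_SIGN:
        raise ValueError("not an RSA signing key (CALG_RSA_SIGN)")
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if magic != (b"RSA1" if btype == PUBLICKEYBLOB else b"RSA2"):
        raise ValueError("RSAPUBKEY magic does not match blob type")
    if bitlen == 0 or bitlen % 8:
        raise ValueError("key size %d is not a whole number of bytes" % bitlen)
    nbytes = bitlen // 8
    modulus = blob[20:20 + nbytes]
    if len(modulus) != nbytes:
        raise ValueError("blob truncated before end of modulus")
    return bitlen, pubexp, modulus


def strong_name_public_key(bitlen: int, pubexp: int, modulus_le: bytes) -> bytes:
    """Build the blob that `sn -p` writes: a 12-byte header (signature alg,
    hash alg, length of what follows) and a CAPI PUBLICKEYBLOB."""
    capi_pub = (struct.pack("<BBHI", PUBLICKEYBLOB, 2, 0, CALG_RSA_SIGN)
                + struct.pack("<4sII", b"RSA1", bitlen, pubexp)
                + modulus_le)
    return struct.pack("<III", CALG_RSA_SIGN, CALG_SHA1, len(capi_pub)) + capi_pub


def public_key_token(sn_public_key: bytes) -> bytes:
    """PublicKeyToken: last 8 bytes of SHA-1 over the public key blob, reversed."""
    return hashlib.sha1(sn_public_key).digest()[-8:][::-1]


def token_from_blob(blob: bytes) -> str:
    """Hex PublicKeyToken for a PUBLICKEYBLOB or a PRIVATEKEYBLOB (.snk contents).
    Only the public fields are read; the private components never enter the hash."""
    bitlen, pubexp, modulus = parse_capi_rsa_blob(blob)
    return public_key_token(strong_name_public_key(bitlen, pubexp, modulus)).hex()


def token_from_snk(path: str) -> str:
    """Same derivation for a real .snk file on disk."""
    with open(path, "rb") as f:
        return token_from_blob(f.read())


def constructed_private_blob(seed: bytes, bitlen: int = 1024) -> bytes:
    """CONSTRUCTED sample: a PRIVATEKEYBLOB with the exact .snk layout
    (modulus, prime1, prime2, exponent1, exponent2, coefficient, private
    exponent) but filler bytes instead of real RSA parameters. It is not a
    usable key; it only exercises the parsing and token derivation."""
    nbytes = bitlen // 8
    filler = seed * (6 * nbytes // len(seed) + 1)   # more bytes than every field needs
    modulus = filler[:nbytes]
    private_part = filler[nbytes:nbytes + 5 * (nbytes // 2) + nbytes]
    return (struct.pack("<BBHI", PRIVATEKEYBLOB, 2, 0, CALG_RSA_SIGN)
            + struct.pack("<4sII", b"RSA2", bitlen, 65537)
            + modulus + private_part)


if __name__ == "__main__":
    snk = constructed_private_blob(b"constructed-sample-not-a-real-key")
    print("blob size: %d bytes (a 1024-bit .snk is 596 bytes)" % len(snk))
    print("PublicKeyToken:", token_from_blob(snk))
```

Against a real key the result can be cross-checked with the .NET SDK: `sn -p key.snk key.pub` followed by `sn -tp key.pub` prints the same 160-byte public key blob and token. The practical consequence for the thread is the one Brian raises: with the .snk in git, the token proves which key pair a build used, not who ran the build, so it resolves assembly identity conflicts but is no substitute for the GnuPG signature on the release artifacts.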