You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tapestry.apache.org by Ulrich Stärk <ul...@spielviel.de> on 2013/10/24 17:36:49 UTC
Fwd: [jira] [Commented] (INFRA-3991) Request for code signing certificate
Do we have a need for signed jars and are interested in participating to make this happen?
Uli
-------- Original Message --------
Subject: [jira] [Commented] (INFRA-3991) Request for code signing certificate
Date: Thu, 24 Oct 2013 15:34:02 +0000 (UTC)
From: Mark Thomas (JIRA) <ji...@apache.org>
To: uli@spielviel.de
[
https://issues.apache.org/jira/browse/INFRA-3991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13804324#comment-13804324
]
Mark Thomas commented on INFRA-3991:
------------------------------------
As a infrastructure volunteer the tasks I choose to work on are selected based on how much time I
have, how interested I am in the topic and whether it involves cleaning up a mess I am somehow
responsible for. Code signing falls under the category of something I am interested in but it is not
a high priority for me so it gets progressed as and when I have the time.
Back in June I provided an explicit example of how folks could help - reaching out to Bill Rowe and
reconnecting with Verisign (now Symantec). No one did. Hence progress stalled again.
Back in August I reached out to Bill and got the necessary details. Still no-one volunteered to make
contact with Symantec.
This week I have found some time and have been in touch with Symantec. I've had a good conversation
with them and we have an outline of a way forward. There are still a lot of details to iron out but
at this stage I am hopeful we'll come up with a solution that works for at least 80% of our use cases.
In terms of helping (to address Christian's question) there is nothing to do immediately. However, I
am likely to be asking for a few interested PMCs (Tomcat, AOO, Logging) to review some materials in
the next few weeks. Constructive feedback on those materials and possibly joining a conference call
are areas where help will be appreciated. If I think of anything else that could help progress this,
I'll mention it here.
> Request for code signing certificate
> ------------------------------------
>
> Key: INFRA-3991
> URL: https://issues.apache.org/jira/browse/INFRA-3991
> Project: Infrastructure
> Issue Type: New Feature
> Security Level: public(Regular issues)
> Reporter: Scott Deboy
> Assignee: Tony Stevenson
>
> The Logging Services project provides a WebStart-deployed Swing application, Chainsaw. To deploy Chainsaw via WebStart and take advantage of all of its features, the jars that are downloaded must be signed by a code signing certificate which has been signed by a trusted root CA.
> It would seem to me it would make sense to have this code signing certificate and associated keys managed by the ASF and not be a project-specific certificate, so other projects could take advantage of the same resources. If you feel it makes more sense to get Logging Services its own code signing certificate that is managed by the PMC, I'm fine with that as well - I would just like the issue to be resolved.
> I assume if this resource were an ASF-wide resource, the keys and certificate would be managed by infra. If so, I'm not sure what workflow infra would like to use - maybe a jira issue with release candidate jars and pgp info, and signed jars could be added back to the same jira? We don't release often, so just let us know what you would like.
> Our needs are relatively simple, and I understand others may have more complex needs. PMC members or the RM could manage self-signed certificates and 'get by', but I would rather have an official code signing cert provided by ASF itself.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org