Posted to dev@flex.apache.org by Om <bi...@gmail.com> on 2012/08/27 09:51:10 UTC

[MENTOR] .p12 file for releasing InstallApacheFlex

> Dave:
>
>

> Is it possible to derive these p12 files from KEYS? I think it is likely,
>> if so we have a path to signing of these artifacts by project release
>> managers
>>
>
> I will investigate this approach.  I have limited knowledge about this,
> but I believe that OpenSSL might help us here.  Will let you know soon.
>
>

Dave,

I tried this using gnupg and openssl without any luck.  Unless someone
knows how to do it, I have hit a dead end.

Erik and I have come up with this proposal to move forward.  Please let us
know your thoughts/suggestions.

For the binary releases:
* Erik de Bruin and I are the release managers for this tool
* We will create a new .p12 with a secure password.  We will NOT check
the .p12 file in to SVN.
* I will create the Windows release on my machine using the .p12 file to
sign the AIR app
* I will securely email the .p12 file and the password (in separate emails)
to Erik de Bruin
* Erik creates the Mac release using the same .p12 file
* Erik and I sign the respective releases using our PGP keys in the Apache
Way.

For the source release:
* I will create a compressed file with the source code and sign it with my
PGP key

Are we missing something?

Thanks,
Om
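The two signing layers in the proposal above, as an added example that is not from the thread or the InstallApacheFlex project: a self-signed .p12 built with OpenSSL (password taken from the P12_PASSWORD environment variable so that neither the keystore nor the password is committed), and a detached PGP signature over the release artifact in the usual Apache form. It assumes openssl (and gpg for the second part) on PATH; file names, the CN and the variable name are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the two signing layers in Om's
# proposal. (1) A self-signed .p12 built with OpenSSL, password supplied
# via the P12_PASSWORD environment variable so neither the keystore nor
# the password ever lands in SVN. (2) A detached PGP signature over the
# release artifact, as the Apache release process expects.
# Assumption: openssl (and gpg for step 2) on PATH; names are placeholders.
set -eu

# Create an RSA key and self-signed certificate, bundle them as PKCS#12.
# $1 = output .p12 path, $2 = certificate CN (shown as the AIR publisher)
make_selfsigned_p12() {
  out=$1; cn=$2
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1825 -subj "/CN=$cn" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
    -name "$cn" -out "$out" -passout env:P12_PASSWORD
  rm -rf "$tmp"
  # The AIR SDK then signs the app with it (its own CLI, not run here):
  #   adt -package -storetype pkcs12 -keystore "$out" App.air App-app.xml ...
}

# Succeeds only if the .p12 opens with P12_PASSWORD and holds a
# self-signed certificate (issuer equals subject), i.e. not CA-issued.
p12_is_selfsigned() {
  cert=$(openssl pkcs12 -in "$1" -nokeys -clcerts \
           -passin env:P12_PASSWORD 2>/dev/null) || return 1
  subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Apache-style release signature: detached ASCII-armoured .asc from the
# release manager's PGP key (listed in KEYS) plus a SHA-512 checksum.
# $1 = artifact path (the source tarball or the .air file)
pgp_sign_release() {
  gpg --armor --detach-sign --output "$1.asc" "$1"
  sha512sum "$1" > "$1.sha512"
}

# What a downloader runs after importing KEYS: both checks must pass.
pgp_verify_release() {
  gpg --verify "$1.asc" "$1" && sha512sum -c "$1.sha512"
}
```

The PGP layer is what ties the artifact to a key in KEYS; the .p12 only satisfies the AIR packaging requirement and identifies whichever individual built that binary.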

Re: [MENTOR] .p12 file for releasing InstallApacheFlex

Posted by Om <bi...@gmail.com>.
On Tue, Aug 28, 2012 at 4:32 AM, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:

> Hi,
>
> On Mon, Aug 27, 2012 at 11:37 PM, Dave Fisher <da...@comcast.net>
> wrote:
> ...
> > (1) I think that we need to get confirmation that a .p12 signed release
> is ok with legal-discuss@.
> > That it is permissible for a convenience binary. I think that is
> likely and I'll look into it tomorrow....
>

In case I wasn't clear earlier, my proposal is to sign it with both a
self-signed digital certificate (.p12) file AND then sign the resulting
binary using our Apache KEYS.

Signing with a .p12 (self-signed or from a CA) is a required step in
creating the AIR application.


>
> IMO distributing (not "releasing") a signed binary is fine, as long as
> it's not signed by the (P)PMC - individuals (including more than one
> if that's possible and useful) can sign convenience binaries and that
> only means it's them who created the binary, the (P)PMC won't provide
> any guarantees for binaries anyway.
>
>
Will this change if we wanted to publish the binary installers on our
site?  IMO, it would be beneficial if the mirrors kick in to reduce the
load on Apache servers.  So that means that we would have to go through the
normal release process.


> >
> > (2) We probably need to have a release VOTE for the source code making
> up the
> > InstallApacheFlex package...
>
> Absolutely - the ASF releases source code, and if convenience binaries
> are distributed they must be based on released source code - search
> for "binar" at http://apache.org/dev/release.html for more info.
>
> So I'd say in this case a vote is needed to release the installer's
> source code, and another one (or the same with two decisions) to
> authorize whoever produces the convenience binaries to upload them to
> http://apache.org/dist/incubator/flex/FOO/binaries/
>
>
Makes sense.  I will start a vote thread once we are ready with the
artifacts.


>  -Bertrand
>


Thanks,
Om

Re: [MENTOR] .p12 file for releasing InstallApacheFlex

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Mon, Aug 27, 2012 at 11:37 PM, Dave Fisher <da...@comcast.net> wrote:
...
> (1) I think that we need to get confirmation that a .p12 signed release is ok with legal-discuss@.
> That it is permissible for a convenience binary. I think that is likely and I'll look into it tomorrow....

IMO distributing (not "releasing") a signed binary is fine, as long as
it's not signed by the (P)PMC - individuals (including more than one
if that's possible and useful) can sign convenience binaries and that
only means it's them who created the binary, the (P)PMC won't provide
any guarantees for binaries anyway.

>
> (2) We probably need to have a release VOTE for the source code making up the
> InstallApacheFlex package...

Absolutely - the ASF releases source code, and if convenience binaries
are distributed they must be based on released source code - search
for "binar" at http://apache.org/dev/release.html for more info.

So I'd say in this case a vote is needed to release the installer's
source code, and another one (or the same with two decisions) to
authorize whoever produces the convenience binaries to upload them to
http://apache.org/dist/incubator/flex/FOO/binaries/

-Bertrand

Re: [MENTOR] .p12 file for releasing InstallApacheFlex

Posted by Dave Fisher <da...@comcast.net>.
Hi Om,

Sorry for the delay I've been busy with work and Apache OpenOffice (incubating).

(1) I think that we need to get confirmation that a .p12 signed release is ok with legal-discuss@. That it is permissible for a convenience binary. I think that is likely and I'll look into it tomorrow.

(2) We probably need to have a release VOTE for the source code making up the InstallApacheFlex package, but I'm not completely sure. Perhaps Bertrand can answer that question.

Regards,
Dave

On Aug 27, 2012, at 5:48 PM, Om wrote:

> Hi,
> 
> Can one of the mentors please respond?  I was hoping to make a release of
> InstallApacheFlex soon.
> 
> Thanks,
> Om
> 
> On Mon, Aug 27, 2012 at 12:51 AM, Om <bi...@gmail.com> wrote:
> 
>> 
>> Dave:
>>> 
>>> 
>> 
>>> Is it possible to derive these p12 files from KEYS? I think it is likely,
>>>> if so we have a path to signing of these artifacts by project release
>>>> managers
>>>> 
>>> 
>>> I will investigate this approach.  I have limited knowledge about this,
>>> but I believe that OpenSSL might help us here.  Will let you know soon.
>>> 
>>> 
>> 
>> Dave,
>> 
>> I tried this using gnupg and openssl without any luck.  Unless someone
>> knows how to do it, I have hit a dead end.
>> 
>> Erik and I have come up with this proposal to move forward.  Please let us
>> know your thoughts/suggestions.
>> 
>> For the binary releases:
>> * Erik de Bruin and I are the release managers for this tool
>> * We will create a new .p12 with a secure password.  We will NOT check
>> the .p12 file in to SVN.
>> * I will create the Windows release on my machine using the .p12 file to
>> sign the AIR app
>> * I will securely email the .p12 file and the password (in separate
>> emails) to Erik de Bruin
>> * Erik creates the Mac release using the same .p12 file
>> * Erik and I sign the respective releases using our PGP keys in the Apache
>> Way.
>> 
>> For the source release:
>> * I will create a compressed file with the source code and sign it with
>> my PGP key
>> 
>> Are we missing something?
>> 
>> Thanks,
>> Om
>> 


Re: [MENTOR] .p12 file for releasing InstallApacheFlex

Posted by Om <bi...@gmail.com>.
Hi,

Can one of the mentors please respond?  I was hoping to make a release of
InstallApacheFlex soon.

Thanks,
Om

On Mon, Aug 27, 2012 at 12:51 AM, Om <bi...@gmail.com> wrote:

>
>  Dave:
>>
>>
>
>> Is it possible to derive these p12 files from KEYS? I think it is likely,
>>> if so we have a path to signing of these artifacts by project release
>>> managers
>>>
>>
>> I will investigate this approach.  I have limited knowledge about this,
>> but I believe that OpenSSL might help us here.  Will let you know soon.
>>
>>
>
> Dave,
>
> I tried this using gnupg and openssl without any luck.  Unless someone
> knows how to do it, I have hit a dead end.
>
> Erik and I have come up with this proposal to move forward.  Please let us
> know your thoughts/suggestions.
>
> For the binary releases:
> * Erik de Bruin and I are the release managers for this tool
> * We will create a new .p12 with a secure password.  We will NOT check
> the .p12 file in to SVN.
> * I will create the Windows release on my machine using the .p12 file to
> sign the AIR app
> * I will securely email the .p12 file and the password (in separate
> emails) to Erik de Bruin
> * Erik creates the Mac release using the same .p12 file
> * Erik and I sign the respective releases using our PGP keys in the Apache
> Way.
>
> For the source release:
> * I will create a compressed file with the source code and sign it with
> my PGP key
>
> Are we missing something?
>
> Thanks,
> Om
>