logging-log4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Grobmeier <grobme...@gmail.com>
Subject Re: Companions -> Chainsaw?
Date Wed, 05 Oct 2011 06:19:45 GMT
On Wed, Oct 5, 2011 at 12:27 AM, Scott Deboy <scott.deboy@gmail.com> wrote:
> There are a number of people looking for resolution on the code signing cert
> question (Eclipse plugins, maven artifacts, etc).  I'll file a Jira issue.
> Our case is relatively straightforward - hopefully infra can automate it so
> we can send them binaries/drop binaries into a folder, along with a link to
> the vote and pgp signing info and they can sign the artifacts.  We shall
> see.

Sounds excellent. Yesterday I asked at the IRC channel, but no response.
Can you proceed with the downloadable release while the Webstart
"release" is postboned?

Christian


>
> Scott
>
> On Tue, Oct 4, 2011 at 10:51 AM, Christian Grobmeier <grobmeier@gmail.com>
> wrote:
>>
>> OK understood.
>>
>> Not sure were do ask, but maybe infra has an idea if such a thing
>> exists. If not, we might ask the board if we can buy something like
>> that
>>
>> On Tue, Oct 4, 2011 at 7:44 PM, Scott Deboy <scott.deboy@gmail.com> wrote:
>> > We need a code signing certificate that is trusted by a root cert auth,
>> > and
>> > use that cert to sign the jars - I would prefer the ASF handle this.
>> >
>> > See
>> >
>> > http://download.oracle.com/javase/6/docs/technotes/guides/javaws/developersguide/faq.html
>> >
>> > Scott
>> >
>> >
>> > On Tue, Oct 4, 2011 at 10:32 AM, Christian Grobmeier
>> > <grobmeier@gmail.com>
>> > wrote:
>> >>
>> >> > http://logging.apache.org/chainsaw/download.html - by clicking on the
>> >> > 'Java
>> >> > Web Start' link, Chainsaw will download, install and run..
>> >> >
>> >> > To update the version of Chainsaw we provide via Web Start, we need
>> >> > to
>> >> > sign
>> >> > the jars, since Chainsaw writes to the local file system, can
>> >> > initiate
>> >> > socket connections, etc, and Web Start only allows that if the jars
>> >> > are
>> >> > signed and the person oks the access..It seems Apache should have a
>> >> > cert
>> >> > for
>> >> > signing jars, instead of having to do this ourselves..
>> >>
>> >> Is any pgp key fine to sign or should it be one with a trusted
>> >> identiy, like "this software was developed by the ASF" and so on?
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
>> >> For additional commands, e-mail: log4j-dev-help@logging.apache.org
>> >>
>> >
>> >
>>
>>
>>
>> --
>> http://www.grobmeier.de
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
>> For additional commands, e-mail: log4j-dev-help@logging.apache.org
>>
>
>



-- 
http://www.grobmeier.de

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org


Mime
View raw message