pivot-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Brown <gkbr...@mac.com>
Subject Re: ASF code signing certificate
Date Mon, 07 Dec 2009 14:05:24 GMT
OK. Once the graduation is formally approved, I'll send a message to infra describing what
we are looking for and see if they can help. I'd like to get a valid certificate in place
before we launch, if at all possible.


On Dec 7, 2009, at 9:01 AM, Martijn Dashorst wrote:

> AFAIK infra has enough karma to purchase small hardware, domains and
> certificates. If they don't have enough they can escalate it to the
> board to make sure it happens.
> Martijn
> On Mon, Dec 7, 2009 at 2:56 PM, Greg Brown <gkbrown@mac.com> wrote:
>> The problem with waiting until after we graduate is that we'll launch with an invalid
cert signed by Todd, rather than a valid cert signed by the ASF. This won't leave a good first
impression on anyone seeing Pivot for the first time.
>> You are probably right that general@incubator is probably not the right place for
this discussion, but I think it is at least worth posting the question to the infra list.
I'm guessing that most of the previous discussion around PKI focused on SSL, etc. - maybe
it won't be as difficult to push a code signing cert. through.
>> How are purchase decisions generally handled? Would someone on the infra list be
able to approve something like this, or is there another list I should also post to?
>> Thanks,
>> Greg
>> On Dec 6, 2009, at 11:45 PM, Niclas Hedhman wrote:
>>> On Sun, Dec 6, 2009 at 9:33 PM, Greg Brown <gkbrown@mac.com> wrote:
>>>> Hello mentors,
>>>> Back when Pivot first entered the Incubator, I had asked about the availability
of an official Apache code signing certificate. Some of our demo and tutorial JARs are signed,
but they currently use an unofficial (and expired) certificate Todd had created locally for
testing purposes. This doesn't inspire quite as much confidence in the authenticity of the
code as we would like.  :-)
>>>> The response at the time was that no such certificate currently exists. Once
we graduate, do you know if it might be possible to request one? I believe these cost around
$500 (US) - is the ASF likely to cover something like this, or do you think we would need
to fund it ourselves?
>>>> FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate
a few months back, and I didn't get a reply from either one...maybe I will try again after
we graduate. Anyone have any contacts at either place?
>>> PKI is not something to toss around lightly (I am sure you are aware
>>> of that), and the security conscious individuals at ASF have for long
>>> ponder over how a PKI at ASF could/should look like. One thing that
>>> was excluded was an ASF-wide cert available to "many". It has been
>>> discussed to setup a system where infra "owned" a master cert, from
>>> which they signed certs of "verified individual committers/officers".
>>> The problem is/was that this has not been high on the agenda, since
>>> for "releases" the PGP approach of "web of trust" has been considered
>>> both sufficient and superior of centralized PKIs.
>>> My advice is to wait until after graduation and then approach
>>> infra/board to bring up the usecase/need to see if this can be managed
>>> to a level of satisfaction "within our lifetime" ;-)  Bringing this to
>>> general@incubator.a.o now will just be "messy" and lead to no
>>> resolution.
>>> Cheers
>>> --
>>> Niclas Hedhman, Software Developer
>>> http://www.qi4j.org - New Energy for Java
>>> I  live here; http://tinyurl.com/2qq9er
>>> I  work here; http://tinyurl.com/2ymelc
>>> I relax here; http://tinyurl.com/2cgsug
> -- 
> Become a Wicket expert, learn from the best: http://wicketinaction.com
> Apache Wicket 1.4 increases type safety for web applications
> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.0

View raw message