Christopher wrote on 2/25/16 1:47 PM:

> I'm not sure where exactly this discussion should fit, but I know people
> have brought up questions about ASF-wide signing of artifacts before, so
> I'll just mention it on this list.
>
> Fedora infrastructure has built a project called sigul:
> https://fedorahosted.org/sigul/
> which they use as part of their infrastructure to automate signing of RPMs
> and ISOs and such.
>
> ASF could set up a similar service for ASF-wide release signing.
>
> This particular project looks like it has a GPL2 license on it, and I'm not
> sure what the policy is for Fedora infrastructure, but for Fedora
> packagers, contributions (under their ICLA) are MIT, so it's possible that
> if we wanted to use this, and provide ASF-wide release signing, the Fedora
> community would be willing to re-license under MIT if that were necessary
> for us to consider using it.

Interesting point. The first question is: what Apache projects want to do something like this? While volunteers can work on whatever new ideas people like working on, we don't tend to build officially supported services (especially security-related ones!) unless there are some specific PMCs that ask for it.

Once there's some interest from projects, it's a question of figuring out a draft plan and seeing if the security and maintenance are something the ASF and our small but awesome infrastructure team would be willing to host.

Also, have you read through the Apache release policy and signing details to see exactly how this would fit?

http://www.apache.org/dev/release.html
http://www.apache.org/dev/release-signing.html

The ASF does have a central code signing service for Windows binaries and JARs supported by Symantec, although it's not widely used yet:

https://reference.apache.org/pmc/codesigning

- Shane