On Aug 16, 2012, at 3:13 PM, Om wrote:

> On Thu, Aug 16, 2012 at 1:32 PM, Alex Harui <aha...@adobe.com> wrote:
>
>> On 8/16/12 1:07 PM, "Carol Frampton" <cfram...@adobe.com> wrote:
>>
>>>> I understand the installer needs a Mac binary and a Win binary, but since
>>>> they are not official releases, I don't see why the release manager can't
>>>> ask someone else to build a package for them.
>>>
>>> I would think the release manager should not sign "the apache way" a
>>> binary or a binary distro with a binary in it that they didn't build.
>>> Everything on the distro site needs to be signed. I did not sign the
>>> asdoc package when we released and I was asked not too long ago, I think
>>> by someone from infra, to do that.
>>>
>>> Maybe the mentors know the real answer to this.
>>>
>>> Carol
>>>
>> I would think if someone supplies the other platform's binary in a secure
>> way it should be good enough, but we'll see what the mentors say.
>>
> I agree with Carol. When a release manager signs a binary, they are
> implicitly guaranteeing that what is in the binary was really built from
> the sources. If they did not create the binary themselves, how can they
> verify what exactly went into the binary?
>
> Now, since any committer can be a release manager[1], a release manager can
> probably accept another committer's binary and sign it.
>
> The better option would be that two committers create the binaries on the
> two platforms and sign them separately. Essentially - two release managers
> that I mentioned earlier.
>
> In [1] the section says (emphasis mine):
>
>> The *common practice* at Apache is for a *single individual* to take
>> responsibility for the mechanics of a release. That individual is called
>> the 'release manager.' Release managers take care of shepherding a release
>> from an initial community consensus to make it to final distribution.
>
> This is certainly not a common scenario. I think it is okay to have two
> release managers in our case.

On Aug 15, 2012, at 11:39 PM, Bertrand Delacretaz wrote:

> On Thu, Aug 16, 2012 at 2:43 AM, Clint Modien <cmod...@gmail.com> wrote:
>> ...strange that Apache doesn't have a code signing process in place already…
>> seems like a pretty common requirement....
>
> See http://www.apache.org/dev/release-signing for how releases are signed.
>
> You're right that the ASF doesn't currently have a standard process
> for digital certificates - the OpenOffice podling has been discussing
> this recently, see http://s.apache.org/Hii - I haven't followed the
> details.
>
> -Bertrand

It is certainly reasonable for multiple people to have their signing key within the project's KEYS file. Releases may be signed by anyone on that key.

Is it possible to derive these p12 files from KEYS? I think it is likely; if so, we have a path to signing of these artifacts by project release managers.

Digital signatures are a whole other level of work. Can we handle sigs that are in the KEYS file such that a user can check to see that these artifacts are "properly" signed?

Regards,
Dave

>
> Thanks,
> Om
>
> [1] http://www.apache.org/dev/release-publishing.html#release_manager
>
>> --
>> Alex Harui
>> Flex SDK Team
>> Adobe Systems, Inc.
>> http://blogs.adobe.com/aharui
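The check Dave asks about, as an added example that is not part of this thread or of any Apache project's code: a parser for the layout Apache KEYS files use (the `gpg --list-sigs` listing of each key followed by its armored export) and a lookup of the key id that `gpg --verify` reports against the parsed entries, so a user can tell whether a signature came from a key the project publishes. It goes beyond the thread in handling both the older `pub 4096R/KEYID` line style and the newer style with the fingerprint on the following line; the sample KEYS text, its uids and the placeholder armored bodies are constructed.

```python
import re
# Constructed sample laid out like an Apache KEYS file: `gpg --list-sigs` output for a key,
# then that key's armored export. Armored bodies are placeholders, not real key material.
SAMPLE_KEYS = """\
This file contains the PGP keys of various developers.
pub   4096R/0A1B2C3D 2012-05-01
uid                  Example Release Manager <rm@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
<PLACEHOLDER ARMORED KEY 1>
-----END PGP PUBLIC KEY BLOCK-----
pub   rsa4096 2012-06-15 [SC]
      AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
uid           [ultimate] Second Committer <second@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
<PLACEHOLDER ARMORED KEY 2>
-----END PGP PUBLIC KEY BLOCK-----
"""

PUB_OLD = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8,16})\s")  # pub 4096R/KEYID ...
FPR_LINE = re.compile(r"^\s+([0-9A-Fa-f]{40})\s*$")               # fingerprint under newer pub lines
UID_LINE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?(.+?)\s*$")       # optional [trust] tag stripped
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def parse_keys(text):
    """Return one {key_id, uids, armored} dict per key listed in a KEYS file."""
    entries, cur, armor = [], None, None
    for line in text.splitlines():
        if line.startswith("pub "):
            m = PUB_OLD.match(line)
            cur = {"key_id": m.group(1).upper() if m else None, "uids": [], "armored": None}
            entries.append(cur)
        elif cur is None:                  # header prose before the first key
            continue
        elif armor is not None:            # inside an armored block: collect through END
            armor.append(line)
            if line.startswith(END):
                cur["armored"], armor = "\n".join(armor), None
        elif line.startswith(BEGIN):
            armor = [line]
        elif cur["key_id"] is None and FPR_LINE.match(line):
            cur["key_id"] = FPR_LINE.match(line).group(1).upper()
        elif line.startswith("uid"):
            cur["uids"].append(UID_LINE.match(line).group(1))
    return entries

def signer_in_keys(entries, signer_id):
    """Map the key id `gpg --verify` reports to a KEYS entry (None if unlisted). Trailing hex
    is compared, so a short id matches a fingerprint entry; prefer the full fingerprint."""
    sid = signer_id.upper().replace(" ", "")
    return next((e for e in entries if e["key_id"]
                 and (e["key_id"].endswith(sid) or sid.endswith(e["key_id"]))), None)
```

A signer id that is found only proves the key is one the project published; the armored block still has to be imported and the detached `.asc` verified with gpg for the signature itself to count.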