On Tue, Aug 28, 2012 at 4:32 AM, Bertrand Delacretaz <bdelacre...@apache.org > wrote:
> Hi, > > On Mon, Aug 27, 2012 at 11:37 PM, Dave Fisher <dave2w...@comcast.net> > wrote: > ... > > (1) I think that we need to get confirmation that a .p12 signed release > is ok with legal-discuss@. > > That it is a permissible for a convenience binary. I think that is > likely and I'll look into it tomorrow.... > In case I wasn't clear earlier, my proposal is to sign it with both a self-signed digital certificate (.p12) file AND then sign the resulting binary using our Apache KEYS. Signing with a .p12 (self-signed or from a CA) is a required step in creating the AIR application. > > IMO distributing (not "releasing") a signed binary is fine, as long as > it's not signed by the (P)PMC - individuals (including more than one > if that's possible and useful) can sign convenience binaries and that > only means it's them who created the binary, the (P)PMC won't provide > any guarantees for binaries anyway. > > Will this change if we wanted to publish the binary installers on our site? IMO, it would be beneficial if the mirrors kick in to reduce the load on Apache servers. So that means that we would have to go through the normal release process. > > > > (2) We probably need to have a release VOTE for the source code making > up the > > InstallApacheFlex package... > > Absolutely - the ASF releases source code, and if convenience binaries > are distributed they must be based on released source code - search > for "binar" at http://apache.org/dev/release.html for more info. > > So I'd say in this case a vote is needed to release the installer's > source code, and another one (or the same with two decisions) to > authorize whoever produces the convenience binaries to upload them to > http://apache.org/dist/incubator/flex/FOO/binaries/ > > Makes sense. I will start a vote thread once we are ready with the artifacts. > -Bertrand > Thanks, Om
