On Mon, Aug 27, 2012 at 9:57 AM, Jim Jagielski <j...@jagunet.com> wrote: > Re adding ooo-dev@ since this is STILL an AOO issue. > > On Aug 27, 2012, at 9:38 AM, Rob Weir <robw...@apache.org> wrote: > >> On Mon, Aug 27, 2012 at 8:59 AM, Jim Jagielski <j...@jagunet.com> wrote: >>> >>> On Aug 27, 2012, at 8:56 AM, donald_harbi...@us.ibm.com wrote: >>>> >>>> Yes, that's what end users care about. But it's not sufficient for AOO >>>> since we are seeking alternative distribution channels. >>> >>> What does that mean? Can I grok "alternative distribution channels" >>> as "more mirrors" or something else? >>> >> >> You probably don't see this on the server yet, but end-user operating >> systems, both desktop and devices, both at OS level as well as in >> browsers and with antivirus software, are shifting over to excluding >> non-signed executable by default. > > Believe it or not, I actually use end-user OSs. I am right now! Wow! >
I did not mean to imply otherwise. But I am quite confident that few, if any other Apache projects are developing end-user software, so they might not be aware of this trend from the software development perspective. >> This is equally true of software >> distributed on CD's, via downloads, or listed in OS-vendor "stores". >> That is the direction that the industry is going. Any desktop >> application that ignores this trend will become unusable by most >> users. Instead of detached digital signatures that Apache releases >> already carry, the OS vendors expect integrated signatures via code >> signing. >> >> Where I hear the churning is over whether the technological change - >> code signing rather than detached PGP/GPG signatures -- means anything >> different from a liability standpoint. One could argue that a >> signatures merely vouches for authentication, integrity and >> non-repudiation -- the classic guarantees of a digital signature. But >> I'm hearing others suggest that the move from one technology to >> another technology for signing suggests additional guarantees about >> the content of the signed artifact, above and beyond what the ASF >> normally offers. But of course, any additional liability is >> explicitly disclaimed by the Apache License. >> >> So given that other Apache projects distribute binaries that are.... >> >> 1) approved by the PMC's >> >> 2) distributed on Apache mirrors >> >> 3) linked to as ASF products by project websites >> >> 4) accompanied by PGP/GPG detached signatures >> >> ...what additional liability do we believe comes from the >> technological change from one signature mechanism to another? Or >> specifically, what liability is added that is not already explicitly >> disclaimed by ALv2? >> > > A signature does 2 things: > > 1. Ensures that no bits have been changed > 2. That the bits come from a known (and trusted) entity. > Almost. It doesn't guarantee trust. CA's don't require any specific level of software quality assurance before they issue a certificate. Any trust is implied by association with the identity of the signer. So it is a brand association. This is similar to the association that comes with association with a project's release announcement, or from distribution via Apache mirrors, or links from Apache websites. These all imply -- in one degree or another -- an association with Apache, and the trust that flows from that. But what code signing does do is help protect ASF reputation. By having the binaries signed we can distance ourselves from those who distribute versions of AOO with virus and malware attached. Again, this is something you probably don't see in the server world, but it is quite common with popular end-user open source software. So trust (reputation) is important. But we're already seeing that trust and reputation can be hurt by lack of code signing. > The fact that we've used GPG-signed artifacts is immaterial, imo. > To a savvy user the use of the detached digital signature can provide exactly the same assurances that code signing would do. Exactly the same thing. It just happens to be that the industry has moved toward a CA model rather than a web of trust model. > But recall in all this that even when the PMC releases code, it is > signed by the individual RM, and not by the PMC itself. > Correct. But the concerns in the thread were about individual liability. Having an individual signature (whether GPG/PGP or Authenticode) certainly doesn't make the story any better. So I wonder if the best solution here is to make it clear in the language of the certificate that it is an "unofficial, convenience binary"? -Rob --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
