After this, please drop general@ On Aug 27, 2012, at 10:16 AM, Rob Weir <robw...@apache.org> wrote:
>> >> A signature does 2 things: >> >> 1. Ensures that no bits have been changed >> 2. That the bits come from a known (and trusted) entity. >> > > Almost. It doesn't guarantee trust. Sure it does. If something is signed by Bill or Ross, etc I trust that it came from them. Anything else is tangential to what a signature provides. > CA's don't require any specific > level of software quality assurance before they issue a certificate. > Any trust is implied by association with the identity of the signer. > So it is a brand association. This is similar to the association that > comes with association with a project's release announcement, or from > distribution via Apache mirrors, or links from Apache websites. These > all imply -- in one degree or another -- an association with Apache, > and the trust that flows from that. > > But what code signing does do is help protect ASF reputation. Huh? All it says is that these bits originated from this entity. If you trust that entity, then you can trust those bits. The "reputation" stuff is part of the release process, not the signing process. > By > having the binaries signed we can distance ourselves from those who > distribute versions of AOO with virus and malware attached. Again, > this is something you probably don't see in the server world, but it > is quite common with popular end-user open source software. Again... Huh??? WTF do you think we sign code, esp stuff destined for the server? So the end-user is ensured that the bits came from a trusted source. "Oh look, I found the Apache 2.4.3 source tarball on some warez site signed by 'Ben Dover' who has an unknown key. Looks good to me. Think I'll install it on my website" > > So trust (reputation) is important. But we're already seeing that > trust and reputation can be hurt by lack of code signing. We. Sign. Code. So I'm again unsure what the issue is... it sounds like we're talking in circles. Can we have a real-world example? From my understanding, Apple's App Store is likely the most onerous situation. So what, right now, is "broken" with the AOO release process as related to the App Store and what would need to be done to "fix" it? If that's the wrong example, I'll take any other one. --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
