On Thu, Aug 20, 2015 at 1:06 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> There are some special things here we do have absolute control over. If a
> project wants to provide the 'official' build, why not start signing the
> .jar?

Good idea, but to be practical to users, the certificate for the signing needs to be part of the certificate chain of the JVM (otherwise those would need to be installed on every host).

I don't know how willing infra would be to support PKI at ASF for this, otherwise many projects will be limited due to cost (I could be wrong by now and there are totally free CAs).

Cheers
--
Niclas Hedhman, Software Developer
http://zest.apache.org - New Energy for Java
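As an added illustration of the trust-chain point made in the reply above (example code written for this page, not from the Zest project or from anyone in the thread): a small Java check that verifies a jar's signatures and then tests whether each signer's certificate path validates against the trust anchors the running JVM already ships with in its default trust store. If the signer was issued by a CA the JVM does not know, validation fails, which is exactly the case where the CA would have to be installed on every host. The class name `JarTrustCheck` and the choice to disable revocation checking (so it runs offline) are assumptions of this example.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class JarTrustCheck {

    /** Collect the trust anchors the running JVM ships with (its default trust store, usually cacerts). */
    static Set<TrustAnchor> jvmTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore = the JVM's default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate root : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(root, null));
                }
            }
        }
        return anchors;
    }

    /** True only if every non-META-INF entry is signed and every signer chains to a JVM trust anchor. */
    static boolean allSignersTrusted(String jarPath) throws Exception {
        Set<TrustAnchor> anchors = jvmTrustAnchors();
        Set<Certificate> anchorCerts = new HashSet<>();
        for (TrustAnchor a : anchors) {
            anchorCerts.add(a.getTrustedCert());
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: offline check; enable revocation for real deployments
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        byte[] buf = new byte[8192];

        try (JarFile jar = new JarFile(jarPath, true)) { // true = verify signatures while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Signer information is only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain; a bad signature throws SecurityException here */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    System.out.println("UNSIGNED: " + entry.getName());
                    return false;
                }
                for (CodeSigner signer : signers) {
                    CertPath path = signer.getSignerCertPath();
                    // Drop any certificate that is itself a trust anchor; PKIX paths end just below the anchor.
                    List<Certificate> chain = new ArrayList<>();
                    for (Certificate c : path.getCertificates()) {
                        if (!anchorCerts.contains(c)) {
                            chain.add(c);
                        }
                    }
                    if (chain.isEmpty()) {
                        continue; // signer certificate is a trust anchor itself
                    }
                    X509Certificate leaf = (X509Certificate) chain.get(0);
                    try {
                        validator.validate(cf.generateCertPath(chain), params);
                    } catch (CertPathValidatorException e) {
                        System.out.println("UNTRUSTED signer " + leaf.getSubjectX500Principal()
                            + " on " + entry.getName() + ": " + e.getMessage());
                        return false;
                    }
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarTrustCheck <file.jar>");
            System.exit(2);
        }
        boolean ok = allSignersTrusted(args[0]);
        System.out.println(ok
            ? "OK: every signer chains to the JVM trust store"
            : "FAIL: signer CA is not in the JVM trust store; it would have to be installed on every host");
        System.exit(ok ? 0 : 1);
    }
}
```

The same check is available from the command line as `jarsigner -verify -strict -verbose -certs file.jar`, which validates the signer chain against the JDK's default trust store and reports a chain that does not validate; the class above makes the trust-anchor step explicit so it is clear which CA would need to be present on each host.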