RFC: Signed JAR Packaging Policy

Warren Togami wtogami at redhat.com
Mon Mar 12 18:28:25 UTC 2007


https://www.redhat.com/archives/fedora-extras-list/2007-February/msg00166.html
Red Hat's Directory Server team wants to add JSS to Fedora.  But this is 
currently blocked, because the JSS JAR must be signed by an upstream 
key.  This is currently not permissible under Fedora Packaging 
Guidelines for a few reasons:

- The binary signed by an external source is not built by us.
- We cannot build an exact duplicate in Fedora from sources (because of 
the binary signature.)
- Distribution of a signed binary could be in violation of the spirit, 
if not the letter of FOSS licenses or Free Software Guidelines.  This 
may also become automatically incompatible with the GPLv3.  I am not a 
legal expert so I don't fully understand the implications of this.

How do we handle this situation?

---------------------------------------------------------------
1) Build and Compare to At Least Prove Reproducible Equivalence
---------------------------------------------------------------
https://www.redhat.com/archives/fedora-extras-list/2007-February/msg00311.html
I theorized that it might be OK if we build the binary in Fedora, and 
compare it to the signed binary.  If they match fully (except for the 
signature) then equivalence is proven.  Throw away the built binary and 
use the signed binary in the payload RPM.

https://www.redhat.com/archives/fedora-extras-list/2007-February/msg00313.html
But this method is most likely not technically feasible.

It is also doubtful that this would qualify as Free Software.

---------------------------------------------------------------
2) Do Not Sign the Jar?
---------------------------------------------------------------
- Only local applications would use JSS.
- Those local applications (or the Java stack under it) could somehow 
choose to ignore the JAR's signature.
- We shouldn't worry about this, because JSS (and those local apps) 
would be distributed themselves in signed RPMS.

Only apps controlled by Red Hat may be able to use an unsigned JSS, by 
using JSS directly instead of going through JCA.  This makes it fine for 
Fedora, RHEL and other flexible FOSS software, but 3rd party apps might 
not be compatible.

Theoretically, 3rd party apps could use a second copy of the JSS JAR 
that is the upstream signed binary.  Red Hat could even provide that 
somewhere on the side so users have something consistent.  It just won't 
ship in Fedora proper.

So, two JSS JARs are possible for parallel install.
- FOSS JSS (unsigned)
- JSS (signed, but not in Fedora)

Discuss feasibility?

Warren Togami
wtogami at redhat.com
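
What "match fully (except for the signature)" in option 1 would mean as a check, as an added example that is not part of the original message: compare a locally built JAR with a signed one while ignoring the files and manifest sections that JAR signing adds. The function names and the sample entries are hypothetical, and comparing only the manifest's main section is a simplifying assumption.

```python
import hashlib
import io
import re
import zipfile

# Files that JAR signing adds under META-INF/ (signature file and signature block).
SIG_FILE = re.compile(r"^META-INF/(SIG-[^/]*|[^/]+\.(SF|RSA|DSA|EC))$", re.IGNORECASE)
MANIFEST = "META-INF/MANIFEST.MF"

def manifest_main_section(data: bytes) -> bytes:
    """Keep only the main section; signing adds per-entry digest sections after it."""
    text = data.replace(b"\r\n", b"\n")
    return text.split(b"\n\n", 1)[0].strip()

def payload_digests(jar) -> dict:
    """Map entry name -> SHA-256 of its content, skipping signature artifacts."""
    digests = {}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if info.is_dir() or SIG_FILE.match(info.filename):
                continue
            data = zf.read(info)
            if info.filename == MANIFEST:
                data = manifest_main_section(data)
            digests[info.filename] = hashlib.sha256(data).hexdigest()
    return digests

def compare_jars(built, signed) -> dict:
    """Report entries missing on either side and entries whose bytes differ."""
    a, b = payload_digests(built), payload_digests(signed)
    return {
        "only_in_built": sorted(a.keys() - b.keys()),
        "only_in_signed": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def equivalent(built, signed) -> bool:
    """True only when every non-signature entry is byte-identical."""
    return not any(compare_jars(built, signed).values())

def make_jar(entries: dict) -> io.BytesIO:
    """Constructed sample input: build an in-memory JAR from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf
```

The comparison is on decompressed entry bytes, so ZIP-level differences such as timestamps, entry order and compression level do not count as mismatches; a different compiler version producing different class bytes does.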



