RFC: Signed JAR Packaging Policy

Nicolas Mailhot nicolas.mailhot at laposte.net
Mon Mar 12 18:56:33 UTC 2007


On Monday 12 March 2007 at 14:46 -0400, Jesse Keating wrote:
> On Monday 12 March 2007 14:28:25 Warren Togami wrote:
> > https://www.redhat.com/archives/fedora-extras-list/2007-February/msg00166.html
> > Red Hat's Directory Server team wants to add JSS to Fedora.  But this is
> > currently blocked, because the JSS JAR must be signed by an upstream key.
> 
> How does this work for pure end users that want to build / deploy?  Are they 
> completely unable to sign the jar themselves?  Could we ship an unsigned jar, 
> allow the end user to sign the jar using whatever method they need to?

The problem is SUN controls the default certificate list in jvms, and
it's reinitialised every time you update a vendor jvm, so in practical
terms only SUN-approved keys "just work".

Even if a user could authorise his own or Fedora's certificate (not sure
he can), remembering to do it after every update is just too much hassle.

gcj could of course ignore this, but knowing one can switch to a
proprietary jvm any time goes a long way to reassure users.

-- 
Nicolas Mailhot



