RFC: Signed JAR Packaging Policy

Warren Togami wtogami at redhat.com
Mon Mar 12 20:57:45 UTC 2007


Rob Crittenden wrote:
>>
>> SUN has been known to bless third-party signing certificates provided
>> their use was restricted to a well-defined entity. So a Red Hat
>> certificate is a possibility. A Fedora one would conflict with the
>> project charter.
>>
> 
> Right. A signing certificate can be requested by filling this out and 
> faxing it to Sun:
> 
> http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CertForm.txt 
> 
> 
> What their policies are for issuing certificates I don't know.
> 

https://www.redhat.com/archives/fedora-extras-list/2007-February/msg00311.html
This plan might work then, with slight modification.

1) Fedora spec file builds the JAR from sources as an intermediate binary 
output (using a boolean in the spec or something).
2) Red Hat has a Sun blessed signing key, signing that intermediate binary.
3) In the actual package build: Fedora SRPM contains both the original 
source and the signed binary from step #2.  Build again.
4) Compare the signed JAR to the new JAR, to be sure that they match in 
all ways except the signature.
5) IF THEY MATCH, throw away the built copy and ship the signed JAR.

Why is this good?
The shipping binary is confirmed to be reproducible from source.  Red 
Hat is clearly not holding anything back, no secrets.

Why is this bad?
It still is not fully reproducible in the sense that other people can't 
take our source, modify it slightly, and make a Sun-blessed JSS JAR.

The key question:
Is this acceptable to the Fedora Project?  How do we draw *our* line 
between acts that promote and hurt freedom?

In my personal opinion, we should just allow very narrowly defined cases 
like this.  Why?

- Fedora already disagrees with the FSF's position against independent, 
closed firmware.  (Fedora *is* firmly against closed drivers or GPL 
flouting like ipw3945).  We are already "impure" by their arguably 
extreme standards.  They are free to have their own opinion, we are free 
to have our own differing opinion.
- This violates nobody's copyrights (except maybe later with GPLv3...)
- This promotes the spirit of FOSS's ideals without compromising on 
those ideals.

Thoughts?

Warren Togami
wtogami at redhat.com
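Step 4 of the plan above ("compare the signed JAR to the new JAR, to be sure that they match in all ways except the signature") is the part a packager actually has to implement, and it is easy to get wrong in either direction: a naive byte comparison of the two files always fails (zip timestamps and the signature entries differ), while skipping META-INF wholesale would also skip the manifest and let a modified entry list through. The check below is an added example, not code from the original post, from Fedora or from Red Hat. It assumes only what a standard jarsigner signature adds to a JAR: a META-INF/<ALIAS>.SF file, a META-INF/<ALIAS>.RSA (or .DSA/.EC) signature block, and per-entry *-Digest attributes in META-INF/MANIFEST.MF. The sample JARs, class bytes and the "signed" copy are constructed in-memory data; no key or certificate is involved, and the hypothetical alias "REDHAT" is just a name.

```python
"""Compare a signed JAR against an unsigned rebuild, ignoring only the signature.

Added example (not the original post's code).  Assumption: a jarsigner signature
touches exactly META-INF/<ALIAS>.SF, META-INF/<ALIAS>.RSA|.DSA|.EC and the
*-Digest attributes in META-INF/MANIFEST.MF.  Zip metadata (timestamps, entry
order, compression level) is deliberately ignored; entry names and contents are not.
"""
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True only for a top-level META-INF signature file or signature block."""
    up = name.upper()
    return up.startswith("META-INF/") and up.count("/") == 1 and up.endswith(SIGNATURE_SUFFIXES)


def parse_manifest(data):
    """Return (main attributes, {Name: attributes}); joins JAR continuation lines."""
    lines = []
    for line in data.decode("utf-8").splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # continuation of the previous attribute
        else:
            lines.append(line)
    sections = [{}]
    for line in lines:
        if not line:  # blank line ends a section
            if sections[-1]:
                sections.append({})
            continue
        key, _, value = line.partition(":")
        sections[-1][key.strip()] = value.strip()
    return sections[0], {s.get("Name"): s for s in sections[1:] if s}


def manifest_without_digests(data):
    """Drop *-Digest attributes and any section left with nothing but its Name."""
    main, named = parse_manifest(data)
    kept = {}
    for name, attrs in named.items():
        rest = {k: v for k, v in attrs.items() if not k.endswith("-Digest")}
        if len(rest) > 1:
            kept[name] = rest
    return main, kept


def compare_jars(signed_bytes, unsigned_bytes):
    """List of differences; empty means 'identical except for the signature'.
    The unsigned rebuild is expected to carry a MANIFEST.MF (the jar tool writes one)."""
    diffs = []
    with zipfile.ZipFile(io.BytesIO(signed_bytes)) as s, \
         zipfile.ZipFile(io.BytesIO(unsigned_bytes)) as u:
        s_names = {n for n in s.namelist() if not is_signature_entry(n)}
        u_names = set(u.namelist())
        diffs += [f"missing from signed JAR: {n}" for n in sorted(u_names - s_names)]
        diffs += [f"extra entry in signed JAR: {n}" for n in sorted(s_names - u_names)]
        for n in sorted(s_names & u_names):
            a, b = s.read(n), u.read(n)
            if n == MANIFEST:
                if manifest_without_digests(a) != manifest_without_digests(b):
                    diffs.append("MANIFEST.MF differs beyond digest attributes")
            elif a != b:
                diffs.append(f"content differs: {n}")
    return diffs


# Constructed sample data: a tiny unsigned JAR (no real class files).
UNSIGNED_ENTRIES = {
    MANIFEST: b"Manifest-Version: 1.0\r\nCreated-By: 1.6.0 (Sun Microsystems Inc.)\r\n\r\n",
    "org/example/Foo.class": b"\xca\xfe\xba\xbe constructed class bytes 1",
    "org/example/util/Bar.class": b"\xca\xfe\xba\xbe constructed class bytes 2",
}


def build_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sign_jar_shape_only(jar_bytes, alias="REDHAT"):
    """Reproduce the *structure* jarsigner leaves behind: digests appended to the
    manifest, an .SF file and a placeholder .RSA block.  No key is involved."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = {n: zf.read(n) for n in zf.namelist()}
    manifest, sf = entries[MANIFEST], b"Signature-Version: 1.0\r\n\r\n"
    for name, data in entries.items():
        if name != MANIFEST:
            section = b"Name: %s\r\nSHA-256-Digest: %s\r\n\r\n" % (
                name.encode(), base64.b64encode(hashlib.sha256(data).digest()))
            manifest, sf = manifest + section, sf + section
    entries[MANIFEST] = manifest
    entries[f"META-INF/{alias}.SF"] = sf
    entries[f"META-INF/{alias}.RSA"] = b"\x30\x82 constructed placeholder PKCS#7 block"
    return build_jar(entries)


if __name__ == "__main__":
    signed = sign_jar_shape_only(build_jar(UNSIGNED_ENTRIES))
    rebuilt = build_jar(dict(reversed(list(UNSIGNED_ENTRIES.items()))))  # step 3
    print("match except signature:", compare_jars(signed, rebuilt) == [])  # step 4
```

Two caveats for anyone wiring this into a spec file: this is only the equality check of step 4; whether the signature itself is valid and chains to the Sun-blessed certificate is a separate check (jarsigner -verify), and a rebuild with a different javac release can legitimately produce different class bytes, in which case the comparison fails and the intermediate JAR has to be re-signed rather than the check loosened.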




More information about the Fedora-maintainers mailing list