RFC: Signed JAR Packaging Policy
Richard Megginson
rmeggins at redhat.com
Mon Mar 12 21:16:58 UTC 2007
Jesse Keating wrote:
> On Monday 12 March 2007 17:02:06 Matthew Miller wrote:
>
>> On Mon, Mar 12, 2007 at 04:57:45PM -0400, Warren Togami wrote:
>>
>>> Why this is bad?
>>> It still is not fully reproducible in a sense that other people can't
>>> take our source, modify it slightly, and make a Sun-blessed JSS JAR.
>>>
>> I'm really against it. At the very least, it screws over CentOS. This a bad
>> path to be going down.
>>
>> I'd much prefer gcj and the future Fedora-shipped implementation of the Sun
>> JVM to make it easy to use self-generated certificates. If someone wants to
>> install a proprietary JVM, let's make _that_ the hard case.
>>
>
> I agree. How much fun would it be if apache suddenly decided to not function
> with self signed certs and any cert you used had to come from verasign ?
>
A radical way to do this would be for Fedora to acquire a signing cert
from Sun, and redistribute the key and cert with the JSS package.
Plus: Anyone would be able to build and redistribute JSS, and it would
load into any Java JCE implementation which required a signed jar.
Minus: Anyone would be able to build and sign _any_ jar and claim that
it was from Fedora, which would completely defeat the purpose of JCE, as
well as any other application which required jar signing. For example,
I download a random Java applet into my browser, and the dialog box pops
up which says "This jar file was signed by the Fedora Completely
Untrustworthy Key. Do you Accept or Decline to run this jar?" I don't
exactly know what Sun would do if such a thing were to be unleashed into
the wild . . .
>
> ------------------------------------------------------------------------
>
> --
> Fedora-maintainers mailing list
> Fedora-maintainers at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-maintainers
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-maintainers/attachments/20070312/7d9e3fc8/attachment.bin>
More information about the Fedora-maintainers
mailing list