RFC: Signed JAR Packaging Policy

Jeffrey C. Ollie jeff at ocjtech.us
Tue Mar 13 01:13:41 UTC 2007


On Mon, 2007-03-12 at 23:13 +0100, Nicolas Mailhot wrote:
> On Monday, 12 March 2007 at 17:29 -0400, Simo Sorce wrote:
> > On Mon, 2007-03-12 at 16:33 -0400, Warren Togami wrote:
> > > Nicolas Mailhot wrote:
> > > > 
> > > > The problem is SUN controls the default certificate list in JVMs, and
> > > > it's reinitialised every time you update a vendor JVM, so in practical
> > > > terms only SUN-approved keys "just work".
> > > > 
> > > 
> > > This might have interesting consequences for Sun's plans to GPLv3 their 
> > > Java.
> > 
> > Why?
> > Is their own signature required for the package to work, and nothing
> > else will work even if rebuilt from scratch?
> 
> Commercial JVMs will barf if a crypto package is not signed with a
> SUN-approved certificate.

Won't commercial JVMs ship with their own signed binary crypto package?
Or alternatively, if you're willing to run a commercial JVM, you're
probably willing to go download the signed binary crypto package.

Jeff
