RFC: Signed JAR Packaging Policy

Gary Benson gbenson at redhat.com
Tue Mar 13 18:51:13 UTC 2007


Rob Crittenden wrote:
> Gary Benson wrote:
> > I'd argue that Warren's two-step build doesn't screw over CentOS,
> > or anyone else for that matter.  Anyone wanting to rebuild could
> > simply rebuild (steps 3-5).  Anyone wanting to modify would get
> > their own key from Sun and do the full two-step thing (steps 1-5).
> > There's even a refinement in that jarfile signatures are not
> > rigidly bound to their jars, so rather than shipping an entire jar
> > in the source rpm we could simply bundle the signature information
> > and insert that into the jar we built.
> 
> This is assuming that the jar we build is identical to the Mozilla
> jar without the signature, right?

No.  Warren's idea was this one:
https://www.redhat.com/archives/fedora-maintainers/2007-March/msg00446.html

Cheers,
Gary
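
An added illustration, not part of the thread and not Fedora or Mozilla tooling, of the quoted refinement of bundling only the signature information and inserting it into a locally built jar. A jar's signature lives in its META-INF entries, and MANIFEST.MF records a digest per file, so this sketch compares a rebuilt jar against those digests before copying the signature entries in. The jar contents, the KEY.SF/KEY.RSA names and the placeholder signature bytes are constructed, the helper names are hypothetical, and the signature block itself is not cryptographically verified.

```python
import base64, hashlib, io, re, zipfile
# Signature-related entries: the manifest plus signature file/block pairs.
SIG = re.compile(r"META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.I)

def make_jar(files):
    """Build an in-memory jar from {name: bytes} (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def read_jar(jar):
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        return {n: z.read(n) for n in z.namelist() if not n.endswith("/")}

def manifest_digests(manifest):
    """Map entry name -> (hashlib name, digest) from MANIFEST.MF per-entry sections."""
    text = manifest.decode().replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    found = {}
    for section in text.split("\n\n")[1:]:  # section 0 holds the main attributes
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        for key, val in attrs.items():
            if key.endswith("-Digest") and "Name" in attrs:
                found[attrs["Name"]] = (key[:-7].replace("-", "").lower(), base64.b64decode(val))
    return found

def mismatches(signed_jar, rebuilt_jar):
    """Rebuilt entries that are unsigned, missing, or differ from the signed digests."""
    want = manifest_digests(read_jar(signed_jar)["META-INF/MANIFEST.MF"])
    have = {n: d for n, d in read_jar(rebuilt_jar).items() if not SIG.match(n)}
    bad = set(have) - set(want)
    bad |= {n for n, (alg, dig) in want.items()
            if n not in have or hashlib.new(alg, have[n]).digest() != dig}
    return sorted(bad)

def transplant(signed_jar, rebuilt_jar):
    """Copy the signature entries into the rebuilt jar; refuse if any digest differs."""
    if mismatches(signed_jar, rebuilt_jar):
        raise ValueError("rebuilt contents do not match the signed manifest")
    sig = {n: d for n, d in read_jar(signed_jar).items() if SIG.match(n)}
    body = {n: d for n, d in read_jar(rebuilt_jar).items() if not SIG.match(n)}
    return make_jar({**sig, **body})

# Constructed sample: one class file, a manifest with its digest, placeholder signature.
CLASS = b"\xca\xfe\xba\xbe constructed class bytes"
MF = ("Manifest-Version: 1.0\r\n\r\nName: a/Foo.class\r\nSHA-256-Digest: "
      + base64.b64encode(hashlib.sha256(CLASS).digest()).decode() + "\r\n\r\n").encode()
SIGNED = make_jar({"META-INF/MANIFEST.MF": MF, "META-INF/KEY.SF": b"placeholder",
                   "META-INF/KEY.RSA": b"placeholder", "a/Foo.class": CLASS})
```

`mismatches(SIGNED, rebuilt)` returns an empty list only when every rebuilt file hashes to the value in the signed manifest; `transplant` raises `ValueError` otherwise.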



