[Fedora-packaging] RFC: Signed JAR Packaging Policy

Rex Dieter rdieter at math.unl.edu
Thu May 10 04:48:39 UTC 2007

RFC: Signed JAR Packaging Policy http://lwn.net/Articles/225981/
Review Request: jss - Java Security Services (JSS), 

The "jar signing issue" is something we'll have to address somehow 
sooner or later.  IMO, it can/should be considered on the same level as 
Fedora's signed rpms.

Maybe Fedora could have some sort of fedora-ca-keys pkg containing Java 
CAs that's *only* available to the buildsys (i.e., private, similar to 
Fedora's rpm keys).  We could also provide some sort of dummy 
fedora-ca-keys pkg in our public repos (or some other means for folks to 
generate/create their own ca-keys-containing pkg) to satisfy the 
reproducibility(*) issue.


-- Rex

(*) reproducible in that you could build signed jars, but they wouldn't 
be identical, obviously.
