[Fedora-packaging] RFC: Signed JAR Packaging Policy
Rex Dieter
rdieter at math.unl.edu
Thu May 10 05:04:00 UTC 2007
Rex Dieter wrote:
> Per
> RFC: Signed JAR Packaging Policy http://lwn.net/Articles/225981/
> Review Request: jss - Java Security Services (JSS),
> http://bugzilla.redhat.com/230262
>
> The "jar signing issue" is something we'll have to address somehow
> sooner or later. Imo, it can/should be considered on the same level
> as Fedora's signed rpms.
>
> <crazy_idea>
> Maybe fedora could have some sort of fedora-ca-keys pkg containing
> java CA's that's *only* available to the buildsys (ie, private,
> similar to fedora's rpm keys). We could also provide some sort of
> dummy fedora-ca-keys pkg in our public repos (or some other means for
> folks to generate/create their own ca-keys-containing pkg) to satisfy
> the reproducibility(*) issue.
> </crazy_idea>
>
Duh, my bad for not actually re-reading the *whole* previous thread.
spot pointed out that only "companies" can ask Sun for CA's, and that
Fedora wouldn't qualify. But, hey, why not try and ask anyway? The
worst that can happen is that Sun says no, in which case, what's so evil
about using a "Red Hat" java CA? Regardless, for lack of a CA cert to
work with, this discussion is moot.
-- Rex
More information about the Fedora-packaging
mailing list