[Fedora-packaging] RFC: Signed JAR Packaging Policy

Rex Dieter rdieter at math.unl.edu
Thu May 10 05:04:00 UTC 2007

Rex Dieter wrote:
> Per
> RFC: Signed JAR Packaging Policy http://lwn.net/Articles/225981/
> Review Request: jss - Java Security Services (JSS), 
> http://bugzilla.redhat.com/230262
> The "jar signing issue" is something we'll have to address somehow 
> sooner or later.  IMO, it can/should be considered on the same level 
> as Fedora's signed rpms.
> <crazy_idea>
> Maybe fedora could have some sort of fedora-ca-keys pkg containing 
> Java CAs that's *only* available to the buildsys (i.e., private, 
> similar to fedora's rpm keys).   We could also provide some sort of 
> dummy fedora-ca-keys pkg in our public repos (or some other means for 
> folks to generate/create their own ca-keys-containing pkg) to satisfy 
> the reproducibility(*) issue.
> </crazy_idea>

Duh, my bad for not actually re-reading the *whole* previous thread. 
spot pointed out that only "companies" can ask Sun for CAs, and that 
Fedora wouldn't qualify.  But, hey, why not try and ask anyway?  The 
worst that can happen is that Sun says no, in which case, what's so evil 
about using a "Red Hat" Java CA?  Regardless, for lack of a CA cert to 
work with, this discussion is moot.

-- Rex

