[Fedora-packaging] Re: java: building from source vs signed .jar's

Axel Thimm Axel.Thimm at ATrpms.net
Mon Feb 18 19:55:27 UTC 2008


On Mon, Feb 18, 2008 at 02:36:04PM -0500, Tom spot Callaway wrote:
> 
> On Mon, 2008-02-18 at 20:53 +0200, Axel Thimm wrote:
> > On Mon, Feb 18, 2008 at 12:28:47PM -0500, Jesse Keating wrote:
> > > Also I think the problem here is that there is a cert system that is
> > > being held hostage by Sun, and nobody else gets to play.  This is worse
> > > than the current web cert games we play with browsers.
> > 
> > Can't we add a Fedora certificate to the distribution with a private
> > key only the builders have access to? And maybe only for a whitelist
> > of packages that the FPC would approve?
> > 
> > As a short term solution for the geogebra case we could ship it
> > unsigned until we have a procedure in place (of course all self-built
> > from source).
> 
> Not an expert here, but I think that many browsers will refuse to run
> unsigned java bits.

They will issue a warning and let the user decide. There are quite a
lot of appliances w/o a trusted key or not signed at all in routers,
switches, kvm boxes etc. that fall into this category.
-- 
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-packaging/attachments/20080218/34077e89/attachment.sig>


More information about the Fedora-packaging mailing list