RFC: Signed JAR Packaging Policy

https://www.redhat.com/archives/fedora-extras-list/2007-February/msg00166.html
Red Hat's Directory Server team wants to add JSS to Fedora. But this is currently blocked, because the JSS JAR must be signed by an upstream key. This is currently not permissible under Fedora Packaging Guidelines for a few reasons:

- The binary signed by an external source is not built by us.
- We cannot build an exact duplicate in Fedora from sources (because of the binary signature.)
- Distribution of a signed binary could be in violation of the spirit, if not the letter of FOSS licenses or Free Software Guidelines. This may also become automatically incompatible with the GPLv3. I am not a legal expert so I don't fully understand the implications of this.

How do we handle this situation?

---------------------------------------------------------------
1) Build and Compare to At Least Prove Reproducible Equivalence
---------------------------------------------------------------
https://www.redhat.com/archives/fedora-extras-list/2007-February/msg00311.html
I theorized that it might be OK if we build the binary in Fedora, and compare it to the signed binary. If they match fully (except for the signature) then equivalence is proven. Throw away the built binary and use the signed binary in the payload RPM.

https://www.redhat.com/archives/fedora-extras-list/2007-February/msg00313.html
But this method is most likely not technically feasible.

It is also doubtful that this would qualify as Free Software.

---------------------------------------------------------------
2) Do Not Sign the Jar?
---------------------------------------------------------------
- Only local applications would use JSS.
- Those local applications (or the Java stack under it) could somehow choose to ignore the JAR's signature.
- We shouldn't worry about this, because JSS (and those local apps) would be distributed themselves in signed RPMS.

Only apps controlled by Red Hat may be able to use an unsigned JSS, by using JSS directly instead of going through JCA. This makes it fine for Fedora, RHEL and other flexible FOSS software, but 3rd party apps might not be compatible.

Theoretically, 3rd party apps could use a second copy of the JSS JAR that is the upstream signed binary. Red Hat could even provide that somewhere on the side so users have something consistent. It just won't ship in Fedora proper.

So, two JSS JARs are possible for parallel install.
- FOSS JSS (unsigned)
- JSS (signed, but not in Fedora)

Discuss feasibility?

Warren Togami
wtogami@xxxxxxxxxx

--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers
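
The build-and-compare check from option 1, sketched as an added example that is not part of the original message or of any Fedora tooling: it hashes every entry of a locally built JAR and of the signed JAR, skipping the signature files and the per-entry digest sections that signing adds to the manifest. The entry names, signer file names and JAR contents are constructed samples, and the comparison covers entry content only, not zip metadata such as timestamps.

```python
import hashlib
import io
import re
import zipfile

# Signature artefacts a signed JAR carries under META-INF/ (per the JAR file specification).
SIG_FILE = re.compile(r"^META-INF/(?:[^/]+\.(?:SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)
MANIFEST = "META-INF/MANIFEST.MF"

def main_manifest_section(data: bytes) -> bytes:
    """Keep only the manifest's main section; per-entry sections hold the digests added by signing."""
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return text.split(b"\n\n", 1)[0].strip()

def payload_digests(jar_bytes: bytes) -> dict:
    """Map entry name -> SHA-256 of its content, ignoring signature artefacts."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or SIG_FILE.match(info.filename):
                continue
            data = jar.read(info)
            if info.filename.upper() == MANIFEST:
                data = main_manifest_section(data)
            digests[info.filename] = hashlib.sha256(data).hexdigest()
    return digests

def compare_jars(built: bytes, signed: bytes) -> list:
    """Return the sorted entry names whose content differs or that exist in only one JAR."""
    a, b = payload_digests(built), payload_digests(signed)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))

def make_jar(entries: dict) -> bytes:
    """Build a small JAR in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a locally built JAR and a "signed" copy of the same class file.
CLASS = b"\xca\xfe\xba\xbe constructed class bytes"
BUILT = make_jar({MANIFEST: b"Manifest-Version: 1.0\r\n\r\n", "org/example/A.class": CLASS})
SIGNED = make_jar({
    MANIFEST: b"Manifest-Version: 1.0\r\n\r\nName: org/example/A.class\r\nSHA-256-Digest: AAAA\r\n\r\n",
    "META-INF/SIGNER.SF": b"constructed", "META-INF/SIGNER.RSA": b"constructed",
    "org/example/A.class": CLASS,
})
```

An empty list from `compare_jars(BUILT, SIGNED)` means the two JARs carry the same payload apart from the signature; any name in the list is an entry that would have to be explained before the signed binary could be treated as equivalent.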
