Rob Crittenden wrote:
SUN has been known to bless third-party signing certificates provided
their use was restricted to a well-defined entity. So a Red Hat
certificate is a possibility. A Fedora one would conflict with the
project charter.
Right. A signing certificate can be requested by filling this out and
faxing it to Sun:
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CertForm.txt
What their policies are for issuing certificates I don't know.
https://www.redhat.com/archives/fedora-extras-list/2007-February/msg00311.html
This plan might work then, with slight modification.
1) Fedora spec file builds the JAR from sources, intermediate binary
output (using a boolean in the spec or something).
2) Red Hat has a Sun blessed signing key, signing that intermediate binary.
3) In the actual package build: Fedora SRPM contains both the original
source and the signed binary from step #2. Build again.
4) Compare the signed JAR to the new JAR, to be sure that they match in
all ways except the signature.
5) IF THEY MATCH, throw away the built copy and ship the signed JAR.
Why this is good?
The shipping binary is confirmed to be reproducible from source. Red
Hat is clearly not holding anything back, no secrets.
Why this is bad?
It still is not fully reproducible in a sense that other people can't
take our source, modify it slightly, and make a Sun-blessed JSS JAR.
The key question:
Is this acceptable to the Fedora Project? How do we draw *our* line
between acts that promote and hurt freedom?
In my personal opinion, we should just allow very narrowly defined cases
like this. Why?
- Fedora already disagrees with the FSF's position against independent,
closed firmware. (Fedora *is* firmly against closed drivers or GPL
flaunting like ipw3945). We are already "impure" by their arguably
extreme standards. They are free to have their own opinion, we are free
to have our own differing opinion.
- This violates nobody's copyrights (except maybe later with GPLv3...)
- This promotes the spirit of FOSS's ideals without compromising on
those ideals.
Thoughts?
Warren Togami
wtogami@xxxxxxxxxx
--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers
--
Fedora-maintainers-readonly mailing list
Fedora-maintainers-readonly@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers-readonly
