Re: RFC: Signed JAR Packaging Policy

Rob Crittenden wrote:

SUN has been known to bless third-party signing certificates provided
their use was restricted to a well-defined entity. So a Red Hat
certificate is a possibility. A Fedora one would conflict with the
project charter.


Right. A signing certificate can be requested by filling this out and faxing it to Sun:

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CertForm.txt

What their policies are for issuing certificates I don't know.


https://www.redhat.com/archives/fedora-extras-list/2007-February/msg00311.html
This plan might work then, with slight modification.

1) Fedora spec file builds the JAR from sources, intermediate binary output (using a boolean in the spec or something).
2) Red Hat has a Sun blessed signing key, signing that intermediate binary.
3) In the actual package build: Fedora SRPM contains both the original source and the signed binary from step #2. Build again.
4) Compare the signed JAR to the new JAR, to be sure that they match in all ways except the signature.
5) IF THEY MATCH, throw away the built copy and ship the signed JAR.

Why this is good?
The shipping binary is confirmed to be reproducible from source. Red Hat is clearly not holding anything back, no secrets.

Why this is bad?
It still is not fully reproducible in a sense that other people can't take our source, modify it slightly, and make a Sun-blessed JSS JAR.

The key question:
Is this acceptable to the Fedora Project? How do we draw *our* line between acts that promote and hurt freedom?

In my personal opinion, we should just allow very narrowly defined cases like this. Why?

- Fedora already disagrees with the FSF's position against independent, closed firmware. (Fedora *is* firmly against closed drivers or GPL flaunting like ipw3945). We are already "impure" by their arguably extreme standards. They are free to have their own opinion, we are free to have our own differing opinion.
- This violates nobody's copyrights (except maybe later with GPLv3...)
- This promotes the spirit of FOSS's ideals without compromising on those ideals.

Thoughts?

Warren Togami
wtogami@xxxxxxxxxx

--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers

--
Fedora-maintainers-readonly mailing list
Fedora-maintainers-readonly@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers-readonly
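
The comparison in step 4 of the plan above, sketched as an added example (not code from the thread or from Fedora's build tooling). It treats the `META-INF/*.SF`, `*.RSA`, `*.DSA`, `*.EC` and `SIG-*` entries and the per-entry `*-Digest` manifest attributes as the only permitted differences; the entry names and sample JARs are constructed, and the rule that a manifest section left with only `Name:` was added for signing is an assumption.

```python
import hashlib
import io
import re
import zipfile

# Entries jarsigner adds under META-INF/: signature files and signature blocks.
SIG_ENTRY = re.compile(r"^META-INF/(SIG-[^/]*|[^/]+\.(SF|RSA|DSA|EC))$", re.I)
DIGEST_ATTR = re.compile(r"^[\w-]+-Digest(-[\w-]+)?:")

def manifest_core(data):
    """Strip what signing adds to MANIFEST.MF: per-entry *-Digest attributes."""
    text = data.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")
    kept = []
    for section in filter(str.strip, text.split("\n\n")):
        lines = [l for l in section.split("\n") if l and not DIGEST_ATTR.match(l)]
        # Assumption: a section left with only "Name:" existed solely for signing.
        if not (len(lines) == 1 and lines[0].startswith("Name:")):
            kept.append("\n".join(lines))
    return "\n\n".join(kept).encode("utf-8")

def payload_digests(jar_bytes):
    """Map entry name -> SHA-256 of content, ignoring signature material."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or SIG_ENTRY.match(info.filename):
                continue
            data = jar.read(info)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                data = manifest_core(data)
            out[info.filename] = hashlib.sha256(data).hexdigest()
    return out

def differing_entries(signed_jar, rebuilt_jar):
    """Names missing from one JAR or whose content differs; empty means ship."""
    a, b = payload_digests(signed_jar), payload_digests(rebuilt_jar)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def make_jar(entries):
    """Build an in-memory JAR from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample: the rebuilt JAR, and the same payload after signing.
MF = b"Manifest-Version: 1.0\r\n\r\n"
SIGNED_MF = MF + b"Name: org/example/A.class\r\nSHA-256-Digest: AAAA\r\n\r\n"
REBUILT = make_jar({"META-INF/MANIFEST.MF": MF, "org/example/A.class": b"\xca\xfe\xba\xbe v1"})
SIGNED = make_jar({"META-INF/MANIFEST.MF": SIGNED_MF, "META-INF/REDHAT.SF": b"sf",
                   "META-INF/REDHAT.RSA": b"sig", "org/example/A.class": b"\xca\xfe\xba\xbe v1"})
```

Class files only compare equal byte for byte when both builds use the same compiler and options, so a non-empty result can indicate either a real difference or a non-deterministic build.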
