Rex Dieter wrote:
Per

RFC: Signed JAR Packaging Policy http://lwn.net/Articles/225981/
Review Request: jss - Java Security Services (JSS),
http://bugzilla.redhat.com/230262

The "jar signing issue" is something we'll have to address somehow
sooner or later. IMO, it can/should be considered on the same level
as Fedora's signed rpms.

<crazy_idea>
Maybe Fedora could have some sort of fedora-ca-keys pkg containing
Java CAs that's *only* available to the buildsys (i.e., private,
similar to Fedora's rpm keys). We could also provide some sort of
dummy fedora-ca-keys pkg in our public repos (or some other means for
folks to generate/create their own ca-keys-containing pkg) to satisfy
the reproducibility(*) issue.
</crazy_idea>

Duh, my bad for not actually re-reading the *whole* previous thread.
spot pointed out that only "companies" can ask Sun for CAs, and that
Fedora wouldn't qualify. But, hey, why not try and ask anyway? The
worst that can happen is that Sun says no, in which case, what's so evil
about using a "Red Hat" Java CA? Regardless, for lack of a CA cert to
work with, this discussion is moot.

-- Rex
--
Fedora-packaging mailing list
Fedora-packaging@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-packaging