Re: [eclipse.org-architecture-council] Is jar signing mandatory?

Wayne,

I'm happy that you kicked in.  I'm really uncomfortable with the notion that signing is merely an optional nice-to-have.  I.e., something we can skip because it's obviously easier not to bother, and that's okay, because it's not required.  To me signing is a security issue and a certification of origin.  We should not generally cut corners on such a thing.

Regards,
Ed


On 17.03.2020 18:40, Wayne Beaton wrote:
The EDP purposely avoids discussing any particular technology. You'll also notice no references to services that we consider to be "core" (Git repositories, issue trackers, dev lists, ...).

The notion of "core" services is supported by the principles (and the open source rules of engagement) that are described in the EDP. The handbook contains a list of those services that the EMO has determined to be core.

The handbook also says this about signing:

Where technically sensible, all downloadable artifacts should be signed by an Eclipse Foundation certificate.

It's not presented as a rule per se, so there's some wiggle room. We should probably harden this.

I don't think that there can be any controversy that a signed artifact must be signed by an EF certificate.

Less clear is how we interpret "technically sensible". My interpretation is that all release artifacts that can be signed, must be signed.

I believe that we can reasonably assert that it's okay for a project's incubation releases to be unsigned. I tend to consider signing to be a requirement for graduation (at the PMC's discretion, of course).

Wayne


On Mon, Mar 16, 2020 at 1:45 PM Mickael Istria <mistria@xxxxxxxxxx> wrote:
Hi all,

I looked at EDP and couldn't find a reference to Jar signing.
So do I get it right that there is no requirement for artifacts to be signed for a release? More particularly, for a 1st release of an incubating project that just joined Eclipse.org, is signing a real requirement or can it be added into a further release?

Thanks in advance.

--
Mickael Istria
Eclipse IDE developer, for Red Hat Developers
_______________________________________________
eclipse.org-architecture-council mailing list
eclipse.org-architecture-council@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council


--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation, Inc.

