[orbit-dev] To sign or not to sign? .... is that a question?


Have we decided this issue in Orbit? I vaguely remember talking about it, but don't recall a decision.  And, thinking about it now, I could see doing it or not doing it; I sort of lean towards not doing it.

Reasons Orbit should sign:

        It could be argued that "every bundle produced by Eclipse should be signed by Eclipse".
               
        If we leave it up to the projects to sign or not to sign, there would be bundles "in the wild" that had the same version and qualifier, but one was signed and one was not (not sure this is bad .. just confusing).



Reasons Orbit should not sign:

        Orbit essentially produces bundles for the projects, and it's up to the projects to sign them, before they distribute them.  Orbit itself doesn't distribute these bundles, in the normal sense of the word.

        There might be some, hopefully rare, cases where a bundle cannot be signed, at least for some particular project, if it would result in an excessive performance penalty, which can happen if it has its own classloader ... and we know several third-party bundles do have their own class loaders.



Any other opinions, or arguments pro or con?  Or ... pointers to where this has already been decided?!

Thanks,
