Re: [ecd-pmc] Questions regarding signing for Che

That's a fair question. A more general discussion of signing fits well in the incubation mailing list. I'm a little preoccupied with moving discussions there.

While Stevan's proposal may make sense (I don't think it does), the rationale does not. "those have already valid IP Check and proper CQs." is orthogonal to the decision of whether or not to sign. The IP check is concerned with vetting source code coming into the project. Signing is the means by which you give confidence to a consumer that the built bits actually come from eclipse.org.

Wayne

On 15/03/16 12:03 PM, Tyler Jewell wrote:
If this is a PMC discussion, then why move to incubation@xxxxxxxxxxx?

As a PMC member, I am ok with Stevan's proposal. If there are other views from PMC, let's discuss those here.

Tyler Jewell | CEO | tyler@ ​codenvy.​com | 9​ 78​.8​84​.53​55


On Tue, Mar 15, 2016 at 8:55 AM, Wayne Beaton <wayne@xxxxxxxxxxx> wrote:
TL;DR: the EMO believes that all JARs should be signed unless there is some technical reason that makes signing either impossible or undesirable.

The IP Team isn't directly concerned about JAR signing; their focus is on the source code (i.e. the input, not the output). This is more of a technical implementation/dissemination concern which is absolutely within the scope of a PMC to provide advice regarding what should and should not (or can and cannot) be signed.

Having said that, this question may be better suited for incubation@xxxxxxxxxxx mailing list. If everything has gone according to plan, you should both already be members of that list and I invite you to move any follow up discussion there.

HTH,

Wayne


On 15/03/16 08:10 AM, Tyler Jewell wrote:
Stevan:

Is this question for the pmc?   Usually the role of the pmc is to only +1 or -1 a specific cq or release plan.  I do not see how the pmc is structured to answer a question that has shades of gray and a range of potential answers.

I would expect the ip team at eclipse to tell the pmc the expectations.

-Tyler




On Tue, Mar 15, 2016 at 3:53 AM -0700, "Stevan Le Meur" <stevan.lemeur@xxxxxxxxx> wrote:

Dear PMC,

We had a discussion this morning with Mikael about the signing procedure we should follow for Che.

As you know Che is a bit different from other Eclipse projects, in the sense that we have bundle archives with a lot of JARs:
(1)- most of the JARs are ours, and those JARs should definitely be signed;
(2)- we are bundling other JARs from third parties, such as Tomcat for example; those already have a valid IP Check and proper CQs.

The question we have is how far we should go in the process of signing the JARs that we have in our bundled archives.
Should we sign the third-party JARs (2), or will signing only our own JARs (1) be enough?

Thanks in advance,

Stévan
_______________________________________________
ecd-pmc mailing list
ecd-pmc@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/ecd-pmc



--
Wayne Beaton
@waynebeaton
The Eclipse Foundation
EclipseCon NA 2016
