Re: [ecd-pmc] Questions regarding signing for Che

Hey!

I think if the bundles/jars are being distributed as part of the project, those artifacts should all be signed.

This allows people to verify that they got the correct and right artifact and that nothing was compromised. For that it doesn't matter whether the JAR was built from the project's own source code or comes as a third-party JAR that is included in the product.

Just my 2 cents,
-Martin




> On 15.03.2016 at 19:38, Wayne Beaton <wayne@xxxxxxxxxxx> wrote:
> 
> That's a fair question. A more general discussion of signing fits well in the incubation mailing list. I'm a little preoccupied with moving discussions there.
> 
> While Stevan's proposal may make sense (I don't think it does), the rationale does not. "those have already valid IP Check and proper CQs." is orthogonal to the decision of whether or not to sign. The IP check is concerned with vetting source code coming into the project. Signing is the means by which you give confidence to a consumer that the built bits actually come from eclipse.org.
> 
> Wayne
> 
> On 15/03/16 12:03 PM, Tyler Jewell wrote:
>> If this is a PMC discussion, then why move to incubation@xxxxxxxxxxx?
>> 
>> As a PMC member, I am ok with Stevan's proposal. If there are other views from PMC, let's discuss those here.
>> 
>> Tyler Jewell | CEO | tyler@codenvy.com | 978.884.5355
>> 
>> 
>> On Tue, Mar 15, 2016 at 8:55 AM, Wayne Beaton <wayne@xxxxxxxxxxx> wrote:
>> TL;DR: the EMO believes that all JARs should be signed unless there is some technical reason that makes signing either impossible or undesirable.
>> 
>> The IP Team isn't directly concerned about JAR signing; their focus is on the source code (i.e. the input, not the output). This is more of a technical implementation/dissemination concern which is absolutely within the scope of a PMC to provide advice regarding what should and should not (or can and cannot) be signed.
>> 
>> Having said that, this question may be better suited for the incubation@xxxxxxxxxxx mailing list. If everything has gone according to plan, you should both already be members of that list, and I invite you to move any follow-up discussion there.
>> 
>> HTH,
>> 
>> Wayne
>> 
>> 
>> On 15/03/16 08:10 AM, Tyler Jewell wrote:
>>> Stevan:
>>> 
>>> Is this question for the PMC? Usually the role of the PMC is only to +1 or -1 a specific CQ or release plan. I do not see how the PMC is structured to answer a question that has shades of gray and a range of potential answers.
>>> 
>>> I would expect the IP team at Eclipse to tell the PMC the expectations.
>>> 
>>> -Tyler
>>> 
>>> 
>>> 
>>> 
>>> On Tue, Mar 15, 2016 at 3:53 AM -0700, "Stevan Le Meur" <stevan.lemeur@xxxxxxxxx> wrote:
>>> 
>>> Dear PMC,
>>> 
>>> We had a discussion this morning with Mikael about the signing procedure we should follow for Che.
>>> 
>>> As you know, Che is a bit different from other Eclipse projects, in the sense that we have bundle archives with a lot of JARs:
>>> (1) most of the JARs are ours, and those JARs should definitely be signed;
>>> (2) we are bundling other JARs from third parties, such as Tomcat for example; those already have a valid IP check and proper CQs.
>>> 
>>> The question we have is how far we should go in signing the JARs that we have in our bundled archives.
>>> Should we sign the third-party JARs (2), or will signing only our own JARs (1) be enough?
>>> 
>>> Thanks in advance,
>>> 
>>> Stévan
>>> _______________________________________________
>>> ecd-pmc mailing list
>>> 
>>> ecd-pmc@xxxxxxxxxxx
>>> 
>>> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
>>> 
>>> https://dev.eclipse.org/mailman/listinfo/ecd-pmc
>>> 
>> 
>> -- 
>> Wayne Beaton
>> @waynebeaton
>> The Eclipse Foundation
>> 
> 
> -- 
> Wayne Beaton
> @waynebeaton
> The Eclipse Foundation
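A check that follows from the position taken in this thread (every JAR shipped in a bundle archive carries a signature, own and third-party alike), as an added example that is not from the thread or from the Che project: it walks a bundle archive, reports which JARs lack the META-INF signature file and signature block that JAR signing produces, and flags entries whose content no longer matches the signed manifest digest. It assumes a zip bundle and constructed sample JARs; the placeholder .SF/.RSA files stand in for the layout only, so certificate and signature-block validation (what `jarsigner -verify` does) is out of scope.

```python
import base64
import hashlib
import io
import zipfile

def manifest_digests(manifest: str) -> dict:
    """Map entry name -> base64 SHA-256 digest from MANIFEST.MF (72-byte folded lines are unfolded first)."""
    digests, name = {}, None
    for line in manifest.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[16:]
    return digests

def audit_jar(jar_bytes: bytes) -> dict:
    """One JAR: signature file (.SF) plus signature block present? Which entries no longer match the manifest?"""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        meta = [n for n in jar.namelist() if n.startswith("META-INF/")]
        signed = any(n.endswith(".SF") for n in meta) and any(n.upper().endswith((".RSA", ".DSA", ".EC")) for n in meta)
        expected = manifest_digests(jar.read("META-INF/MANIFEST.MF").decode()) if "META-INF/MANIFEST.MF" in meta else {}
        tampered = [e for e, d in expected.items()
                    if base64.b64encode(hashlib.sha256(jar.read(e)).digest()).decode() != d]
    return {"signed": signed, "tampered": tampered}

def audit_bundle(bundle_bytes: bytes) -> dict:
    """Audit every *.jar inside a bundle archive (a zip), own and third-party JARs alike."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as bundle:
        return {n: audit_jar(bundle.read(n)) for n in bundle.namelist() if n.endswith(".jar")}

def make_jar(entry: str, data: bytes, signed: bool, tamper: bool = False) -> bytes:
    """Constructed sample JAR; SIGNER.SF/SIGNER.RSA are layout placeholders, not a real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if signed:  # the manifest digest covers the genuine content; tamper then alters the entry
            digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\n\r\nName: {entry}\r\nSHA-256-Digest: {digest}\r\n")
            jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/SIGNER.RSA", b"placeholder-signature-block")
        jar.writestr(entry, data + (b"#patched" if tamper else b""))
    return buf.getvalue()

def sample_bundle() -> bytes:
    """Constructed bundle: a signed own JAR, an unsigned third-party JAR, a signed JAR modified after signing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        bundle.writestr("lib/che-core.jar", make_jar("org/eclipse/che/Core.class", b"\xca\xfe\xba\xbe", True))
        bundle.writestr("lib/tomcat-embed.jar", make_jar("org/apache/catalina/Tomcat.class", b"\xca\xfe\xba\xbe", False))
        bundle.writestr("lib/patched.jar", make_jar("org/example/Patched.class", b"\xca\xfe\xba\xbe", True, tamper=True))
    return buf.getvalue()
```

Running `audit_bundle(sample_bundle())` reports the third-party JAR as unsigned and the modified JAR as signed but tampered, which is the gap the thread is debating whether to close.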