[Fedora-packaging] RFC: Signed JAR Packaging Policy

Rex Dieter rdieter at math.unl.edu
Thu May 10 04:48:39 UTC 2007


Per
RFC: Signed JAR Packaging Policy http://lwn.net/Articles/225981/
Review Request: jss - Java Security Services (JSS), 
http://bugzilla.redhat.com/230262

The "jar signing issue" is something we'll have to address somehow 
sooner or later. IMO, it can/should be considered on the same level as 
Fedora's signed rpms.

<crazy_idea>
Maybe Fedora could have some sort of fedora-ca-keys pkg containing Java 
CAs that's *only* available to the buildsys (i.e., private, similar to 
Fedora's rpm keys). We could also provide some sort of dummy 
fedora-ca-keys pkg in our public repos (or some other means for folks to 
generate/create their own ca-keys-containing pkg) to satisfy the 
reproducibility(*) issue.
</crazy_idea>

comments?

-- Rex

(*) reproducible in that you could build signed jars, but they wouldn't 
be identical, obviously.



