Per RFC: Signed JAR Packaging Policy http://lwn.net/Articles/225981/
Review Request: jss - Java Security Services (JSS), http://bugzilla.redhat.com/230262
The "jar signing issue" is something we'll have to address somehow sooner or later. Imo, it can/should be considered on the same level as Fedora's signed rpms.
<crazy_idea> Maybe fedora could have some sort of fedora-ca-keys pkg containing java CA's that's *only* available to the buildsys (ie, private, similar to fedora's rpm keys). We could also provide some sort of dummy fedora-ca-keys pkg in our public repos (or some other means for folks to generate/create their own ca-keys-containing pkg) to satisfy the reproducibility(*) issue. </crazy_idea>
comments?
-- Rex
(*) reproducible in that you could build signed jars, but they wouldn't be identical, obviously.
Rex Dieter wrote:
> Per RFC: Signed JAR Packaging Policy http://lwn.net/Articles/225981/
> Review Request: jss - Java Security Services (JSS), http://bugzilla.redhat.com/230262
> The "jar signing issue" is something we'll have to address somehow sooner or later. Imo, it can/should be considered on the same level as Fedora's signed rpms.
> <crazy_idea> Maybe fedora could have some sort of fedora-ca-keys pkg containing java CA's that's *only* available to the buildsys (ie, private, similar to fedora's rpm keys). We could also provide some sort of dummy fedora-ca-keys pkg in our public repos (or some other means for folks to generate/create their own ca-keys-containing pkg) to satisfy the reproducibility(*) issue. </crazy_idea>
Duh, my bad for not actually re-reading the *whole* previous thread. spot pointed out that only "companies" can ask Sun for CA's, and that Fedora wouldn't qualify. But, hey, why not try and ask anyway? The worst that can happen is that Sun says no, in which case, what's so evil about using a "Red Hat" java CA? Regardless, for lack of a CA cert to work with, this discussion is moot.
-- Rex
On Wednesday 09 May 2007 22:04:00 Rex Dieter wrote:
> Duh, my bad for not actually re-reading the *whole* previous thread. spot pointed out that only "companies" can ask Sun for CA's, and that Fedora wouldn't qualify. But, hey, why not try and ask anyway? The worst that can happen is that Sun says no, in which case, what's so evil about using a "Red Hat" java CA? Regardless, for lack of a CA cert to work with, this discussion is moot.
redistributability.
Jesse Keating wrote:
> On Wednesday 09 May 2007 22:04:00 Rex Dieter wrote:
> > Duh, my bad for not actually re-reading the *whole* previous thread. spot pointed out that only "companies" can ask Sun for CA's, and that Fedora wouldn't qualify. But, hey, why not try and ask anyway? The worst that can happen is that Sun says no, in which case, what's so evil about using a "Red Hat" java CA? Regardless, for lack of a CA cert to work with, this discussion is moot.
> redistributability.
huh? redistributability of what exactly?
If you're talking about the keys, I'm not advocating (re)distributing the java CA keys, any more than I'd advocate (re)distributing the keys fedora uses to sign its rpms (cause that'd be silly/useless).
-- Rex
On Monday 14 May 2007 10:00:16 Rex Dieter wrote:
> If you're talking about the keys, I'm not advocating (re)distributing the java CA keys, any more than I'd advocate (re)distributing the keys fedora uses to sign its rpms (cause that'd be silly/useless).
Right, but our packages are perfectly usable without being signed. Without changes to the java stuff, the package is completely UNusable without being signed.
On Monday 14 May 2007 11:25:21 Rex Dieter wrote:
> agreed, precisely why I'm trying to come up with mechanisms/policy wrt signed .jars in Fedora. :)
Simple. Fix java so that it operates with an unsigned jar in a blatantly 'insecure' mode, like a self signed cert in apache.
Jesse Keating wrote:
> On Monday 14 May 2007 11:25:21 Rex Dieter wrote:
> > agreed, precisely why I'm trying to come up with mechanisms/policy wrt signed .jars in Fedora. :)
> Simple. Fix java so that it operates with an unsigned jar in a blatantly 'insecure' mode, like a self signed cert in apache.
Fine, it's one thing to make jvm's at least usable without signed .jars, but that shouldn't block the bigger issue of finding a workable mechanism to get signed .jars into Fedora packaging.
-- Rex
packaging@lists.fedoraproject.org