I've been approached by the dev's of a GPL'd java app (www.geogebra.org), wanting my assistance wrt rpm packaging (and eventual inclusion in fedora I hope), but there's a snag. They want (need) their java applet runable over the web (webstart'able), and that means signed jars. They proposed we simply package their prebuilt (and signed) .jars, but that is contrary to our usual "build from source" position.
So, the dilemma is 1. come up with packaging policy and mechanism for fedora to produce signed jars. I raised this issue in the past, but we punted, since fedora, at the time, didn't include any java implementations that supported this. icedtea changes that. 2. allow an exception to the "build from source" guideline for pregenerated, signed .jar's. 3. just say no 4. insert suggestion here. ... 99. profit!
-- Rex
On Mon, 2008-02-18 at 08:04 -0600, Rex Dieter wrote:
I've been approached by the dev's of a GPL'd java app (www.geogebra.org), wanting my assistance wrt rpm packaging (and eventual inclusion in fedora I hope), but there's a snag. They want (need) their java applet runable over the web (webstart'able), and that means signed jars. They proposed we simply package their prebuilt (and signed) .jars, but that is contrary to our usual "build from source" position.
So, the dilemma is
- come up with packaging policy and mechanism for fedora to produce signed
jars. I raised this issue in the past, but we punted, since fedora, at the time, didn't include any java implementations that supported this. icedtea changes that. 2. allow an exception to the "build from source" guideline for pregenerated, signed .jar's. 3. just say no 4. insert suggestion here. ... 99. profit!
OK, so this is my stance:
* Unless Fedora can sign the jars that we build from source, this is a showstopper.
We cannot permit pre-generated signed jars. I've seen too many horrifying java crapboxes stuffed full of proprietary components, ancient components, and illegal components to simply permit this under any conditions. If it doesn't build from source, we aren't shipping it.
Now, I would be interested in hearing whether we can do this with IcedTea or not, and if so, how to accomplish it. This seems like it would be a very necessary component to the non-existent Java packaging guidelines.
~spot
Tom "spot" Callaway wrote:
OK, so this is my stance:
- Unless Fedora can sign the jars that we build from source, this is a
showstopper.
...
Now, I would be interested in hearing whether we can do this with IcedTea or not, and if so, how to accomplish it. This seems like it would be a very necessary component to the non-existent Java packaging guidelines.
We're pretty much on that same page then, +1 to all that. This will definitely need some attention, input, and love from the fedora java folks alright.
-- Rex
On Mon, 18 Feb 2008 11:19:28 -0600 Rex Dieter rdieter@math.unl.edu wrote:
We're pretty much on that same page then, +1 to all that. This will definitely need some attention, input, and love from the fedora java folks alright.
I don't recall if this was public or not, but I seem to recall having this conversation a while ago, and the conclusion was exactly as spot says it is.
Also I think the problem here is that there is a cert system that is being held hostage by Sun, and nobody else gets to play. This is worse than the current web cert games we play with browsers.
On Mon, Feb 18, 2008 at 12:28:47PM -0500, Jesse Keating wrote:
Also I think the problem here is that there is a cert system that is being held hostage by Sun, and nobody else gets to play. This is worse than the current web cert games we play with browsers.
Can't we add a Fedora certificate to the distribution with a private key only the builders have access to? And maybe only for a whitelist of packages that the FPC would approve?
As a short term solution for the geogebra case we could ship it unsigned until we have a procedure in place (of course all self-built from source).
On Mon, 2008-02-18 at 20:53 +0200, Axel Thimm wrote:
On Mon, Feb 18, 2008 at 12:28:47PM -0500, Jesse Keating wrote:
Also I think the problem here is that there is a cert system that is being held hostage by Sun, and nobody else gets to play. This is worse than the current web cert games we play with browsers.
Can't we add a Fedora certificate to the distribution with a private key only the builders have access to? And maybe only for a whitelist of packages that the FPC would approve?
As a short term solution for the geogebra case we could ship it unsigned until we have a procedure in place (of course all self-built from source).
Not an expert here, but I think that many browsers will refuse to run unsigned java bits.
~spot
On Mon, Feb 18, 2008 at 02:36:04PM -0500, Tom spot Callaway wrote:
On Mon, 2008-02-18 at 20:53 +0200, Axel Thimm wrote:
On Mon, Feb 18, 2008 at 12:28:47PM -0500, Jesse Keating wrote:
Also I think the problem here is that there is a cert system that is being held hostage by Sun, and nobody else gets to play. This is worse than the current web cert games we play with browsers.
Can't we add a Fedora certificate to the distribution with a private key only the builders have access to? And maybe only for a whitelist of packages that the FPC would approve?
As a short term solution for the geogebra case we could ship it unsigned until we have a procedure in place (of course all self-built from source).
Not an expert here, but I think that many browsers will refuse to run unsigned java bits.
They will issue a warning and let the user decide. There are quite a lot of appliances w/o a trusted key or not signed at all in routers, switches, kvm boxes etc. that fall into this category.
On Monday 18 February 2008, Tom "spot" Callaway wrote:
Not an expert here, but I think that many browsers will refuse to run unsigned java bits.
I don't remember seeing a browser that would flat out reject all unsigned applets. But some things are available for signed applets only.
http://mindprod.com/jgloss/applet.html#RESTRICTIONS http://mindprod.com/jgloss/signedapplets.html http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/co...
Hi,
On Mon, Feb 18, 2008 at 08:04:42AM -0600, Rex Dieter wrote:
I've been approached by the dev's of a GPL'd java app (www.geogebra.org), wanting my assistance wrt rpm packaging (and eventual inclusion in fedora I hope), but there's a snag.
Not directly related to the signing issue, but I've had geogebra on my plate since some time, as I need it for a deployment. Do you want to join forces?
On Monday 18 February 2008, Rex Dieter wrote:
- come up with packaging policy and mechanism for fedora to produce signed
jars. I raised this issue in the past, but we punted, since fedora, at the time, didn't include any java implementations that supported this. icedtea changes that.
Having Fedora's Java accept Fedora-signed jars would be of limited usefulness in the case of applets; you'd probably want to serve the applets to all kinds of non-Fedora clients too.
packaging@lists.fedoraproject.org