Re: [eclipse.org-architecture-council] Is jar signing mandatory?
I'm happy that you kicked in. I'm really uncomfortable with the notion that signing is merely an optional nice-to-have. I.e., something we can skip because it's obviously easier not to bother, and that's okay, because it's not required. To me signing is a security issue and a certification of origin. We should not generally cut corners on such a thing.
The EDP purposely avoids discussing any particular technology. You'll also notice no references to services that we consider to be "core" (Git repositories, issue trackers, dev lists, ...).
The notion of "core" services is supported by the principles (and the open source rules of engagement) that are described in the EDP. The handbook contains a list of those services that the EMO has determined to be core.
The handbook also says this about signing:
Where technically sensible, all downloadable artifacts should be signed by an Eclipse Foundation certificate.
It's not presented as a rule per se, so there's some wiggle room. We should probably harden this.
I don't think that there can be any controversy that a signed artifact must be signed by an EF certificate.
Less clear is how we interpret "technically sensible". My interpretation is that all release artifacts that can be signed, must be signed.
I believe that we can reasonably assert that it's okay for a project's incubation releases to be unsigned. I tend to consider signing to be a requirement for graduation (at the PMC's discretion, of course).
On Mon, Mar 16, 2020 at 1:45 PM Mickael Istria <mistria@xxxxxxxxxx> wrote:
I looked at EDP and couldn't find a reference to Jar signing. So do I get it right that there is no requirement for artifacts to be signed for a release? More particularly, for a 1st release of an incubating project that just joined Eclipse.org, is signing a real requirement or can it be added into a further release?
Thanks in advance.
eclipse.org-architecture-council mailing list
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council
Director of Open Source Projects | Eclipse Foundation, Inc.