
Re: [eclipse.org-architecture-council] Is jar signing mandatory?
On Wed, Mar 18, 2020 at 7:55 AM Ed Merks <ed.merks@xxxxxxxxx> wrote:
> the high expectations of the consumers

I don't think most consumers really expect jars to be signed. I think those consumers basically trust the source, i.e. if the jar comes from Eclipse.org servers or services, then that's enough authenticity for them. I looked at some other popular projects (Maven, JUnit, slf4j...) and none has signed jars, but that doesn't prevent their adoption.
In any case, with or without signing, it's easy for anyone to produce an (unsigned) jar that looks like an official Eclipse.org jar to most consumers. And in case users have doubts, they can still check (with build information like the originating commit, and by comparing some "official" project output) that their jar actually comes from Eclipse Foundation servers. IMO, jar signing is not required to be able to have some authenticity.

I agree signing should be recommended, especially since it's not such a hard thing to set up; but I'm actually happy with the current state where a project can skip this step for the first releases as, IMO, signing doesn't add that much trust that we couldn't build without it.
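An added illustration, not part of the thread, of what a jar's own manifest can and cannot tell a consumer: a jar carrying only SHA-256 digests in META-INF/MANIFEST.MF detects edits made after the manifest was written, but it contains no .SF/.RSA signature block, so nothing ties it to a publisher and anyone can regenerate the manifest to match their own contents. All entry names and contents below are constructed.

```python
"""Inspect a jar for signature artifacts and verify its manifest digests (example, constructed data)."""
import base64
import hashlib
import io
import zipfile


def build_unsigned_jar(files):
    # Construct a minimal jar: entries plus a MANIFEST.MF with per-entry SHA-256 digests, no signature.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = ["Manifest-Version: 1.0"]
        for name, data in files.items():
            zf.writestr(name, data)
            digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
            manifest += ["", f"Name: {name}", f"SHA-256-Digest: {digest}"]
        zf.writestr("META-INF/MANIFEST.MF", "\n".join(manifest) + "\n")
    return buf.getvalue()


def replace_entry(jar_bytes, name, data):
    # Rewrite one entry while leaving MANIFEST.MF untouched (simulates tampering after packaging).
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for n in src.namelist():
            zf.writestr(n, data if n == name else src.read(n))
    return out.getvalue()


def parse_manifest(text):
    # Map entry name -> declared SHA-256 digest (short names only; no 72-byte line continuations handled).
    entries, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            entries[name] = line[len("SHA-256-Digest: "):]
    return entries


def signature_files(jar_bytes):
    # Signed jars carry META-INF/*.SF plus a *.RSA/*.DSA/*.EC signature block; unsigned ones have neither.
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.startswith("META-INF/") and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC")))


def check_manifest_digests(jar_bytes):
    # Recompute each entry's digest and compare with the manifest; returns (all_ok, mismatched entry names).
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        bad = [n for n, d in expected.items()
               if base64.b64encode(hashlib.sha256(zf.read(n)).digest()).decode() != d]
    return (not bad, bad)
```

Integrity against the manifest and authenticity of the publisher are separate properties: the digest check passes for any consistently repackaged jar, and only the signature block, verified against a trusted certificate, links the manifest to whoever produced it.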
