Re: [p2-dev] Making p2 deal with (PGP?) signatures for artifacts in metadata
On Tue, Jan 19, 2021 at 11:51 AM Ed Merks <ed.merks@xxxxxxxxx> wrote:

> The EDP, not just SimRel, mandates this:
> https://www.eclipse.org/projects/handbook/#resources-signing

EDP says "should", SimRel says "must" (https://wiki.eclipse.org/SimRel/Simultaneous_Release_Requirements#Signing_.28tested.29); that's a major difference.

> Signing is a certification of origin that follows the artifact around no matter where it goes...

Sure, but I question whether having signatures inside the artifact is the actual requirement. And as I imagine that the will to consume external artifacts more easily is strong, maybe this trade-off of having signatures published beside the file and checked at install-time or even startup is enough. Discussing that is part of the brainstorming.

> I think before we talk about a technical solution we should validate the assumption that consumers don't actually care about signing and that the Foundation is okay with changing the rules about it. I say that because a p2 solution that is just an install-time solution, like a fancy checksum, rather than a run time solution, has implications for consumers.

Yes, that's indeed one of the core parts of the discussion.
However, I think starting to think about the technical solution is interesting, as it can give more concrete arguments to decide whether or not to adapt the requirement.
Note that the Architecture Council can propose changes to the EDP if there is agreement that this constraint is to be refined, amended or clarified. I'll try to think about bringing this to the attention of the Architecture Council for further discussion.

> I think the premise that it will be okay not to ship signed jars should be verified first.

Right. Although they'd actually be signed; it's just that the signature is not inside the jar itself.