Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [p2-dev] Making p2 deal with (PGP?) signatures for artifacts in metadata

On Tue, Jan 19, 2021 at 11:51 AM Ed Merks <ed.merks@xxxxxxxxx> wrote:
The EDP, not just SimRel, mandates this:

EDP says "should", SimRel says "must" ( ) that's a major difference.

Signing is a certification of origin that follows the artifact around no matter where it goes...

Sure, but I question whether having signatures inside the artifact is the actual requirement. And as I imagine that the will to more easily consume external artifacts easily is strong, maybe this trade-off of having signatures published beside the file and checked at install-time or even startup is enough. Discussing that is part of the brainstorming.

I think before we talk about a technical solution we should validate the assumption that consumers don't actually care about signing and that the Foundation is okay with changing the rules about it.   I say that because a p2 solution that is just an install-time solution, like a fancy checksum, rather than a run time solution, has implications for consumers.

Yes, that's indeed one of the core parts of the discussion.
However, I think starting to think about the technical solution is interesting, as it can give more concrete arguments to decide whether or not to adapt the requirement.
Note that the Architecture Council can propose change to EDP if there is agreement this constraint is to be refined, amended or clarified. I'll try to think about bringing this to the attention of Architecture Council for further discussion.

I think verifying the premise that it will be okay not to ship signed jars should be verified first.

Right. Although they'd be actually signed, it's just that signature is not inside the jar itself.

Back to the top