[OpenAFS] Re: Providing signed packages

Andrew Deason adeason@sinenomine.net
Thu, 23 Oct 2014 14:11:22 -0500

On Thu, 23 Oct 2014 11:02:32 -0500
Andrew Deason <adeason-PmMlWm1tRC+uOtvtkYNheg@public.gmane.org> wrote:

> For all of these situations where the Foundation would provide the
> ability to sign binaries, there are those legal considerations, then,
> but also other things. The Foundation needs to have a point of contact
> for any of these, and needs to go through the process of signing up
> for the relevant service and buying the relevant certificates/keys,
> etc. We also need to have a place or person(s) to store the secret
> keys; if they're not stored securely, they obviously do no good. It
> also needs to be clear how they will get used to sign the binary
> releases (who gets access to the keys for signing).

One thing that I maybe "missed" here is how binaries get built now.
Right now there's no real formal structure or anything; anyone that is
part of the release-team discussions just provides them if/when able.
That ad-hoc nature is kinda why there's always been a relaxed
attitude towards signing them.

Making use of packages signed by the Foundation doesn't necessarily
change that, at least at first, since the Foundation can just be another
one of those ad-hoc sources of packages. For example, today I/SNA
provides Solaris binaries, Stephen Quinney/inf.ed.ac.uk builds Red Hat
RPMs, and the Foundation could provide OS X packages (and it's up to the
Foundation how to generate them). Or you could have someone submit the
binaries to the Foundation to sign, and it's up to the Foundation to
trust them for signing (if that's even technically feasible in OS X's
framework, and doesn't violate the agreements etc etc).

Either way, I just wanted to mention that, because "fixing" this at
least for the short-term doesn't need to impact the way releases are
coordinated or anything like that. And, to point out that there's no
existing structure or process in openafs.org for the Foundation to
follow; it's a new thing that needs to be thought up. Over time perhaps
the openafs.org release process should be more structured in general or
whatnot, but that's orthogonal to the issue in this thread.

Andrew Deason