[Foundation-discuss] Re: [OpenAFS] Providing signed packages (was Re: any experiences with OpenAFS client ...)

[chas williams - CONTRACTOR]

On Thu, 23 Oct 2014 18:27:27 -0400
Stephen Joyce <stephen@email.unc.edu> wrote:

> The openafs.org website (is that now owned by the Foundation?) provides 
> binaries now. One could argue that it's the same risk[1], but that signing 
> binaries creates more awareness (but I'm not sure I have the energy to 
> think that critically with my current head cold).

I don't think signing of the binaries is the primary risk assumed.
Since OpenAFS is essentially provided without warranty and the consumer
agrees to this as part of their usage.  If OpenAFS screws up and eats
all your data, well you agreed that you wouldn't sue us (as modified by
applicable laws).

The primary risk seems to be protection and usage of the signing
certificates.  If stolen or abused, it seems reasonable that you should
be held liable for any damages incurred by their usage assuming that you
didn't take reasonable precautions to prevent theft (and this is where
the liability insurance comes into play since you would need to
prove/defend this).

Or let's say OpenAFS decides to start signing some other projects as
well.  Apple would potentially have a case for misuse of the
certificate.  But, we might disagree. For instance, lets say that there
is an OpenAFS fuse-based distribution and the Foundation decides it
should sign the OSXFUSE module and distribute this as part of OpenAFS.
This is where the lawyers would be involved.  Would OSXFUSE be part of
OpenAFS? Would we be entitled to distribute it?  If Apple wins, who
pays for the damages (and legal costs) incurred by Apple?

None of the above has anything to do with whether or not OpenAFS
correctly handles data but they are issues involved with being able to
sign binaries.

Naturally, IANAL but I stayed at a Holiday Inn Express last night.