[Foundation-discuss] Proposal for RFP for Mac Packaging

Dave Botsch botsch@cnf.cornell.edu
Mon, 16 Nov 2015 22:00:06 -0500 

Hi, all.

Just to respond to my own email and to update everyone on OS X
packaging.

Work by others is already ongoin to re-jigger the packaging to be happy
for OS X. Their plan is to then donate the fixed packaging back to the
OpenAFS community.

The Foundation is planning on signing up for the appropriate level of
Apple Developer so that digital certs recognized by OS X can be used to
sign the package, binaries, and KEXT.

Thanks.


On Mon, Nov 02, 2015 at 02:57:24PM -0500, Dave Botsch wrote:
> The Foundation Board is considering sending out an RFP for Mac OS X
> packaging of OpenAFS.
> 
> For some time now, OpenAFS itself has not distributed binaries for the
> Mac platform (the most recent is 1.6.6 for 10.9) - leaving a big and a
> noticable hole. 
> 
> Putting out binaries and installers for newer versions of OS X have been
> complicated by new Apple security restrictions of the loading of Kernel
> modules (prior to 10.10 one could simply disable the Gatekeeper
> functionality via System Preferences). Unless one disables the kernel
> signing requirement feature via either nvram boot arguments or recovery
> mode options, the unsigned AFS kernel module won't load. For the
> convenience of end users, having the OpenAFS binaries and installer
> digitally signed would also be useful.
> 
> The RFP would encompass two main pieces:
> 
> 	1. Update the Mac OS packaging scripts to create a "flat"
> 	installer package -- only a flat package can be digitally
> 	signed. Test that digital signing of packaging, binaries, and
> 	the kernel extension works as expected.
> 
> 	2. Build and maintain packaging for the most current TWO
> 	releases of Mac OS X for the next year. This would include
> 	editing the various scripts to install and run AFS from a aprt
> 	of the system allowed by System Integrity Protection.
> 
> Packages would be posted on openafs.org (or at least linked from
> openafs.org to the appropriate location).
> 
> The Foundation, itself, could provide keys for and/or digitally sign
> packages and binaries once built.
> 
> This RFP would be open to all individuals, companies, and institutions.
> 
> We invite any thoughts, comments, questions, etc, here on the
> foundation-discuss list. Things you may wish to share privately can be
> sent directly to foundation (at) openafs.org .
> 
> On behalf of the OpenAFS Foundation Board...
> 
> -- 
> ********************************
> David William Botsch
> Programmer/Analyst
> @CNFComputing
> botsch@cnf.cornell.edu
> ********************************
> _______________________________________________
> Foundation-discuss mailing list
> Foundation-discuss@openafs.org
> http://lists.openafs.org/mailman/listinfo/foundation-discuss

-- 
********************************
David William Botsch
Programmer/Analyst
@CNFComputing
botsch@cnf.cornell.edu
********************************