[Board] OSGeo signing certificates (discussion)

Jody Garnett jody.garnett at gmail.com
Fri Oct 16 11:14:19 PDT 2015


Had a quick chat with Larry who is comfortable working with Alex and the
SAC committee to sort out the details. I did not seem possible to
centralize the building given the nature of cross platform builds.

(It is so hard to not get distracted by the technical details)

Jody

--
Jody Garnett

On 16 October 2015 at 10:31, Alex M <tech_dev at wildintellect.com> wrote:

> Yes it sounds like a little research needs to be done on how to
> centralize the key but not necessarily centralize the building (which is
> not all in one place, and likely never will be).
>
> Perhaps there's a way to allow a specific set of personal gpg keys to
> access a service on an osgeo server that signs the packages.
>
> Thanks,
> Alex
> SAC Chair
>
>
> On 10/16/2015 09:46 AM, Even Rouault wrote:
> > Le vendredi 16 octobre 2015 18:32:19, Jody Garnett a écrit :
> >> Any further discussion, I will hold this thread open for another two
> hours
> >> before making a new motion to the board. Motion is going to be along the
> >> lines of approving a yearly dollar figure, rather than exact details.
> >>
> >> Questions:
> >> - The QGIS Officer (listed as Gary Sherman
> >> <http://wiki.osgeo.org/wiki/Gary_Sherman>) may be in position to make a
> >> better motion on behalf of their team?
> >> - Is the SAC committee the correct contact point to store the
> certificate
> >> (say in a password protected svn?). The certificate will need to be
> >> available to a *very small* group of individuals who configure build box
> >> with the ability to sign an application on behalf of OSGeo.
> >
> > I realize this is about the technic and not the principle, but instead of
> > distributing the certificate with risks of accounts/machines that store
> it to
> > be compromised, wouldn't it make sense to have a single machine where it
> is
> > stored, and (authorized) people do the signing on it ?
> >
> > It would be bad if the OSGeo certificate was misused, which would require
> > revokating it, etc...
> >
> > Some projects use even more advanced mechanism where the people signing
> > binaries don't even have access to the key themselves as far as I
> understand :
> > https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer
> >
> >
> >> --
> >> Jody Garnett
> >>
> >> On 15 October 2015 at 09:11, Jody Garnett <jody.garnett at gmail.com>
> wrote:
> >>> Today's board meeting had the following agenda topic:
> >>>>    - discuss possibility of OSGeo software signing certificates
> [Anita]
> >>>>    (i.e. OSX seems to not allow installation of unsigned software by
> >>>>    default --> user needs to change configuration --> signed software
> >>>>    would appear more professional. On the QGIS mailing list, we were
> >>>>    discussing that we could have a QGIS.org certificate but since QGIS
> >>>>    depends on so many other OSGeo tools - which would also have to be
> >>>>    signed - it might be more appropriate to have an OSGeo
> certificate.)
> >>>
> >>> Moving discussion here to the mailing list, and will make the motion
> >>> tomorrow.
> >>>
> >>> As this is the OSGeo board mailing list I would like to keep the
> >>> technical details of signing to a minimum and focus on our role in
> >>> supporting the QGIS project.
> >>>
> >>> We are focused on a very clear question - can OSGeo obtaining a
> >>> certificate for use by OSGeo projects. The cost appears to be nominal
> >>> (one quote <https://www.digicert.com/code-signing/> is $160/yearly).
> >>>
> >>> I view this as an appropriate use of the OSGeo branding and well within
> >>> our capacity as an organization.
> >>> --
> >>> Jody Garnett
> >
>
> _______________________________________________
> Board mailing list
> Board at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/board
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/board/attachments/20151016/9dd0dc5d/attachment.html>


More information about the Board mailing list