<div dir="ltr">Had a quick chat with Larry who is comfortable working with Alex and the SAC committee to sort out the details. I did not seem possible to centralize the building given the nature of cross platform builds.<div><br></div><div>(It is so hard to not get distracted by the technical details)</div><div><br></div><div>Jody</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>--</div><div>Jody Garnett</div></div></div></div></div></div>
<br><div class="gmail_quote">On 16 October 2015 at 10:31, Alex M <span dir="ltr"><<a href="mailto:tech_dev@wildintellect.com" target="_blank">tech_dev@wildintellect.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yes it sounds like a little research needs to be done on how to<br>
centralize the key but not necessarily centralize the building (which is<br>
not all in one place, and likely never will be).<br>
<br>
Perhaps there's a way to allow a specific set of personal gpg keys to<br>
access a service on an osgeo server that signs the packages.<br>
<br>
Thanks,<br>
Alex<br>
SAC Chair<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On 10/16/2015 09:46 AM, Even Rouault wrote:<br>
> Le vendredi 16 octobre 2015 18:32:19, Jody Garnett a écrit :<br>
>> Any further discussion, I will hold this thread open for another two hours<br>
>> before making a new motion to the board. Motion is going to be along the<br>
>> lines of approving a yearly dollar figure, rather than exact details.<br>
>><br>
>> Questions:<br>
>> - The QGIS Officer (listed as Gary Sherman<br>
>> <<a href="http://wiki.osgeo.org/wiki/Gary_Sherman" rel="noreferrer" target="_blank">http://wiki.osgeo.org/wiki/Gary_Sherman</a>>) may be in position to make a<br>
>> better motion on behalf of their team?<br>
>> - Is the SAC committee the correct contact point to store the certificate<br>
>> (say in a password protected svn?). The certificate will need to be<br>
>> available to a *very small* group of individuals who configure build box<br>
>> with the ability to sign an application on behalf of OSGeo.<br>
><br>
> I realize this is about the technic and not the principle, but instead of<br>
> distributing the certificate with risks of accounts/machines that store it to<br>
> be compromised, wouldn't it make sense to have a single machine where it is<br>
> stored, and (authorized) people do the signing on it ?<br>
><br>
> It would be bad if the OSGeo certificate was misused, which would require<br>
> revokating it, etc...<br>
><br>
> Some projects use even more advanced mechanism where the people signing<br>
> binaries don't even have access to the key themselves as far as I understand :<br>
> <a href="https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer" rel="noreferrer" target="_blank">https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer</a><br>
><br>
><br>
>> --<br>
>> Jody Garnett<br>
>><br>
>> On 15 October 2015 at 09:11, Jody Garnett <<a href="mailto:jody.garnett@gmail.com">jody.garnett@gmail.com</a>> wrote:<br>
>>> Today's board meeting had the following agenda topic:<br>
>>>> - discuss possibility of OSGeo software signing certificates [Anita]<br>
>>>> (i.e. OSX seems to not allow installation of unsigned software by<br>
>>>> default --> user needs to change configuration --> signed software<br>
>>>> would appear more professional. On the QGIS mailing list, we were<br>
>>>> discussing that we could have a QGIS.org certificate but since QGIS<br>
>>>> depends on so many other OSGeo tools - which would also have to be<br>
>>>> signed - it might be more appropriate to have an OSGeo certificate.)<br>
>>><br>
>>> Moving discussion here to the mailing list, and will make the motion<br>
>>> tomorrow.<br>
>>><br>
>>> As this is the OSGeo board mailing list I would like to keep the<br>
>>> technical details of signing to a minimum and focus on our role in<br>
>>> supporting the QGIS project.<br>
>>><br>
>>> We are focused on a very clear question - can OSGeo obtaining a<br>
>>> certificate for use by OSGeo projects. The cost appears to be nominal<br>
>>> (one quote <<a href="https://www.digicert.com/code-signing/" rel="noreferrer" target="_blank">https://www.digicert.com/code-signing/</a>> is $160/yearly).<br>
>>><br>
>>> I view this as an appropriate use of the OSGeo branding and well within<br>
>>> our capacity as an organization.<br>
>>> --<br>
>>> Jody Garnett<br>
><br>
<br>
</div></div><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Board mailing list<br>
<a href="mailto:Board@lists.osgeo.org">Board@lists.osgeo.org</a><br>
<a href="http://lists.osgeo.org/mailman/listinfo/board" rel="noreferrer" target="_blank">http://lists.osgeo.org/mailman/listinfo/board</a></div></div></blockquote></div><br></div>