Rob Crittenden wrote:
Can I package up the mozilla.org pre-signed jar file? I think that would qualify it as a "binary distribution" though, which is frowned upon.

rob
This is an interesting question possibly for our packaging guidelines committee. It is obvious that you cannot make a reproducible signed binary as needed in this case using our current guidelines.
Perhaps a scheme like this would be acceptable:
1) Spec file builds the JAR from sources.
2) Uses some kind of intelligent compare algorithm to be sure that the Java bytecode is truly identical to the signed JAR.
3) ONLY IF THEY MATCH, then throw away the built copy and ship the signed JAR.

Now there are possible problems with this...
1) How error-prone or even possible is it to make reproducible JAR files that can compare in this way?
2) Does this run afoul of any licenses, like the proposed GPLv3 anti-DRM provisions?
Other question... *Who* must sign the JAR file for it to be valid?

Warren Togami
wtogami@xxxxxxxxxx

--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
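One way to do the compare in step 2 of the scheme above, as an added example that is not part of the original message or of any Fedora tooling: it hashes the uncompressed bytes of every entry in both JARs and reports any name that is missing, extra or different, so the signed JAR is shipped only when the list is empty. The function names are hypothetical, the sample JARs are constructed in memory, and treating `META-INF/MANIFEST.MF` and the signature files as expected differences is an assumption of this sketch.

```python
import hashlib
import io
import zipfile

# Files that JAR signing adds or rewrites; they legitimately differ between
# an unsigned local build and the upstream signed JAR (assumption of this sketch).
SIGNING_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signing_metadata(name):
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNING_SUFFIXES)


def payload_digests(jar):
    """Map entry name -> SHA-256 of its uncompressed bytes, skipping signing metadata."""
    digests = {}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_metadata(info.filename):
                continue
            # A second entry with the same name could shadow the compared one.
            if info.filename in digests:
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_jars(built, signed):
    """Return sorted names that are missing, extra or different; empty means a match."""
    a, b = payload_digests(built), payload_digests(signed)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def make_jar(entries):
    """Build a constructed in-memory JAR (sample input, not a real mozilla.org file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf
```

Comparing uncompressed content rather than the archive bytes keeps compression level and entry order from causing false mismatches, but a compiler that emits different bytecode for the same source will still fail the check.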