[Bug 430231] All project builds/downloads for all releases must be signed by the Eclipse Foundation
Bugzilla Link | 430231
Status | NEW
Importance | P3 normal
Reported | Mar 12, 2014 16:47 EDT
Modified | Feb 25, 2020 11:09 EDT
Description
I hope that I got your attention with the summary.
I would like the Architecture Council to issue a policy statement/directive regarding signed builds.
At one end of the spectrum, we could decree that all builds must be signed using the Eclipse Foundation's certificate. However, I assume that there are cases where technical limitations make this impossible or undesirable.
It may, for example, be impossible to sign builds for certain deployment configurations, languages, or technology. Further, it may not be entirely necessary to sign milestone builds (or maybe it is).
With that in mind, I'd like to use this bug first to start gathering ideas, concerns, limitations, etc. that we will use to craft the aforementioned directive.
I am particularly interested in getting input from AC members affiliated with the RT project and the perspective of representatives of runtime and IoT projects.
The outcome may well be along the lines of requiring signed builds where technically feasible and sensible (or something to that effect), or deciding that issuing such a directive is ill-advised.
Your input is appreciated.