This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Trusted Software Vendor
- From: Christopher Faylor <cgf-use-the-mailinglist-please at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Tue, 12 Jun 2012 09:16:08 -0400
- Subject: Re: Trusted Software Vendor
- References: <!&!AAAAAAAAAAAYAAAAAAAAAH3PqnIBVHtCiVMVjN0ExZLigAAAEAAAAJXIkaLIcH5Pn+g+gRSa2KoBAAAAAA==@expertise.cl> <20120608184641.GA13771@ednor.casa.cgf.cx> <4FD32DC5.10703@gmail.com> <20120609155700.GA21988@ednor.casa.cgf.cx> <4FD73CC9.3070501@etr-usa.com>
- Reply-to: cygwin at cygwin dot com

On Tue, Jun 12, 2012 at 06:57:45AM -0600, Warren Young wrote:
>On 6/9/2012 9:57 AM, Christopher Faylor wrote:
>>and I'm really not willing to burden cygwin.com with the cycles
>>necessary to unpack tarballs at cygwin.com to sign them.
>
>Based on the traffic I see to cygwin-apps, my sense is that this would
>amount to single-digit CPU-minutes per day, once you get through the
>initial conversion. That can be nice'd to the point that it takes a
>month; this doesn't have to be a Big Bang conversion.
>
>I think a much bigger problem is getting a Linux toolchain set up on
>the main package repo server that can sign these executables. My
>Google-fu says the GNU tools have no idea how to do this today.
>
>Then someone has to spend at least a few hours writing and testing the
>script to do all this. It might take a person-day.

If you are working under the misapprehension that I don't understand
what's required to get this to work, I can assure you that you're wrong.

>Red Hat might not have to buy a code signing cert for this. They might
>already have one that will work: http://goo.gl/5Hm3C

The Cygwin project is not Red Hat. It wouldn't be "Red Hat" buying
anything.

cgf
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple