lucenenet-dev mailing list archives

From Robert Jordan <robe...@gmx.net>
Subject Re: [Lucene.Net] Creating a Strong Named Assembly as part of our release
Date Mon, 21 Feb 2011 18:48:26 GMT
On 21.02.2011 18:08, Troy Howard wrote:
> Do we allow our SNK to be public and then run the risks of allowing
> anyone to create a DLL using our signature? or do we find a way to
> manage our private key privately?

We should publish the key because assembly signing was never
designed to provide the same level of authenticity as
Authenticode or similar infrastructures.

Apache's OpenPGP signature should remain authoritative
(see below).

> Perhaps we should not attempt to release a SNA?

If the DLLs did not have a SNA, some users would be forced
to rebuild, rendering the OpenPGP signature of the official
release meaningless. This would be really unfortunate.

Robert

