Relax the signing requirements for the dotnetfoundation owner user #13792

Open
wants to merge 3 commits into
base: dev

glennawatson commented Sep 18, 2024

This has been discussed with @JonDouglas who recommended making this proposal.

We went through our internal processes as recommended by @JonDouglas, including discussing in the Project committee and also at the board level.

We want to make a formal request to relax the dotnetfoundation user author signing requirements to be closer to the normal nuget.org owner but only requiring a root trusted authority author signature for the package.

Fixes NuGet/NuGetGallery#10187

glennawatson requested a review from a team as a code owner September 18, 2024 12:49
dotnet-policy-service bot added the Community PRs (and linked Issues) created by someone not in the NuGet team label Sep 18, 2024
JonDouglas requested review from a team September 30, 2024 21:31
glennawatson (Author) commented

I, @glennawatson, a board member of the .NET Foundation, was involved in a board meeting on the 18th September 2024 at 00:00 UTC where we discussed and agreed to have packages owned by the DNF owner only require a valid signing certificate with a valid root trusted authority.

Perksey commented Oct 1, 2024

I, @Perksey, can confirm through correspondence with .NET Foundation board members and personnel that the purpose and contents of this proposal to relinquish exclusive control over package signing authorities (pursuant to the policies within this proposal) to project maintainers is understood, discussed, and agreed through usual .NET Foundation communication processes with affected .NET Foundation projects, including my own project Silk.NET. I acknowledge that this shall grant me as a package owner, along with other package owners including the dotnetfoundation where applicable, the permission to add certificates signed by a trusted root certification authority as defined in this proposal. This attestation is as a result of an independent evaluation of the proposal as a .NET Foundation project maintainer as requested by @glennawatson.

Successfully merging this pull request may close these issues.

[Feature]: Relax the requirements for the dotnetfoundation user