However, a legitimate criticism has been that there’s very little transparency in Microsoft’s signing process. Some people have waited for significant periods of time before being receiving a response. A large part of this is simply that demand has been greater than expected, and Microsoft aren’t in the best position to review code that they didn’t write in the first place.
To that end, we’re adopting a new model. A mailing list has been created at email@example.com, and members of this list will review submissions and provide a recommendation to Microsoft on whether these should be signed or not. The current set of expectations around binaries to be signed documented here and the current process here – it is expected that this will evolve slightly as we get used to the process, and we’ll provide a more formal set of documentation once things have settled down.
This is a new initiative and one that will probably take a little while to get working smoothly, but we hope it’ll make it much easier to get signed releases of Shim out without compromising security in the process.
Source From: fedoraplanet.org.
Original article title: Matthew Garrett: Announcing the Shim review process.
This full article can be read at: Matthew Garrett: Announcing the Shim review process.