GuOrg / Gu.Wpf.NumericInput

MIT License

Sign with Strong Name? #27

Closed changbowen closed 7 years ago

changbowen commented 7 years ago

Hello, You've made the world a better place. Also, excellent documentation skills lol. One small question. Is it possible to sign the assemblies with strong name? I'm working on one that is strongly-named and had to sign it with a temporary key to make it work :)

JohanLarsson commented 7 years ago

I'll look into it.

About the lol after the docs remark, does it mean they are bad?

changbowen commented 7 years ago

No no... lol just stands for "laugh out loud"... consider it an emoji like :D. I was just trying to say that your documentation for the project is great.

JohanLarsson commented 7 years ago

Ah, ok, I wasn't sure so I started fishing for things to improve :).

JohanLarsson commented 7 years ago

About signing: I'm thinking about adding the key to the repo. That way it can still work as open source. What do you think about that?

changbowen commented 7 years ago

I don't know much about the security concerns here. If the key is also used somewhere else, perhaps it is not the best idea to include it in the repo? I think the key is only used when building the project. Without the key people can still view all the code. If they want to build their own copy and test, they can use a temporary key or disable signing (I think). Perhaps just sign the compiled dll so we can use the signed version on nuget. Also another strong-named project called Fluent Ribbon does not have the key included.

JohanLarsson commented 7 years ago

http://stackoverflow.com/a/396159/1069200 Looks like Skeet releases the key.

changbowen commented 7 years ago

Looks like this is a debatable topic... also I am only making suggestions :) From the link: "Releasing keys removes those guarantees, and defeats the entire purpose of strong names, and the security surrounding them." Also from the link: "If people want to modify the code in a project and then re-use the modified version in a strongly-named assembly, they can sign the modified version with their own key. It's not difficult."

I feel that by definition it is a key and thus should not be shared in public. And for people to use the code you don't need to share it. But if sharing it makes life easier, do it. That's the purpose of me writing code anyway :)

ReedCopsey commented 7 years ago

Signing isn't a security benefit; it only provides stronger identity. See https://msdn.microsoft.com/en-us/library/wd40t7ad(v=vs.110).aspx - even MSDN makes it clear that signing doesn't provide security.

Including the key for open source seems wholly appropriate.
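The thread discusses three options for a strongly-named open-source build: commit the full key, use a temporary key, or have each fork sign with its own key. The MSBuild fragment below is an added example, not the project's own csproj, showing how to express the first option while still keeping the private half out of the repo if the maintainer prefers: the private `.snk` (from `sn -k`) is used when present, and otherwise the committed public-only key (from `sn -p private.snk public.snk`) is used with `PublicSign`, so contributors' builds carry the same public key token without the private key. The file names `private.snk` and `public.snk` and their location one directory above the project file are assumptions.

```xml
<!-- Added example fragment for a .csproj; file names and paths are assumptions, not the project's own. -->
<PropertyGroup>
  <SignAssembly>true</SignAssembly>

  <!-- Release path: the full key pair (private half included) exists on the release machine or is
       committed to the repo, as the thread proposes. -->
  <AssemblyOriginatorKeyFile Condition="Exists('$(MSBuildThisFileDirectory)..\private.snk')">$(MSBuildThisFileDirectory)..\private.snk</AssemblyOriginatorKeyFile>

  <!-- Contributor path: only the public key is in the repo. PublicSign embeds the public key and
       marks the assembly as signed without producing a real signature, so the identity (public key
       token) matches the released build and strongly-named consumers can still reference it. -->
  <AssemblyOriginatorKeyFile Condition="!Exists('$(MSBuildThisFileDirectory)..\private.snk')">$(MSBuildThisFileDirectory)..\public.snk</AssemblyOriginatorKeyFile>
  <PublicSign Condition="!Exists('$(MSBuildThisFileDirectory)..\private.snk')">true</PublicSign>
</PropertyGroup>
```

Either way the strong name only pins the assembly's identity, as the MSDN link in the thread says; it is not a code-signing or tamper-proofing mechanism, so the decision to commit the key is about who can produce assemblies with that identity, not about protecting users.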