October 7, 2009

Should we share our own private keys for signing DataObjects.Net assemblies?

That's actually the most important question I have now, and I'd like to hear your opinion.

Pros for sharing our keys:

  • It will be easy to replace our original assemblies with your custom ones: you won't have to change any references in the .csproj files you have.
  • In general, we can start shipping assemblies signed by our truly private keys later, so you will be able to choose which version to install.
  • It will be possible to substitute our original assemblies with custom ones (and probably intentionally compromised ones, e.g. containing some tracking code, etc.). On the other hand, everyone will be able to replace our own private keys with his own to build his own private build, which can't be compromised this way.

So in general, the idea of sharing our current private keys seems preferable to me: it is much more friendly to people who could contribute to the project.

What do you think about this? You can leave your opinion in the comments to this post.