Antoine Levy-Lambert wrote:
> Hello Kev,
> I do not know *all* the available options.
>
> What I did is that I downloaded GnuPG (www.gnupg.org), installed it on my computer,
> generated myself a key. The public part of the key you have to add at the end of a file called
> KEYS which is in svn and lists the public keys of the ant committers.
>
> How to publish your key to a key server I do not remember. I think I uploaded my public
> key to a key server, but do not remember off hand how it is called.
>
> You can use GPG to sign the ant binaries and also to sign (or to encrypt) emails. In
> the release procedure, there are some emails which have to be signed too. Thunderbird has
> a plugin (Enigmail) which can work with GPG.
>
We can't sign the binaries themselves, as Java suddenly changes into
secure mode when that happens. But we can publish signatures of the
checksums, and by signing the email announcement you can provide an
authentication trail to the mirrors.
We also need to look at the release docs to see if it covers
distribution to the maven repository.
-steve
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org