commons-dev mailing list archives

From Dennis Lundberg <denn...@apache.org>
Subject Re: [all] maven group ids
Date Wed, 16 Aug 2006 22:01:56 GMT
Rahul Akolkar wrote:
> On 8/16/06, Dennis Lundberg <dennisl@apache.org> wrote:
>> Rahul Akolkar wrote:
> <snip/>
>> >
>> > AFAIK, nothing should go into any of the Apache Maven repos unless it's
>> > summed and signed. Commons has no particular privilege here, in fact,
>> > we should ensure that all artifacts are accompanied by appropriate
>> > metadata (I don't mean metadata.xml in the m2 sense). There are
>> > existing sums and sigs on some POMs at least. It appears that even if
>> > it's just a relocation section, it needs a resum and resign. If the
>> > consensus is that this adds an overhead for too many people, and is
>> > hence optional, that's another thing.
>>
>> Checksums (md5 and/or sha1) yes, definitely. Signing, hmm well I'm not
>> sure. I haven't cut a release yet, so others will need to fill me in on
>> the current policy for signing or not signing poms. If this is
>> documented somewhere at Apache, please let me know, so that I can add a
>> link in the relocation guide.
>>
> <snap/>
> 
>  From the Apache wide release signing policy [1] (I understand the
> document is still in the works):
> 
> <quote>
> Every artifact distributed by the Apache Software Foundation should
> and every new one must be accompanied by one file containing an
> OpenPGP compatible ASCII armored detached signature and another file
> containing an MD5 checksum.
> </quote>
> 
> And, Henk will complain [2] if we miss sigs.
> 
> -Rahul
> 
> [1] http://www.apache.org/dev/release-signing.html#policy
> [2] http://people.apache.org/~henkp/checker/sig.html

Thanks for those pointers Rahul. I'll be sure to add at least the first 
one to the guide.

I had a look at the Apache Maven 1 repo at
   http://people.apache.org/repo/m1-ibiblio-rsync-repository/

There doesn't seem to be any consistency when looking at different 
components. I had a look at a few:

configuration:
- older jars have md5
- newer jars have md5 and asc
- older poms have no md5 or asc
- newer poms have md5

lang:
- jars have md5
- poms have md5

logging:
- older jars have md5
- newer jars have md5 and asc
- older poms have md5
- newer poms have md5 and asc

How do we handle this? One way to go is: if the previous pom is signed, 
then the relocated one should also be signed.

And a more philosophical question: is a pom an artifact?


Henk's page does not seem to look at the Maven repos at all, only in /dist/

-- 
Dennis Lundberg
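The survey of the m1 repository above was done by hand. The following script is an added example, not code from this thread, from Apache Commons or from Henk's checker; it automates that survey over a Maven-style directory tree. For every .jar and .pom it reports whether .md5, .sha1 and .asc sidecars exist and whether each checksum file actually matches the artifact (a relocation pom edited after its checksum was generated shows up as "mismatch"). The artifact names, paths and file contents are constructed sample data that mirror the inconsistency described in the mail; the .asc files are placeholders and are only checked for presence, since verifying them needs the signer's public key and an OpenPGP implementation (`gpg --verify artifact.asc artifact`), which is outside this script.

```python
"""Audit a Maven-style repository tree for checksum and signature sidecars.

Added example (not Apache Commons code). Paths and artifact contents below are
constructed sample data, not files from the real m1 repository.
"""
import hashlib
import os
import tempfile

ARTIFACT_EXTS = (".jar", ".pom")


def _digest(path, algo):
    """Hex digest of a file. MD5/SHA-1 here only detect transport corruption;
    authenticity has to come from the detached OpenPGP signature (.asc)."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _read_sidecar_digest(path):
    """Checksum sidecars are either a bare hex string or the coreutils form
    'HEX  filename'; in both cases the first token is the digest."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        tokens = fh.read().split()
    return tokens[0].lower() if tokens else ""


def audit_artifact(path):
    """Return {"md5": ok|mismatch|missing, "sha1": ..., "asc": present|missing}."""
    report = {}
    for algo in ("md5", "sha1"):
        sidecar = path + "." + algo
        if not os.path.exists(sidecar):
            report[algo] = "missing"
        elif _read_sidecar_digest(sidecar) == _digest(path, algo):
            report[algo] = "ok"
        else:
            report[algo] = "mismatch"
    # Presence only: validating the signature requires gpg and the KEYS file.
    report["asc"] = "present" if os.path.exists(path + ".asc") else "missing"
    return report


def audit_repository(root):
    """Walk root and audit every .jar/.pom; keys are paths relative to root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(ARTIFACT_EXTS):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = audit_artifact(full)
    return results


def unsigned_artifacts(results):
    """Artifacts that would trip a signature checker: no .asc at all."""
    return sorted(p for p, r in results.items() if r["asc"] == "missing")


def build_sample_repo(root):
    """Constructed sample tree reproducing the inconsistency seen in the mail."""
    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        return full

    # Older jar: md5 only (bare hex form).
    jar_old = write("commons-lang/jars/commons-lang-2.0.jar", b"jar-bytes-2.0")
    write(jar_old + ".md5", (_digest(jar_old, "md5") + "\n").encode())
    # Newer jar: md5 ('HEX  filename' form), sha1 and a placeholder .asc.
    jar_new = write("commons-lang/jars/commons-lang-2.1.jar", b"jar-bytes-2.1")
    write(jar_new + ".md5", (_digest(jar_new, "md5") + "  commons-lang-2.1.jar\n").encode())
    write(jar_new + ".sha1", (_digest(jar_new, "sha1") + "\n").encode())
    write(jar_new + ".asc", b"-----BEGIN PGP SIGNATURE-----\nplaceholder\n-----END PGP SIGNATURE-----\n")
    # Older pom: no sidecars at all.
    write("commons-lang/poms/commons-lang-2.0.pom", b"<project/>")
    # Relocation pom edited after its checksum was generated: stale md5
    # (this is the md5 of the empty string, so it cannot match the new content).
    pom = write("commons-lang/poms/commons-lang-2.1.pom",
                b"<project><distributionManagement><relocation/>"
                b"</distributionManagement></project>")
    write(pom + ".md5", b"d41d8cd98f00b204e9800998ecf8427e\n")
    return root


def demo():
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_repository(build_sample_repo(tmp))


if __name__ == "__main__":
    report = demo()
    for artifact, status in sorted(report.items()):
        print(artifact, status)
    print("unsigned:", unsigned_artifacts(report))
```

Run against a real checkout (`audit_repository("/path/to/m1-repo")`) the "mismatch" entries are the ones to fix before uploading a relocation pom; a matching .md5 says nothing about who produced the file, so the "asc missing" list is the one that matters for the signing policy.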

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org

