commons-dev mailing list archives

From "Rahul Akolkar" <>
Subject Re: [all] maven group ids
Date Wed, 16 Aug 2006 21:18:27 GMT
On 8/16/06, Dennis Lundberg <> wrote:
> Rahul Akolkar wrote:
> >
> > AFAIK, nothing should go into any of the Apache Maven repos unless it's
> > summed and signed. Commons has no particular privilege here, in fact,
> > we should ensure that all artifacts are accompanied by appropriate
> > metadata (I don't mean metadata.xml in the m2 sense). There are
> > existing sums and sigs on some POMs at least. It appears that even if
> > it's just a relocation section, it needs a resum and resign. If the
> > consensus is that this adds an overhead for too many people, and is
> > hence optional, that's another thing.
> Checksums (md5 and/or sha1) yes, definitely. Signing, hmm well I'm not
> sure. I haven't cut a release yet, so others will need to fill me in on
> the current policy for signing or not signing poms. If this is
> documented somewhere at Apache, please let me know, so that I can add a
> link in the relocation guide.

From the Apache-wide release signing policy [1] (I understand the
document is still in the works):

Every artifact distributed by the Apache Software Foundation should
and every new one must be accompanied by one file containing an
OpenPGP compatible ASCII armored detached signature and another file
containing an MD5 checksum.

And, Henk will complain [2] if we miss sigs.
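
An added example, not part of the original message or of any Apache tooling: a Python audit that flags artifacts whose `.md5` no longer matches their content (a POM that gained a relocation section without a re-sum) or whose `.asc` is missing. The directory layout, paths and sample POMs are constructed assumptions; the script only checks that a signature file exists and is ASCII armored, and verifying it cryptographically still requires gpg and the signer's public key.

```python
import hashlib
import tempfile
from pathlib import Path

ARTIFACT_SUFFIXES = {".pom", ".jar"}            # files that must carry metadata
ARMOR_HEADER = "-----BEGIN PGP SIGNATURE-----"  # start of an armored detached sig


def audit_repo(root):
    """Return {relative artifact path: [problems]} for artifacts under root."""
    findings = {}
    for artifact in sorted(Path(root).rglob("*")):
        if not artifact.is_file() or artifact.suffix not in ARTIFACT_SUFFIXES:
            continue
        problems = []
        md5_file = artifact.with_name(artifact.name + ".md5")
        sig_file = artifact.with_name(artifact.name + ".asc")
        if not md5_file.is_file():
            problems.append("missing .md5")
        else:
            # The file holds the hex digest, sometimes followed by a file name.
            recorded = md5_file.read_text().split()
            actual = hashlib.md5(artifact.read_bytes()).hexdigest()
            if not recorded or recorded[0].lower() != actual:
                problems.append("stale .md5")
        if not sig_file.is_file():
            problems.append("missing .asc")
        elif not sig_file.read_text(errors="replace").lstrip().startswith(ARMOR_HEADER):
            problems.append(".asc is not ASCII armored")
        if problems:
            findings[artifact.relative_to(root).as_posix()] = problems
    return findings


def build_sample_repo(root):
    """Constructed sample: one complete POM, one POM edited after summing."""
    good = Path(root, "new", "commons-foo-1.0.pom")
    moved = Path(root, "old", "commons-foo-1.0.pom")
    for pom in (good, moved):
        pom.parent.mkdir(parents=True)
        pom.write_bytes(b"<project/>\n")
        digest = hashlib.md5(pom.read_bytes()).hexdigest()
        pom.with_name(pom.name + ".md5").write_text(digest + "\n")
    sig = good.with_name(good.name + ".asc")
    sig.write_text(ARMOR_HEADER + "\n(constructed)\n")  # placeholder, not a real sig
    moved.write_bytes(b"<project><relocation/></project>\n")  # edit without re-sum


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        print(audit_repo(tmp))
```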


