From "Hiram Chirino" <hi...@hiramchirino.com>
Subject Re: [VOTE] Approve the 4.1 release of ActiveMQ's maven plugins
Date Fri, 15 Sep 2006 14:16:40 GMT
On 9/14/06, robert burrell donkin <robertburrelldonkin@gmail.com> wrote:
> On 9/14/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> > On 9/14/06, robert burrell donkin <robertburrelldonkin@gmail.com> wrote:
> > > On 9/14/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
>
> > > remember that you'll need to create signatures before uploading.
> > >
> >
> > AFAIK, projects only sign distributions.
>
> true but jars are distributions too. policy applies equally to all distributions
>
> > If this was not the case
> > then every artifact in the maven repo would need to be signed and that
> > seems like a bit of overkill.
>
> the policy is clear - they must be signed. this might seem like
> overkill until you consider the cost to your personal reputation if an
> unsigned jar is substituted by malware. signing by release managers is
> an easy and effective protection which is why infrastructure insists
> upon it. in the (hopefully unlikely) event of a compromise, it is much
> easier and quicker for a release manager to verify that the signature
> is still valid than to recut the release.
>

Does anybody know if there is a way to get maven to sign every
artifact that gets deployed?  As far as I know that does not exist yet.

I just went through the
http://people.apache.org/repo/m2-ibiblio-rsync-repository repo and it
seems there are many jars up without an asc, and hardly anybody signs
the pom.xml or the maven-metadata.xml files.

Seems the directory project does a really good job of signing all
their artifacts.  Any directory project committer lurking about?  How
do you guys do that?  Do you have any automated scripts to help in
this department?

> > This is not a distribution but just a
> > set of jars that our main distribution will depend on.
>
> -1
>
> every distributed artifact must be signed. jars are distributions.
> they must be signed.
>

Understood. I'll look into signing those files.

> - robert
>

-- 
Regards,
Hiram

Blog: http://hiramchirino.com
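The check described in the mail above (walking a Maven repository and spotting jars, poms and maven-metadata.xml files with no detached .asc next to them), as an added example that is not part of the thread or of any ActiveMQ or Directory tooling. The repository layout it builds under org/example is constructed for the demonstration; the audit function itself can be pointed at any local repository tree.

```python
import tempfile
from pathlib import Path

# What the thread says should carry a detached signature: jars, poms and
# maven-metadata.xml. Checksums and the .asc files themselves are skipped.
SIGNED_SUFFIXES = (".jar", ".pom")
SIGNED_NAMES = ("pom.xml", "maven-metadata.xml")
SKIP_SUFFIXES = (".asc", ".md5", ".sha1")


def needs_signature(name):
    """True if a file with this name should have a sibling <name>.asc."""
    if name.endswith(SKIP_SUFFIXES):
        return False
    return name.endswith(SIGNED_SUFFIXES) or name in SIGNED_NAMES


def audit_repo(root):
    """Walk a repository tree and return the repo-relative paths (POSIX
    form, sorted) of every artifact that has no detached signature."""
    root = Path(root)
    unsigned = []
    for path in root.rglob("*"):
        if not path.is_file() or not needs_signature(path.name):
            continue
        if not path.with_name(path.name + ".asc").is_file():
            unsigned.append(path.relative_to(root).as_posix())
    return sorted(unsigned)


def build_sample_repo(root):
    """Constructed Maven 2 layout with hypothetical coordinates: one signed
    jar, an unsigned pom, unsigned metadata and a second unsigned jar."""
    files = {
        "org/example/app/1.0/app-1.0.jar": b"jar bytes",
        "org/example/app/1.0/app-1.0.jar.asc": b"detached signature",
        "org/example/app/1.0/app-1.0.jar.md5": b"checksum",
        "org/example/app/1.0/app-1.0.pom": b"<project/>",
        "org/example/app/maven-metadata.xml": b"<metadata/>",
        "org/example/lib/2.0/lib-2.0.jar": b"jar bytes",
    }
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def audit_sample_repo():
    """Build the constructed repository in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_repo(build_sample_repo(tmp))


if __name__ == "__main__":
    for rel in audit_sample_repo():
        print("UNSIGNED", rel)
```

Running it prints the three unsigned artifacts; the presence of an .asc only says a signature was uploaded, so a real audit would still verify each one against the release manager's key.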
