incubator-general mailing list archives

From "Hiram Chirino" <hi...@hiramchirino.com>
Subject Re: [VOTE] Approve the 4.1 release of ActiveMQ's maven plugins
Date Fri, 15 Sep 2006 15:16:36 GMT
Hooray for https://svn.apache.org/repos/private/committers/tools/releases/gpg-sign-all
and rsync!

Everything under
http://people.apache.org/repo/m2-incubating-repository/org/apache/activemq/
is now signed!  It was not that hard!


On 9/15/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> On 9/14/06, robert burrell donkin <robertburrelldonkin@gmail.com> wrote:
> > On 9/14/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> > > On 9/14/06, robert burrell donkin <robertburrelldonkin@gmail.com> wrote:
> > > > On 9/14/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> >
> > > > remember that you'll need to create signatures before uploading.
> > > >
> > >
> > > AFAIK, projects only sign distributions.
> >
> > true but jars are distributions too. policy applies equally to all distributions
> >
> > > If this was not the case
> > > then every artifact in the maven repo would need to be signed and that
> > > seems like a bit of overkill.
> >
> > the policy is clear - they must be signed. this might seem like
> > overkill until you consider the cost to your personal reputation if an
> > unsigned jar is substituted by malware. signing by release managers is
> > an easy and effective protection which is why infrastructure insists
> > upon it. in the (hopefully unlikely) event of a compromise, it is much
> > easier and quicker for a release manager to verify that the signature
> > is still valid than to recut the release.
> >
>
> Does anybody know if there is a way to get maven to sign every
> artifact that gets deployed?  As far as I know that does not exist yet.
>
> I just went through the
> http://people.apache.org/repo/m2-ibiblio-rsync-repository repo  and it
> seems there are many jars up without an asc and hardly anybody signs
> the pom.xml or the maven-metadata.xml files.
>
> Seems the directory project does a really good job of signing all
> their artifacts.  Any directory project committer lurking about?  How
> do you guys do that?  Do you have any automated scripts to help in
> this department?
>
> > > This is not a distribution but just a
> > > set of jars that our main distribution will depend on.
> >
> > -1
> >
> > every distributed artifact must be signed. jars are distributions.
> > they must be signed.
> >
>
> Understood.. I'll look into signing those files.
>
> > - robert
> >
>
> --
> Regards,
> Hiram
>
> Blog: http://hiramchirino.com
>


-- 
Regards,
Hiram

Blog: http://hiramchirino.com
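
The question in the quoted thread ("is there a way to get maven to sign every artifact that gets deployed?") and the audit Hiram did by walking the repo for jars without an .asc are the kind of job a small sign-all script does. The script below is an added example for this archive page; it is not the ASF gpg-sign-all tool linked above (that lives in a private repo and is not shown here) and not ActiveMQ or directory project code. It assumes a standard Maven 2 repository layout, a local gpg with a usable signing key, and that a "distribution" means every jar/war/ear/zip/tar.gz, every pom, and every maven-metadata.xml (the suffix list is this example's choice; the thread notes that the pom and metadata files are the ones usually left unsigned). The script name and function names are hypothetical.

```sh
#!/bin/sh
# sign-all-artifacts.sh: added example, not the ASF gpg-sign-all script from the
# private committers repo (which this thread mentions but does not show).
# Walks a Maven 2 repository tree, lists every deployable artifact that has no
# detached ASCII-armored signature (<file>.asc) next to it, and optionally
# creates the missing signatures with gpg or verifies the ones present.
set -eu

# What counts as an artifact that policy says must be signed: jars and other
# bundles, the pom, and maven-metadata.xml. Checksums and signatures themselves
# are skipped. The list of suffixes is this example's assumption.
is_artifact() {
  case "$1" in
    *.asc|*.md5|*.sha1) return 1 ;;
    *.jar|*.pom|*.war|*.ear|*.zip|*.tar.gz|*/maven-metadata.xml) return 0 ;;
    *) return 1 ;;
  esac
}

# Print, one path per line (sorted), every artifact under $1 lacking $path.asc.
find_unsigned() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    if is_artifact "$f" && [ ! -f "$f.asc" ]; then
      printf '%s\n' "$f"
    fi
  done
}

# Create a detached, armored signature for each unsigned artifact under $1,
# using the key id in $2 if given, else gpg's default key. Run this on the
# local staging copy *before* rsync, so the bytes signed are the bytes shipped.
sign_all() {
  repo=$1
  key=${2:-}
  find_unsigned "$repo" | while IFS= read -r f; do
    if [ -n "$key" ]; then
      gpg --batch --yes --armor --detach-sign --local-user "$key" \
          --output "$f.asc" "$f"
    else
      gpg --batch --yes --armor --detach-sign --output "$f.asc" "$f"
    fi
    printf 'signed %s\n' "$f"
  done
}

# Check every .asc under $1 against its artifact. Prints OK/BAD per file and
# returns non-zero if any signature fails: the quick "is the release still
# intact" check that is cheaper than recutting the release after a compromise.
verify_all() {
  find "$1" -type f -name '*.asc' | LC_ALL=C sort | (
    bad=0
    while IFS= read -r sig; do
      if gpg --batch --quiet --verify "$sig" "${sig%.asc}" 2>/dev/null; then
        printf 'OK  %s\n' "${sig%.asc}"
      else
        printf 'BAD %s\n' "${sig%.asc}"
        bad=$((bad + 1))
      fi
    done
    [ "$bad" -eq 0 ]
  )
}

# Usage: sign-all-artifacts.sh list|sign|verify <repo-dir> [key-id]
if [ $# -ge 2 ]; then
  case "$1" in
    list)   find_unsigned "$2" ;;
    sign)   sign_all "$2" "${3:-}" ;;
    verify) verify_all "$2" ;;
    *)      echo "usage: $0 list|sign|verify <repo-dir> [key-id]" >&2; exit 2 ;;
  esac
fi
```

Run "list" against the local staging copy to get the same audit Hiram did by hand, "sign" to fill in the gaps, and "verify" on the rsynced copy (or later, after a scare) to confirm every .asc still matches its file. Two caveats a release manager should keep in mind: the detached signature must be made over exactly the bytes that are uploaded, so sign before rsync and never re-generate checksums or metadata afterwards; and Maven itself does not check .asc files when it resolves dependencies, so the signatures protect people who verify them by hand or with tooling, which is why the .asc for the pom and maven-metadata.xml matters as much as the one for the jar.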
