From "robert burrell donkin" <robertburrelldon...@gmail.com>
Subject Re: [VOTE] Approve the 4.1 release of ActiveMQ's maven plugins
Date Thu, 14 Sep 2006 21:26:37 GMT
On 9/14/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> On 9/14/06, robert burrell donkin <robertburrelldonkin@gmail.com> wrote:
> > On 9/14/06, Hiram Chirino <hiram@hiramchirino.com> wrote:

<snip>

> > a few notes:
> >
> > the MANIFEST files are probably not compliant with the Sun standards.
> > would be better with Extension-Name, Specification-Title,
> > Specification-Vendor, Specification-Version, Implementation-Vendor-Id,
> > Implementation-Title, Implementation-Vendor and
> > Implementation-Version. choice of artifactId name is a little
> > unintuitive (but i suspect that there may be reasons for this).
> >
>
> Maven is generating our MANIFEST for us.. I'll have to do a little
> digging into this.

MANIFESTs are a thorny subject: lots of specs which take
interpretation. sadly compliance in this area by maven is weak.
http://jakarta.apache.org/commons/releases/prepare.html#checkjarmanifest
may be of use.

> > remember that you'll need to create signatures before uploading.
> >
>
> AFAIK, projects only sign distributions.

true but jars are distributions too. policy applies equally to all distributions

> If this was not the case
> then every artifact in the maven repo would need to be signed and that
> seems like a bit of overkill.

the policy is clear - they must be signed. this might seem like
overkill until you consider the cost to your personal reputation if an
unsigned jar is substituted by malware. signing by release managers is
an easy and effective protection which is why infrastructure insists
upon it. in the (hopefully unlikely) event of a compromise, it is much
easier and quicker for a release manager to verify that the signature
is still valid than to recut the release.

> This is not a distribution but just a
> set of jars that our main distribution will depend on.

-1

every distributed artifact must be signed. jars are distributions.
they must be signed.

- robert

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
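As an added illustration of the manifest check discussed in the thread (this is not code from the thread, from ActiveMQ or from the linked Jakarta page): a small Python script that builds an in-memory jar from constructed manifest text and reports which of the attributes listed in the message are missing. The attribute names and the continuation-line handling follow the JAR file specification; both manifest samples are constructed placeholders.

```python
import io
import zipfile
# The attribute set named in the message (Sun's package versioning entries).
REQUIRED_ATTRIBUTES = (
    "Extension-Name", "Specification-Title", "Specification-Vendor",
    "Specification-Version", "Implementation-Vendor-Id",
    "Implementation-Title", "Implementation-Vendor", "Implementation-Version",
)

def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF into a dict. A line
    starting with one space continues the previous value (the spec's 72-byte
    line wrapping); the first blank line ends the main section."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line == "":
            break
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        attrs[last] = value.strip()
    return attrs

def missing_attributes(jar_bytes):
    """Return the REQUIRED_ATTRIBUTES absent or empty in the jar's manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = parse_manifest(manifest)
    return [name for name in REQUIRED_ATTRIBUTES if not attrs.get(name)]

def build_jar(manifest_text):
    """Constructed test data: a minimal jar containing only the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

# Constructed sample of a tool-generated manifest with no versioning entries.
GENERATED_MANIFEST = "Manifest-Version: 1.0\r\nBuilt-By: example\r\n\r\n"
# Constructed sample with the full set (placeholder values); Implementation-Title wraps onto a continuation line.
COMPLIANT_MANIFEST = (
    "Manifest-Version: 1.0\r\nExtension-Name: org.example.plugin\r\n"
    "Specification-Title: Example Plugin\r\nSpecification-Vendor: Example Org\r\n"
    "Specification-Version: 4.1\r\nImplementation-Vendor-Id: org.example\r\n"
    "Implementation-Title: Example Plugin implementa\r\n tion\r\n"
    "Implementation-Vendor: Example Org\r\nImplementation-Version: 4.1\r\n\r\n"
)
```

Running `missing_attributes` over a real jar's bytes (read from disk) gives a release manager a quick pre-upload check that the versioning entries made it into the generated manifest.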

