incubator-general mailing list archives

From "robert burrell donkin" <robertburrelldon...@gmail.com>
Subject Re: [VOTE] Approve the 4.1 release of ActiveMQ's maven plugins
Date Fri, 15 Sep 2006 16:45:40 GMT
On 9/15/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> On 9/14/06, robert burrell donkin <robertburrelldonkin@gmail.com> wrote:
> > On 9/14/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> > > On 9/14/06, robert burrell donkin <robertburrelldonkin@gmail.com> wrote:

<snip>

> > > If this was not the case
> > > then every artifact in the maven repo would need to be signed and that
> > > seems like a bit of overkill.
> >
> > the policy is clear - they must be signed. this might seem like
> > overkill until you consider the cost to your personal reputation if an
> > unsigned jar is substituted by malware. signing by release managers is
> > an easy and effective protection which is why infrastructure insists
> > upon it. in the (hopefully unlikely) event of a compromise, it is much
> > easier and quicker for a release manager to verify that the signature
> > is still valid than to recut the release.
> >
>
> Does anybody know if there is a way to get maven to sign every
> artifact that gets deployed?  As far as I know that does not exist yet.

the last i heard it is planned but is currently stalled, waiting on
the completion of a signing utility. maybe someone who knows more
might like to jump in about now...

- robert
