From: "Hiram Chirino"
Date: Fri, 15 Sep 2006 11:16:36 -0400
To: general@incubator.apache.org
Subject: Re: [VOTE] Approve the 4.1 release of ActiveMQ's maven plugins

Hooray for https://svn.apache.org/repos/private/committers/tools/releases/gpg-sign-all and rsync!
Everything under http://people.apache.org/repo/m2-incubating-repository/org/apache/activemq/ is not signed! It was not that hard!

On 9/15/06, Hiram Chirino wrote:
> On 9/14/06, robert burrell donkin wrote:
> > On 9/14/06, Hiram Chirino wrote:
> > > On 9/14/06, robert burrell donkin wrote:
> > > > On 9/14/06, Hiram Chirino wrote:
> > > > > > remember that you'll need to create signatures before uploading.
> > > > >
> > > > > AFAIK, projects only sign distributions.
> > > > true but jars are distributions too. policy applies equally to all distributions
> >
> > > If this was not the case
> > > then every artifact in the maven repo would need to be signed and that
> > > seems like a bit of overkill.
> >
> > the policy is clear - they must be signed. this might seem like
> > overkill until you consider the cost to your personal reputation if an
> > unsigned jar is substituted by malware. signing by release managers is
> > an easy and effective protection which is why infrastructure insists
> > upon it. in the (hopefully unlikely) event of a compromise, it is much
> > easier and quicker for a release manager to verify that the signature
> > is still valid than to recut the release.
> >
>
> Does anybody know if there is a way to get maven to sign every
> artifact that gets deployed? As far as I know that does not exist yet.
>
> I just went through the
> http://people.apache.org/repo/m2-ibiblio-rsync-repository repo and
> seems there are many jars up without an asc and hardly anybody signs
> the pom.xml or the maven-metadata.xml files.
>
> Seems the directory project does a really good job of signing all
> their artifacts. Any directory project committer lurking about? How
> do you guys do that? Do you have any automated scripts to help in
> this department?
>
> > > This is not a distribution but just a
> > > set of jars that our main distribution will depend on.
> >
> > -1
> >
> > every distributed artifact must be signed. jars are distributions.
> > they must be signed.
> >
>
> Understood.. I'll look into signing those files.
>
> > - robert
> >
>
> --
> Regards,
> Hiram
>
> Blog: http://hiramchirino.com
>

--
Regards,
Hiram

Blog: http://hiramchirino.com
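
The audit described in the thread (jars, poms and maven-metadata.xml files with no .asc beside them) can be scripted. The following is an added example, not the gpg-sign-all script mentioned above and not any project's own tooling; the function names and the sample artifact name are assumptions, and signing assumes gpg is installed with the release manager's key as the default key.

```shell
#!/bin/sh
# Added example: audit a Maven-layout repository for artifacts that have no
# detached signature. Deployed poms are stored as <artifact>-<version>.pom.

# Print every jar, pom and maven-metadata.xml under $1 with no non-empty .asc.
list_unsigned() {
    find "$1" -type f \( -name '*.jar' -o -name '*.pom' \
        -o -name 'maven-metadata.xml' \) | sort |
    while IFS= read -r f; do
        [ -s "$f.asc" ] || printf '%s\n' "$f"
    done
}

# Create an ASCII-armored detached signature for each unsigned artifact.
sign_unsigned() {
    list_unsigned "$1" | while IFS= read -r f; do
        gpg --armor --detach-sign --output "$f.asc" "$f" ||
            echo "signing failed: $f" >&2
    done
}

# Print artifacts whose existing signature does not verify (a signer key
# missing from the local keyring also counts as a failure here).
list_bad_signatures() {
    find "$1" -type f -name '*.asc' | sort | while IFS= read -r sig; do
        gpg --verify "$sig" "${sig%.asc}" >/dev/null 2>&1 ||
            printf '%s\n' "${sig%.asc}"
    done
}

# Build a small constructed repository tree for trying the audit offline.
make_sample_repo() {
    d=$(mktemp -d) || return 1
    g="$d/org/apache/activemq/example-plugin"   # hypothetical artifact name
    mkdir -p "$g/4.1"
    echo meta > "$g/maven-metadata.xml"
    echo jar > "$g/4.1/example-plugin-4.1.jar"
    echo pom > "$g/4.1/example-plugin-4.1.pom"
    echo sig > "$g/4.1/example-plugin-4.1.jar.asc"  # placeholder, not a real signature
    printf '%s\n' "$d"
}

# Usage: sh audit.sh <repo-dir> [--sign]
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = "--sign" ]; then sign_unsigned "$1"; fi
    list_unsigned "$1"
fi
```

Run it against the local staging copy before the rsync, so that the signatures are uploaded together with the artifacts they cover.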