incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Noel J. Bergman" <>
Subject RE: Difference between Maven repository and dist directory
Date Fri, 16 Mar 2007 15:25:55 GMT
Jochen Wiedmann wrote:

> Craig McClanahan wrote:
> > * Some Apache folks are violating our own rules by pushing
> >   these artifacts into our own dist directory (which gets mirrored
> >   there).

> Guilty. I have personally uploaded Woden jar files. And I see no
> reason why I should stop doing so. These are ASL 2.0 licensed files.

ASL may give you the right as an individual to do something with the code,
but it does not give you the right, as an ASF Committer, to violate ASF
policy.  Nor the right to distribute something as an ASF artifact that is
not one.

> > * Ibiblio is accepting Apache artifacts posted by folks other
> >   than the originating projects, which seems like a pretty grave
> >   security concern.

And this is why we need for Maven to implement proper security practices,
including mandated artifact signing and verification.

	--- Noel

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message