incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brett Porter" <brett.por...@gmail.com>
Subject Re: maven repository
Date Sat, 31 May 2008 02:16:47 GMT
2008/5/31 Noel J. Bergman <noel@devtech.com>:
> Robert Burrell Donkin wrote:
>
>> it has now been clearly established that we need to move the
>> repository. we're now just asking: where?
>
> As I said, Brett Porter's proposal, made early on in the thread, seemed
> satisfactory.

That wasn't a proposal, it's how things are today.

My understanding is the following:
- releases are published to that repository, not to the rsync repository
- "incubating" is in the version, not in any other identifier (since
the version is the only thing attached to the release, the rest
continue after incubating).
- there is no automated rsync to the central repository
- the maven repository maintainers don't ban the upload of incubating
artifacts to the central repository.

> I really don't care what cuts across the grain of Maven.  I do care about
> the established principle that people must make a deliberate decision to use
> Incubator artifacts.  If Maven would finally support enforcing signing of
> artifacts, as they have been asked to do for years, we could use an
> Incubator-specific signing key, forcing people to approve the use of
> Incubator artifacts, regardless of download location.

You're asking for it to enforce the use of signed artifacts out of the
box, not enforce signing. I still think that's some time off from
happening, but hey - volunteers are always welcome.

I'm more than happy to throw an enforcer rule into the next Maven
release that warns users if they are:
- using the incubator repository
- using an artifact from org.apache.* with version *-incubating.
and point them to a URL to learn more.

Will that do?

>
> By the way, there has been some talk in Infrastructure about shutting down
> the ASF's repository entirely if Maven does not provide enforcement of
> signed artifacts, due to security concerns.

Can you point me to the message ID and list? I don't recall it.

Thanks,
Brett

-- 
Brett Porter
Blog: http://blogs.exist.com/bporter/

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message