incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brett Porter" <brett.por...@gmail.com>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Sat, 31 May 2008 02:42:13 GMT
2008/5/31 Brian E. Fox <brianf@reply.infinity.nu>:
> Can you elaborate more on what you mean here? I've been on the Maven PMC
> for over a year now and this is the first I've heard of it.
>
> We do support signing of artifacts and all the maven releases are
> signed. We obviously don't control all the other Apache projects in a
> way to enforce that they sign their artifacts.

Noel is referring to enforcing checking signatures, not signing them.
I've had a proposal out there for some time which anyone is free to
comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security

There hasn't been a lot of traction behind it so far. Ease of use,
especially OOTB, is probably one of the main concerns.

- Brett

-- 
Brett Porter
Blog: http://blogs.exist.com/bporter/

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message