incubator-general mailing list archives

From "Noel J. Bergman" <n...@devtech.com>
Subject RE: maven repository
Date Fri, 30 May 2008 14:54:02 GMT
Robert Burrell Donkin wrote:

> it has now been clearly established that we need to move the
> repository. we're now just asking: where?

As I said, Brett Porter's proposal, made early on in the thread, seemed
satisfactory.

> asking podlings to publish through a secondary repository is both
> annoying and ineffective at making it explicit to people that
> they are using artifacts under incubation. this measure cuts
> against the grain of maven.

I really don't care what cuts across the grain of Maven.  I do care about
the established principle that people must make a deliberate decision to use
Incubator artifacts.  If Maven would finally support enforcing signing of
artifacts, as they have been asked to do for years, we could use an
Incubator-specific signing key, forcing people to approve the use of
Incubator artifacts, regardless of download location.

Rather than relax the principle to accommodate a defective tool, if Maven
cannot solve this problem, I'd be more inclined to ban the use of maven
repositories for Incubator artifacts.  That is how strongly I feel about the
principle.

By the way, there has been some talk in Infrastructure about shutting down
the ASF's repository entirely if Maven does not provide enforcement of
signed artifacts, due to security concerns.

Look back over the years of debate on this issue, and I believe that you
will find I've been very consistent.  I want Incubator projects to be able
to perform releases in order to grow their (developer) community, but we
also require that people be aware of the fact that they are not using
official ASF code, as noted by the disclaimer.

> an easy and effective way to ensure that users know that they are using
> an artifact from the incubator would be to ensure that the group or
> artifact ID includes this information.

End users don't read the POM.  They just use it.  So that is no solution at
all.  The signing approach would be, IMO, a reasonable solution.  It would
solve Les' issue -- users would simply have to agree to install the
Incubator-signed artifact(s), and thereafter they'd be fine.

	--- Noel
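The enforcement Noel asks for above (accept an artifact only when its detached signature verifies against a deliberately approved key) can be applied today at the point where an artifact is fetched, without waiting for the build tool to support it. The following script is an added example for this thread, not code from Maven, the ASF or any poster; the key fingerprints in the allowlist are placeholders, and `check_status` parses the machine-readable lines that `gpg --status-fd` emits so that the decision is made on the signing key's fingerprint rather than on whether gpg merely printed "Good signature".

```shell
#!/bin/sh
# Added example (not from the original thread): gate a Maven artifact on a
# detached OpenPGP signature that verifies to an explicitly approved key.
# Constructed placeholders: an Incubator-specific signing key would be
# pinned here by fingerprint, so a user must approve that key once.
APPROVED_FPRS="0000000000000000000000000000000000000001 0000000000000000000000000000000000000002"

# Decide from gpg --status-fd output whether the signature is acceptable.
#   $1 = gpg status lines (one per line), $2 = space-separated approved fingerprints
# Returns 0 only when a VALIDSIG line carries a fingerprint from the allowlist;
# BADSIG, ERRSIG, NO_PUBKEY or an empty status all fall through to 1.
check_status() {
  status="$1"
  allow="$2"
  # VALIDSIG's third field is the full fingerprint of the key that signed.
  fpr=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}')
  [ -n "$fpr" ] || return 1
  for a in $allow; do
    [ "$a" = "$fpr" ] && return 0
  done
  return 1
}

# Verify a downloaded artifact against its detached .asc signature.
#   $1 = artifact (e.g. foo-1.0-incubating.jar), $2 = signature (foo-1.0-incubating.jar.asc)
# With --status-fd 1 the status lines go to stdout; human-readable output stays on stderr.
verify_artifact() {
  artifact="$1"
  sig="$2"
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null)
  if check_status "$status" "$APPROVED_FPRS"; then
    echo "ACCEPT: $artifact is signed by an approved key"
    return 0
  fi
  echo "REJECT: $artifact is unsigned, tampered, or signed by an unapproved key" >&2
  return 1
}

# Stand-alone use: ./verify-artifact.sh foo.jar foo.jar.asc
if [ "$#" -eq 2 ]; then
  verify_artifact "$1" "$2"
fi
```

Pinning on the fingerprint rather than on GOODSIG is the point: a signature from any key in the local keyring would otherwise pass, which is exactly the "deliberate decision" the policy is meant to force.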


