incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Noel J. Bergman" <>
Subject RE: enforced signing of artifacts, [was maven repository]
Date Sat, 31 May 2008 02:30:21 GMT
Brian E. Fox wrote:

> > I really don't care what cuts across the grain of Maven.  I do care
> > about the established principle that people must make a deliberate
> > decision to use Incubator artifacts.  If Maven would finally support
> > enforcing signing of artifacts, as they have been asked to do for
> > years, we could use an Incubator-specific signing key, forcing
> > people to approve the use of Incubator artifacts, regardless of
> > download location.

> Can you elaborate more on what you mean here? I've been on the
>  Maven PMC for over a year now and this is the first I've heard of it.

Ask some of the old(er)-timers on the PMC.  They have heard this from
multiple channels over a period of years, both because of the Incubator's
needs and the security aspect.  On the latter, there have been instances of
supposedly ASF released code being put into the repositories by effectively
rogue developers.  Responsible users of Maven don't use unsecured, unvetted,
public repositories; they manually vet and approve artifacts, and maintain
their own local repositories.

> We do support signing of artifacts and all the maven releases are
> signed.  We obviously don't control all the other Apache projects
> in a way to enforce that they sign their artifacts.

The ASF can enforce that policy for all published artifacts.  But Maven does
not require that artifacts be signed *AND* require that the user running the
maven build APPROVE the signer.  Implement that, and we're fine.  We will
require Incubator artifacts to be signed by a designated key available to
the PMC, and once a user has acknowledged that they accept such Incubator
signed artifacts, maven can do what it wants with them.

	--- Noel

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message