incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Burrell Donkin" <robertburrelldon...@gmail.com>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Sat, 31 May 2008 05:33:36 GMT
On Sat, May 31, 2008 at 3:42 AM, Brett Porter <brett.porter@gmail.com> wrote:
> 2008/5/31 Brian E. Fox <brianf@reply.infinity.nu>:
>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>> for over a year now and this is the first I've heard of it.
>>
>> We do support signing of artifacts and all the maven releases are
>> signed. We obviously don't control all the other Apache projects in a
>> way to enforce that they sign their artifacts.
>
> Noel is referring to enforcing checking signatures, not signing them.
> I've had a proposal out there for some time which anyone is free to
> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>
> There hasn't been a lot of traction behind it so far. Ease of use,
> especially OOTB, is probably one of the main concerns.

IMO this isn't really a maven issue: basic checks should be performed
on all releases. i favour a private subversion repository with custom
hooks for release publishing.

- robert

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message