incubator-general mailing list archives

From "Robert Burrell Donkin" <>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Sat, 31 May 2008 05:33:36 GMT

On Sat, May 31, 2008 at 3:42 AM, Brett Porter <> wrote:
> 2008/5/31 Brian E. Fox <>:
>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>> for over a year now and this is the first I've heard of it.
>> We do support signing of artifacts and all the maven releases are
>> signed. We obviously don't control all the other Apache projects in a
>> way to enforce that they sign their artifacts.
> Noel is referring to enforcing checking signatures, not signing them.
> I've had a proposal out there for some time which anyone is free to
> comment on:
> There hasn't been a lot of traction behind it so far. Ease of use,
> especially OOTB, is probably one of the main concerns.

IMO this isn't really a Maven issue: basic checks should be performed
on all releases. I favour a private Subversion repository with custom
hooks for release publishing.

- robert
