Return-Path:
Delivered-To: apmail-incubator-general-archive@www.apache.org
Received: (qmail 49091 invoked from network); 31 May 2008 02:31:37 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 31 May 2008 02:31:37 -0000
Received: (qmail 35165 invoked by uid 500); 31 May 2008 02:31:36 -0000
Delivered-To: apmail-incubator-general-archive@incubator.apache.org
Received: (qmail 34988 invoked by uid 500); 31 May 2008 02:31:36 -0000
Mailing-List: contact general-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: general@incubator.apache.org
Delivered-To: mailing list general@incubator.apache.org
Received: (qmail 34971 invoked by uid 99); 31 May 2008 02:31:36 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 30 May 2008 19:31:36 -0700
X-ASF-Spam-Status: No, hits=1.5 required=10.0 tests=FORGED_MUA_OIMO,MSGID_FROM_MTA_HEADER,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy)
Received: from [66.112.202.4] (HELO mail.devtech.com) (66.112.202.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 31 May 2008 02:30:42 +0000
Message-ID:
MIME-Version: 1.0
X-MessageIsInfected: false
Received: from mail.devtech.com. ([66.112.202.4]) by mail.devtech.com (JAMES SMTP Server 2.3.1-dev) with SMTP ID 884 for ; Fri, 30 May 2008 22:31:03 -0400 (EDT)
From: "Noel J. Bergman"
To:
Subject: RE: maven repository
Date: Fri, 30 May 2008 22:30:21 -0400
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
In-Reply-To: <9e3862d80805301916q4554755fl1662c385929c5d48@mail.gmail.com>
Importance: Normal
X-Virus-Checked: Checked by ClamAV on apache.org

Brett Porter wrote:
> Noel J. Bergman:
> > I really don't care what cuts across the grain of Maven. I do care about
> > the established principle that people must make a deliberate decision to use
> > Incubator artifacts. If Maven would finally support enforcing signing of
> > artifacts, as they have been asked to do for years, we could use an
> > Incubator-specific signing key, forcing people to approve the use of
> > Incubator artifacts, regardless of download location.

> You're asking for it to enforce the use of signed artifacts out of the
> box, not enforce signing.

Yes. As noted in my reply to Brian E. Fox in his renamed thread "enforced signing of artifacts".

> I still think that's some time off from happening

Well, you know how I feel about that ...

> I'm more than happy to throw an enforcer rule into the next Maven
> release that warns users if they are:
> - using the incubator repository
> - using an artifact from org.apache.* with version *-incubating.
> and point them to a URL to learn more.

> Will that do?

Wearing my Incubator PMC hat? Possibly. Please elaborate. Wearing my security hat? Not in the slightest, but I'm willing to focus on the Incubator's issues here.

Obviously, this won't solve the problem of people using older versions of Maven, but I'm not sure if there is a good solution to that, is there?

> > By the way, there has been some talk in Infrastructure about shutting down
> > the ASF's repository entirely if Maven does not provide enforcement of
> > signed artifacts, due to security concerns.

> Can you point me to the message ID and list? I don't recall it.

Would have been on infra@ a time or few over the years.

--- Noel

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
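The warning rule Brett proposes in the message above (flag builds that use the Incubator repository or an org.apache.* artifact with a *-incubating version) can be approximated as a stand-alone POM check. The script below is an added example written for this page, not code from the thread or from the Maven Enforcer plugin. The sample POM, its repository URL and the "incubat" substring heuristic for recognising an Incubator repository are constructed assumptions; the two patterns it matches are the ones the message names.

```python
"""Flag Incubator artifacts and repositories in a Maven POM.

Added example: a constructed check that mirrors the two conditions named in the
thread (Incubator repository in use; org.apache.* dependency at *-incubating).
It is not the Maven Enforcer plugin and does not replace it.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample POM: one Incubator repository, one incubating org.apache.*
# dependency and one regular release. The URL is a placeholder, not a real repo.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>apache-incubator</id>
      <url>https://example.invalid/incubator-repo/</url>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>org.apache.example</groupId>
      <artifactId>podling-lib</artifactId>
      <version>0.3-incubating</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang</artifactId>
      <version>2.4</version>
    </dependency>
  </dependencies>
</project>
"""


def _qualifier(root):
    """Return a function that qualifies a tag with the POM's namespace, if any.

    Most POMs declare the 4.0.0 namespace; some older ones omit it entirely.
    """
    if root.tag.startswith("{"):
        ns = root.tag[: root.tag.index("}") + 1]
        return lambda tag: ns + tag
    return lambda tag: tag


def _child_text(elem, q, tag):
    child = elem.find(q(tag))
    return child.text.strip() if child is not None and child.text else ""


def find_incubator_usage(pom_xml):
    """Return warning strings for each Incubator repository and each
    org.apache.* dependency whose version ends in -incubating."""
    root = ET.fromstring(pom_xml)
    q = _qualifier(root)
    warnings = []

    # Condition 1: the Incubator repository is configured. Assumed heuristic:
    # treat a repository as Incubator if its id or URL mentions "incubat".
    for repo in root.iterfind(q("repositories") + "/" + q("repository")):
        rid, url = _child_text(repo, q, "id"), _child_text(repo, q, "url")
        if "incubat" in (rid + url).lower():
            warnings.append(f"repository {rid!r} ({url}) is an Incubator repository")

    # Condition 2: an org.apache.* artifact at a *-incubating version.
    for dep in root.iterfind(q("dependencies") + "/" + q("dependency")):
        gid = _child_text(dep, q, "groupId")
        aid = _child_text(dep, q, "artifactId")
        ver = _child_text(dep, q, "version")
        if fnmatch.fnmatchcase(gid, "org.apache.*") and fnmatch.fnmatchcase(ver, "*-incubating"):
            warnings.append(f"dependency {gid}:{aid}:{ver} is an Incubator release")
    return warnings


if __name__ == "__main__":
    for line in find_incubator_usage(SAMPLE_POM):
        print("WARNING:", line)
```

Run against a real project by reading its pom.xml into `find_incubator_usage`; the check only inspects the single POM it is given and does not resolve parent POMs or transitive dependencies, which the real enforcer rule would see through Maven's resolved model.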