Mailing-List: contact general-help@incubator.apache.org; run by ezmlm
Reply-To: general@incubator.apache.org
Delivered-To: mailing list general@incubator.apache.org
Date: Sat, 31 May 2008 09:05:06 -0400
From: "James Carman"
Sender: jcarman@carmanconsulting.com
To: general@incubator.apache.org
Subject: Re: enforced signing of artifacts, [was maven repository]
References: <2BABBE7D2A66E04DB8A66A527D29927E403DFB@intrepid.infinity.nu>
 <9e3862d80805301942q897b0f4i9f9fe4b09494628f@mail.gmail.com>
X-ASF-Spam-Status: No, hits=1.2 required=10.0 tests=SPF_NEUTRAL
X-Virus-Checked: Checked by ClamAV on apache.org

On Sat, May 31, 2008 at 1:33 AM, Robert Burrell Donkin wrote:
> IMO this isn't really a maven issue: basic checks should be performed
> on all releases. I favour a private subversion repository with custom
> hooks for release publishing.

I think it very much is a maven issue. Maven is the tool that automatically downloads jar files from the public repository automagically (I love that, by the way). If there were a setting in maven that I could set that says "don't add anything to my local maven repository that isn't signed by someone that I trust", then I think we would be good here. I don't know if I'd make it a required feature, though. I think making it optional would be okay. Maven should also ask you if you want to trust a signer if it hasn't seen it before (kind of like how webstart does). Perhaps it could be a three-choice setting:

1. Allow any jars from the central repository.
2. Ask me before allowing jars from someone I haven't specifically trusted before.
3. Don't allow any jars signed by people I do not trust.

This, of course, would mean that we should probably set up a release signing committee so that we only use one signing key from the ASF (users shouldn't have to say that they trust jars signed by me, and Robert, and Brett, and Noel). The members of the committee would be the only ones with write access to the maven rsync directory. The requests could be set up in JIRA or something (hopefully there would be a committee member on each PMC).

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
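The three-choice policy proposed in the message above, worked through as an added example: a stand-alone checker that verifies an artifact's detached OpenPGP signature with `gpg` and then applies the allow-any / ask-before-trusting / trusted-only decision against a set of trusted signer fingerprints. This is not Maven code, not an ASF tool, and not a setting Maven offered at the time; it is written here to show the decision logic a practitioner would want, including the case the proposal does not spell out, namely that a bad or uncheckable signature is rejected in modes 2 and 3 regardless of who the signer claims to be, and that trust is keyed on the full 40-hex-digit fingerprint from `VALIDSIG` rather than the short key id in `GOODSIG`. Assumptions: `gpg` is on `PATH`, the signature sits beside the artifact as `artifact.jar.asc`, and the sample status lines and fingerprint are constructed for the example, not captured from a real artifact.

```python
"""Three-mode trust policy for signed artifacts (added example, not Maven's code).

Assumptions (not in the original mail): `gpg` is on PATH, the artifact has a
detached OpenPGP signature next to it, and trusted signers are identified by
full 40-hex-digit fingerprints as reported on gpg's VALIDSIG status line.
"""
from __future__ import annotations

import re
import subprocess
from enum import Enum
from typing import Callable, Iterable, NamedTuple, Set


class Mode(Enum):
    ALLOW_ANY = 1     # 1. allow any jars from the repository, signed or not
    ASK_UNKNOWN = 2   # 2. ask before accepting a signer not yet trusted
    TRUSTED_ONLY = 3  # 3. reject anything not signed by an already trusted key


class SigStatus(NamedTuple):
    good: bool         # GOODSIG seen and no BADSIG/ERRSIG/expired/revoked key
    fingerprint: str   # full fingerprint from VALIDSIG, "" if none
    uid: str           # signer user id from GOODSIG, "" if none
    missing_key: bool  # NO_PUBKEY: gpg could not check the signature at all


# gpg --status-fd emits lines of the form "[GNUPG:] KEYWORD args..."
_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(lines: Iterable[str]) -> SigStatus:
    """Reduce gpg's machine-readable status lines to one verdict."""
    good = bad = missing = False
    fpr = uid = ""
    for line in lines:
        m = _STATUS.match(line.strip())
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2) or ""
        if keyword == "GOODSIG":
            good = True
            uid = rest.split(" ", 1)[1] if " " in rest else ""
        elif keyword == "VALIDSIG":
            fpr = rest.split(" ", 1)[0].upper()  # first field is the fingerprint
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            bad = True  # expired/revoked signing keys are treated as rejected
        elif keyword == "NO_PUBKEY":
            missing = True
    return SigStatus(good and not bad, fpr, uid, missing)


def decide(status: SigStatus, trusted: Set[str], mode: Mode,
           ask: Callable[[str, str], bool]) -> bool:
    """Return True if the artifact may enter the local repository."""
    if mode is Mode.ALLOW_ANY:
        return True
    # Modes 2 and 3 both require a cryptographically valid signature first:
    # an unknown signer is a policy question, a bad signature never is.
    if not status.good or not status.fingerprint:
        return False
    if status.fingerprint in trusted:
        return True
    if mode is Mode.ASK_UNKNOWN and ask(status.fingerprint, status.uid):
        trusted.add(status.fingerprint)  # remember the answer for next time
        return True
    return False


def gpg_status(artifact: str, signature: str) -> list:
    """Run gpg on a detached signature and return its status lines (needs gpg on PATH)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def check_artifact(artifact: str, trusted: Set[str], mode: Mode,
                   ask: Callable[[str, str], bool] = lambda fpr, uid: False) -> bool:
    """Verify artifact against artifact + '.asc' and apply the policy."""
    return decide(parse_status(gpg_status(artifact, artifact + ".asc")), trusted, mode, ask)


# Constructed sample gpg status output (hypothetical fingerprint and user id,
# not captured from any real artifact), so the policy can be exercised offline.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Signer <release@example.invalid>",
    "[GNUPG:] VALIDSIG " + SAMPLE_FPR + " 2008-05-31 1212239106 0 4 0 1 8 00 " + SAMPLE_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Release Signer <release@example.invalid>",
]
SAMPLE_NOKEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1212239106 9 " + SAMPLE_FPR,
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567",
]

if __name__ == "__main__":
    store = set()
    approve = lambda fpr, uid: True  # stand-in for an interactive prompt
    print("ask mode, new signer:", decide(parse_status(SAMPLE_GOOD), store, Mode.ASK_UNKNOWN, approve))
    print("trusted-only, bad sig:", decide(parse_status(SAMPLE_BAD), store, Mode.TRUSTED_ONLY, approve))
```

The `ask` callback is where an interactive prompt (or, in an unattended build, a fixed "no") goes; in mode 2 a "yes" is persisted into the trusted set so the same signer is not asked about again. With a single ASF release key, as the message suggests, that set would hold one fingerprint.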