incubator-general mailing list archives

From "Noel J. Bergman" <n...@devtech.com>
Subject RE: enforced signing of artifacts, [was maven repository]
Date Mon, 02 Jun 2008 22:16:20 GMT
William A. Rowe, Jr. wrote:

> Why is it not equally possible to validate against a short list of keys
> (e.g. infra PMC members) and their immediate trust.  This is what gpg is
> good at.

First get the code built into Maven for actually checking the signatures and we're golden,
with multiple options.

> As far as signing jars, Microsoft Authenticode etc, Noel and I planned to
> create such a service (although we've both been really busy in the past few
> months).  But it will always require that the artifacts are already signed
> by someone in the ASF's web-of-trust via pgp.

I've been wondering when you'd come back to life, but you may have been waiting for me.  I
actually had time the past week.

	--- Noel


