incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gilles Scokart" <gscok...@gmail.com>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Wed, 17 Sep 2008 19:01:06 GMT
Just to clarify things, the artefact published on the apache maven
repository are signed (well, to be exact, most are signed.  See [1]
for the current status)

However, maven doesn't [yet] validate the signature when downloading
the artefacts (ivy neither).  See [2]

[1] http://people.apache.org/~henkp/repo/
[2] http://jira.codehaus.org/browse/MNG-2477


2008/9/17 Noel J. Bergman <noel@devtech.com>:
> Dan,
>
> It is a policy matter, not a legal one.  And enforcing artifact signing
> would address this and other crucial, fatal, flaws in Maven's repository
> management.
>
> I still maintain that unless Maven makes swift strides to enforce signing,
> the ASF should ban the use of the Maven repository for all ASF projects, and
> go so far as to remove all of our artifacts.
>
>        --- Noel
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>



-- 
Gilles Scokart

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message