incubator-general mailing list archives

From Henning Schmiedehausen <henn...@apache.org>
Subject RE: status of PGP support in Maven
Date Sat, 04 Oct 2008 00:01:32 GMT
On Fri, 2008-10-03 at 11:20 -0400, Noel J. Bergman wrote:
> Henning Schmiedehausen wrote:
> 
> > There is a pretty nice proposal on
> > http://people.apache.org/~henkp/trust/, however this will again take a
> > piece of "freedom of doing software at Apache" away and introduce some
> > administrative overhead that all projects must implement and manage.
> 
> But, as you say, it is worth doing something, whether exactly that or not,
> because
> 
> > Formalizing the signing of our releases would be a huge step towards a
> > reliable validation for the Apache software releases.
> 
> > It still does not help you with third-party releases, though.
> 
> Is it our problem if you mean a third party, e.g., IBM, releasing our code
> as part of their own commercial product?

Actually I meant verifying/validating the third party dependencies that
Apache projects *use*. So even if we go through all the pains of making
sure that our users really get "apache-baz-1.0", it might just pull in
"some-random-dependency-from-sourceforge-1.0" which can not be
validated.

	Ciao
		Henning
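Henning's point about the transitive dependencies that release signing does not cover, as an added example that is not code from this thread: a walk over a constructed miniature Maven repository that reports every artifact in the dependency closure with no detached .asc signature beside its jar. The repository layout follows the Maven convention, but the coordinates, jars, poms and placeholder signature are all constructed for the demo.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed miniature Maven repository, not a real one: apache-baz-1.0 ships a detached
# .asc signature next to its jar; its dependency (the "random SourceForge" case from the
# mail) does not.
ARTIFACTS = {
    ("org.apache.baz", "apache-baz", "1.0"): {
        "deps": [("net.sf.random", "some-random-dependency", "1.0")], "signed": True},
    ("net.sf.random", "some-random-dependency", "1.0"): {"deps": [], "signed": False},
}

def _path(root, g, a, v, ext):
    # Repository layout: group segments / artifactId / version / artifactId-version.ext
    return os.path.join(root, *g.split("."), a, v, f"{a}-{v}.{ext}")

def build_repo(root):
    """Write each artifact's jar and pom, plus a placeholder .jar.asc when signed."""
    for (g, a, v), meta in ARTIFACTS.items():
        os.makedirs(os.path.dirname(_path(root, g, a, v, "jar")), exist_ok=True)
        with open(_path(root, g, a, v, "jar"), "wb") as f:
            f.write(f"constructed jar bytes for {a}-{v}".encode())
        deps = "".join(f"<dependency><groupId>{dg}</groupId><artifactId>{da}</artifactId>"
                       f"<version>{dv}</version></dependency>" for dg, da, dv in meta["deps"])
        with open(_path(root, g, a, v, "pom"), "w") as f:
            f.write(f"<project><dependencies>{deps}</dependencies></project>")
        if meta["signed"]:
            with open(_path(root, g, a, v, "jar.asc"), "w") as f:
                f.write("-----BEGIN PGP SIGNATURE-----\nplaceholder\n-----END PGP SIGNATURE-----\n")

def unsigned_closure(root, g, a, v, seen=None):
    """Walk the transitive dependency closure and return the coordinates of every artifact
    with no .asc beside its jar. A present .asc is only the precondition: real validation
    runs gpg on it against a key published in the project's KEYS file."""
    seen = set() if seen is None else seen
    if (g, a, v) in seen:
        return []
    seen.add((g, a, v))
    missing = [] if os.path.exists(_path(root, g, a, v, "jar.asc")) else [f"{g}:{a}:{v}"]
    # Constructed poms carry no XML namespace; real ones use the POM 4.0.0 namespace.
    for dep in ET.parse(_path(root, g, a, v, "pom")).getroot().iter("dependency"):
        missing += unsigned_closure(root, dep.findtext("groupId"), dep.findtext("artifactId"),
                                    dep.findtext("version"), seen)
    return missing

def demo():
    root = tempfile.mkdtemp()
    build_repo(root)
    return unsigned_closure(root, "org.apache.baz", "apache-baz", "1.0")
```

The top-level Apache artifact passes, yet the closure still contains an artifact nobody can validate, which is exactly the gap the mail describes.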


