incubator-general mailing list archives
From "Bruce Snyder" <bruce.sny...@gmail.com>
Subject Re: status of PGP support in Maven
Date Fri, 03 Oct 2008 20:53:29 GMT
On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <noel@devtech.com> wrote:
> Moved to the thread it belongs in ...
>
> Jason van Zyl wrote:
>> Noel J. Bergman wrote:
>> > Emmanuel Lecharny wrote:
>>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>>> vote anymore...
>>> Not really.  Consider that there appears to be a clear consensus
>>> that if Maven were to fix the download situation, requiring that users
>>> approve the use of Incubator artifacts, rather than transparently use
>>> them, many of the -1 would be +1.
>
>> That's unlikely to happen. We're not going to be implementing policy
>> enforcement for you.
>
> We don't need for you to implement any "policy" other than the requirement
> for users to approve authorized signing keys.  You simply need to implement
> artifact signing and mandatory authorization, which is why I've moved this
> to the thread Brett started for purposes of discussing signing.

I'm trying to understand why authorization should be mandatory? To my
knowledge, only some of the Linux package management tools (apt, port,
rpm, yum) verify signatures by default and in the event of failure,
they allow you to continue without the key verification.

Also, I've actually spoken to a number of folks about GPG verification
of artifacts over the last year and very few folks actually use this
today.

> Did you not see what just happened to Redhat with respect to Fedora?  They
> take artifact security seriously.  For a long time, it has appeared that
> Maven does not, but I am hopeful now that mandatory authorization will
> appear, so that I and others will not have to increase lobbying efforts to
> have the Maven repository closed, at least with respect to ASF projects.

Please explain what happened to RedHat with respect to Fedora. I'm not
familiar with the situation.

Bruce
-- 
perl -e 'print unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
);'

Apache ActiveMQ - http://activemq.org/
Apache Camel - http://activemq.org/camel/
Apache ServiceMix - http://servicemix.org/

Blog: http://bruceblog.org/
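The "mandatory authorization" being argued about above amounts to two checks on a downloaded artifact: the detached signature must verify, and the signing key must be one the user has explicitly approved, with no "continue anyway" path. As an added illustration (not code from this thread, from Maven or from any Apache project), the POSIX shell below applies that policy to the machine-readable status lines gpg emits with `--status-fd`. The fingerprints, the approved-key file layout (one fingerprint per line) and the `<artifact>.asc` naming are assumptions made for the example; the status-line shape follows gpg's documented `VALIDSIG` format.

```shell
#!/bin/sh
# Added example: fail-closed verification of a signed artifact.
# Assumed layout: <artifact> and <artifact>.asc side by side; approved
# fingerprints in a text file, one 40-hex-digit fingerprint per line.

# Constructed fingerprints for the demo (not real keys).
APPROVED_FPR='0123456789ABCDEF0123456789ABCDEF01234567'
UNKNOWN_FPR='FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# True when the fingerprint in $1 appears verbatim in the approved list $2.
is_approved() {
    grep -qiFx -- "$1" "$2"
}

# Read gpg --status-fd lines on stdin and decide whether the signature is
# both cryptographically valid AND made by an approved key.
# Returns 0 only in that case; any hard failure or a missing VALIDSIG
# (unsigned artifact, unknown key, bad signature) returns non-zero.
authorize_signature() {
    approved_file=$1
    status=1
    while IFS=' ' read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)
                # Field 3 is the signing (sub)key fingerprint; the last
                # field is the primary key fingerprint. Accept either.
                primary=${rest##* }
                if is_approved "$fpr" "$approved_file" ||
                   { [ -n "$primary" ] && is_approved "$primary" "$approved_file"; }; then
                    status=0
                fi
                ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                # A hard failure overrides any earlier VALIDSIG.
                return 2
                ;;
        esac
    done
    return $status
}

# Verify a real artifact. A dedicated --homedir keeps the check independent
# of whatever keys happen to be in the user's default keyring.
verify_artifact() {
    artifact=$1
    approved_file=$2
    keyring_dir=$3
    gpg --homedir "$keyring_dir" --batch --status-fd 1 \
        --verify "$artifact.asc" "$artifact" 2>/dev/null |
        authorize_signature "$approved_file"
}

# Constructed status output for a good signature by key $1, in the shape
# gpg prints on --status-fd (values such as dates are made up).
sample_status() {
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] VALIDSIG $1 2008-10-03 1223064809 0 4 0 1 10 00 $1"
}

# Write the approved-key list to a temp file and print its path.
make_approved_file() {
    f=$(mktemp)
    printf '%s\n' "$APPROVED_FPR" > "$f"
    printf '%s\n' "$f"
}

# Demonstrate the policy offline: the approved key passes, a valid
# signature from an unapproved key is still refused.
demo_policy() {
    f=$(make_approved_file)
    ok=1
    if sample_status "$APPROVED_FPR" | authorize_signature "$f" &&
       ! sample_status "$UNKNOWN_FPR" | authorize_signature "$f"; then
        ok=0
    fi
    rm -f "$f"
    return $ok
}
```

The point of the design is that there is no branch in which a missing key or a bad signature leads to "proceed with a warning": the only way an artifact is accepted is a `VALIDSIG` line whose key is in the user-maintained list, which is the approval step the thread is asking for.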

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

