On 3-Oct-08, at 10:50 AM, Noel J. Bergman wrote:
> Moved to the thread it belongs in ...
>
> Jason van Zyl wrote:
>> Noel J. Bergman wrote:
>>> Emmanuel Lecharny wrote:
> >>>> Better a bad decision than no decision, otherwise, soon, nobody will vote anymore...
> >>> Not really. Consider that there appears to be a clear consensus that if Maven were to fix the download situation, requiring that users approve the use of Incubator artifacts, rather than transparently use them, many of the -1 would be +1.
>
>> That's unlikely to happen. We're not going to be implementing policy
>> enforcement for you.
>
> We don't need for you to implement any "policy" other than the requirement for users to approve authorized signing keys. You simply need to implement artifact signing and mandatory authorization, which is why I've moved this to the thread Brett started for purposes of discussing signing.
You are not the Incubator PMC, and what the Incubator says they
require is far from clear. Disclaimers, notices, PGP keys. No one
knows what anyone wants here. No one can follow these discussions.
There will be no mandatory authorization. That will not be turned on
by default in the foreseeable future. The tools will exist for people
to use as they see fit. It is more likely that people using repository
managers will enable this, but it won't be turned on in the Maven
client. Oleg, who is responsible for implementing Mercury, which has
full PGP support, has this functionality working on all branches of
Maven, but the option to use it will be in the hands of the user. As
the quality and tools for supporting PGP get better, and more people
use them, we will again take a look at the default behavior.
>
> Did you not see what just happened to Redhat with respect to Fedora? They take artifact security seriously. For a long time, it has appeared that Maven does not, but I am hopeful now that mandatory authorization will appear, so that I and others will not have to increase lobbying efforts to have the Maven repository closed, at least with respect to ASF projects.
Lobby away. Close the repository, then what's going to happen? Someone
checks out all the sources with a CI system, builds everything and
publishes them, then what are you going to do? Shut down anonymous SVN
access because people are doing what they can by rights of the
license? Track them down and tell them not to do it? Tell the Maven
PMC to intervene to stop people from making submissions via JIRA? Stop
the repositories that are already syncing Apache artifacts to central
or hosting their own repositories? How are you going to stop people
from doing this, Noel, when it's their right? Are you going to lock down
everything to the point where no one wants to get involved?
>
>
> --- Noel
Thanks,
Jason
----------------------------------------------------------
Jason van Zyl
Founder, Apache Maven
jason at sonatype dot com
----------------------------------------------------------
We know what we are, but know not what we may be.
-- Shakespeare
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org