incubator-general mailing list archives

From "Noel J. Bergman" <n...@devtech.com>
Subject RE: status of PGP support in Maven
Date Fri, 03 Oct 2008 15:20:59 GMT
Henning Schmiedehausen wrote:

> There is a pretty nice proposal on
> http://people.apache.org/~henkp/trust/, however this will again take a
> piece of "freedom of doing software at Apache" away and introduce some
> administrative overhead that all projects must implement and manage.

But, as you say, it is worth doing something, whether exactly that or not,
because

> Formalizing the signing of our releases would be a huge step towards a
> reliable validation for the Apache software releases.

> It still does not help you with third-party releases, though.

Is it our problem if you mean a third party, e.g., IBM, releasing our code
as part of their own commercial product?

> IMHO: Anyone who is using maven for commercial software development and
> does not run a controlled, in-house repository that is actively managed
> and maintained is IMHO in for big, ugly surprises in the long run.

+1  Unfortunately, I believe that you'd be talking about a "high 9s"
percentage of the population of Maven users who do NOT follow that rule.

	--- Noel


