incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Noel J. Bergman" <>
Subject RE: status of PGP support in Maven
Date Tue, 07 Oct 2008 22:28:50 GMT
Jason van Zyl wrote:

> Noel, your comments are completely out of whack with reality. You are
> asking Maven to enforce something that no one does. Pretty much
> almost no one.

> Checking PGP signatures is obviously not something the vast majority of
people do.

Really?  Try following the instructions at for
adding the repository without adding the PGP key, and see how well it works.
Not that I am suggesting a single, centralized, master key for the entire
repository.  And, again, RedHat takes it so seriously that they shutdown
their distribution network when they had even the slightest concern that the
signing keys were compromised.

If you are saying that we don't have signed packages, I agree with you that
more projects should be signing.  I have signed JAMES releases for years.
But the problem is much worse when using Maven, since users haven't a clue
as to the provanance of the artifacts they don't even realize that they are
loading onto their systems.

In any event, this discussion should be moved to eithe repository@ or

	--- Noel

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message