incubator-general mailing list archives

From "Niclas Hedhman"
Subject Re: status of PGP support in Maven
Date Mon, 06 Oct 2008 07:06:50 GMT
On Mon, Oct 6, 2008 at 10:45 AM, Henning Schmiedehausen wrote:
> On Fri, 2008-10-03 at 12:31 -0400, Noel J. Bergman wrote:
>> We don't have to.  We can simply mandate that every ASF project sign their
>> artifacts and charge the Maven PMC with enforcing it.
> No. The Maven PMC is charged with developing software for the Apache
> Maven project. If we really want to put a distribution policy in place
> and enforce it, I can see us creating a repository PMC which does this
> (and talk to Maven about the features that they would like to see or
> (gasp!) implement them and contribute them back to Maven). I would see
> such a PMC as part of or collaborating with Infrastructure.

I thought this effort was started years and years ago...

> Maven is a piece of software, not a distribution mechanism. They just
> happen to build it because no one else did.
>> And perhaps now you start to gain a glimmer of the depth of the problem
>> created by Maven's irresponsible, unconscionable, lackadaisical, attitude
>> towards security, despite other repository exemplars (e.g., linux
>> distributions), having had security in place for years.  Yes, it may be a
> Please stop it, Noel. This is not constructive.

Being in the camp "I hate Maven too", I must say I agree with Henning
that the language used was inappropriate.

I would like to swap Noel's statement around and ask: why don't
security-concerned individuals participate in the Maven effort? Lead
by example and not by bashing...

