From: "Noel J. Bergman"
Subject: RE: status of PGP support in Maven
Date: Fri, 3 Oct 2008 11:05:45 -0400
Reply-To: general@incubator.apache.org
In-Reply-To: <9e3862d80809150702y7492812coa2f8f0f1deb42970@mail.gmail.com>

Brett Porter wrote:

> Currently, it has checking turned on by default, but that isn't going to be
> a reasonable setting for some releases to come until the signatures in the
> repository are cleaned up.

Why not enforce checking, but provide the ability for users to manually approve unsigned artifacts? Once you cache the downloaded artifact, you should not have to approve from cache.

> For the releases to be identified as from the incubator, they'll need to be
> signed solely by "the incubator". Did you want to elaborate on how you
> anticipated that set up working?

There are a variety of options, as have been discussed in this thread. An obvious, and overly simple, solution is a designated signing key for the Incubator PMC, and we maintain strict control over the private key. Just having a naive WoT is insufficient, since while I might be authorized to release for JAMES or the Incubator, I am not authorized to release for Maven.

But Henning, Dw, Ben (Laurie), Justin and others have experience in this area, and the details should probably be discussed on infrastructure-dev.

	--- Noel
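
Added example (not part of the original message, and not Maven's code): a Python illustration of the two policy points in the message above, namely approval of unsigned artifacts remembered by content digest so that cached copies are not prompted for again, and signer authorization checked per project instead of by global trust. The fingerprints, project names, `decide` and `ApprovalCache` are hypothetical; `signer_fpr` and `sig_valid` stand in for the result of a real OpenPGP verification, and rejecting an invalid signature outright is an assumption of this example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed policy: signing-key fingerprint -> projects it may release for.
# Placeholder fingerprints and project names, not real ASF keys.
AUTHORIZED = {
    "FPR-INCUBATOR-PMC": {"incubator"},
    "FPR-RELEASE-MGR-A": {"james", "incubator"},
}


@dataclass
class ApprovalCache:
    """SHA-256 digests of unsigned artifacts the user has already approved."""
    approved: set = field(default_factory=set)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(project, data, signer_fpr, sig_valid, cache, approve):
    """Return 'accept' or 'reject' for one downloaded artifact.

    signer_fpr is None for an unsigned artifact; sig_valid is the outcome
    of signature verification (done elsewhere). approve(project, sha256)
    is the interactive prompt and returns True or False.
    """
    if signer_fpr is None:
        h = digest(data)
        if h in cache.approved:
            return "accept"            # approved earlier: no second prompt
        if approve(project, h):
            cache.approved.add(h)      # approval is bound to the exact bytes
            return "accept"
        return "reject"
    if not sig_valid:
        return "reject"                # assumption: never offered for approval
    # A valid signature from a known key is not sufficient on its own:
    # the key must be authorized for this particular project.
    if project in AUTHORIZED.get(signer_fpr, set()):
        return "accept"
    return "reject"
```

Because approvals are keyed by digest and not by artifact name, a cached file whose bytes change is treated as a new, unapproved artifact.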