lucene-dev mailing list archives

From "Steven Rowe (Commented) (JIRA)" <>
Subject [jira] [Commented] (LUCENE-3882) maven-metadata.xml's are only hashed but not signed
Date Mon, 19 Mar 2012 15:00:48 GMT


Steven Rowe commented on LUCENE-3882:

Robert, I think it's not necessary/useful to sign these files.

In Maven Central, many projects don't have signatures for this file, e.g. {{org.apache.apache}},
the Apache parent POM.

I think the issue is that when Maven artifacts are uploaded, for each artifact, entries from
the maven-metadata.xml file's contents are merged with the existing version of that file.
As a result, the signature will no longer apply.

Maven-core is an example of a project where they used to sign this file, then stopped doing
it, but left the signature in the repo.  Note
that the {{maven-metadata.xml.asc}} file is dated 2006.

> maven-metadata.xml's are only hashed but not signed
> ---------------------------------------------------
>                 Key: LUCENE-3882
>                 URL:
>             Project: Lucene - Java
>          Issue Type: Bug
>          Components: general/build
>            Reporter: Robert Muir
>             Fix For: 3.6, 4.0
>         Attachments: LUCENE-3882.patch
> we only produce .sha/.md5 for these files, but not .asc
