maven-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anders Hammar <and...@hammar.net>
Subject Re: Missing signatures for the wagon 1.0-beta-2 artifacts
Date Tue, 16 Mar 2010 14:45:55 GMT
To carry on my own thread, would it be possible to bump the dependency to
the maven artifact to version 2.1 or later (for all apache plugins)?
Another solution could be to add dependency management to change the
transitive dependency to wagon to a version with a signature (1.0-beta-3 or
whatever). This could be added to the maven-plugins parent pom.

Anyone else that thinks that this dependency in the plugins to Apache
artifacts that aren't signed, is an issue?

/Anders

On Fri, Mar 12, 2010 at 13:31, Anders Hammar <anders@hammar.net> wrote:

> While implementing a Maven environment for a customer where the signatures
> for used Apache artifacts are verified, I've stumbled upon the fact that the
> artifacts of wagon 1.0-beta-2 aren't signed. As all other versions (1.0
> alphas and betas) have signatures, I'm confused. Does anyone know 1.0-beta-2
> wasn't signed?
>
> Unfortunately, very many plugins (most?) have a dependency to Maven 2.0.x
> which depends on this specific version of wagon. This causes an issue as it
> can't be verified. Could this be solved somehow so that we can have
> dependencies to signed artifacts?
>
> /Anders
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message