maven-issues mailing list archives

From "Sebb (JIRA)" <>
Subject [jira] [Commented] (MPOM-118) Enforce strong GPG signatures by default
Date Wed, 18 May 2016 22:09:13 GMT


Sebb commented on MPOM-118:

I don't see the point.

Hashes are only really useful for checking that a download has succeeded.
They don't provide any authentication, therefore the strength of the hash is not particularly

Indeed providing a stronger hash may mislead end users into thinking that the hash is sufficient.

> Enforce strong GPG signatures by default
> ----------------------------------------
>                 Key: MPOM-118
>                 URL:
>             Project: Maven POMs
>          Issue Type: Improvement
>          Components: asf
>    Affects Versions: ASF-17
>            Reporter: Christopher Tubbs
> maven-gpg-plugin configuration could be improved a bit so that ASF releases are not weakened by a user's weak personal configuration.
> I suggest adding something like the following to maven-gpg-plugin's configuration in the pluginManagement section:
> {code:xml}
> <gpgArguments combine.children="append">
>   <arg>--digest-algo=SHA512</arg>
> </gpgArguments>
> {code}
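The proposed `--digest-algo=SHA512` only helps if it actually ends up in the signatures that get published, so the check a release manager wants is: open the `.asc` next to an artifact and read which hash algorithm the signer's gpg recorded. The script below is an added example written for this page; it is not code from maven-gpg-plugin, the ASF parent POM, or this JIRA thread. It parses the RFC 4880 packet syntax of a detached ASCII-armored signature (the armor CRC-24, the packet header, and the fixed leading bytes of a v3 or v4+ signature packet) and reports the digest name. It assumes a detached signature whose first packet is the signature packet, which is what gpg `--detach-sign --armor` produces, and it does not verify the signature cryptographically. The sample input it runs on with no arguments is a constructed, syntactically valid packet with a dummy MPI, so it illustrates the parse and would never verify against any key. Note that it reads the signature, not the `.sha512` checksum file, which is exactly the distinction the comment above draws: the checksum says the download is intact, the signature says who made it.

```python
"""Hypothetical .asc digest checker, not code from maven-gpg-plugin or the ASF POM: parses
a detached OpenPGP signature (RFC 4880) and reports the hash algorithm it was made with."""
import base64
import sys

# RFC 4880 section 9.4 hash algorithm identifiers
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
              8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Assumed policy line: anything older than the SHA-2 family is reported as weak
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def crc24(data: bytes) -> int:          # RFC 4880 section 6.1: the armor trailer checksum
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip ASCII armor, check the CRC-24 trailer and return the raw packet bytes."""
    lines = text.splitlines()
    begin = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP ")]
    end = [i for i, l in enumerate(lines) if l.startswith("-----END PGP ")]
    if not begin or not end or end[0] <= begin[0]:
        raise ValueError("not an ASCII-armored OpenPGP message")
    body = lines[begin[0] + 1:end[0]]
    i = 0                                # armor headers ("Version: ...") end at a blank line
    while i < len(body) and ":" in body[i]:
        i += 1
    data_lines, crc_line = [], None
    for line in body[i:]:
        line = line.strip()
        if line.startswith("="):         # "=XXXX" trailer carries the CRC-24 of the raw bytes
            crc_line = line[1:]
        elif line:
            data_lines.append(line)
    data = base64.b64decode("".join(data_lines))
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch: the signature file is corrupt")
    return data


def packet_header(data: bytes, off: int = 0):   # RFC 4880 section 4.2: (tag, body_off, body_len)
    ptag = data[off]
    if not ptag & 0x80:
        raise ValueError("0x%02x is not an OpenPGP packet tag" % ptag)
    if ptag & 0x40:                                   # new-format header
        tag, first = ptag & 0x3F, data[off + 1]
        if first < 192:
            return tag, off + 2, first
        if first < 224:
            return tag, off + 3, ((first - 192) << 8) + data[off + 2] + 192
        if first == 255:
            return tag, off + 6, int.from_bytes(data[off + 2:off + 6], "big")
        raise ValueError("partial body lengths are not supported")
    tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03      # old-format header (what gpg emits)
    if ltype == 3:
        raise ValueError("indeterminate packet length is not supported")
    size = (1, 2, 4)[ltype]
    return tag, off + 1 + size, int.from_bytes(data[off + 1:off + 1 + size], "big")


def signature_digest(armored: str) -> str:
    """Name of the hash algorithm recorded in the first signature packet."""
    data = dearmor(armored)
    tag, off, length = packet_header(data)
    if tag != 2:
        raise ValueError("expected a signature packet (tag 2), got tag %d" % tag)
    body = data[off:off + length]
    version = body[0]
    if version == 3:        # v3: version, 0x05, type, time(4), key id(8), pk algo, hash algo
        algo_id = body[16]
    elif version >= 4:      # v4 and later: version, type, pk algo, hash algo, subpackets...
        algo_id = body[3]
    else:
        raise ValueError("unsupported signature version %d" % version)
    return HASH_ALGOS.get(algo_id, "unknown(%d)" % algo_id)


def is_strong_digest(name: str) -> bool:
    return name not in WEAK_DIGESTS and not name.startswith("unknown")


def constructed_signature(hash_algo_id: int) -> str:
    """Constructed test input: a well-formed v4 signature packet with a dummy MPI that never verifies."""
    ctime = bytes([5, 2]) + (0x5B000000).to_bytes(4, "big")   # subpacket type 2: creation time
    body = bytes([4, 0x00, 1, hash_algo_id])                   # v4, binary-doc sig, RSA, hash algo
    body += len(ctime).to_bytes(2, "big") + ctime              # hashed subpackets
    body += (0).to_bytes(2, "big")                             # no unhashed subpackets
    body += b"\x12\x34"                                        # left 16 bits of the digest (dummy)
    body += (13).to_bytes(2, "big") + b"\x12\x34"              # one 13-bit MPI, value 0x1234 (dummy)
    packet = bytes([0x80 | (2 << 2), len(body)]) + body        # old-format header, 1-octet length
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":      # usage: python check_sig_digest.py release.jar.asc ...
    for text in [open(p).read() for p in sys.argv[1:]] or [constructed_signature(10), constructed_signature(2)]:
        algo = signature_digest(text)
        print(algo, "ok" if is_strong_digest(algo) else "WEAK")
```

Run it against the `.asc` files of a staged release to see whether the plugin setting took effect for every signer; with gpg installed, `gpg --list-packets file.asc` is the cross-check, its signature packet line ends in `digest algo 10` for SHA512 and `digest algo 2` for SHA1. Two rejections are deliberate: an armor CRC mismatch is reported as corruption rather than silently parsed, and an unknown algorithm id is never reported as strong.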
