www-repository mailing list archives

From robert burrell donkin <rdon...@apache.org>
Subject Re: Maven repository policies
Date Sun, 31 Jul 2005 20:26:51 GMT
On Sun, 2005-07-31 at 12:55 -0700, Phil Steitz wrote:
> robert burrell donkin wrote:
> > On Fri, 2005-07-29 at 12:34 +1000, Brett Porter wrote:
> > 
> >>On 7/27/05, Phil Steitz <phil@steitz.com> wrote:
> > 
> > 
> > <snip>
> > 
> >>>>6) all files in the /dist/ repository must have a .asc signature. We
> >>>>will need to get this automated by the final release of Maven 2.
> >>
> >>>What about KEYS?
> >>
> >>Yes, standard distribution rules. I'm not sure if we need that in the
> >>repo or just a URL from /dist/ at large - will see what comes of
> >>commons-openpgp.
> > 
> > 
> > just FYI there was a feeling at apachecon from the infrastructure movers
> > and shakers that KEYS files were a transitional expediency and that
> > they would be removed at some point in the future. 
> 
> To be replaced by what?

AIUI when the apache web of trust is strong and deep enough, there will
be no need for apache to maintain this information. you should be able
to download the key from any public key server. once the certification
authority is up and running, infrastructure will be able to start
tightening things up. GPG keys are likely to become compulsory for
committers. there's quite a lot of documentation that's going to be
needed at the foundation level before this can happen, though.

- robert
