www-repository mailing list archives

From "Henk P. Penning" <he...@cs.uu.nl>
Subject Re: How to publish jars
Date Thu, 01 Dec 2005 21:48:50 GMT
On Thu, 1 Dec 2005, Mark Thomas wrote:

> Date: Thu, 01 Dec 2005 21:30:08 +0000
> From: Mark Thomas <markt@apache.org>
> Cc: repository@apache.org
> Subject: Re: How to publish jars
>
> Henk P. Penning wrote:

> >   You have to provide PGP digital signatures ; this is required
> >   for every piece of software in 'www.apache.org/dist/'.

> Really? I don't see a single pgp signature for any jar in any
> http://www.apache.org/dist/java-repository/*/jars directory

  Really.

  http://www.apache.org/dist/java-repository/cocoon/jars/

> Most have md5's. Some have sha1's as well. Some have nothing at all.

  True, and that's bad. Fortunately it's changing. See

    http://people.apache.org/~henkp/checker/sig.html

  Please do the right thing, and sign your stuff. There is really
  no reason why stuff in 'java-repository' should be exempt from
  a policy that's widely followed in the rest of www.apache.org/dist.

  Since the 'java-repository' is somehow a rather 'wild' part of
  'www.apache.org/dist', it is especially important that stuff is
  signed ; look at 'java-repository/tomcat/jars/' ; almost all
  files are group writable by group 'apcvs' ; that's 1000 people
  that can change any file without changing the owner of the file.

> All of our distros under http://www.apache.org/dist/tomcat/ are pgp
> signed.

  Very good. Please do the same for 'java-repository/tomcat/jars/'.

> Mark

  Henk Penning

----------------------------------------------------------------   _
Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
http://www.cs.uu.nl/staff/henkp.html          M penning@cs.uu.nl  \_/
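The workflow the thread asks for, as an added example that is not part of the original message or of any Apache project's release tooling: sign an artifact with a detached, ASCII-armoured PGP signature, publish md5/sha1 sidecars next to it, and then show why the sidecars alone give no protection in a group-writable directory. It assumes GnuPG 2.x is on PATH as `gpg` together with coreutils `md5sum`/`sha1sum`; the signing key, the fake jar and all paths are constructed here and are not real release material.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes GnuPG 2.x (`gpg`)
# and coreutils (md5sum, sha1sum, mktemp). Everything below is constructed.
set -e

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# Constructed throwaway signing key. A real release is signed with the
# committer's own long-lived key, the one published in the project's KEYS file.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Example <release@example.invalid>' rsa2048 sign 0

# Constructed stand-in for a jar published under java-repository/<project>/jars/
ARTIFACT="$WORK/example-1.0.jar"
printf 'PK\003\004 constructed fake jar contents\n' > "$ARTIFACT"

# Release side: publish the detached signature and the checksum sidecars
# next to the artifact (example-1.0.jar.asc, .md5, .sha1).
sign_artifact() {
    gpg --batch --quiet --armor --detach-sign --output "$1.asc" "$1"
    md5sum "$1" | awk '{print $1}' > "$1.md5"
    sha1sum "$1" | awk '{print $1}' > "$1.sha1"
}

# Downloader/checker side: succeeds only if the .asc signature verifies
# against the artifact bytes with a key in the local keyring.
verify_artifact() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# Checksum-only check: succeeds if the .md5 sidecar matches the file.
# This detects a corrupted download, nothing more.
verify_md5() {
    [ "$(md5sum "$1" | awk '{print $1}')" = "$(cat "$1.md5")" ]
}

# What group write access permits: anyone in the group edits the jar and
# simply regenerates the checksum, because a checksum involves no secret.
# The signature cannot be regenerated without the signer's private key.
tamper_and_refresh_md5() {
    printf 'injected class file\n' >> "$1"
    md5sum "$1" | awk '{print $1}' > "$1.md5"
}

sign_artifact "$ARTIFACT"

# Demonstration when run stand-alone: before tampering both checks pass;
# after tampering the md5 still matches but the PGP signature does not.
if verify_md5 "$ARTIFACT" && verify_artifact "$ARTIFACT"; then
    echo "clean artifact: md5 matches, signature verifies"
fi
tamper_and_refresh_md5 "$ARTIFACT"
if verify_md5 "$ARTIFACT" && ! verify_artifact "$ARTIFACT"; then
    echo "tampered artifact: md5 still matches, signature FAILS"
fi
echo "work dir: $WORK (remove when done)"
```

Note that `gpg --verify` exits 0 for any valid signature from a key in the keyring, so a checker must also decide which keys it trusts (for Apache, the ones in the project's KEYS file); verifying against a freshly downloaded key that sits next to the artifact proves nothing.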

