ant-dev mailing list archives

From Steve Loughran <>
Subject Re: pgp key for signing files
Date Mon, 05 Jun 2006 16:03:13 GMT
Antoine Levy-Lambert wrote:
>> -------- Original Message --------
>> Date: Mon, 05 Jun 2006 14:40:12 +0100
>> From: Steve Loughran <>
>> To: Ant Developers List <>
>> Subject: Re: pgp key for signing files
>> We can't sign the binaries themselves, as java suddenly changes into 
>> secure mode when that happens. 
> Hello Steve, 
> what we do sign using PGP are the .tar.bz2, .tar.gz and .zip files which constitute the
> binary distribution. This is something different from signing a jar. The individual ant jars
> are not signed by Java means.

Exactly. Having had an email discussion with Ben Laurie on the topic, we
should really have a separate PGP key purely for signing these artifacts,
that is separate from anything used to encrypt emails. Why so? Because
when the UK government key retrieval clause in the RIPA bill engages,
they have the right to demand the decode keys from anyone subject to the
UK courts, namely UK citizens, residents or anyone just passing through
Heathrow airport. I know the risk of the government demanding your PGP
key so that they can release their own patched version is pretty low,
but the risk is there.

>> We also need to look at the release docs to see if it covers 
>> distribution to the maven repository.
> Does this directory [1] have something to do with Maven ?
> There are instructions to populate it in the release instructions [2].
> In any case I would be curious to know what is the use of this java-repository.

I'm checking with, home of the repository police 
-the "repo men" :)

> Regards,
> Antoine
>> -steve
> [1] 
> [2]