From: "Hiram Chirino"
To: general@incubator.apache.org
Date: Fri, 15 Sep 2006 10:16:40 -0400
Subject: Re: [VOTE] Approve the 4.1 release of ActiveMQ's maven plugins

On 9/14/06, robert burrell donkin wrote:
> On 9/14/06, Hiram Chirino wrote:
> > On 9/14/06, robert burrell donkin wrote:
> > > On 9/14/06, Hiram Chirino wrote:
> > > > remember that you'll need to create signatures before uploading.
> > >
> >
> > AFAIK, projects only sign distributions.
>
> true but jars are distributions too. policy applies equally to all distributions
>
> > If this was not the case
> > then every artifact in the maven repo would need to be signed and that
> > seems like a bit of overkill.
>
> the policy is clear - they must be signed. this might seem like
> overkill until you consider the cost to your personal reputation if an
> unsigned jar is substituted by malware. signing by release managers is
> an easy and effective protection which is why infrastructure insists
> upon it. in the (hopefully unlikely) event of a compromise, it is much
> easier and quicker for a release manager to verify that the signature
> is still valid than to recut the release.
>

Does anybody know if there is a way to get maven to sign every artifact
that gets deployed? As far as I know that does not exist yet. I just went
through the http://people.apache.org/repo/m2-ibiblio-rsync-repository repo
and seems there are many jars up without an asc and hardly anybody signs
the pom.xml or the maven-metadata.xml files.
Seems the directory project does a really good job of signing all their
artifacts. Any directory project committer lurking about? How do you guys
do that? Do you have any automated scripts to help in this department?

> > This is not a distribution but just a
> > set of jars that our main distribution will depend on.
>
> -1
>
> every distributed artifact must be signed. jars are distributions.
> they must be signed.
>

Understood. I'll look into signing those files.

> - robert
>

--
Regards,
Hiram

Blog: http://hiramchirino.com
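
The manual survey described in the message above (which jars, poms and maven-metadata.xml files in a repository have an .asc beside them) can be scripted. This is an added example, not part of the original thread or of any Apache or Maven tooling; the function names, the sample tree and its org/example paths are assumptions constructed for illustration. With verify=True it shells out to `gpg --verify`, which only succeeds when the signers' public keys are already in the local keyring.

```python
import subprocess
import tempfile
from collections import Counter
from pathlib import Path

SIDECARS = (".asc", ".md5", ".sha1")  # signatures and checksums, not artifacts

def kind_of(name):
    """Bucket a repository file as jar, pom, metadata or other."""
    if name == "maven-metadata.xml":
        return "metadata"
    return {".jar": "jar", ".pom": "pom"}.get(Path(name).suffix, "other")

def audit(repo_root, verify=False):
    """Return (Counter keyed by (kind, status), sorted unsigned paths)."""
    root, counts, unsigned = Path(repo_root), Counter(), []
    for path in root.rglob("*"):
        if not path.is_file() or path.name.endswith(SIDECARS):
            continue
        asc = path.with_name(path.name + ".asc")
        gpg = ["gpg", "--batch", "--verify", str(asc), str(path)]
        if not (asc.is_file() and asc.stat().st_size > 0):
            status = "unsigned"  # missing, or a zero-byte failed upload
            unsigned.append(path.relative_to(root).as_posix())
        elif verify and subprocess.run(gpg, capture_output=True).returncode:
            status = "bad"  # gpg rejected it, or the key is not in the keyring
        else:
            status = "signed"  # present; checked by gpg only when verify=True
        counts[(kind_of(path.name), status)] += 1
    return counts, sorted(unsigned)

def build_sample_repo():
    """Constructed Maven 2 style tree; every name in it is made up."""
    root = Path(tempfile.mkdtemp())
    layout = {  # relative path -> has a detached signature?
        "org/example/lib/1.0/lib-1.0.jar": True,
        "org/example/lib/1.0/lib-1.0.pom": False,
        "org/example/lib/maven-metadata.xml": False,
        "org/example/plugin/4.1/plugin-4.1.jar": False,
    }
    for rel, signed in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed artifact")
        for ext in (".sha1", ".asc") if signed else (".sha1",):
            path.with_name(path.name + ext).write_text("constructed")
    return root

if __name__ == "__main__":
    print(*audit(build_sample_repo()), sep="\n")
```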