Hooray for https://svn.apache.org/repos/private/committers/tools/releases/gpg-sign-all and rsync! Everything under http://people.apache.org/repo/m2-incubating-repository/org/apache/activemq/ is now signed! It was not that hard!

On 9/15/06, Hiram Chirino wrote:
> On 9/14/06, robert burrell donkin wrote:
> > On 9/14/06, Hiram Chirino wrote:
> > > On 9/14/06, robert burrell donkin wrote:
> > > > On 9/14/06, Hiram Chirino wrote:
> > > > > > remember that you'll need to create signatures before uploading.
> > > > >
> > > > > AFAIK, projects only sign distributions.
> > > >
> > > > true but jars are distributions too. policy applies equally to all distributions
> >
> > > If this was not the case then every artifact in the maven repo would need
> > > to be signed and that seems like a bit of overkill.
> >
> > the policy is clear - they must be signed. this might seem like
> > overkill until you consider the cost to your personal reputation if an
> > unsigned jar is substituted by malware. signing by release managers is
> > an easy and effective protection which is why infrastructure insists
> > upon it. in the (hopefully unlikely) event of a compromise, it is much
> > easier and quicker for a release manager to verify that the signature
> > is still valid than to recut the release.
> >
>
> Does anybody know if there is a way to get maven to sign every
> artifact that gets deployed? As far as I know that does not exist yet.
>
> I just went through the
> http://people.apache.org/repo/m2-ibiblio-rsync-repository repo and it
> seems there are many jars up without an asc, and hardly anybody signs
> the pom.xml or the maven-metadata.xml files.
>
> Seems the directory project does a really good job of signing all
> their artifacts. Any directory project committer lurking about? How
> do you guys do that? Do you have any automated scripts to help in
> this department?
>
> > > This is not a distribution but just a
> > > set of jars that our main distribution will depend on.
> >
> > -1
> >
> > every distributed artifact must be signed. jars are distributions.
> > they must be signed.
> >
>
> Understood.. I'll look into signing those files.
>
> > - robert
> >
>
> --
> Regards,
> Hiram
>
> Blog: http://hiramchirino.com
>

--
Regards,
Hiram

Blog: http://hiramchirino.com
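The thread asks for a way to sign every deployed artifact (not just the main distribution) and notes that many jars, pom and maven-metadata.xml files in the repository have no .asc beside them. Below is an added example of the kind of sweep script that does this; it is not the Apache gpg-sign-all script linked above, nor anything from ActiveMQ or the directory project. It assumes a local copy of the repository tree (for instance the directory you rsync to people.apache.org) and gpg on the PATH; the key selector "signer@example.invalid" and the sample files in the usage comments are hypothetical. It walks the tree, lists artifacts that lack a detached signature, creates an ASCII-armored detached signature for each, and then verifies every artifact/.asc pair so that a substituted jar (the scenario robert raises) shows up as BAD rather than passing silently.

```shell
#!/bin/sh
# Added example, not the Apache gpg-sign-all script: find, sign and verify
# detached OpenPGP signatures for every artifact under a Maven repository tree.
#
# Usage (hypothetical paths and key):
#   . ./sign-repo.sh
#   find_unsigned ~/m2-repo/org/apache/foo          # what still lacks an .asc
#   sign_all      ~/m2-repo/org/apache/foo signer@example.invalid
#   verify_all    ~/m2-repo/org/apache/foo          # exit 1 on BAD or MISSING
set -e

# Everything a Maven deploy publishes is signed, including .pom and
# maven-metadata.xml; .asc, .md5 and .sha1 are derived files, not artifacts.
is_artifact() {
    case "$1" in
        *.asc|*.md5|*.sha1) return 1 ;;
        *.jar|*.war|*.zip|*.tar.gz|*.pom|*.xml) return 0 ;;
        *) return 1 ;;
    esac
}

# find_unsigned REPO_DIR: print each artifact with no detached signature beside it.
find_unsigned() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if is_artifact "$f" && [ ! -f "$f.asc" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# sign_all REPO_DIR KEY: detached, ASCII-armored signature next to each unsigned artifact.
# KEY is any gpg key selector (key id or user-id email). Existing .asc files are left alone.
sign_all() {
    find_unsigned "$1" | while IFS= read -r f; do
        gpg --batch --yes --local-user "$2" --armor --detach-sign \
            --output "$f.asc" "$f" </dev/null
    done
}

# verify_all REPO_DIR: check every artifact against its .asc.
# Prints GOOD/BAD/MISSING per artifact; returns 1 if anything is BAD or MISSING.
verify_all() {
    list=$(mktemp)
    find "$1" -type f | sort >"$list"
    status=0
    while IFS= read -r f; do
        is_artifact "$f" || continue
        if [ ! -f "$f.asc" ]; then
            printf 'MISSING %s\n' "$f"; status=1
        elif gpg --batch --quiet --verify "$f.asc" "$f" >/dev/null 2>&1 </dev/null; then
            printf 'GOOD    %s\n' "$f"
        else
            printf 'BAD     %s\n' "$f"; status=1
        fi
    done <"$list"
    rm -f "$list"
    return "$status"
}
```

Run find_unsigned before every rsync to people.apache.org and treat any output as a blocker; run verify_all afterwards against the mirrored copy, since a signature that no longer verifies is the quickest evidence that a jar was swapped.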