incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Noel J. Bergman" <>
Subject RE: maven repository
Date Sat, 31 May 2008 02:30:21 GMT
Brett Porter wrote:

> Noel J. Bergman:
> > I really don't care what cuts across the grain of Maven.  I do care
> > the established principle that people must make a deliberate decision to
> > Incubator artifacts.  If Maven would finally support enforcing signing
> > artifacts, as they have been asked to do for years, we could use an
> > Incubator-specific signing key, forcing people to approve the use of
> > Incubator artifacts, regardless of download location.

> You're asking for it to enforce the use of signed artifacts out of the
> box, not enforce signing.

Yes.  As noted in my reply to Brian E. Fox in his renamed thread "enforced
signing of artifacts".

> I still think that's some time off from happening

Well, you know how I feel about that ...

> I'm more than happy to throw an enforcer rule into the next Maven
> release that warns users if they are:
> - using the incubator repository
> - using an artifact from org.apache.* with version *-incubating.
>   and point them to a URL to learn more.

> Will that do?

Wearing my Incubator PMC hat?  Possibly.  Please elaborate.  Wearing my
security hat?  Not in the slightest, but I'm willing to focus on the
Incubator's issues here.

Obviously, this won't solve the problem of people using older versions of
Maven, but I'm not sure if there is a good solution to that, is there?

> > By the way, there has been some talk in Infrastructure about shutting
> > the ASF's repository entirely if Maven does not provide enforcement of
> > signed artifacts, due to security concerns.

> Can you point me to the message ID and list? I don't recall it.

Would have been on infra@ a time or few over the years.

	--- Noel

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message