incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James Carman" <>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Sat, 31 May 2008 13:05:06 GMT
On Sat, May 31, 2008 at 1:33 AM, Robert Burrell Donkin
<> wrote:

> IMO this isn't really a maven issue: basic checks should be performed
> on all releases. i favour a private subversion repository with custom
> hooks for release publishing.

I think it very much is a maven issue.  Maven is the tool that
automatically downloads jar files from the public repository
automagically (I love that by the way).  If there were a setting in
maven that I could set that says "don't add anything to my local maven
repository that isn't signed by someone that I trust", then I think we
would be good here.  I don't know if I'd make it a required feature,
though.  I think making it optional would be okay.  Maven should also
ask you if you want to trust a signer if it hasn't seen it before
(kind of like how webstart does).  Perhaps it could be a three-choice

1.  Allow any jars from the central repository.
2.  Ask me before allowing jars from someone I haven't specifically
trusted before.
3.  Don't allow any jars signed by people I do not trust.

This, of course, would mean that we should probably set up a release
signing committee so that we only use one signing key from the ASF
(users shouldn't have to say that they trust jars signed by me, and
Robert, and Brett, and Noel).  The members of the committee would be
the only ones with write access to the maven rsync directory.  The
requests could be set up in JIRA or something (hopefully there would
be a committee member on each PMC).

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message