incubator-general mailing list archives

From "James Carman" <>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Sat, 31 May 2008 13:25:22 GMT
On Sat, May 31, 2008 at 9:05 AM, James Carman
<> wrote:
> On Sat, May 31, 2008 at 1:33 AM, Robert Burrell Donkin
> <> wrote:
>> IMO this isn't really a maven issue: basic checks should be performed
>> on all releases. i favour a private subversion repository with custom
>> hooks for release publishing.
> I think it very much is a maven issue.  Maven is the tool that
> automatically downloads jar files from the public repository
> automagically (I love that by the way).  If there were a setting in
> maven that I could set that says "don't add anything to my local maven
> repository that isn't signed by someone that I trust", then I think we
> would be good here.  I don't know if I'd make it a required feature,
> though.  I think making it optional would be okay.  Maven should also
> ask you if you want to trust a signer if it hasn't seen it before
> (kind of like how webstart does).  Perhaps it could be a three-choice
> setting:
> 1.  Allow any jars from the central repository.
> 2.  Ask me before allowing jars from someone I haven't specifically
> trusted before.
> 3.  Don't allow any jars signed by people I do not trust.
> This, of course, would mean that we should probably set up a release
> signing committee so that we only use one signing key from the ASF
> (users shouldn't have to say that they trust jars signed by me, and
> Robert, and Brett, and Noel).  The members of the committee would be
> the only ones with write access to the maven rsync directory.  The
> requests could be set up in JIRA or something (hopefully there would
> be a committee member on each PMC).

I guess we would probably want to set up a signing key for each PMC,
since saying that I approve of using releases from one podling doesn't
necessarily mean I approve of using releases from another podling.
For example, I may trust JSecurity if I am a long-time user of it, but
I don't trust Imperius, because I don't know what the heck it is.
Once a podling graduates, would we need to generate a new signing key
for it (without the "incubating")?
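As an added illustration (not part of this thread and not Maven code), here is how the three-choice setting quoted above could be applied to the result of `gpg --verify --status-fd` on an artifact's `.asc` signature. The status lines, fingerprints and key ids in it are constructed samples; it assumes that even mode 1 rejects an artifact whose signature is bad, expired or revoked, and that mode 2 only offers to trust a key whose signature actually verified.

```python
"""Three-mode trust policy for signed Maven artifacts, driven by
gpg --status-fd output. Added illustration, not Maven's own code."""
from enum import Enum

class Mode(Enum):
    ALLOW_ANY = 1     # 1. allow any jar from the central repository
    ASK_UNKNOWN = 2   # 2. ask before accepting a signer not trusted yet
    TRUSTED_ONLY = 3  # 3. reject anything not signed by a trusted key

def parse_gpg_status(status_text):
    """Reduce gpg --status-fd lines to (verdict, key).
    verdict: 'good' (VALIDSIG), 'bad' (BADSIG/EXPKEYSIG/REVKEYSIG),
    'unknown' (NO_PUBKEY) or 'none' (no signature status at all)."""
    verdict, key = "none", None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "VALIDSIG":
            verdict, key = "good", fields[2]   # full signing-key fingerprint
        elif tag in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            verdict = "bad"
        elif tag == "NO_PUBKEY" and verdict == "none":
            verdict, key = "unknown", fields[2]  # long key id we do not hold
    return verdict, key

def decide(mode, status_text, trusted, ask=lambda key: False):
    """Return 'allow' or 'deny'. In ASK_UNKNOWN mode a verified signature
    from a key not in `trusted` is offered to `ask`; accepting adds it."""
    verdict, key = parse_gpg_status(status_text)
    if verdict == "bad":
        return "deny"   # tampered, expired or revoked: never accept
    if mode is Mode.ALLOW_ANY:
        return "allow"
    if verdict == "good" and key in trusted:
        return "allow"
    if mode is Mode.ASK_UNKNOWN and verdict == "good" and ask(key):
        trusted.add(key)   # trust-on-first-use, recorded for next time
        return "allow"
    return "deny"

# Constructed sample status output (fingerprint and key id are made up).
FPR = "1111222233334444555566667777888899990000"
GOOD_STATUS = ("[GNUPG:] GOODSIG 9999000011112222 Sample Signer\n"
               f"[GNUPG:] VALIDSIG {FPR} 2008-05-31 1212240000 0 4 0 1 2 00\n")
UNKNOWN_STATUS = "[GNUPG:] ERRSIG 9999000011112222 1 2 00 1212240000 9\n[GNUPG:] NO_PUBKEY 9999000011112222\n"
BAD_STATUS = "[GNUPG:] BADSIG 9999000011112222 Sample Signer\n"
```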
