incubator-general mailing list archives

From "Robert Burrell Donkin" <>
Subject Re: maven repository
Date Sat, 31 May 2008 05:53:55 GMT
On Sat, May 31, 2008 at 3:30 AM, Noel J. Bergman <> wrote:
> Brett Porter wrote:
>> Noel J. Bergman:
>> > I really don't care what cuts across the grain of Maven.  I do care about
>> > the established principle that people must make a deliberate decision to use
>> > Incubator artifacts.  If Maven would finally support enforcing signing of
>> > artifacts, as they have been asked to do for years, we could use an
>> > Incubator-specific signing key, forcing people to approve the use of
>> > Incubator artifacts, regardless of download location.
>> You're asking for it to enforce the use of signed artifacts out of the
>> box, not enforce signing.
> Yes.  As noted in my reply to Brian E. Fox in his renamed thread "enforced
> signing of artifacts".

i've talked at length about this before (IIRC with brett and others)
and done quite a bit of thinking. it is a much more general issue than
just maven. one signature isn't good enough. it would be good for
maven to lead the way but IMO we need a comprehensive solution for all
apache releases.

- robert
